I have the following connection setup:
Site A (radius server) <--> Site B (gateway) <--> Roadwarrior (Bob)
Site B uses the eap-radius plugin for RADIUS authentication and accounting.
# strongswan.conf, charon.plugins section
eap-radius {
    # Dynamic Authorization Extensions (RFC 5176): accept Disconnect/CoA
    # requests from the RADIUS server
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
        secret = verystrongsecret
    }
    # map the RADIUS Class attribute to a group for authorization
    class_group = yes
    eap_start = no
    load = yes
    accounting = yes
    servers {
        server-a {
            address = xx.xx.xx.xx
            auth_port = 1812
            acct_port = 1813
            secret = verystrongsecret
            nas_identifier = gw
            sockets = 5
        }
    }
}
A trap policy is configured between Site A and Site B.
# swanctl.conf, site-to-site connection on the gateway
children {
    net-net {
        local_ts = xx.xx.xx.xx/xx
        remote_ts = xx.xx.xx.xx/xx
        # install a trap policy and also initiate at daemon start
        start_action = trap|start
        ...
    }
}
Then I forcibly terminate the connection between the RADIUS server and the gateway: swanctl -t -i radius
When Bob connects to the gateway, RADIUS authentication fails before the connection between the RADIUS server and the gateway has been established. It looks like the IKE_SA to the RADIUS server is not initiated until after EAP_RADIUS has already failed.
Nov 03 05:41:43 gw: received EAP identity 'user'
Nov 03 05:41:43 gw: sending RADIUS Access-Request to server 'server-a'
Nov 03 05:41:43 gw: creating acquire job for policy xx.xx.xx.xx/xx[udp/52470] === xx.xx.xx.xx/xx[udp/radius] with reqid {1}
Nov 03 05:41:44 gw: ignoring request with ID 2, already processing
Nov 03 05:41:45 gw: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 03 05:41:46 gw: ignoring request with ID 2, already processing
Nov 03 05:41:47 gw: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 03 05:41:50 gw: ignoring request with ID 2, already processing
Nov 03 05:41:51 gw: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 03 05:41:57 gw: RADIUS Access-Request timed out after 4 attempts
Nov 03 05:41:57 gw: initiating EAP_RADIUS method failed
Nov 03 05:41:57 gw: generating IKE_AUTH response 2 [ EAP/FAIL ]
Nov 03 05:41:57 gw: sending packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[23811] (80 bytes)
Nov 03 05:41:57 gw: initiating IKE_SA radius[31] to xx.xx.xx.xx
Bob's second connection attempt succeeds, because the connection between Site A and Site B is already up after the first attempt.
How can I overcome this and make sure the site-to-site tunnel is up when a client connects to the gateway? Is it possible to increase the RADIUS authentication timeout, if that would help?
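To put numbers on the second question (whether raising the RADIUS timeout would help), here is an added Python example that is not part of the post above: it reads the retransmit lines from the gateway log, checks that the logged waits are exactly what strongSwan's eap-radius plugin produces with its documented defaults (charon.plugins.eap-radius.retransmit_timeout = 2.0, retransmit_base = 1.4, retransmit_tries = 4 in strongswan.conf), and works out how many tries would be needed to cover a given tunnel setup time. The parameter names and defaults are taken from the strongswan.conf documentation; the log lines are copied from the post, and the year used when parsing the timestamps is an assumption that does not affect the intervals.

```python
"""Derive the eap-radius retransmit budget from the gateway log.

Added example, not part of the original post. Assumes the strongSwan
defaults retransmit_timeout=2.0 s, retransmit_base=1.4, retransmit_tries=4
(charon.plugins.eap-radius in strongswan.conf).
"""
import re
from datetime import datetime

# Log lines copied from the post; only the RADIUS-related ones are kept.
GATEWAY_LOG = """\
Nov 03 05:41:43 gw: sending RADIUS Access-Request to server 'server-a'
Nov 03 05:41:45 gw: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 03 05:41:47 gw: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 03 05:41:51 gw: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 03 05:41:57 gw: RADIUS Access-Request timed out after 4 attempts
"""

RETRANSMIT_RE = re.compile(r"retransmit (\d+) of RADIUS .*\(timeout: ([\d.]+)s\)")
TIMESTAMP_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")


def retransmit_schedule(timeout=2.0, base=1.4, tries=4):
    """Seconds the plugin waits on each attempt before resending.

    The first attempt waits `timeout`; every further attempt multiplies the
    previous wait by `base`; after `tries` attempts the request is dead.
    """
    waits = []
    current = timeout
    for _ in range(tries):
        waits.append(round(current, 3))
        current *= base
    return waits


def total_budget(timeout=2.0, base=1.4, tries=4):
    """Seconds between the first Access-Request and 'timed out'."""
    return round(sum(retransmit_schedule(timeout, base, tries)), 1)


def timeouts_from_log(log):
    """The '(timeout: Xs)' values logged with each retransmit."""
    return [float(m.group(2)) for m in RETRANSMIT_RE.finditer(log)]


def log_matches_defaults(log, timeout=2.0, base=1.4, tries=4):
    """True if the logged waits are the ones these settings produce.

    Each retransmit line logs the *next* wait, so the logged values are
    attempts 2..tries of the schedule (the initial 2.0 s wait is never printed).
    """
    expected = [round(w, 1) for w in retransmit_schedule(timeout, base, tries)[1:]]
    return timeouts_from_log(log) == expected


def observed_gaps(log):
    """Whole-second gaps between consecutive RADIUS log lines (year assumed)."""
    stamps = [datetime.strptime(m.group(1), "%b %d %H:%M:%S")
              for m in (TIMESTAMP_RE.match(line) for line in log.splitlines()) if m]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def settings_for_budget(needed_seconds, timeout=2.0, base=1.4):
    """Smallest retransmit_tries whose total budget covers needed_seconds."""
    tries = 1
    while total_budget(timeout, base, tries) < needed_seconds:
        tries += 1
    return tries


if __name__ == "__main__":
    print("schedule:", retransmit_schedule())          # [2.0, 2.8, 3.92, 5.488]
    print("budget  :", total_budget(), "s")            # 14.2 s
    print("log uses defaults:", log_matches_defaults(GATEWAY_LOG))
    print("observed gaps:", observed_gaps(GATEWAY_LOG))  # [2, 2, 4, 6]
    print("tries for a 30 s tunnel setup:", settings_for_budget(30))
```

The logged waits 2.8 / 3.9 / 5.5 s are exactly timeout * base^n for the defaults, so the whole Access-Request lives about 14 s, which is what the timestamps show (:43 to :57). Raising retransmit_tries or retransmit_timeout in the charon.plugins.eap-radius section of strongswan.conf stretches that budget, but it only widens the window in which the on-demand tunnel has to come up; the more robust approach is to keep the site-to-site CHILD_SA permanently established instead of relying on the trap alone (start_action = start together with dpd_action = restart and close_action = start so it is re-initiated after a loss), so the RADIUS path already exists before the first Access-Request is sent.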