Internal routing error: RADIUS server over IPsec S2S VPN
We have a problem with multiple routes.
ER605, firmware ER605(UN)_V1_1.2.0 Build 20220114
We have several ER605 routers in various smaller locations, which are connected to our head office (OPNsense) via VPN (IPsec S2S). There is a RADIUS server at the head office that we want to use for Wi-Fi authentication. Unfortunately this doesn't work, because the ER605 apparently can't reach it. However, a client connected to an ER605 can reach it. It looks to us as if the ER605 does not send its own requests through the VPN (a ping to the RADIUS server from the ER605 itself, for example, does not work either, while it does work from a PC that is connected to the ER605).
Did you use the Diagnostics tool on the ER605 to do the ping test?
Try selecting Interface as WAN.
@Virgo Yes, we used the ping function of the ER605, also on different LAN and WAN interfaces. A ping to the ER605 from the other side (OPNsense) of the VPN works. Web access to the ER605 via the VPN also works, as does a ping from OPNsense to a computer connected to the ER605 and back. Only a ping directly from the ER605 to OPNsense does not work, and the ER605 cannot reach our RADIUS server via the VPN.
Dear @Stefan_Vogel ,
Stefan_Vogel wrote:
@Virgo Yes, we used the ping function of the ER605, also on different LAN and WAN interfaces. A ping to the ER605 from the other side (OPNsense) of the VPN works. Web access to the ER605 via the VPN also works, as does a ping from OPNsense to a computer connected to the ER605 and back. Only a ping directly from the ER605 to OPNsense does not work, and the ER605 cannot reach our RADIUS server via the VPN.
Yes, it's fine that the ping doesn't work.
The mechanism is like this: if you choose LAN for Interface, the data goes directly to the LAN routing table; if you choose WAN, the data goes directly out of the WAN. Neither of them goes through the VPN channel, so it is normal that the ping doesn't work.
Please don't worry about that, it will not influence the actual usage.
Best Regards!
@Hank21 OK regarding the ping. But the problem is that the router does not send the query for the RADIUS server through the VPN either. This means that authentication via a RADIUS server that is reachable via the VPN is not possible, yet it is precisely for such things that one sets up the VPN.
Dear @Stefan_Vogel ,
Stefan_Vogel wrote:
@Hank21 OK regarding the ping. But the problem is that the router does not send the query for the RADIUS server through the VPN either. This means that authentication via a RADIUS server that is reachable via the VPN is not possible, yet it is precisely for such things that one sets up the VPN.
Based on your description, there are two scenarios to consider.
1. If you only find that the PC behind the ER605 cannot use that authentication system, please check whether the PC can ping through to the RADIUS server on the other side.
2. If you want the portal set on the controller to be applied to the EAP, you need to check that the local network at both ends contains all subnets when the VPN is set up. Generally speaking, if the controller can manage the EAP properly, the portal will work.
Best Regards!
@Hank21 Thank you for your support.
To 1.: A PC behind the ER605 can reach the RADIUS server via the VPN (but we don't really need that).
To 2.: The Omada Controller can reach and control all EAPs. That works because the IP of the Omada controller is entered in DHCP option 138 on the ER605.
But that's really not the point.
(By the way, the ER605 is not adopted by the Omada controller. We use the Omada controller only and exclusively for the WLAN access points.)
The guest authentication has nothing to do with the Omada controller or the EAPs.
(We also have a wired guest network that uses authentication.)
It's all about the RADIUS authentication function of the ER605; we use the ER605's internal custom page.
This is also what is displayed to the client.
The RADIUS server is of course defined by IP (192.168.10.5) and port in the ER605.
But the authentication does not work.
Unfortunately, there is no more precise error information in the ER605 (not even in the log), only "authentication failed".
But we don't see any requests from the ER605 on our RADIUS server either; strictly speaking, our RADIUS server does not receive a single packet from the ER605.
The purely internal authentication in the ER605 works, of course.
We therefore assume that the ER605 does not send the requests to the RADIUS server through the VPN.
I'll take screenshots of the settings later.
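The thread narrows the failure to "the RADIUS server receives no packet at all from the ER605", which is a routing problem, not a credential problem. One way to prove that split is to send a hand-built RFC 2865 Access-Request from a PC behind the ER605 (which, per the post, can reach 192.168.10.5 over the tunnel) and compare with a capture on the server: if the PC's probe gets an Access-Accept or Access-Reject, the server, port and shared secret are fine, and only the router's own locally-originated traffic is missing from the tunnel. The following is an added example written for this page, not TP-Link or OPNsense code; the shared secret, username, password and the NAS-IP 192.168.20.1 are assumptions (the RADIUS server must have a client entry for whatever source address the probe arrives from), while 1812 is the standard RADIUS authentication port.

```python
"""RFC 2865 Access-Request probe: build, send and verify RADIUS authentication packets."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator); the authenticator must be random per request."""
    req_auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_packet(data: bytes):
    """Split a packet into (code, id, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator fails was forged or uses another secret."""
    _, _, resp_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify what came back."""
    packet, req_auth = build_access_request(os.urandom(1)[0], secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (not routed, filtered, or unknown NAS client)"
    if not verify_response(reply, req_auth, secret):
        return "bad response authenticator (shared secret mismatch or spoofed reply)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], f"code {reply[0]}")


def demo_roundtrip(secret=b"s3cr3t", username="guest", password="pw-test"):
    """Offline check of the exchange: client builds, server decodes and replies, client verifies."""
    req, req_auth = build_access_request(7, secret, username, password, "192.168.20.1")  # assumed NAS-IP
    code, _, auth, attrs = parse_packet(req)
    server_sees = reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth)
    verdict = ACCESS_ACCEPT if server_sees == password.encode() else ACCESS_REJECT
    reply = build_response(verdict, req, secret)
    return code, server_sees, verify_response(reply, req_auth, secret), reply[0]


if __name__ == "__main__":
    print(demo_roundtrip())
    # From a PC behind the ER605 (assumed credentials; the server needs a client entry for the source):
    # print(probe("192.168.10.5", b"s3cr3t", "guest", "pw-test", "192.168.20.1"))
```

Run `probe()` from the PC while capturing UDP/1812 on the server. A reply of any kind from the PC, combined with zero packets from the router's address in the capture, confirms the thread's diagnosis that the router's own traffic never enters the tunnel; a "bad response authenticator" result instead points at a shared-secret mismatch, and a timeout from a PC that can ping the server usually means the source address is not a configured RADIUS client.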