<div dir="ltr"><div>Hi Noel,<br><br></div><div>Thanks for replying.<br><br></div><div>The first two suggestions didn't provide anything useful, but the last one was on the spot!<br><br></div><div>I've changed the MTU from the default 1500 to 1100 (I've experimented with several other values, but ended up picking this one), and the network problems seem to have disappeared! Thank you very much!! I was getting crazy with this :)<br><br></div><div>Regards!<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 6, 2015 at 4:51 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
Hello André,<br>
<br>
</span>Check the counters in "ipsec statusall" to see if charon gets any packets from the other peer.<br>
Also, check the firewall settings in iptables. Also, an MTU problem can be the cause of the problems.<br>
<span class=""><br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span><span class="">On 04.05.2015 at 20:11, André Pinto wrote:<br>
> Any idea on what I can try to do to identify the root cause of the problem?<br>
><br>
> Thanks.<br>
><br>
</span><span class="">> On Sat, May 2, 2015 at 11:23 AM, André Pinto <<a href="mailto:andredasilvapinto@gmail.com">andredasilvapinto@gmail.com</a>> wrote:<br>
><br>
> Hi Noel,<br>
><br>
> Thanks for replying.<br>
><br>
> I haven't tried it before, but (I think) I've just tried now and it didn't work (I got the same connectivity problems).<br>
><br>
> I've edited /etc/strongswan.d/charon.conf by setting:<br>
> cisco_unity = yes<br>
><br>
> and I've confirmed I've /etc/strongswan.d/charon/unity.conf being loaded.<br>
><br>
> Then I've run the charon-cmd above and the result was the same. I'm not sure if charon-cmd reads charon.conf or not though. Is there a way to check which plugins are being loaded by charon-cmd?<br>
><br>
> Thanks,<br>
> André.<br>
><br>
</span><span class="">> On Sat, May 2, 2015 at 10:54 AM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> Hello André,<br>
><br>
> Did you try using the UNITY plugin?<br>
><br>
> Mit freundlichen Grüßen/Kind Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
> On 02.05.2015 at 10:45, André Pinto wrote:<br>
> > Hi<br>
><br>
> > I'm trying to connect to my employer's office network from my home using Strongswan's VPN client.<br>
><br>
> > I'm using 2 factor authentication with pre-shared key and I'm running this command in order to connect to the network:<br>
><br>
> > charon-cmd --debug 0 --identity $USERNAME --xauth-username $USERNAME --host $RIGHT_IP --profile ikev1-xauth-psk-am --esp-proposal aes256-sha1 --ah-proposal aes256-sha1 --ike-proposal aes256-sha1-modp1024<br>
><br>
> > with the following network configuration:<br>
><br>
><br>
> > <br>
><br>
> > With these software versions:<br>
> > Distro: Debian Jessie ( Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) )<br>
> > Strongswan: 5.2.1<br>
><br>
> > Even though I successfully establish the VPN connection:<br>
><br>
> > 14[IKE] IKE_SA cmd[1] established between $LOCAL_IP[$USERNAME]...$RIGHT_IP[$RIGHT_IP]<br>
</span>> > 08[IKE] CHILD_SA cmd{1} established with SPIs $X and TS $Y/32 === 0.0.0.0/0<br>
<span class="">><br>
> > I'm not able to open any kind of website (be it inside the office network or the public web) either via WiFi or Ethernet cable. curl just waits forever but traceroute works and mtr doesn't show any package lost.<br>
><br>
> > When I connect my laptop directly to the Inteno XG6749 switch (managed by the ISP, I don't have any kind of admin access to it), everything works as expected.<br>
><br>
> > I've confirmed that IPSec passthrough is enabled on the TP-Link TL-WR841ND, I've updated the vendor's firmware, tried DD-WRT, tried a different router (Technicolor TG799vn v2) but the result is always the same.<br>
><br>
> > Besides that, if I use one of the subregions VPN hosts from my company instead of the generic alias they provide for the VPN access, I'm able to access most of the Internet and a considerable part of the company's private network. However, accessing some sites, for example, Gmail takes forever (I have to fall back to the HTML only version to open it, otherwise it gets stuck in the loading bar), and some other internal resources have the same problem. It kind of "feels" like the connection is losing packets even though mtr doesn't say so.<br>
><br>
> > Accessing the company's VPN from other networks (e.g. in my previous apartment and at the office Guest's network) also works properly.<br>
><br>
> > I've already tried to identify the problem by using several tools but I don't really know how Strongswan works that well, so I was unable to get anything useful from that.<br>
><br>
> > Do you know what might be causing this strange problem? Is there anything I can do to identify the root cause of the problem or to fix it? I'm completely out of ideas here.<br>
><br>
> > Thanks in advance,<br>
> > André.<br>
><br>
><br>
> > _______________________________________________<br>
> > Users mailing list<br>
</span>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<span class="">> > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
><br>
><br>
<br>
</span>
<br>
</blockquote></div><br></div>
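<div>The MTU fix reported in this thread can be checked with arithmetic instead of trial and error. The following is an added example, not code from any poster or from strongSwan: it computes how large an ESP tunnel-mode packet becomes for the thread's aes256-sha1 ESP proposal, and the largest inner packet that fits a given path MTU. It assumes IPv4, AES-CBC with HMAC-SHA1-96, and optional NAT-T UDP encapsulation; the path MTU values are constructed samples.</div>

```python
# Added example, not from the thread: ESP tunnel-mode size arithmetic.
# Assumed: IPv4, AES-CBC + HMAC-SHA1-96 (strongSwan "aes256-sha1"),
# NAT-T UDP encapsulation optional. Path MTU values are constructed.

OUTER_IPV4 = 20    # outer IPv4 header without options
NATT_UDP = 8       # UDP header added by NAT traversal
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # per-packet initialization vector
AES_BLOCK = 16     # CBC plaintext must be a multiple of this
ESP_TRAILER = 2    # pad-length byte + next-header byte
SHA1_96_ICV = 12   # truncated HMAC-SHA1 integrity check value


def fixed_overhead(nat_t=True):
    """Bytes added to every packet regardless of payload size."""
    natt = NATT_UDP if nat_t else 0
    return OUTER_IPV4 + natt + ESP_HEADER + AES_CBC_IV + SHA1_96_ICV


def outer_size(inner_len, nat_t=True):
    """On-the-wire size of the ESP packet carrying one inner IP packet."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK   # round up to a block
    return fixed_overhead(nat_t) + padded


def max_inner(path_mtu, nat_t=True):
    """Largest inner packet that fits path_mtu without outer fragmentation."""
    room = path_mtu - fixed_overhead(nat_t)
    if room < AES_BLOCK:
        raise ValueError("path MTU too small for a single ESP block")
    return (room // AES_BLOCK) * AES_BLOCK - ESP_TRAILER


def survives(inner_len, path_mtu, nat_t=True):
    """True if the encapsulated packet fits the path in one piece."""
    return outer_size(inner_len, nat_t) <= path_mtu


if __name__ == "__main__":
    for mtu in (1500, 1492, 1400):            # constructed path MTUs
        print(f"path MTU {mtu}: inner MTU <= {max_inner(mtu)} (NAT-T), "
              f"{max_inner(mtu, nat_t=False)} (plain ESP)")
    for inner in (64, 1100, 1500):            # probe, tuned MTU, default MTU
        print(f"inner {inner:4d} -> outer {outer_size(inner):4d}, "
              f"fits 1500: {survives(inner, 1500)}")
```

<div>Small probe packets stay well under the path MTU after encapsulation, while a full 1500-byte inner packet grows past it, so the tunnel interface MTU or TCP MSS has to be at or below the computed inner value.</div>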