<html><head></head><body lang="en-GB" style="background-color: rgb(255, 255, 255); line-height: initial;"><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">It is possibly an MTU issue. Usually, when you use a tunnel with StrongSwan VPN, your MTU for the inner packet is less than 1500. When your client device tries to send a large-MTU packet, if your server cannot accept ICMP fragmentation-needed messages then that large packet is simply discarded. Also, if the server that hosts the website blocks ICMP fragmentation-needed, the same thing happens. OpenVPN supports fragmenting large-MTU inner tunnel packets and transmitting them as normal encrypted packets over the internet (but it is terribly insecure, open to MITM attacks).</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">Recommended to use:</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><span style="background-color: rgba(27, 31, 35, 0.0470588); color: rgb(36, 41, 46); font-family: SFMono-Regular, Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 18px; line-height: 17px;">iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</span></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div>
                                                                                                                                                                      <div style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">On VPN server. It will help resolving those issues, also I recommend allowing RELATED,ESTABLISHED state packets both as INPUT and FORWARD chains in your server firewall, so they allow icmp fragmentation-needed messages.<br><br></div><div style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">Anvar Kuchkartaev <br>anvar@aegissec.net</div>                                                                                                                                                                                  <table width="100%" style="background-color:white;border-spacing:0px;"> <tbody><tr><td colspan="2" style="font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);">                           <div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', 'Slate Pro'; font-size: 10pt;">  <div><b>From: </b>Ahammerl</div><div><b>Sent: </b>Saturday, 21 July 2018 08:31</div><div><b>To: </b>users@lists.strongswan.org</div><div><b>Subject: </b>[strongSwan] Troubles with some websites depending on ISP via     Strongswan VPN</div></div></td></tr></tbody></table><div style="border-style: solid none none; border-top-color: rgb(186, 188, 209); border-top-width: 1pt; font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"></div><br><div id="_originalContent" style=""><div dir="ltr"><div class="gmail-linestyle1 gmail-colourline" style="font-family:Consolas,"Lucida 
Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>Hi, </span></div><div class="gmail-linestyle1 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span><br></span></div><div class="gmail-linestyle1 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>Connecting via <span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Strongswan</span> VPN, using XAuth PSK, I have troubles visiting some websites (which don't seem to be blocking any IP in general). Could there be an issue with the route containing virtual host hops which are not available with all ISPs?</span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span><br></span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>In my test, I connect one time to the VPN with telekom ISP, another time with a regional ISP. both connect well without problems and can visit most websites incl. google, <a href="http://whatsmyip.com">whatsmyip.com</a> etc. 
properly, which confirms the VPN IP with success.</span></div><div class="gmail-linestyle1 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>However, trying to visit e.g.<span> </span><a href="http://www.ip8.com/" target="_blank" rel="noopener">www.ip8.com</a>, the 2nd connection is failing.</span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span><br></span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>For comparison, with OpenVPN on the same server, it's working with both ISPs OK, visiting <a href="http://ip8.com">ip8.com</a> without troubles. With <span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Strongswan</span> VPN as alternative, it fails to connect with the 2nd.</span></div><div class="gmail-linestyle1 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial">Next, I compared the route with traceroute and mtr via <span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Strongswan</span> VPN. This looks OK and it's the same route as I have when trying to connect from the VPN server itself to the website.    
</div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span class="gmail-timestamp" style="display:inline"><br></span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span class="gmail-timestamp" style="display:inline">I</span><span>s there a known issue or do you have a hint how to resolve this by configuration changes, if possible..?</span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span><br></span></div><div class="gmail-linestyle2 gmail-colourline" style="font-family:Consolas,"Lucida Console",monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial"><span>Thank you!</span></div></div>
<br><!--end of _originalContent --></div></body></html>