[strongSwan] Strange behaviour while behind router

André Pinto andredasilvapinto at gmail.com
Sat May 2 10:45:11 CEST 2015


Hi

I'm trying to connect to my employer's office network from my home using
Strongswan's VPN client.

I'm using two-factor authentication with a pre-shared key and I'm running this
command in order to connect to the network:

charon-cmd --debug 0 --identity $USERNAME --xauth-username $USERNAME --host
$RIGHT_IP --profile ikev1-xauth-psk-am --esp-proposal aes256-sha1
--ah-proposal aes256-sha1 --ike-proposal aes256-sha1-modp1024

with the following network configuration:

[network diagram: attached image network.png, not reproduced here]
With these software versions:
Distro: Debian Jessie ( Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) )
Strongswan: 5.2.1

Even though I successfully establish the VPN connection:

14[IKE] IKE_SA cmd[1] established between
$LOCAL_IP[$USERNAME]...$RIGHT_IP[$RIGHT_IP]
08[IKE] CHILD_SA cmd{1} established with SPIs $X and TS $Y/32 === 0.0.0.0/0

I'm not able to open any kind of website (be it inside the office
network or on the public web) either via WiFi or Ethernet cable. curl just
waits forever, but traceroute works and mtr doesn't show any packet loss.

When I connect my laptop directly to the Inteno XG6749 switch (managed by
the ISP, I don't have any kind of admin access to it), everything works as
expected.

I've confirmed that IPSec passthrough is enabled on the TP-Link TL-WR841ND,
I've updated the vendor's firmware, tried DD-WRT, tried a different router
(Technicolor TG799vn v2) but the result is always the same.

Besides that, if I use one of the subregion VPN hosts from my company
instead of the generic alias they provide for the VPN access, I'm able to
access most of the Internet and a considerable part of the company's
private network. However, accessing some sites, for example Gmail, takes
forever (I have to fall back to the HTML-only version to open it, otherwise
it gets stuck in the loading bar), and some other internal resources have
the same problem. It kind of "feels" like the connection is losing packets
even though mtr doesn't say so.

Accessing the company's VPN from other networks (e.g. in my previous
apartment and on the office Guest network) also works properly.

I've already tried to identify the problem by using several tools but I
don't really know how Strongswan works that well, so I was unable to get
anything useful from that.

Do you know what might be causing this strange problem? Is there anything
I can do to identify the root cause of the problem or to fix it? I'm
completely out of ideas here.

Thanks in advance,
André.
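The symptom pattern above (IKE_SA and CHILD_SA established, traceroute and mtr clean, but TCP sessions such as curl hang once the tunnel runs through a consumer NAT router) is one that a practitioner would first test for a path-MTU black hole: ESP encapsulated in UDP for NAT traversal shrinks the usable inner MTU, and if the "fragmentation needed" ICMP messages never reach the client, large TCP segments are silently dropped while small ICMP probes sail through. The script below is an added diagnostic example written for this reply, not code from the original post or from the strongSwan project. It assumes Linux iputils `ping` (the `-M do` flag sets DF) and assumes the classic AES-CBC/HMAC-SHA1 ESP layout from the poster's proposals when estimating the encapsulation overhead; the host names and sizes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): find the largest ICMP payload that
# crosses a path with DF set, to spot a path-MTU black hole on a VPN link where
# ICMP works but TCP stalls.

# Worst-case overhead of ESP inside NAT-T UDP over IPv4, assuming the poster's
# aes256-sha1 proposal (AES-CBC 16-byte IV, HMAC-SHA1-96 ICV):
#   20 outer IPv4 + 8 UDP/4500 + 4 SPI + 4 sequence + 16 IV
#   + up to 15 padding + 2 (pad length, next header) + 12 ICV = 81 bytes.
# Assumed figures; check the negotiated SA on your own system.
esp_natt_overhead() {
    echo $((20 + 8 + 4 + 4 + 16 + 15 + 2 + 12))
}

# Default probe: one ICMP echo with DF set and the given payload size.
# $1 = host, $2 = payload bytes. Linux iputils syntax (assumed).
ping_probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}
# MTU_PROBE may be overridden with another probe function (used by the test).
MTU_PROBE=${MTU_PROBE:-ping_probe}

# Binary-search the largest payload in [lo, hi] that the probe accepts.
# Prints the size; prints 0 if even the smallest size fails.
find_max_payload() {
    host=$1; lo=$2; hi=$3
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$MTU_PROBE" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# Usage: sh mtu_probe.sh <host reachable through the VPN>
# Run once with the tunnel up and once with it down, and compare. 1472 is the
# largest ICMP payload that fits a 1500-byte Ethernet frame (28 bytes of
# IP + ICMP headers); the script prints the resulting on-the-wire packet size.
if [ -n "$1" ]; then
    max=$(find_max_payload "$1" 0 1472)
    echo "largest DF payload to $1: $max bytes (packet size $((max + 28)))"
    echo "estimated inner MTU behind ESP/NAT-T: $((1500 - $(esp_natt_overhead))) bytes"
fi
```

If the tunnel-up result is well below the tunnel-down one and a ping at a larger size simply times out instead of returning "message too long" or a local MTU error, the path is black-holing large packets. The usual mitigation on the client side is to clamp the TCP MSS on the tunnel traffic (for example with the `iptables` `TCPMSS` target and `--clamp-mss-to-pmtu`) or to lower the MTU of the interface carrying the tunnel, so that TCP never produces segments larger than what survives the ESP/NAT-T encapsulation.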