[strongSwan] Strange behaviour while behind router

André Pinto andredasilvapinto at gmail.com
Sat May 2 11:23:50 CEST 2015


Hi Noel,

Thanks for replying.

I haven't tried it before, but (I think) I've just tried now and it didn't
work (I got the same connectivity problems).

I've edited /etc/strongswan.d/charon.conf by setting:
cisco_unity = yes

and I've confirmed that /etc/strongswan.d/charon/unity.conf is being loaded.

Then I ran the charon-cmd above and the result was the same. I'm not
sure if charon-cmd reads charon.conf or not though. Is there a way to check
which plugins are being loaded by charon-cmd?

Thanks,
André.

On Sat, May 2, 2015 at 10:54 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello André,
>
> Did you try using the UNITY plugin?
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 02.05.2015 at 10:45, André Pinto wrote:
> > Hi
> >
> > I'm trying to connect to my employer's office network from my home
> > using Strongswan's VPN client.
> >
> > I'm using 2 factor authentication with pre-shared key and I'm running
> > this command in order to connect to the network:
> >
> > charon-cmd --debug 0 --identity $USERNAME --xauth-username $USERNAME --host $RIGHT_IP --profile ikev1-xauth-psk-am --esp-proposal aes256-sha1 --ah-proposal aes256-sha1 --ike-proposal aes256-sha1-modp1024
> >
> > with the following network configuration:
> >
> > With these software versions:
> > Distro: Debian Jessie ( Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) )
> > Strongswan: 5.2.1
> >
> > Even though I successfully establish the VPN connection:
> >
> > 14[IKE] IKE_SA cmd[1] established between $LOCAL_IP[$USERNAME]...$RIGHT_IP[$RIGHT_IP]
> > 08[IKE] CHILD_SA cmd{1} established with SPIs $X and TS $Y/32 === 0.0.0.0/0
> >
> > I'm not able to open any kind of website (be it inside the office
> > network or the public web) either via WiFi or Ethernet cable. curl just
> > waits forever but traceroute works and mtr doesn't show any packets lost.
> >
> > When I connect my laptop directly to the Inteno XG6749 switch (managed
> > by the ISP, I don't have any kind of admin access to it), everything
> > works as expected.
> >
> > I've confirmed that IPSec passthrough is enabled on the TP-Link
> > TL-WR841ND, I've updated the vendor's firmware, tried DD-WRT, tried a
> > different router (Technicolor TG799vn v2) but the result is always the
> > same.
> >
> > Besides that, if I use one of the subregions VPN hosts from my company
> > instead of the generic alias they provide for the VPN access, I'm able
> > to access most of the Internet and a considerable part of the company's
> > private network. However, accessing some sites, for example, Gmail takes
> > forever (I have to fall back to the HTML only version to open it,
> > otherwise it gets stuck in the loading bar), and some other internal
> > resources have the same problem. It kind of "feels" like the connection
> > is losing packets even though mtr doesn't say so.
> >
> > Accessing the company's VPN from other networks (e.g. in my previous
> > apartment and at the office Guest's network) also works properly.
> >
> > I've already tried to identify the problem by using several tools but I
> > don't really know how Strongswan works that well, so I was unable to get
> > anything useful from that.
> >
> > Do you know what might be causing this strange problem? Is there
> > anything I can do to identify the root cause of the problem or to fix
> > it? I'm completely out of ideas here.
> >
> > Thanks in advance,
> > André.