[strongSwan] Strange behaviour while behind router

André Pinto andredasilvapinto at gmail.com
Mon May 4 20:11:13 CEST 2015


Any idea on what I can try to do to identify the root cause of the problem?

Thanks.

On Sat, May 2, 2015 at 11:23 AM, André Pinto <andredasilvapinto at gmail.com>
wrote:

> Hi Noel,
>
> Thanks for replying.
>
> I haven't tried it before, but (I think) I've just tried now and it didn't
> work (I got the same connectivity problems).
>
> I've edited /etc/strongswan.d/charon.conf by setting:
> cisco_unity = yes
>
> and I've confirmed I've /etc/strongswan.d/charon/unity.conf being loaded.
>
> Then I've run the charon-cmd above and the result was the same. I'm not
> sure if charon-cmd reads charon.conf or not though. Is there a way to check
> which plugins are being loaded by charon-cmd?
>
> Thanks,
> André.
>
> On Sat, May 2, 2015 at 10:54 AM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>> Hello André,
>>
>> Did you try using the UNITY plugin?
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 02.05.2015 um 10:45 schrieb André Pinto:
>> > Hi
>> >
>> > I'm trying to connect to my employer's office network from my home
>> using Strongswan's VPN client.
>> >
>> > I'm using 2 factor authentication with pre-shared key and I'm running
>> this command in order to connect to the network:
>> >
>> > charon-cmd --debug 0 --identity $USERNAME --xauth-username $USERNAME
>> --host $RIGHT_IP --profile ikev1-xauth-psk-am --esp-proposal aes256-sha1
>> --ah-proposal aes256-sha1 --ike-proposal aes256-sha1-modp1024
>> >
>> > with the following network configuration:
>> >
>> >
>> > With these software versions:
>> > Distro: Debian Jessie ( Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) )
>> > Strongswan: 5.2.1
>> >
>> > Even though I successfully establish the VPN connection:
>> >
>> > 14[IKE] IKE_SA cmd[1] established between
>> $LOCAL_IP[$USERNAME]...$RIGHT_IP[$RIGHT_IP]
>> > 08[IKE] CHILD_SA cmd{1} established with SPIs $X and TS $Y/32 ===
>> 0.0.0.0/0
>> >
>> > I'm not able to open any kind of website (be it inside the office
>> network or the public web) either via WiFi or Ethernet cable. curl just
>> waits forever but traceroute works and mtr doesn't show any packet loss.
>> >
>> > When I connect my laptop directly to the Inteno XG6749 switch (managed
>> by the ISP, I don't have any kind of admin access to it), everything works
>> as expected.
>> >
>> > I've confirmed that IPSec passthrough is enabled on the TP-Link
>> TL-WR841ND, I've updated the vendor's firmware, tried DD-WRT, tried a
>> different router (Technicolor TG799vn v2) but the result is always the same.
>> >
>> > Besides that, if I use one of the subregions VPN hosts from my company
>> instead of the generic alias they provide for the VPN access, I'm able to
>> access most of the Internet and a considerable part of the company's
>> private network. However, accessing some sites, for example, Gmail takes
>> forever (I have to fall back to the HTML only version to open it, otherwise
>> it gets stuck in the loading bar), and some other internal resources have
>> the same problem. It kind of "feels" like the connection is losing packets
>> even though mtr doesn't say so.
>> >
>> > Accessing the company's VPN from other networks (e.g. in my previous
>> apartment and at the office Guest's network) also works properly.
>> >
>> > I've already tried to identify the problem by using several tools but I
>> don't really know how Strongswan works that well, so I was unable to get
>> anything useful from that.
>> >
>> > Do you know what might be causing this strange problem? Is there
>> anything I can do to identify the root cause of the problem or to fix it? I'm
>> completely out of ideas here.
>> >
>> > Thanks in advance,
>> > André.
>> >
>>
>>
>>
>