[strongSwan] Troubles with some websites depending on ISP via Strongswan VPN

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jul 24 12:03:54 CEST 2018


Hello,

Where do you have the information from that this[1] was true?

Kind regards

Noel

[1] "In OpenVPN, it supports to fragment large MTU inner tunnel packets and transmit them as normal encrypted packets over internet (but it is terribly insecure, open to MITM attacks)."

On 21.07.2018 15:23, Anvar Kuchkartaev wrote:
> It is possible MTU issue, usually when you use tunnel with StrongSwan VPN, your MTU for inner packet is less than 1500. When your client device tries to send large MTU package, if your server cannot accept icmp fragmentation-needed messages then that large packet simply discarded. Also if server that hosts website blocks icmp fragmentation-needed, same thing happens. In OpenVPN, it supports to fragment large MTU inner tunnel packets and transmit them as normal encrypted packets over internet (but it is terribly insecure, open to MITM attacks).
> Recommended to use:
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> On VPN server. It will help resolving those issues, also I recommend allowing RELATED,ESTABLISHED state packets both as INPUT and FORWARD chains in your server firewall, so they allow icmp fragmentation-needed messages.
>
> Anvar Kuchkartaev 
> anvar at aegissec.net
> *From: *Ahammerl
> *Sent: *Saturday, 21 July 2018 08:31
> *To: *users at lists.strongswan.org
> *Subject: *[strongSwan] Troubles with some websites depending on ISP via Strongswan VPN
>
>
> Hi, 
>
> Connecting via Strongswan VPN, using XAuth PSK, I have troubles visiting some websites (which don't seem to be blocking any IP in general). Could there be an issue with the route containing virtual host hops which are not available with all ISPs?
>
> In my test, I connect one time to the VPN with telekom ISP, another time with a regional ISP. both connect well without problems and can visit most websites incl. google, whatsmyip.com etc. properly, which confirms the VPN IP with success.
> However, trying to visit e.g. www.ip8.com, the 2nd connection is failing.
>
> For comparison, with OpenVPN on the same server, it's working with both ISPs OK, visiting ip8.com without troubles. With Strongswan VPN as alternative, it fails to connect with the 2nd.
> Next, I compared the route with traceroute and mtr via Strongswan VPN. This looks OK and it's the same route as I have when trying to connect from the VPN server itself to the website.
>
> Is there a known issue or do you have a hint how to resolve this by configuration changes, if possible..?
>
> Thank you!
>
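The MSS clamping Anvar recommends above acts on the TCP SYN rather than on the tunnel: it lowers the advertised MSS so neither end ever sends a segment that would exceed the tunnel MTU once ESP encapsulation is added, which removes the dependency on ICMP fragmentation-needed messages getting through. The following Python script is an added illustration of that rewrite; it is not strongSwan, netfilter or list code. It builds a constructed IPv4/TCP SYN advertising MSS 1460, clamps it for an assumed tunnel path MTU of 1400 the way `TCPMSS --clamp-mss-to-pmtu` does (MSS = PMTU minus the 40 bytes of base IPv4 and TCP headers), and recomputes the TCP checksum so the packet stays valid. Addresses, ports, sequence number and the MTU are assumed sample values.

```python
"""Illustration of what `iptables -j TCPMSS --clamp-mss-to-pmtu` does to a SYN.

Example code added for this thread, not strongSwan or netfilter code.  All
addresses, ports and the 1400-byte tunnel MTU below are constructed values.
"""
import struct
from ipaddress import IPv4Address

IP_HDR_LEN = 20          # base IPv4 header, no options
TCP_HDR_LEN = 20         # base TCP header, no options
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_SYN = 0x02
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN carrying a single MSS option (sample packet)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    opts = bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", mss)
    data_offset = (TCP_HDR_LEN + len(opts)) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, TCP_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     1, 0x4000, 64, IPPROTO_TCP, 0, src, dst)   # DF set, like a PMTUD host
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _mss_value_offset(packet: bytes):
    """Return the absolute offset of the 2-byte MSS value in a TCP SYN, or None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP or not packet[ihl + 13] & TCP_SYN:
        return None
    end = ihl + (packet[ihl + 12] >> 4) * 4               # end of TCP header incl. options
    i = ihl + TCP_HDR_LEN
    while i < end:
        kind = packet[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            break
        length = packet[i + 1]
        if length < 2 or i + length > end:                # malformed option: stop, don't touch
            break
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    """Advertised MSS of a SYN, or None when absent / not a SYN."""
    off = _mss_value_offset(packet)
    return None if off is None else struct.unpack("!H", packet[off:off + 2])[0]


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Rewrite the MSS option so it fits pmtu minus base IPv4+TCP headers (40 bytes).

    Mirrors the arithmetic of netfilter's TCPMSS --clamp-mss-to-pmtu; packets
    without an MSS option, or already small enough, are returned unchanged.
    """
    off = _mss_value_offset(packet)
    if off is None:
        return packet
    max_mss = pmtu - IP_HDR_LEN - TCP_HDR_LEN
    if struct.unpack("!H", packet[off:off + 2])[0] <= max_mss:
        return packet
    pkt = bytearray(packet)
    pkt[off:off + 2] = struct.pack("!H", max_mss)
    ihl = (pkt[0] & 0x0F) * 4
    csum = tcp_checksum(bytes(pkt[12:16]), bytes(pkt[16:20]), bytes(pkt[ihl:]))
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", csum)      # TCP checksum covers the option
    return bytes(pkt)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum in the packet matches a recomputation."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    return tcp_checksum(packet[12:16], packet[16:20], seg) == struct.unpack("!H", seg[16:18])[0]


if __name__ == "__main__":
    TUNNEL_PMTU = 1400                                    # assumed inner-tunnel path MTU
    syn = build_syn("10.1.0.2", "203.0.113.10", 40000, 443, 1460)
    clamped = clamp_mss_to_pmtu(syn, TUNNEL_PMTU)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

Running it shows the SYN going from MSS 1460 to 1360 with a valid checksum. Note that the rule only touches TCP: UDP and ICMP flows inside the tunnel still rely on path MTU discovery, which is why also accepting RELATED,ESTABLISHED traffic in INPUT and FORWARD, so that fragmentation-needed errors are not dropped, matters alongside the clamp.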
