Discussion:
[strongSwan] Troubles with some websites depending on ISP via Strongswan VPN
Ahammerl
2018-07-20 15:51:40 UTC
Hi,

Connecting via Strongswan VPN, using XAuth PSK, I have trouble visiting
some websites (which don't seem to be blocking any IP in general). Could
there be an issue with the route containing virtual host hops which are not
available with all ISPs?

In my test, I connect one time to the VPN with Telekom ISP, another time
with a regional ISP. Both connect well without problems and can visit most
websites incl. google, whatsmyip.com etc. properly, which confirms the VPN
IP with success.
However, trying to visit e.g. www.ip8.com, the 2nd connection is failing.

For comparison, with OpenVPN on the same server, it's working with both
ISPs OK, visiting ip8.com without troubles. With Strongswan VPN as
alternative, it fails to connect with the 2nd.
Next, I compared the route with traceroute and mtr via Strongswan VPN. This
looks OK and it's the same route as I have when trying to connect from the
VPN server itself to the website.

Is there a known issue or do you have a hint how to resolve this by
configuration changes, if possible..?

Thank you!
Kevin Olbrich
2018-07-21 07:06:59 UTC
Sounds like MTU problems... We had to set PMTU on our gateways to help with
the process.

https://www.linuxtopia.org/Linux_Firewall_iptables/x4700.html

Feedback is welcome, interested if this could be the problem.

Kevin
Ahammerl
2018-07-21 09:08:22 UTC
Hi,

Connecting via Strongswan VPN, using XAuth PSK, I have trouble visiting
some websites (which don't seem to be blocking any IP in general). Could
there be an issue with the route containing virtual host hops which are not
available with all ISPs?

In my test, I connect one time to the VPN with Telekom ISP, another time
with a regional ISP. Both connect well without problems and can visit most
websites incl. google, whatsmyip.com etc. properly, which confirms the VPN
IP with success.
However, trying to visit e.g. www.ip8.com, the 2nd connection is failing.

For comparison, with OpenVPN on the same server, it's working with both
ISPs OK, visiting ip8.com without troubles. With Strongswan VPN as
alternative, it fails to connect with the 2nd.
Next, I compared the route with traceroute and mtr via Strongswan VPN. This
looks OK and it's the same route as I have when trying to connect from the
VPN server itself to the website.

Is there a known issue or do you have a hint how to resolve this by
configuration changes, if possible..?

Thank you!
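
If the MTU explanation in Kevin Olbrich's reply applies, a common gateway-side measure is to clamp the TCP MSS of tunnelled connections with the iptables TCPMSS target. The script below is an added example, not part of the thread: it estimates the MSS for an IPv4 ESP tunnel and prints the rules without applying them. The cipher parameters, the 1492-byte uplink and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): size the TCP MSS for an IPv4 ESP
# tunnel and print matching iptables TCPMSS rules. Nothing is applied.

# esp_inner_mtu LINK_MTU IV_LEN BLOCK_LEN ICV_LEN NATT
#   NATT is 1 when ESP is wrapped in UDP/4500 (NAT traversal), else 0.
esp_inner_mtu() {
    # Outer IPv4 header (20) + ESP SPI/sequence (8) + IV + ICV,
    # plus a UDP header (8) when NAT-T is active.
    fixed=$((20 + 8 + $2 + $4 + $5 * 8))
    # The encrypted part (inner packet + padding + 2-byte ESP trailer)
    # must be a multiple of the cipher block size.
    room=$(( ($1 - fixed) / $3 * $3 ))
    echo $((room - 2))
}

# tcp_mss INNER_MTU: subtract inner IPv4 (20) and TCP (20) headers.
tcp_mss() {
    echo $(($1 - 40))
}

# mss_rules MSS: print rules that rewrite the MSS option in SYN packets
# forwarded into or out of an IPsec policy.
mss_rules() {
    for dir in in out; do
        echo "iptables -t mangle -A FORWARD -m policy --pol ipsec --dir $dir" \
             "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
    done
}

# Constructed case: 1492-byte PPPoE uplink, AES-CBC (IV 16, block 16),
# HMAC-SHA1-96 (ICV 12), NAT-T enabled. These values are assumptions.
inner=$(esp_inner_mtu 1492 16 16 12 1)
mss_rules "$(tcp_mss "$inner")"
```

Replace the constructed parameters with the values of the negotiated ESP proposal and the real uplink MTU before using the printed rules.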
