You are not logged in.
- Topics: Active | Unanswered
#1 2019-03-01 20:37:39
- iMeee
- Member
- Registered: 2013-01-19
- Posts: 10
[SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Hi there !
There is a problem that I can't solve.
When I have my Strongswan IKEv2 VPN tunnel up on my Arch laptop, I can't browse on some destinations like Ubiquiti website (ui.com).
The rightsubnet of my tunnel is 0.0.0.0/0, so everything goes by my tunnel.
alexandre@bob ~> curl https://ui.com -v
* Trying 52.89.117.13...
* TCP_NODELAY set
* Connected to ui.com (52.89.117.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):- same destination but with HTTP or echo ICMP : works
- without VPN : works
- same VPN server and config on different devices : works
- iptables policy accept everywhere
- default sysctl configuration
- I can see my destination responding with tcpdump
Some sites will work, but some won't.
I'm really lost here ...
Any idea ?
Thanks !
Last edited by iMeee (2019-03-02 18:04:57)
Offline
#2 2019-03-01 20:56:05
- bugsmanagement
- Member
- Registered: 2017-04-21
- Posts: 201
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Hello there,
Is that VPN you connecting to is your default route?
Regards
Offline
#3 2019-03-01 21:41:36
- iMeee
- Member
- Registered: 2013-01-19
- Posts: 10
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Hello there,
Is that VPN you connecting to is your default route?
Regards
Yes kind of. It's policy based routing.
Here is my config (/etc/ipsec.conf) :
conn %default
ike=aes128gcm16-prfsha256-modp2048,aes256-sha384-modp1024!
esp=aes128gcm16-prfsha256-modp2048,aes256-sha1!
compress=no
conn vpn
auto=add
left=%defaultroute
leftauth=eap-mschapv2
leftsourceip=%config4
eap_identity=alexandre
right=XXX.XXX.XXX.XXX
rightsubnet=0.0.0.0/0
rightid=mydomain.tldI've also tested with networkmanager-strongswan and Gnome Shell GUI. Same behavior.
Other than HTTPS with few destinations on my Arch laptop, I can't find something else that doesn't work thru my tunnel.
Last edited by iMeee (2019-03-01 21:45:13)
Offline
#4 2019-03-01 21:56:32
- bugsmanagement
- Member
- Registered: 2017-04-21
- Posts: 201
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Hey,
I haven't had chance to experiment with IPSec, I wanted to deploy a site-to-site, but haven't gotten around to it. Policy based routing from I understand, set a policy for a client.
When you can't browse a some sites, what does wireshark tells you? What kind information does the browse tells you? Can't connect or Can't find the site?
Regards,
Offline
#5 2019-03-01 22:12:56
- seth
- Member
- Registered: 2012-09-03
- Posts: 51,213
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Does this work?
curl -v --tls-max 1.2 https://ui.comOffline
#6 2019-03-02 08:44:34
- iMeee
- Member
- Registered: 2013-01-19
- Posts: 10
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Hey,
I haven't had chance to experiment with IPSec, I wanted to deploy a site-to-site, but haven't gotten around to it. Policy based routing from I understand, set a policy for a client.
When you can't browse a some sites, what does wireshark tells you? What kind information does the browse tells you? Can't connect or Can't find the site?
Regards,
It tells me exactly the same information as working websites ... I can see packets coming out and especially in, which make my issue weird.
Browsers tells me that they cannot establish a connection. cURL won't go any further that : * TLSv1.3 (OUT), TLS handshake, Client hello (1):
Does this work?
curl -v --tls-max 1.2 https://ui.com
Unfortunately no, same behavior
Offline
#7 2019-03-02 12:51:29
- iMeee
- Member
- Registered: 2013-01-19
- Posts: 10
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
I find the issue !
It was related to MTU.
alexandre@bob ~> sudo ip link set dev wlp3s0 mtu 1438alexandre@bob ~> curl -v https://ui.com
* Trying 54.187.71.88...
* TCP_NODELAY set
* Connected to ui.com (54.187.71.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256It's actually written why here : https://wiki.strongswan.org/projects/st … MSS-issues
Last edited by iMeee (2019-03-02 18:06:38)
Offline
#8 2019-03-07 20:23:24
- matthew.levi12
- Member
- Registered: 2018-04-08
- Posts: 3
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
To be honest I'm from Fedora ecosystem, but just came here to say thanks to @iMeee. His solution worked for me. It was all about lowering down "MTU" - maximum transmission unit.
I'm not a networking guy either, and I'm not sure what did exactly. But it worked for me:
Going to the connection settings (not on terminal as suggested, but GUI itself) and set MTU to 1000. It was by default as "automatic".
As I said, not sure why 1000 (or possibly 1200, 1300, 1400), but it's working now.
Image link: https://i.ibb.co/br7p6sb/Screenshot-fro … -19-48.png
Last edited by matthew.levi12 (2019-03-11 21:11:38)
Offline
#9 2019-03-07 20:39:38
- seth
- Member
- Registered: 2012-09-03
- Posts: 51,213
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Good to hear, but please read the forum rules and replace the oversized (200x200 max) image w/ a thumbnal or link.
Offline
#10 2019-03-11 21:12:13
- matthew.levi12
- Member
- Registered: 2018-04-08
- Posts: 3
Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2
Oh, thanks for point out @Seth! As I was not able to resize it, it just left the link.
Offline