You are not logged in.

#1 2019-03-01 20:37:39

iMeee
Member
Registered: 2013-01-19
Posts: 10

[SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Hi there !

There is a problem that I can't solve.
When I have my Strongswan IKEv2 VPN tunnel up on my Arch laptop, I can't browse on some destinations like Ubiquiti website (ui.com).
The rightsubnet of my tunnel is 0.0.0.0/0, so everything goes by my tunnel.

alexandre@bob ~> curl https://ui.com -v
*   Trying 52.89.117.13...
* TCP_NODELAY set
* Connected to ui.com (52.89.117.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

- same destination but with HTTP or echo ICMP : works
- without VPN : works
- same VPN server and config on different devices : works
- iptables policy accept everywhere
- default sysctl configuration
- I can see my destination responding with tcpdump

Some sites will work, but some won't.
I'm really lost here ...
Any idea ?
Thanks !

Last edited by iMeee (2019-03-02 18:04:57)

Offline

#2 2019-03-01 20:56:05

bugsmanagement
Member
Registered: 2017-04-21
Posts: 201

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Hello there,

Is that VPN you connecting to is your default route?

Regards

Offline

#3 2019-03-01 21:41:36

iMeee
Member
Registered: 2013-01-19
Posts: 10

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

bugsmanagement wrote:

Hello there,

Is that VPN you connecting to is your default route?

Regards

Yes kind of. It's policy based routing.

Here is my config (/etc/ipsec.conf) :

conn %default
    ike=aes128gcm16-prfsha256-modp2048,aes256-sha384-modp1024!
    esp=aes128gcm16-prfsha256-modp2048,aes256-sha1!
    compress=no

conn vpn 
    auto=add
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config4
    eap_identity=alexandre
    right=XXX.XXX.XXX.XXX
    rightsubnet=0.0.0.0/0
    rightid=mydomain.tld

I've also tested with networkmanager-strongswan and Gnome Shell GUI. Same behavior.
Other than HTTPS with few destinations on my Arch laptop, I can't find something else that doesn't work thru my tunnel.

Last edited by iMeee (2019-03-01 21:45:13)

Offline

#4 2019-03-01 21:56:32

bugsmanagement
Member
Registered: 2017-04-21
Posts: 201

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Hey,

I haven't had chance to experiment with IPSec, I wanted to deploy a site-to-site, but haven't gotten around to it. Policy based routing from I understand, set a policy for a client.

When you can't browse a some sites, what does wireshark tells you? What kind information does the browse tells you? Can't connect or Can't find the site?

Regards,

Offline

#5 2019-03-01 22:12:56

seth
Member
Registered: 2012-09-03
Posts: 58,785

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Does this work?

curl -v  --tls-max 1.2 https://ui.com

Offline

#6 2019-03-02 08:44:34

iMeee
Member
Registered: 2013-01-19
Posts: 10

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

bugsmanagement wrote:

Hey,

I haven't had chance to experiment with IPSec, I wanted to deploy a site-to-site, but haven't gotten around to it. Policy based routing from I understand, set a policy for a client.

When you can't browse a some sites, what does wireshark tells you? What kind information does the browse tells you? Can't connect or Can't find the site?

Regards,

It tells me exactly the same information as working websites ... I can see packets coming out and especially in, which make my issue weird.
Browsers tells me that they cannot establish a connection. cURL won't go any further that : * TLSv1.3 (OUT), TLS handshake, Client hello (1):

seth wrote:

Does this work?

curl -v  --tls-max 1.2 https://ui.com

Unfortunately no, same behavior

Offline

#7 2019-03-02 12:51:29

iMeee
Member
Registered: 2013-01-19
Posts: 10

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

I find the issue !
It was related to MTU.

alexandre@bob ~> sudo ip link set dev wlp3s0 mtu 1438
alexandre@bob ~> curl -v https://ui.com
*   Trying 54.187.71.88...
* TCP_NODELAY set
* Connected to ui.com (54.187.71.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

It's actually written why here : https://wiki.strongswan.org/projects/st … MSS-issues

Last edited by iMeee (2019-03-02 18:06:38)

Offline

#8 2019-03-07 20:23:24

matthew.levi12
Member
Registered: 2018-04-08
Posts: 3

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

To be honest I'm from Fedora ecosystem, but just came here to say thanks to @iMeee. His solution worked for me. It was all about lowering down "MTU" - maximum transmission unit.

I'm not a networking guy either, and I'm not sure what did exactly. But it worked for me:

Going to the connection settings (not on terminal as suggested, but GUI itself) and set MTU to 1000. It was by default as "automatic".

As I said, not sure why 1000 (or possibly 1200, 1300, 1400), but it's working now.

Image link: https://i.ibb.co/br7p6sb/Screenshot-fro … -19-48.png

Last edited by matthew.levi12 (2019-03-11 21:11:38)

Offline

#9 2019-03-07 20:39:38

seth
Member
Registered: 2012-09-03
Posts: 58,785

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Good to hear, but please read the forum rules and replace the oversized (200x200 max) image w/ a thumbnal or link.

Offline

#10 2019-03-11 21:12:13

matthew.levi12
Member
Registered: 2018-04-08
Posts: 3

Re: [SOLVED] Can't do SSL handshake on some sites with Strongswan IKEv2

Oh, thanks for point out @Seth! As I was not able to resize it, it just left the link.

Offline

Board footer

Powered by FluxBB