jackivanov
commented
7 years ago Did you check the troubleshooting guide?
Closed donniebishop closed 7 years ago
jackivanov
commented
7 years ago Did you check the troubleshooting guide?
donniebishop
commented
7 years ago I did. I tried troubleshooting by adjusting the MTU, but I still can't seem to reach sites. Pings go through just fine when connected to my Algo instance, but trying to reach sites via the browser or even via curl and wget fails.
~ $ ip addr show wlp2s0
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1438 qdisc mq state UP group default qlen 1000
link/ether 78:0c:b8:6c:95:85 brd ff:ff:ff:ff:ff:ff
inet 172.16.6.21/25 brd 172.16.6.127 scope global dynamic wlp2s0
valid_lft 316sec preferred_lft 316sec
inet 10.19.48.1/32 scope global wlp2s0
valid_lft forever preferred_lft forever
inet6 fe80::63e:9d79:c21b:cf96/64 scope link
valid_lft forever preferred_lft forever
~ $ ping www.placekitten.com
PING www.placekitten.com (72.47.195.49) 56(84) bytes of data.
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=1 ttl=51 time=79.1 ms
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=2 ttl=51 time=80.1 ms
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=3 ttl=51 time=80.8 ms
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=4 ttl=51 time=80.3 ms
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=5 ttl=51 time=80.6 ms
64 bytes from somethinglovely.com (72.47.195.49): icmp_seq=6 ttl=51 time=79.6 ms
^C
--- www.placekitten.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 79.164/80.156/80.899/0.622 ms
~ $ wget -v https://www.placekitten.com
--2017-06-08 21:09:04-- https://www.placekitten.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.placekitten.com... 72.47.195.49
Connecting to www.placekitten.com|72.47.195.49|:443... ^CThe wget was killed after waiting about 2 minutes.
jturner314
commented
7 years ago I'm experiencing exactly the same symptoms on my Arch Linux laptop, and I also tried adjusting the MTU, which didn't help. The log messages are exactly the same as those posted by @donniebishop except for the IP addresses and username. Like @donniebishop, the issue does not occur on my Android phone.
OS / environment / software versions: same as @donniebishop
On the client machine (my Arch Linux laptop), I'm using strongswan 5.5.3 (built using the AUR package with NetworkManager support enabled with the --enable-nm configure option).
blueonyx
commented
7 years ago i have this problem on my new arch laptop too, but it works fine on my old one.
jturner314
commented
7 years ago @blueonyx Do you know what's different on your old Arch laptop? (Maybe an older version of strongswan or a different configuration?)
blueonyx
commented
7 years ago i found it's the kernel version!
if i downgrade my new box from linux 4.11.{3,5}-1 to linux 4.10.13-1 it works as expected! likewise if i upgrade linux on my old box to 4.11.5-1 it doesnt work anymore!
although the output of all these commands is the same no matter the kernel version:
ipsec up my-conn ip addr ip route ip route list table 220 ip xfrm policy
jturner314
commented
7 years ago This does, in fact, appear to be a kernel issue with Linux 4.11:
Edit: By the way, thanks for isolating the issue to the kernel version, @blueonyx! I was messing around with the strongswan version with no success.
donniebishop
commented
7 years ago Nice find @blueonyx! I downgraded to 4.10.10 from 4.11.6 and the VPN is working once more, smooth as silk. Great find, and will certainly be keeping an eye out for updates to the 4.11 strongswan bug - thanks to @jturner314 for finding those links as well :+1:
s-zeng
commented
6 years ago Is it possible to have info about which kernel versions have this problem be put somewhere in the docs?
rdonkin
commented
6 years ago I had a different issue but with very similar symptoms, so I'm commenting here in case it helps (issue was fixed by networking change, see below).
My IPSec connection was from macOS 10.11 to Ubuntu 18.04 (kernel 4.15) server, created in AWS by the algo script.
I found that connecting via one broadband provider worked perfectly. Ping and website access worked for a range of sites.
The other broadband provider (fixed wireless) was fine for pings, and connection stayed up, but only a few websites worked (https://google.com, https://bing.com/), with various http and https sites never finishing load (usually not loading the main page).
I tried restarting the VPN server, reducing MTU to 1300 (ping test was fine), disabling IPv6 (in fact all traffic was IPv4 anyway, this was just to check), etc. I read the Troubleshooting guide but only the MTU action applied.
This provider just did a firmware upgrade for a router (2 hops away from Mac, and not involved in IPSec at all), which completely fixed this.
So if you get this type of issue, I recommend:
Perhaps this could be added to the Troubleshooting doc along with "check you don't have kernel 4.11"?
Algo is now working well - thanks for all the effort that has gone into this!
haroondilshad
commented
6 years ago Is there a work-around for this for a 18.04 Ubuntu client aside from downgrading the kernel? I can't seem to use VPN on Ubuntu but everywhere else it works fine.
Benehiko
commented
5 years ago Same issue here. Ubuntu 18.04 | Kernel Version 4.15 Can establish a connection with the provided strongswan configuration file, but cannot access certain websites through the browser. Can ping them though. On my Android device, it works perfectly.
TC1977
commented
5 years ago May be an MTU issue as stated above.
Benehiko
commented
5 years ago Yeah, I tried setting the MTU but didn't work. I redid my configurations and it's working now.
Off topic:
I can only connect if I start the connection manually
eg. sudo ipsec up <conn-name> or by using auto=start in my ipsec.conf
If I use auto=route in my ipsec.conf file it connects to the VPN server, retrieves an IP, but no internet or connection to other clients on the VPN.
OS / Environment
Ubuntu / DigitalOcean
Ansible version
2.2.0.0
Version of components from
requirements.txtmsrestazure: 0.4.8 setuptools: 36.0.1 dopy 0.3.5 boto 2.47.0 boto3 1.4.4 azure 2.0.0rc5 msrest 0.4.1 apache-libcloud 2.0.0 six 1.10.0 pyopenssl 17.0.0 jinja2 2.8
Summary of the problem
After connecting to the VPN via strongswan (
ipsec up algo), the connection is successfully established, but I am unable to connect to websites and browse. Pings and mtrs to many sites are successful, both against IPs and domain names (google.com, placekitten.com, and github.com are sites I have been testing). However, browsing via HTTP/HTTPS and connecting to IRC servers fails.This is only solved by disconnecting from the VPN (
ipsec down algo). When disconnecting, I do get an ominous message about an iptables rule:I did a full iptables flush of all chains, but this did not alleviate the issues I saw.
Steps to reproduce the behavior
Connect to Algo DigitalOcean instance via strongswan (
ipsec algo up). Problem is only solved by disconnecting. Only affects my Arch Linux laptop. Issue does not occur on my Android phone when connecting to the VPNThe way of deployment (cloud or local)
Cloud
Expected behavior
Expect to be able to browse and connect to internet sites/irc servers
Actual behavior
I am unable to connect to web and irc servers until I disconnect from my Algo instance
Full log