SSH hanging through IPSEC VPN

LucaTNT

Hello,
I have 2 pfSense firewalls (2.4.4-p3 on both sides) with public IPs connecting to each other via IPSEC, routed VTI phase 2.
I set up the tunnel interface and added the required static routes through each other. I can ping hosts across networks, I can connect to HTTP/HTTPS, SMB, stuff mostly seems to work ok.
One big thing doesn't work, though: SSH.

It hangs after authentication, until it says broken pipe.

I tried lowering the MTU on the server side as suggested by some posts, but it didn't work. MSS clamping didn't help either.

I even tried to switch my phase 2 to Tunnel IPv4 but I still got the same behavior.

Packets just seem to stop flowing from the SSH server to the client.

I'm attaching a zip file containing 6 different packet captures , 3 from each side:

• ssh_client_local was recorded from the machine running the SSH client
• ssh_client_side_enc0 was recorded from the pfSense firewall in the client network, on the enc0 interface
• ssh_client_side_ipsec1000 was recorded from the pfSense firewall in the client network, on the ipsec1000 interface
• ssh_server_local as recorded from the machine running the SSH server
• ssh_server_side_enc0 was recorded from the pfSense firewall in the server network, on the enc0 interface
• ssh_server_side_ipsec1000 was recorded from the pfSense firewall in the server network, on the ipsec1000 interface

Any help?

Thanks in advance.

danone

I also have the same problem. Tried to trigger MSS clamping and MTU, but no benefit.
My WAN is PPPoE, if this matters.
I have many of PfSense IPSec tunnels, but only on one problem persists.

LucaTNT

I also have PPPoE on one end, the other one is DHCP.

yachacha

Same here...
any progress or solutions?

LucaTNT

Sadly, no.

I am pretty sure this is related to a firmware bug on the Broadcom VDSL2 chip (BCM63138) used in the modem at one side of my IPSEC: it used to suffer from different one in the past that would prevent me from using Hurricane Electric's IPv6 tunnel broker: ping would work, any other traffic would not (the configuration was ok, since it worked well with my previous ISP).

See this and this post about the Broadcom chip bug.

In my case that was resolved by un update that came ~1 year later from my ISP (I just re-enabled the existing config I used to use with the previous ISP and all started working again), hopefully this will be sorted out as well.

yachacha

@LucaTNT Thank you for the response.
I’m not connected with PPPoE but behind a glassfibre box, but I’m having the same problems.

I am pretty sure, ssh was running fine after the initial setup (few weeks ago). So I have no idea what’s going on now...