    SSH hanging through IPSEC VPN

LucaTNT:

      Hello,
I have 2 pfSense firewalls (2.4.4-p3 on both sides) with public IPs connecting to each other via IPsec, routed VTI phase 2.
I set up the tunnel interface and added the required static routes to each other's networks. I can ping hosts across networks, I can connect to HTTP/HTTPS, SMB, stuff mostly seems to work OK.
      One big thing doesn't work, though: SSH.

      It hangs after authentication, until it says broken pipe.

      I tried lowering the MTU on the server side as suggested by some posts, but it didn't work. MSS clamping didn't help either.

      I even tried to switch my phase 2 to Tunnel IPv4 but I still got the same behavior.

      Packets just seem to stop flowing from the SSH server to the client.

I'm attaching a zip file containing 6 different packet captures, 3 from each side:

      • ssh_client_local was recorded from the machine running the SSH client
      • ssh_client_side_enc0 was recorded from the pfSense firewall in the client network, on the enc0 interface
      • ssh_client_side_ipsec1000 was recorded from the pfSense firewall in the client network, on the ipsec1000 interface
• ssh_server_local was recorded from the machine running the SSH server
      • ssh_server_side_enc0 was recorded from the pfSense firewall in the server network, on the enc0 interface
      • ssh_server_side_ipsec1000 was recorded from the pfSense firewall in the server network, on the ipsec1000 interface

      Any help?

      Thanks in advance.

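As an added example of the per-hop comparison those six captures are meant to support (this is not code from the post or from pfSense): given TCP segments summarised from each capture point, it reports the pair of capture points between which server-to-client segments stop appearing, and the size boundary between segments that were delivered and segments that were lost, which is the pattern a PMTU black hole produces. The capture contents and host addresses are constructed, and reducing real pcaps to (src, dst, seq, length) tuples with tcpdump or tshark is assumed to happen beforehand.

```python
"""Correlate per-hop packet captures to locate where an SSH flow stalls.

Added example, not code from the forum post. Capture contents below are
constructed; reducing real pcaps to (src, dst, seq, length) tuples is
assumed to be done beforehand.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Capture points whose order along the path is unambiguous, client side first.
# The ipsec1000 (VTI) captures are left out: their position relative to enc0
# on the same box is not needed for this check.
HOPS = (
    "ssh_client_local",
    "ssh_client_side_enc0",
    "ssh_server_side_enc0",
    "ssh_server_local",
)


@dataclass(frozen=True)
class Pkt:
    """One TCP segment as summarised from a capture."""
    src: str
    dst: str
    seq: int      # TCP sequence number; identifies the segment across hops
    length: int   # IP total length in bytes (what an MTU limit acts on)


def hops_seen(captures):
    """Map each distinct segment to the set of capture points it appeared at."""
    seen = defaultdict(set)
    for hop, pkts in captures.items():
        for p in pkts:
            seen[p].add(hop)
    return seen


def diagnose(captures, client_ip, server_ip):
    """Per direction: where segments vanish, and the largest delivered versus
    smallest lost segment size."""
    seen = hops_seen(captures)
    report = {}
    for name, path, src, dst in (
        ("client->server", HOPS, client_ip, server_ip),
        ("server->client", HOPS[::-1], server_ip, client_ip),
    ):
        delivered, dropped, drop_points = [], [], Counter()
        for pkt, hops in seen.items():
            if (pkt.src, pkt.dst) != (src, dst):
                continue
            last = max(path.index(h) for h in hops)  # furthest point reached
            if last == len(path) - 1:
                delivered.append(pkt.length)
            else:
                dropped.append(pkt.length)
                drop_points[(path[last], path[last + 1])] += 1
        report[name] = {
            "largest_delivered": max(delivered, default=None),
            "smallest_dropped": min(dropped, default=None),
            # (capture point where last seen, capture point where expected next)
            "drop_point": drop_points.most_common(1)[0][0] if drop_points else None,
        }
    return report


def build_sample():
    """Constructed captures (made-up addresses): small server->client segments
    reach the client; 1460-byte and larger ones are last seen on the
    server-side enc0."""
    c, s = "10.0.1.20", "10.0.2.10"
    small_s2c = [Pkt(s, c, seq, ln) for seq, ln in ((1, 120), (121, 500), (621, 1380))]
    big_s2c = [Pkt(s, c, 2001, 1460), Pkt(s, c, 3461, 1500)]
    c2s = [Pkt(c, s, 1, 60), Pkt(c, s, 61, 100)]
    everywhere = small_s2c + c2s
    return {
        "ssh_server_local": everywhere + big_s2c,
        "ssh_server_side_enc0": everywhere + big_s2c,
        "ssh_client_side_enc0": everywhere,
        "ssh_client_local": everywhere,
    }


if __name__ == "__main__":
    for direction, result in diagnose(build_sample(), "10.0.1.20", "10.0.2.10").items():
        print(direction, result)
```

A result such as "largest delivered 1380, smallest dropped 1460, lost between the two enc0 captures" points at the encapsulated path between the firewalls, whereas a loss between a host and its own firewall points elsewhere. Segment size alone does not prove the cause, but it separates an MTU-shaped loss from a policy or routing one before any MSS or MTU knobs are turned.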
danone:

I also have the same problem. Tried MSS clamping and MTU changes, but no benefit.
My WAN is PPPoE, if this matters.
I have many pfSense IPsec tunnels, but the problem persists on only one.

LucaTNT:

          I also have PPPoE on one end, the other one is DHCP.

yachacha:

Same here...
Any progress or solutions?

LucaTNT:

              Sadly, no.

I am pretty sure this is related to a firmware bug in the Broadcom VDSL2 chip (BCM63138) used in the modem on one side of my IPsec tunnel: it used to suffer from a different one in the past that prevented me from using Hurricane Electric's IPv6 tunnel broker. Ping would work, any other traffic would not (the configuration was fine, since it worked well with my previous ISP).

              See this and this post about the Broadcom chip bug.

In my case that was resolved by an update that came ~1 year later from my ISP (I just re-enabled the existing config I used with the previous ISP and everything started working again); hopefully this will be sorted out as well.

yachacha @LucaTNT:

@LucaTNT Thank you for the response.
I'm not connected via PPPoE but behind a fibre box, and I'm having the same problems.

I am pretty sure SSH was running fine after the initial setup (a few weeks ago), so I have no idea what's going on now...

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.