Problem logging in over GRE/IPSec tunnel?

Paul Suh plsuh at goodeast.com
Mon Oct 20 14:51:42 EST 2014


On Oct 19, 2014, at 11:08 PM, Damien Miller <djm at mindrot.org> wrote:

> On Sun, 19 Oct 2014, Paul Suh wrote:
> 
>> Hello,
>> 
>> First time posting here, but I've been using OpenBSD for since 2.7 or
>> so. I hope this is the right place to ask.
>> 
>> Anyway, I'm running into a puzzler.
> 
> [...]
> 
>> On the server, I get this line in /var/log/authlog:
>> 
>>> Oct 19 22:42:17 ravelin sshd[5880]: fatal: Read from socket failed:
>>> Connection reset by peer [preauth]
> 
> Whatever the problem is, it's happening at a lower level than ssh/sshd.
> 
> Can you connect to the sshd using telnet or netcat from the client?
> If not, then that's your problem.
> 
> If so, then the problem is more subtle. In the absence of further
> information, I'd expect an MTU blackhole in one/both directions,
> since the KEXINIT packet is likely to be the first bit of data sent
> that is >1KB. You might be able to check this using ping's size
> and don't-fragment options (make sure you test both the client->server
> and server->client directions).

Damien,

I can connect to port 22 via telnet and get the "SSH-2.0-OpenSSH_6.6.1" response, so it's something more subtle.

Sweep pings fail at the MTU, 1476, both directions. There is some sort of flakiness when I set the packet size to 1460 or 1450, as the first three or four packets will go through, then I get errors back from the router. 

I tried cranking the MTU for the path down to 1400 in both directions using the route(8) command, but that doesn’t seem to help. 

Thanks for any pointers that you can give me. 


—Paul
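One way to automate the don't-fragment ping sweep Damien describes, as an added example that is not part of this thread: it binary-searches for the largest DF-marked echo payload that is answered without loss (so a size that only passes the first few packets counts as failing) and converts that back to the IPv4 path MTU. The ping flags assumed are iputils on Linux (-M do, -W) and OpenBSD ping's -D and -w; the 1476 blackhole in the test is a constructed value chosen to match the figure quoted above.

```python
import re
import subprocess
import sys

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header; ping -s sets only the data length after it


def ping_df(host: str, payload: int, count: int = 5) -> bool:
    """Send `count` echo requests of `payload` data bytes with DF set and
    return True only if every one was answered, so the 'first few get
    through, then errors' pattern counts as a failure at that size."""
    if sys.platform.startswith("linux"):
        cmd = ["ping", "-c", str(count), "-W", "2", "-M", "do", "-s", str(payload), host]
    else:  # OpenBSD ping(8): -D sets DF, -w caps the wait in seconds (assumed)
        cmd = ["ping", "-c", str(count), "-w", "2", "-D", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", out)
    return bool(m) and m.group(1) == m.group(2)


def largest_passing_payload(probe, lo: int, hi: int) -> int:
    """Binary search for the largest payload size in [lo, hi] that `probe`
    accepts. probe(size) -> bool must be monotone: once a size fails, every
    larger size fails too, which is exactly what a DF blackhole looks like."""
    if not probe(lo):
        raise RuntimeError(f"{lo}-byte probes already fail; not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Convert a ping data length back to the on-the-wire IPv4 packet size."""
    return payload + ICMP_HDR + IP_HDR


if __name__ == "__main__":
    target = sys.argv[1]  # run once from each end toward the other
    best = largest_passing_payload(lambda n: ping_df(target, n), 56, 1472)
    print(f"largest DF payload {best} bytes -> path MTU {path_mtu_from_payload(best)}")
```

A result well below the 1KB-plus KEXINIT size on either direction is the blackhole Damien suspects; a full-size result in both directions points elsewhere.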
