On Thu, 2015-08-06 at 14:18 +0300, Matti Koskimies wrote:
>
> Pinging doesn't work, but I don't expect it to in our network.

Oh? Your network is infested by idiot admins who like to block ICMP?
That's almost certainly relevant.

> Instead, I used netcat for "port pinging" the ssh port:
>
> $ nc -znvw1 172.24.38.144 22
> Connection to 172.24.38.144 22 port [tcp/*] succeeded!
> $
>
> Despite this, the ssh command just hangs.

This is a typical symptom of the above-mentioned 'idiot admin' problem.

If you do a packet capture, do you find that the connection hangs the
moment the SSH server wants to send you a full-sized packet? Which
presumably doesn't fit through the VPN, so the VPN server sends back an
ICMP packet to the server telling it to send a smaller one... and the
VPN server never receives it because of the aforementioned idiot admins.
So the SSH server just keeps sending the too-large packets, which never
get through.

You normally get away with this when you are connecting directly from
the VPN client host (as opposed to a virtual machine running thereon),
because the TCP connection setup will indicate an MSS value which *will*
fit in the MTU for the immediately local connection.

Can you show that packet capture? And try *reducing* your MTU on the VPN
interface (tun0) and see if that works?

And go and punch one of the idiots for me.

-- 
dwmw2
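The failure mode described in the reply above, as an added Python example that is not from this thread or from any project: it constructs the ICMP "Fragmentation Needed" (type 3, code 4) message the VPN server would send back to the SSH server when a full-sized DF packet does not fit the tunnel, decodes such a message (which is what you would look for in the packet capture; if the big packets go out and nothing like this ever comes back, ICMP is being filtered), and computes the MSS a host should advertise for a given MTU. The SSH server address is the one from the thread; the client and VPN server addresses, the ports and the MTU values are constructed.

```python
# Added example (not part of this thread): build and decode the ICMP
# "Fragmentation Needed" message a router sends when a DF packet exceeds
# the next hop's MTU, and the MSS a host should advertise for a given MTU.
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code 4 of Destination Unreachable (RFC 1191)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df=True):
    """20-byte IPv4 header with a valid checksum; DF set by default."""
    flags = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, flags,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(buf):
    """Decode the fixed IPv4 header; payload is sliced by IHL and total length."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (_, _, total, _, flags, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (buf[0] & 0x0F) * 4
    return {"proto": proto, "df": bool(flags & 0x4000), "total_len": total,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": buf[ihl:total]}


def build_frag_needed(router, too_big, next_hop_mtu):
    """The ICMP type 3/code 4 error `router` returns to the sender of `too_big`.
    It quotes the original IP header plus the first 8 bytes of its payload."""
    orig = parse_ipv4(too_big)
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += too_big[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, orig["src"], IPPROTO_ICMP, len(body), df=False) + body


def parse_frag_needed(buf):
    """Return details of a Fragmentation Needed message, or None if `buf` is not one."""
    ip = parse_ipv4(buf)
    if ip["proto"] != IPPROTO_ICMP or len(ip["payload"]) < 8 + 28:
        return None
    icmp = ip["payload"]
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or inet_checksum(icmp) != 0:
        return None
    inner = parse_ipv4(icmp[8:])            # the quoted header of the too-big packet
    ports = None
    if inner["proto"] == IPPROTO_TCP and len(inner["payload"]) >= 4:
        ports = struct.unpack("!HH", inner["payload"][:4])
    return {"router": ip["src"], "next_hop_mtu": mtu,
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_len": inner["total_len"], "ports": ports}


def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP segment payload that fits in `mtu` without fragmentation."""
    return mtu - ip_hdr - tcp_hdr


# Constructed sample: a full-sized (1500-byte) segment from the SSH server in the
# thread to a hypothetical VPN client address; DF is set, as Linux does by default.
SSH_SERVER, VPN_CLIENT, VPN_SERVER = "172.24.38.144", "10.0.0.5", "10.0.0.1"
TCP_HDR = struct.pack("!HHIIBBHHH", 22, 51234, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
TOO_BIG = ipv4_header(SSH_SERVER, VPN_CLIENT, IPPROTO_TCP, 20 + 1460) + TCP_HDR + b"S" * 1460
# The VPN server's tunnel only carries 1300-byte packets (constructed value), so
# it answers the DF packet with a Fragmentation Needed error carrying that MTU.
FRAG_NEEDED = build_frag_needed(VPN_SERVER, TOO_BIG, 1300)

if __name__ == "__main__":
    info = parse_frag_needed(FRAG_NEEDED)
    print(info)
    print("server should drop to MSS", mss_for_mtu(info["next_hop_mtu"]))
```

If the filter swallows FRAG_NEEDED, the server keeps retransmitting TOO_BIG forever and the session hangs exactly as described. Lowering the MTU on tun0 works around it from the client side: the SYN then advertises `mss_for_mtu(<tun0 mtu>)`, so the server never sends a segment that would need the ICMP in the first place.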