On Thu, 2015-08-06 at 14:18 +0300, Matti Koskimies wrote:
> 
> Pinging doesn't work, but I don't expect it to in our network. 


Oh? Your network is infested by idiot admins who like to block ICMP?
That's almost certainly relevant.

> Instead,
> I used netcat for "port pinging" the ssh port:
> 
> $ nc -znvw1 172.24.38.144 22
> Connection to 172.24.38.144 22 port [tcp/*] succeeded!
> $
> 
> Despite this, the ssh command just hangs.

This is a typical symptom of the above-mentioned 'idiot admin' problem.
If you do a packet capture, do you find that the connection hangs the
moment the SSH server wants to send you a full-sized packet? Which
presumably doesn't fit through the VPN, so the VPN server sends back an
ICMP packet to the server telling it to send a smaller one... and the
VPN server never receives it because of the aforementioned idiot
admins. So the SSH server just keeps sending the too-large packets,
which never get through.
 
You normally get away with this when you are connecting directly from
the VPN client host (as opposed to a virtual machine running thereon),
because the TCP connection setup will indicate an MSS value which
*will* fit in the MTU for the immediately local connection.

Can you show that packet capture? And try *reducing* your MTU on the
VPN interface (tun0) and see if that works?

And go and punch one of the idiots for me.

-- 
dwmw2

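The black hole dwmw2 describes, walked through in code. This is an added example and not part of the thread or of any project's code: it builds and parses an ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) of the kind the VPN server would send back, derives the MSS that fits a tunnel MTU, and steps through path-MTU discovery once with the ICMP delivered and once with it filtered. The tunnel MTU of 1300, the peer MSS of 1460 (a 1500-byte Ethernet behind the VM) and the 10.0.0.1 address are assumptions for the example; all packets are constructed inline and nothing touches the network.

```python
"""Path-MTU black hole walk-through (added example, not code from the thread).

A host behind the VPN advertises an MSS that fits its own link (1460 for a
1500-byte Ethernet), the tunnel is smaller (1300 here, an assumed figure), and
the VPN server's ICMP 'fragmentation needed' replies are filtered.  All
packets below are constructed inline; nothing touches the network."""
import struct

IPV4_HDR = 20               # bytes, no options
TCP_HDR = 20                # bytes, no options
ICMP_FRAG_NEEDED = (3, 4)   # Destination Unreachable / Fragmentation needed and DF set


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; a valid packet (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_hdr_plus_8: bytes) -> bytes:
    """ICMP type 3 code 4 as the VPN server emits it when a DF datagram exceeds
    the tunnel MTU: type | code | csum | unused | next-hop MTU, followed by the
    dropped datagram's IP header and its first 8 bytes (RFC 1191 section 4)."""
    hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = icmp_checksum(hdr + orig_hdr_plus_8)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + orig_hdr_plus_8


def parse_frag_needed(pkt: bytes):
    """Return (next_hop_mtu, dropped_datagram_total_length), or None if the
    packet is not a well-formed 'fragmentation needed' message."""
    if len(pkt) < 8 + IPV4_HDR:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if (typ, code) != ICMP_FRAG_NEEDED or icmp_checksum(pkt) != 0:
        return None
    total_len = struct.unpack("!H", pkt[8 + 2:8 + 4])[0]   # IPv4 total length field
    return mtu, total_len


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 datagram of the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def segment_fits(payload_len: int, link_mtu: int) -> bool:
    return payload_len + IPV4_HDR + TCP_HDR <= link_mtu


def dropped_datagram_header(payload_len: int) -> bytes:
    """Constructed IPv4 header (DF set, proto TCP) plus 8 bytes of TCP header for
    the segment that did not fit; 10.0.0.1 is a placeholder source address."""
    total = payload_len + IPV4_HDR + TCP_HDR
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([172, 24, 38, 144]))
    return ip + struct.pack("!HHI", 22, 40000, 1)   # src port, dst port, seq


def simulate_transfer(peer_mss: int, tunnel_mtu: int, icmp_delivered: bool,
                      max_tries: int = 8):
    """Step through PMTU discovery from the SSH server's point of view.
    Returns the segment size that finally gets through, or None when the sender
    keeps retransmitting the same oversize segment (the black hole)."""
    seg = peer_mss
    for _ in range(max_tries):
        if segment_fits(seg, tunnel_mtu):
            return seg
        icmp = build_frag_needed(tunnel_mtu, dropped_datagram_header(seg))
        if not icmp_delivered:
            continue                       # filtered: the sender learns nothing
        mtu, _ = parse_frag_needed(icmp)
        seg = mss_for_mtu(mtu)             # shrink to what the tunnel allows
    return None


if __name__ == "__main__":
    print("ICMP delivered  :", simulate_transfer(1460, 1300, True))              # 1260
    print("ICMP filtered   :", simulate_transfer(1460, 1300, False))             # None
    print("MSS from tun0   :", simulate_transfer(mss_for_mtu(1300), 1300, False))  # 1260
```

The third case is the one dwmw2 describes as normally working: a connection from the VPN client host itself advertises an MSS derived from the tun0 MTU, so no segment ever exceeds the tunnel and the missing ICMP never matters. On a real capture the message the firewall is eating matches the tcpdump filter `icmp[0] == 3 and icmp[1] == 4`, and its absence on the client side while the large segment is retransmitted is the black hole; lowering the tun0 MTU (`ip link set dev tun0 mtu 1300`, with the value chosen to suit the tunnel) is the workaround suggested above.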