weird SSH over IPSEC VPN not problem

Started by tsupport, November 11, 2019, 03:06:19 AM

Hi,

I have set up a site-to-site IPsec VPN connection and I can access machines and ping clients on both sides. I can access the web interface of OPNsense on both sides, but if I try to SSH to a Linux machine I get the login prompts and then it just hangs; sometimes I eventually get the welcome text and then the prompt, but then it drops out and stops working with a timeout error.

What is weird is that when I try it from the remote site, SSHing back into a Linux machine works.

I don't have any firewall rules between the connections, I just allow all.
I have tried normalization to set the MSS on the IPsec connection to 1400.
I have tried from multiple machines.
I have also tried to SSH into the OPNsense firewall and some switches and they fail as well.

I'm stuck and not sure what else I can change or look at, any suggestions?


Hi,

Thanks for the reply, I applied MSS of 1300 on both LAN ports on each side of the VPN but it still did not work.

I also tried telnet this morning to check, and it fails with the same issue of just taking a long time and then eventually timing out. Other traffic is OK though: VNC, web and Windows file sharing are OK.

I'm not sure if the MSS took effect, as when I ping with a size it's larger than 1300. One thing I did notice is that Side A of the VPN can ping Side B with a packet size of 1473, whereas Side B can only ping Side A with a packet size of 1342. Could this be causing the issue?

MSS is only for TCP. That's why.

Can you try to disable scrubbing?
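The two replies above turn on the same numbers: the largest ping that gets through in each direction, and what that implies for the TCP MSS clamp. The script below is an added example, not code from the thread or from OPNsense. It does the binary search for the largest ICMP payload that is answered with DF set, converts that payload into the path MTU (payload + 8-byte ICMP header + 20-byte IPv4 header) and the MSS ceiling (MTU - 40), and reports whether a configured clamp is at or below that ceiling. The offline run uses a constructed tunnel model so the logic can be checked without a network; the live probe assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the payload size; on FreeBSD the equivalent is `ping -D -s`). The host address in the comment is a placeholder.

```python
"""Path-MTU probing and MSS sanity check for a site-to-site tunnel.

Added example for this thread; not OPNsense code. The real probe assumes
Linux iputils ping (-M do sets DF, -s sets payload size); on FreeBSD use
ping -D -s. simulated_path() is a constructed stand-in for a tunnel so the
algorithm can run offline.
"""
import subprocess
from typing import Callable, Dict

IPV4_HEADER = 20   # bytes, no options
ICMP_HEADER = 8
TCP_HEADER = 20    # bytes, no options; real SYNs carry options, so this MSS is a ceiling


def largest_passing_payload(probe: Callable[[int], bool],
                            low: int = 500, high: int = 1472) -> int:
    """Binary-search the largest ICMP payload that still gets a reply.

    probe(size) must return True when a ping with DF set and that payload
    size is answered. Returns -1 if even the smallest probe fails.
    """
    if not probe(low):
        return -1
    while low < high:
        mid = (low + high + 1) // 2     # round up so `low` always advances
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def mtu_from_icmp_payload(payload: int) -> int:
    """IP MTU implied by a passing ping payload: add ICMP and IPv4 headers."""
    return payload + ICMP_HEADER + IPV4_HEADER


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS that fits in one unfragmented packet at this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fits_unfragmented(payload: int, link_mtu: int = 1500) -> bool:
    """Could a ping of this payload leave a standard Ethernet link without fragmenting?

    A payload above 1472 cannot, so a 'successful' ping of that size was sent
    without DF and was fragmented somewhere on the way.
    """
    return mtu_from_icmp_payload(payload) <= link_mtu


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed tunnel model: DF-marked pings above the path MTU are dropped."""
    def probe(payload: int) -> bool:
        return mtu_from_icmp_payload(payload) <= path_mtu
    return probe


def ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe (Linux iputils): `ping -M do` sets DF, so an oversize packet is not answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def assess_tunnel(payload_a_to_b: int, payload_b_to_a: int,
                  clamped_mss: int) -> Dict[str, object]:
    """Turn the two directional ping results into the numbers that matter for TCP.

    The tighter direction decides the MSS a clamp must come down to; the
    report also flags whether each direction's figure is plausible for a
    DF-marked probe at all.
    """
    tight_payload = min(payload_a_to_b, payload_b_to_a)
    path_mtu = mtu_from_icmp_payload(tight_payload)
    return {
        "path_mtu": path_mtu,
        "max_mss": mss_for_mtu(path_mtu),
        "clamp_sufficient": clamped_mss <= mss_for_mtu(path_mtu),
        "a_to_b_df_plausible": fits_unfragmented(payload_a_to_b),
        "b_to_a_df_plausible": fits_unfragmented(payload_b_to_a),
    }


if __name__ == "__main__":
    # Offline run against a constructed tunnel whose path MTU is 1370.
    found = largest_passing_payload(simulated_path(1370))
    mtu = mtu_from_icmp_payload(found)
    print(f"largest DF ping payload: {found} -> path MTU {mtu}, MSS ceiling {mss_for_mtu(mtu)}")
    # Figures quoted in the thread: 1473 one way, 1342 the other, MSS clamped to 1300.
    print(assess_tunnel(1473, 1342, 1300))
    # Live probe against a real peer (placeholder address):
    # largest_passing_payload(ping_probe("10.0.0.1"))
```

Run it against a real peer with `ping_probe()` from each side in turn; the search stops at the last payload that is answered, and the printed MSS ceiling is the value an MSS clamp would need to stay at or below. Because `fits_unfragmented()` uses the 1500-byte Ethernet figure, a reported 1473-byte success in one direction is flagged as not a DF-marked probe, which is the first thing to re-check before reading anything into the asymmetry.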

Hi,

I disabled scrubbing under Firewall > Settings > Normalization, but that broke communication: I could ping, but I couldn't access any other services.


Hi,

I ended up dumping the IPsec VPN and set up an OpenVPN site-to-site connection, and everything just worked. I didn't need to change the MSS, and we were also facing an issue with drop-outs when idle, which was also fixed.