[vpn-help] VPN Tunnel connection Established, but cannot ssh.

Kevin VPN kvpn at live.com
Thu Jan 24 21:12:56 CST 2013


On 01/23/2013 10:38 PM, Jinyan Huang wrote:
> Kevin,
>
> When I connect to the VPN from work, I can still connect to the computer in my office.
>
> Thank you for your explanation. But it seems it is not reasonable. My home
> and office are in CityA, the VPN server is in CityB. When I am at home
> or at work, it should be on the same side.
>
> On Wed, Jan 23, 2013 at 10:16 PM, Kevin VPN <kvpn at live.com> wrote:
>> On 12/20/2012 06:16 PM, Jinyan Huang wrote:
>>>
>>> NAT-T is disabled by default. I used all default settings. I have tried
>>> to decrease the MTU to a lower value, 900. It does not help.
>>>
>>> I think there is an Internet environment problem. But I do not know
>>> where it is. Because I used the same computer, at home I can SSH; in the
>>> office, the VPN tunnel connection can be established, but I cannot SSH.
>>>
>>> The IT group told me that all outbound ports have been opened. They also do
>>> not have any idea how to fix it, because they do not know the Shrew
>>> software.
>>>
>>
>> On 12/19/2012 11:30 AM, Jinyan Huang wrote:
>>> Kevin,
>>
>>> It seems I cannot access the DNS server at 10.10.2.16.
>>>
>>> ping 10.10.2.16
>>> PING 10.10.2.16 (10.10.2.16): 56 data bytes
>>> Request timeout for icmp_seq 0
>>> Request timeout for icmp_seq 1
>>
>>
>> Hi Jinyan,
>>
>> When you connect to the VPN from work, can you connect to ANY computer at
>> all?
>>
>> My guess is that the problem is that the VPN configuration is designed only
>> for connections from outside (the Internet), not from inside (in other
>> words, not on the internal network 10.10.x.x/16).  Many VPNs only allow
>> access "across" the firewall - you can connect to the VPN from the Internet
>> side of the VPN gateway/firewall and access resources on the protected side,
>> but it does not like it when you connect to the VPN from the protected side
>> and try to access resources on the protected side.  You also see this often
>> when people connect to the VPN from the Internet and then complain that the
>> VPN won't let them send traffic to the Internet.
>>
>> I expect that at home, you're connecting to the Internet side of the
>> firewall/VPN, but at work, you're connecting to the protected side.  The VPN
>> for some reason lets you connect at work, but when you actually try to send
>> traffic, the firewall drops it because it's exiting the firewall through the
>> same interface it came in on.
>>
>> To be honest, if all you're trying to do is SSH, you probably don't need the
>> VPN when you're at work, since SSH traffic is already encrypted.
>>

Hi Jinyan, thanks for the clarification.  You are correct that in this 
case, both home and work will come into the VPN gateway from the same side.

Can you try the following: connect to the VPN from work using a Windows 
client.  Start a ping to a machine on the far end of the VPN or try to 
SSH. Launch the VPN Trace Utility and look at the Security Associations 
tab.  There should be at least two entries.  Make note of the "State" 
and "Transfered" columns.

In the State column, the entries should be either LARVAL, MATURE, or 
DYING.  A LARVAL state should quickly move to MATURE state.  If it 
doesn't, a failure to negotiate Security Associations is occurring.

Once the Security Associations have the state MATURE or DYING, look at 
the Transfered column.  Both columns should have increasing values of 
bytes transferred.  If they don't, there is a problem somewhere at work, 
possibly that the firewall does not allow IP Protocol 50 (ESP) traffic to 
pass through.
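One way to check the ESP suspicion from the work side, as an added example that is not from the thread: parse `tcpdump -n`-style lines captured on the client and count IKE (UDP 500) versus ESP (IP protocol 50) packets per direction. The addresses and capture lines below are constructed; a tunnel whose IKE exchange completes but whose ESP never comes back matches the "MATURE but not transferring" symptom described above.

```python
"""Triage "tunnel established but no traffic" from a packet capture.

Constructed example: addresses and tcpdump-style lines are made up.
  192.0.2.10   = VPN client at work
  198.51.100.5 = VPN gateway
"""
import re
from collections import Counter

CLIENT = "192.0.2.10"
GATEWAY = "198.51.100.5"

# Constructed capture: IKE completes in both directions, but ESP is only
# ever seen leaving the client, never returning from the gateway.
CAPTURE = """\
12:00:01.000 IP 192.0.2.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.050 IP 198.51.100.5.500 > 192.0.2.10.500: isakmp: phase 1 R ident
12:00:01.200 IP 192.0.2.10.500 > 198.51.100.5.500: isakmp: phase 2/others I oakley-quick
12:00:01.250 IP 198.51.100.5.500 > 192.0.2.10.500: isakmp: phase 2/others R oakley-quick
12:00:02.000 IP 192.0.2.10 > 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:03.000 IP 192.0.2.10 > 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
"""

def parse(line):
    """Return (src_ip, dst_ip, kind) with kind 'ike' or 'esp', else None."""
    m = re.search(r" IP (\S+) > (\S+): (isakmp|ESP)", line)
    if not m:
        return None
    src, dst, proto = m.groups()

    def host(h):  # tcpdump appends ".port" for UDP; strip it, keep bare IPs
        return h.rsplit(".", 1)[0] if h.count(".") == 4 else h
    return host(src), host(dst), "ike" if proto == "isakmp" else "esp"

def tally(capture, client, gateway):
    """Count IKE and ESP packets in each direction between client and gateway."""
    counts = Counter()
    for line in capture.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if (src, dst) == (client, gateway):
            counts[kind + "_out"] += 1
        elif (src, dst) == (gateway, client):
            counts[kind + "_in"] += 1
    return counts

def diagnose(counts):
    """Map the per-direction counts to the likely failure point."""
    if counts["ike_out"] and not counts["ike_in"]:
        return "IKE not answered: no tunnel negotiated at all"
    if counts["esp_out"] and not counts["esp_in"]:
        return "ESP blocked: IKE completed but no IP protocol 50 returns (try NAT-T)"
    if counts["esp_out"] and counts["esp_in"]:
        return "ESP flows both ways: look beyond the tunnel (routing, SSH host)"
    return "no IPsec traffic seen between client and gateway"
```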
