Re: racoon works only in one way

On Tuesday, January 04, 2011 04:50:11 am Luc MAIGNAN wrote:
> Hi,
> 
> I use racoon to establish an IPSEC tunnel between a fedora box and a
> router.
> 
> The tunnel is mounted.
> 
> Both my fedora and network behind the router can ping each other
> 
> The network behind the router can use the tunnel to ssh my fedora
> 
> But my fedora isn't able to ssh the network behind the router.
> 
> IPTRAF shows me that packets come correctly from the opposite side, but
> ssh doesn't seem to receive them.
> 
> 
> What can happen ?
> 
> Any help would be appreciated
> 
> BR

I'm sorry.  I don't understand what is being seen when one says
"IPTRAF shows me that packets come correctly from the opposite side, but
ssh doesn't seem to receive them."

Can one get IPTRAF to show the contents of the packets sent and received?

My instinct is to use wireshark or tcpdump to examine the contents of packets 
sent or received on an interface.

Having said the above, and not understanding what is being returned to your PC 
when you try to ssh to the other side, I would say, in general,

if one can initiate ssh in one direction, but not the other, the problem might 
be any of the following (the following list is probably not exhaustive; others 
can and will add other possibilities):

1) It is possible the firewall on the remote side is blocking incoming ssh
    traffic.  This blocking of incoming ssh traffic might be selective.
    The firewall could be configured to block incoming ssh connections from
    certain sites and allow incoming ssh connections from other sites.

2) It is possible the ssh server on the other side isn't running.

3) It is possible something has been placed in the /etc/ssh/sshd_config file,
   on the other side, to selectively control which users can connect to the
   other side's ssh server.

4) If password authentication is not allowed, and only public key 
authentication is allowed, the other side's account might not be set up for 
incoming ssh connections that use public key authentication.

There are other possibilities.  Recently, on this list, someone had a problem 
ssh'ing into another machine because SELinux was blocking something... please 
look for the "can't ssh into a remote machine" problem related to amanda.

I'm afraid my answers are very general and not very helpful.

If you use wireshark to dump packets, can you tell us the contents of the 
packets the other side is actually returning?  

Also, when you do ssh, could you do ssh with the "-v" option, so ssh tells you 
what ssh thinks is happening.  I believe you can use multiple "-v", up to 3.
ssh -v -v -v ....

If the problem were firewall related, what you see would depend on how the 
firewall was configured: the firewall could be configured to "REJECT" incoming 
ssh connections, in which case an ICMP packet might be returned, or the 
firewall might be configured to "DROP" incoming ssh connections.  

When I wish someone to ssh into my machines, I explicitly add an entry to my 
firewall to allow only that person's IP address to initiate an incoming ssh 
connection to me.  Otherwise, my default ssh rule is to "DROP" without any 
indication or reply to the other side.  My goal and belief: I don't expect 
incoming ssh connections, in general, and only allow incoming ssh connections 
for short periods of time, and only when I'm there to supervise, and I don't 
want anyone to know I can receive incoming ssh connections, which is why I 
configure the firewall to drop unexpected incoming ssh connections by default.

Can you look at the firewall, iptables, on the other side, to see if it allows 
incoming ssh connection packets?  If you don't know much about iptables, we 
can start that discussion...but it is an involved discussion.  Hopefully, 
others will chime in and help with such a discussion.

It is possible the ssh server on the other side is not running.  I don't have 
to run my ssh server unless I expect and want an incoming connection to me.

Can you check the other side to see if the ssh server is running on the other 
side?

It is possible something has been placed in the /etc/ssh/sshd_config file, on 
the other side, to control incoming ssh connections which can allow ssh 
incoming connections to only certain accounts, or allow only certain types of 
authentication, or change the port used for incoming ssh connections, or...I'm 
sure I don't have a complete list of what can be done.

For example, in my /etc/ssh/sshd_config file, I have a line,
AllowUsers ... which is a list of users who can ssh in.  Trying to ssh in to 
any account not on that list will fail.

I do not allow password authentication.  I only allow public key 
authentication.  People who ssh into my machine, when I let them, are not told 
the password to the account they are logging in on.  I require public key 
authentication.  I lecture them on making "strong" keys.

I only allow incoming ssh connections that use protocol 2.

I don't allow root logins.

I could, if I wanted to, switch the port, from port 22, to some other port, 
one must use to connect to my ssh server.

If you do "ssh -v -v -v ..."  to ssh to the other side, your ssh client might 
print out some useful information if it is successfully talking to the other 
side's ssh server, telling you why the connection isn't happening.

I'm sorry my answers are so general.  I don't understand what is happening 
when you try to ssh into the other side.


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
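The reply above walks through two layers that can make ssh work in only one direction: the remote firewall (REJECT answers with an ICMP error, DROP answers with nothing, and a rule keyed on port 22 stops matching once sshd moves to another port) and sshd_config itself (AllowUsers, PasswordAuthentication, Port). The script below is an added example, not code from the thread or from Fedora; it checks both layers against constructed sample text (a sshd_config and an iptables-save dump) so it runs offline. The function names (sshd_value, sshd_allows_user, fw_verdict, diagnose), the sample user names and the addresses 192.0.2.10 and 198.51.100.7 are all assumptions made for the illustration; the commands in the header comment are what you would run on the real remote box to obtain the same inputs.

```shell
#!/bin/sh
# Added example, not from the thread. Checks what the remote firewall and
# sshd_config would do with an incoming ssh connection, using CONSTRUCTED
# sample text so it runs offline. On the real remote box the inputs come from:
#   iptables-save             (or: iptables -L INPUT -n -v --line-numbers)
#   cat /etc/ssh/sshd_config  (or: sshd -T, for the effective values)
#   service sshd status       (is the server running at all?)
#   tcpdump -ni eth0 'tcp port 22'   while the client runs  ssh -vvv user@host
set -eu

# Constructed sshd_config in the style the reply describes: user allow-list,
# public key only, protocol 2, no root login, moved off port 22.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@192.0.2.10
'

# Constructed iptables-save output: accept ssh from one address, DROP the
# rest silently (the "allow one IP, otherwise DROP" policy in the reply).
SAMPLE_IPTABLES='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
'

# sshd_value CONFIG KEYWORD: effective value of KEYWORD. sshd keywords are
# case-insensitive, the first occurrence wins, comments are ignored.
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# sshd_allows_user CONFIG USER [SRC_IP]: succeeds if USER passes AllowUsers.
# Models the plain "user" and "user@ip" forms only (sshd also accepts
# wildcards and hostnames, which this check does not handle).
sshd_allows_user() {
  _cfg=$1; _user=$2; _src=${3:-}
  _allow=$(sshd_value "$_cfg" AllowUsers)
  [ -z "$_allow" ] && return 0          # no AllowUsers line: nobody is filtered
  for _pat in $_allow; do
    case $_pat in
      "$_user" | "$_user@$_src") return 0 ;;
    esac
  done
  return 1
}

# fw_verdict RULES SRC_IP DPORT: ACCEPT/DROP/REJECT for a NEW tcp connection
# from SRC_IP to DPORT, walking the INPUT chain in order. Rules keyed on
# connection state or on an interface (-i) are skipped: a fresh SYN arriving
# through the tunnel is neither ESTABLISHED nor on lo.
fw_verdict() {
  printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
    /^:INPUT / { policy = $2 }                       # chain default policy
    $1 == "-A" && $2 == "INPUT" {
      s = ""; p = ""; dp = ""; tgt = ""; skip = 0
      for (i = 3; i <= NF; i++) {
        if      ($i == "-s")      s   = $(i + 1)
        else if ($i == "-p")      p   = $(i + 1)
        else if ($i == "--dport") dp  = $(i + 1)
        else if ($i == "-j")      tgt = $(i + 1)
        else if ($i == "-i" || $i == "--state") skip = 1
      }
      if (skip) next
      sub("/32$", "", s)                             # host matches only, no subnets
      if (s  != "" && s  != src)   next
      if (p  != "" && p  != "tcp") next
      if (dp != "" && dp != dport) next
      matched = 1; print tgt; exit
    }
    END { if (!matched) print policy }'
}

# diagnose CONFIG RULES USER SRC_IP: what the remote side would do with
# "ssh USER@remote" arriving from SRC_IP. Returns 0 only if both layers pass.
diagnose() {
  _port=$(sshd_value "$1" Port); _port=${_port:-22}
  _verdict=$(fw_verdict "$2" "$4" "$_port")
  case $_verdict in
    ACCEPT) ;;
    DROP) echo "firewall silently drops tcp/$_port from $4: client hangs until timeout"; return 1 ;;
    *)    echo "firewall ${_verdict}s tcp/$_port from $4: client gets an ICMP error or reset"; return 1 ;;
  esac
  if ! sshd_allows_user "$1" "$3" "$4"; then
    echo "sshd is reached, but $3 is not in AllowUsers: authentication will fail"; return 1
  fi
  echo "tcp/$_port from $4 accepted, $3 passes AllowUsers; PasswordAuthentication $(sshd_value "$1" PasswordAuthentication), so check the key next"
}

# The constructed config moved sshd to 2222 but the firewall only opens 22, so
# even the allowed address is dropped: a one-sided failure like the thread's.
diagnose "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES" alice 192.0.2.10 || true
# Same ruleset with the port corrected: alice gets through, mallory does not.
SAMPLE_IPTABLES_FIXED=$(printf '%s\n' "$SAMPLE_IPTABLES" | sed 's/--dport 22 /--dport 2222 /')
diagnose "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES_FIXED" alice   192.0.2.10 || true
diagnose "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES_FIXED" mallory 192.0.2.10 || true
```

The order of the checks matters for reading a "ssh -vvv" run: a firewall DROP shows up as the client sitting at "Connecting to ..." until it times out, a REJECT as an immediate error before any banner, while an AllowUsers or key problem only appears after the two sides have exchanged version strings, which is also the point at which tcpdump on the remote interface starts showing return traffic.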
