On Tuesday, January 04, 2011 04:50:11 am Luc MAIGNAN wrote:
> Hi,
>
> I use racoon to establish an IPSEC tunnel between a fedora box and a
> router.
>
> The tunnel is mounted.
>
> Both my fedora and network behind the router can ping each other
>
> The network behind the router can use the tunnel to ssh my fedora
>
> But my fedora isn't able to ssh the network behind the router.
>
> IPTRAF shows me that packets come correctly from the opposite side, but
> ssh doesn't seem to receive them.
>
>
> What can happen ?
>
> Any help would be appreciated
>
> BR

I'm sorry. I don't understand what is being seen when one says "IPTRAF shows me that packets come correctly from the opposite side, but ssh doesn't seem to receive them." Can one get IPTRAF to show the contents of the packets sent and received? My instinct is to use wireshark or tcpdump to examine the contents of packets sent or received on an interface.

Having said the above, and not understanding what is being returned to your PC when you try to ssh to the other side, I would say, in general, if one can initiate ssh in one direction, but not another, the problem might be any of the following (the following list is probably not exhaustive; others can and will add other possibilities):

1) It is possible the firewall on the remote side is blocking incoming ssh traffic. This blocking of incoming ssh traffic might be selective. The firewall could be configured to block incoming ssh connections from certain sites and allow incoming ssh connections from other sites.

2) It is possible the ssh server on the other side isn't running.

3) It is possible something has been placed in the /etc/ssh/sshd_config file, on the other side, to selectively control which users can connect to the other side's ssh server.

4) If password authentication is not allowed, and only public key authentication is allowed, the other side's account might not be set up for incoming ssh connections that use public key authentication.
There are other possibilities. Recently, on this list, someone had a problem sshing into another machine, because SELINUX was blocking something...please look for the "can't ssh into a remote machine" problem related to amanda.

I'm afraid my answers are very general and not very helpful. If you use wireshark to dump packets, can you tell us the contents of the packets the other side is actually returning? Also, when you do ssh, could you do ssh with the "-v" option, so ssh tells you what ssh thinks is happening. I believe you can do multiple "-v", up to 3. ssh -v -v -v ....

If the problem is firewall related, then depending on how the firewall was configured, the firewall could be configured to "REJECT" incoming ssh connections, and an ICMP packet might be returned, or the firewall might be configured to "DROP" incoming ssh connections. When I wish someone to ssh into my machines, I explicitly add an entry to my firewall to allow only that person's IP address to initiate an incoming ssh connection to me. Otherwise, my default ssh rule is to "DROP" without any indication or reply to the other side. My goal and belief: I don't expect incoming ssh connections in general, I only allow incoming ssh connections for short periods of time and only when I'm there to supervise, and I don't want anyone to know I can receive incoming ssh connections, so I configure the firewall to drop unexpected incoming ssh connections by default. Can you look at the firewall, iptables, on the other side, to see if it allows incoming ssh connection packets? If you don't know much about iptables, we can start that discussion...but it is an involved discussion. Hopefully, others will chime in and help with such a discussion.

It is possible the ssh server on the other side is not running. I don't have to run my ssh server unless I expect and want an incoming connection to me. Can you check the other side to see if the ssh server is running on the other side?
It is possible something has been placed in the /etc/ssh/sshd_config file, on the other side, to control incoming ssh connections, which can allow incoming ssh connections to only certain accounts, or allow only certain types of authentication, or change the port used for incoming ssh connections, or...I'm sure I don't have a complete list of what can be done. For example, in my /etc/ssh/sshd_config file, I have a line, AllowUsers ..., which is a list of users who can ssh in. Trying to ssh in to any account not on that list will fail. I do not allow password authentication. I only allow public key authentication. People who ssh into my machine, when I let them, are not told the password to the account they are logging in on. I require public key authentication. I lecture them on making "strong" keys. I only allow incoming ssh connections that use protocol 2. I don't allow root logins. I could, if I wanted to, switch the port, from port 22, to some other port, one must use to connect to my ssh server.

If you do "ssh -v -v -v ..." to ssh to the other side, your ssh client might print out some useful information if it is successfully talking to the other side's ssh server, telling you why the connection isn't happening.

I'm sorry my answers are so general. I don't understand what is happening when you try to ssh into the other side.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
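The reply above keeps returning to two checks: what the client actually sees when it connects (a banner from sshd, a REJECT answer, or the silence of a DROP), and what the remote /etc/ssh/sshd_config permits (AllowUsers, PermitRootLogin, which authentication methods). The following Python script is an added example written for this page; it is not code from the list, from Luc, or from the replier. The sshd_config fragment, the fake loopback "sshd", and the verdict names are all constructed for illustration. It simplifies sshd's real matching: AllowUsers patterns are compared literally (no wildcards), Match blocks are not modelled, and the PermitRootLogin default is the "yes" of the OpenSSH releases of that era (OpenSSH 7.0 later changed it to prohibit-password).

```python
import errno
import socket
import threading

# Constructed sshd_config fragment in the style the reply describes (not a real host's file).
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@192.0.2.10
"""

def parse_sshd_config(text):
    """Keyword -> first value (sshd keeps the first value it sees for scalar options).
    Simplification (assumption): parsing stops at the first 'Match' block."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break
        conf.setdefault(key.lower(), value.strip())
    return conf

def check_login(conf, user, from_host=None):
    """Static part of the reply's checklist: (allowed, reason, auth methods offered).
    Defaults follow the OpenSSH of that era (PermitRootLogin defaulted to yes before 7.0)."""
    if user == "root" and conf.get("permitrootlogin", "yes") == "no":
        return False, "PermitRootLogin no", []
    allow = conf.get("allowusers", "").split()  # USER or USER@HOST, matched literally here
    if allow and not any(p in (user, f"{user}@{from_host}") for p in allow):
        return False, "not listed in AllowUsers", []
    methods = [m for m, k in (("password", "passwordauthentication"),
                              ("publickey", "pubkeyauthentication"))
               if conf.get(k, "yes") != "no"]
    return bool(methods), ("ok" if methods else "no authentication method enabled"), methods

def probe_ssh(host, port=22, timeout=3.0):
    """Client-side view of the port, in the reply's terms. Returns (verdict, first line):
      banner      sshd answered "SSH-...": firewall passes and the server runs
      no-banner   TCP connected, nothing arrived before the timeout (stalled handshake)
      closed      TCP connected, peer closed without a banner
      not-ssh     something other than sshd answered on that port
      refused     RST or ICMP port-unreachable: nothing listening, or REJECT
      unreachable ICMP host/net unreachable, e.g. REJECT --reject-with icmp-host-prohibited
      dropped     no answer at all before the timeout, which is what DROP looks like"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except socket.timeout:
            return "dropped", None
        except ConnectionRefusedError:
            return "refused", None
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable", None
            raise
        try:
            data = s.recv(256)
        except socket.timeout:
            return "no-banner", None
        if not data:
            return "closed", None
        line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
        return ("banner" if line.startswith("SSH-") else "not-ssh"), line
    finally:
        s.close()

def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_5.5\r\n", silent=False):
    """Loopback stand-in for sshd, constructed for offline testing (not real sshd).
    silent=True accepts and never speaks, reproducing a stalled handshake.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop, held = threading.Event(), []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if not silent:
                conn.sendall(banner)
            held.append(conn)  # keep it open so the silent case really hangs
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set

def free_loopback_port():
    """A loopback port nobody listens on: the kernel answers RST, as REJECT --reject-with tcp-reset would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

From the Fedora box, `probe_ssh("<router-side host>")` gives the same three-way distinction the reply asks for: "refused" or "unreachable" means the firewall or the absent sshd answered (REJECT, or nothing listening), "dropped" means nothing answered at all (DROP), and "banner" means the packet filter and sshd are fine and the remaining suspects are in sshd_config, which `check_login` can be run against once that file is copied over. A "no-banner" verdict is what `ssh -vvv` shows as a hang right after "Connection established": the TCP handshake completed but the server's protocol version line never arrived.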