tech-net archive


Re: IPsec vs ssh

On 11/11/2013 6:22 AM, John Nemeth wrote:
> On Nov 11,  1:39am, Darren Reed wrote:
> }
> } I'm experimenting with IPsec and have found that once I have
> } a tunnel working between a pair of NetBSD hosts running IPsec,
> } I can no longer ssh directly from one to the other - or that
> } once I load ipsec.conf, ssh sessions freeze.
> } 
> } The reason for this is that I suspect the SPD (ipsec.conf)
> } ends up specifying that the packets for ssh between the two
> } hosts are to be encrypted and wrapped up by each end point
> } before being sent to the other end.
>      All matching packets will be wrapped and tunneled.  However,
> ssh isn't any different from any other TCP protocol in this regard.
> This is NOT what's breaking ssh.  Since you didn't provide full
> details, it isn't possible to determine what is wrong with your
> config.


The SPD lines that I am currently using are:

spdadd A.B.C.D/32 E.F.G.0/24 icmp -P in ipsec 
spdadd E.F.G.0/24 A.B.C.D/32 icmp -P out ipsec 

And with that, established ssh sessions are not interrupted.

If I change "icmp" to "any", any currently established ssh
sessions stop working.

To be more precise, I don't want ssh packets to be handled
by IPsec because (a) there's no need to encrypt encrypted
data and (b) it preserves ssh access irrespective of the
status of IPsec. I'm not interested in arguing about the
merits of this, this is the policy that I want to deploy
and it seems like it should be possible. Question is,
why can't I?
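One way to write the policy described above in setkey(8) syntax for /etc/ipsec.conf, as an added example that is not part of the original post: tcp traffic to or from port 22 gets an explicit "none" policy so it is passed in the clear, and a trailing "any" pair covers everything else. The direction convention follows the post (A.B.C.D is the remote host, the local host sits in E.F.G.0/24). The tunnel endpoint E.F.G.1 and the "esp/tunnel/.../require" SA specification are assumptions, since the post shows neither.

```conf
# /etc/ipsec.conf fragment, loaded with "setkey -f /etc/ipsec.conf" (or the
# ipsec rc.d script).  Added example, not from the original post.
# A.B.C.D = remote host, E.F.G.0/24 = local network, as in the post.
# E.F.G.1 (local tunnel endpoint) and esp/tunnel/require are ASSUMED here.
spdflush;

# ssh bypass: anything to or from tcp port 22 on either side is "none",
# i.e. sent and accepted in cleartext, so ssh keeps working whether or
# not the tunnel's SAs exist.  Both directions and both port positions
# are needed because policies are one-way and match on the 5-tuple.
spdadd A.B.C.D/32[22]  E.F.G.0/24[any] tcp -P in  none;
spdadd E.F.G.0/24[any] A.B.C.D/32[22]  tcp -P out none;
spdadd A.B.C.D/32[any] E.F.G.0/24[22]  tcp -P in  none;
spdadd E.F.G.0/24[22]  A.B.C.D/32[any] tcp -P out none;

# everything else between the two goes through the ESP tunnel
spdadd A.B.C.D/32 E.F.G.0/24 any -P in  ipsec esp/tunnel/A.B.C.D-E.F.G.1/require;
spdadd E.F.G.0/24 A.B.C.D/32 any -P out ipsec esp/tunnel/E.F.G.1-A.B.C.D/require;
```

Two things to check after loading it. First, the SPD lookup returns the first entry that matches in the kernel's search order, not the most specific one, so dump the policies with "setkey -DP" and confirm the "none" entries are listed ahead of the "any" entries for each direction; if they are not, swap the order in the file and reload. Second, the mirror image of these entries has to be installed on the other host as well, otherwise one side will still try to wrap or expect wrapped ssh packets and the session will stall exactly as described.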

