tech-net archive

Re: IPsec vs ssh
On Mon, Nov 11, 2013 at 01:39:36AM +1100, Darren Reed wrote:
> I'm experimenting with IPsec and have found that once I have
> a tunnel working between a pair of NetBSD hosts running IPsec,
> I can no longer ssh directly from one to the other - or that
> once I load ipsec.conf, ssh sessions freeze.

That strikes me as extremely odd.  Have you tested with any other
TCP based protocol?

For the record, we run SSH over both ESP and AH on TNF's own
servers all the time, and have done so both statically and
dynamically keyed, and it works fine.

Are you also using ipfilter?  Is it perhaps the case that your
ipfilter rules are -- somehow -- blocking some of the ESP packets
carrying the SSH traffic?

It is not too hard to require ESP for traffic to/from a particular
TCP port with the KAME policy engine in NetBSD.  It is quite hard
to create an "everything but X" exception.  One way to do so is
to use transport mode IPsec with a gif interface to get a second,
post-decryption, filter point for the traffic, and use a combination
of IPsec policy and packet filter rules to implement the exception.

This does not play nicely with dynamic keying, however, because
racoon does not know how to deal with the gif interface.

In any case, if your SSH traffic stops flowing when it is encapsulated
in ESP, something is seriously broken; I would proceed no further
without debugging it, certainly not into something as complex as
excluding some traffic from IPsec but not other traffic.

Thor
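As an added illustration of the "require ESP for traffic to/from a particular TCP port" policy Thor mentions (this is not from the original thread), here is a KAME setkey SPD fragment for a host assumed to be 192.0.2.1 talking to a peer assumed to be 192.0.2.2, requiring ESP in transport mode for SSH in both directions:

```conf
# Added example, not part of the thread. Assumed addresses: this host is
# 192.0.2.1, the peer is 192.0.2.2 (both from the RFC 5737 documentation range).
# Load with: setkey -f <file>    Inspect the loaded SPD with: setkey -DP
#
# Each line: spdadd src[port] dst[port] proto -P direction ipsec esp/mode/src-dst/level
# With level "require", the kernel will not pass matching SSH packets in the
# clear: without a usable ESP SA they are dropped rather than sent unprotected,
# which is why a missing or mismatched SA looks like a frozen session.

# This host as SSH client: outbound to the peer's sshd, and the peer's replies.
spdadd 192.0.2.1[any] 192.0.2.2[22] tcp -P out ipsec esp/transport//require;
spdadd 192.0.2.2[22] 192.0.2.1[any] tcp -P in  ipsec esp/transport//require;

# This host as SSH server: inbound to our sshd, and our replies.
spdadd 192.0.2.2[any] 192.0.2.1[22] tcp -P in  ipsec esp/transport//require;
spdadd 192.0.2.1[22] 192.0.2.2[any] tcp -P out ipsec esp/transport//require;
```

If ipfilter is also loaded, its rules must pass ESP (IP protocol 50) between the two hosts in both directions; otherwise the policy above blackholes the SSH connection exactly as the original poster describes.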
