maxux (n00b), Joined: 25 Jul 2010, Posts: 7
Posted: Mon Jul 23, 2012 10:31 pm, Post subject: ssh -w tunnels pings no more after a few seconds
Hi,
I tried to build an ssh tunnel with ssh -w. It works, but after a few seconds the link does not respond anymore:

Code:
client# ssh -Nvw 0:0 remote_host
Password:

Code:
client# ip a add 172.16.0.1/32 peer 172.16.0.2 dev tun0
client# ifconfig tun0 up
server# ip a add 172.16.0.2/32 peer 172.16.0.1 dev tun0
server# ifconfig tun0 up
Just after I brought tun0 up, I started a ping:

Code:
client$ ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_req=1 ttl=64 time=37.2 ms
64 bytes from 172.16.0.2: icmp_req=2 ttl=64 time=44.1 ms
64 bytes from 172.16.0.2: icmp_req=3 ttl=64 time=37.3 ms
64 bytes from 172.16.0.2: icmp_req=4 ttl=64 time=37.3 ms
64 bytes from 172.16.0.2: icmp_req=5 ttl=64 time=37.2 ms
64 bytes from 172.16.0.2: icmp_req=6 ttl=64 time=39.0 ms
64 bytes from 172.16.0.2: icmp_req=7 ttl=64 time=36.5 ms
64 bytes from 172.16.0.2: icmp_req=8 ttl=64 time=36.9 ms
64 bytes from 172.16.0.2: icmp_req=9 ttl=64 time=38.1 ms
64 bytes from 172.16.0.2: icmp_req=10 ttl=64 time=41.6 ms
64 bytes from 172.16.0.2: icmp_req=11 ttl=64 time=36.9 ms
64 bytes from 172.16.0.2: icmp_req=12 ttl=64 time=36.8 ms
[...]
64 bytes from 172.16.0.2: icmp_req=54 ttl=64 time=37.1 ms
[No response anymore]

I tried with different servers and options; it fails each time after about 50 seconds. I see no errors in the ssh -v logs, and with tcpdump the client sends the ping through tun0, but the server does not receive it. I have no special iptables rules.
Where would the problem be?
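A fuller version of the bring-up in the post above, as an added example that is not part of the thread: it checks the server-side prerequisite that the post does not mention (sshd ships with PermitTunnel no, and then ssh -w is refused as "administratively prohibited"), waits for the tun device to exist before addressing it, and adds ssh keepalives so a dead session is noticed rather than hanging. The hostname remote_host, the 172.16.0.x addresses and the root shells are the post's placeholders; the path /etc/ssh/sshd_config is an assumption. Nothing here claims to explain the 50-second stall the post describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Assumptions (placeholders): the remote host is "remote_host", both ends
# run as root, and /etc/ssh/sshd_config on the server is readable over ssh.
set -eu

REMOTE=${REMOTE:-remote_host}
LOCAL_IP=172.16.0.1
PEER_IP=172.16.0.2
TUN=0

# Return 0 when an sshd_config (file argument, or stdin when none) enables
# layer-3 tunnels. sshd uses the first value it sees for a keyword, so the
# first uncommented PermitTunnel line wins; no line at all means the default,
# "no", and ssh -w is then refused with "administratively prohibited".
permit_tunnel_enabled() {
    awk 'tolower($1) == "permittunnel" { v = tolower($2); exit }
         END { exit !(v == "yes" || v == "point-to-point") }' "${1:--}"
}

# Wait up to $2 seconds for interface $1 to appear in sysfs.
wait_for_iface() {
    iface=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        [ -d "/sys/class/net/$iface" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

bring_up() {
    # Check the server side before opening the tunnel.
    if ! ssh "$REMOTE" cat /etc/ssh/sshd_config | permit_tunnel_enabled; then
        echo "PermitTunnel is not enabled on $REMOTE; set 'PermitTunnel yes' in sshd_config" >&2
        return 1
    fi
    # -N: no remote command, -f: go to background after authentication,
    # -w local:remote tun numbers. ServerAliveInterval/CountMax make ssh
    # tear down a session whose TCP connection has died; they do not change
    # how the tunnel itself behaves.
    ssh -N -f -o Tunnel=point-to-point -o ServerAliveInterval=15 \
        -o ServerAliveCountMax=3 -w "$TUN:$TUN" "$REMOTE"
    wait_for_iface "tun$TUN" 10
    ip addr add "$LOCAL_IP/32" peer "$PEER_IP" dev "tun$TUN"
    ip link set "tun$TUN" up
    # The remote tun device exists for as long as the ssh session above lives.
    ssh "$REMOTE" "ip addr add $PEER_IP/32 peer $LOCAL_IP dev tun$TUN && ip link set tun$TUN up"
    ping -c 3 -W 2 "$PEER_IP"
}

# Only act when explicitly asked, so that sourcing the file has no side effects.
if [ "${1:-}" = up ]; then
    bring_up
fi
```

Run it on the client as `sh tunnel.sh up`. When the ping stops, compare tcpdump on the client's tun0 with tcpdump on the server's tun0, and look at the state of the ssh TCP connection itself (`ss -tni`): that separates a tunnel channel that has stopped forwarding from a TCP session that has died.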
khayyam (Veteran), Joined: 07 Jun 2012, Posts: 1307
Posted: Tue Jul 24, 2012 4:29 am
maxux ...
Just like the flow of water depends on gravity, TCP depends on packet loss. So, if you tunnel TCP over TCP, it's only the traffic created by the tunnel that is exposed to this; inside the tunnel it's more like a vacuum in which the traffic has no idea what the hell it should be doing, as there is no friction or what-have-you. It's a well-known problem with ssh tunneling.
So the best method to set up such tunnels is to use something that assembles/disassembles the stream on either end ... data over TCP, not TCP over TCP ... and for this I would recommend net-proxy/sshuttle.
best ... khay
maxux (n00b), Joined: 25 Jul 2010, Posts: 7
Posted: Tue Jul 24, 2012 4:21 pm
Thanks, I'll try that.
Jimmy Jazz (Apprentice), Joined: 04 Oct 2004, Posts: 271, Location: Strasbourg
Posted: Tue Jul 24, 2012 9:08 pm
maxux wrote:
> Thanks, I'll try that.

And that?

Code:
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
maxux (n00b), Joined: 25 Jul 2010, Posts: 7
Posted: Wed Jul 25, 2012 4:51 pm
Same.
I tried these options on client and server (via /proc).