[Swan] weird connection issue el7->el6

Simon Peeters simon at inuits.eu
Mon Jul 20 16:21:02 EEST 2015


hey all,

We are having a weird problem getting an IPsec link to work for our
local development setup.

The setup is (IP addresses changed slightly):
  boxA: CentOS 7 behind NAT (and over an ADSL line); ports 500 and 4500
are forwarded
    - private subnet IP is 10.50.32.1/19
    - IP on the inside of the NAT is 192.168.1.10/24
    - router at 192.168.1.1 has the public IP (let's say 123.4.5.6)
  boxB: CentOS 6, our production IPsec "master"; has multiple connections
to other machines, all working nicely
    - private subnet IP is 10.50.0.1/19
    - has a public IP (let's say 1.2.3.4)

The issue (below all using the private subnet IPs):
  we can ping A -> B and B -> A
  we can ssh B -> A
  we can't ssh A -> B (hangs on debug1 expecting
ssh2_msg_kex_dh_gex_group)
  we can HTTP GET from A to B
  we can't HTTP POST from A to B (timeout waiting for form data)
If I set up a CentOS 6 node to replace box A (with the same config), all
of the above works perfectly.

I suspect this to be MTU related, but haven't figured out how.


Greetings

Simon Peeters
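Added example, not part of the original post: a small shell probe for checking the MTU suspicion above. It sends DF-flagged pings of varying size from box A toward box B's private address (10.50.0.1 from the post) and binary-searches the largest payload that still gets through the tunnel; it assumes Linux iputils ping (the `-M do`, `-s`, `-c`, `-W` options) and that the private address used as the target is reachable over the IPsec link.

```shell
#!/bin/bash
# Added example (not from the original post): find the path MTU through the
# IPsec tunnel by probing with Don't-Fragment pings. Large packets being
# silently dropped would explain why ping and small GETs work while SSH key
# exchange and HTTP POST hang.

PEER="10.50.0.1"      # box B's private subnet IP from the post; overridden by $1

# IPv4 header (20 bytes) + ICMP header (8 bytes) on top of the ping payload.
ICMP_OVERHEAD=28

# Convert a ping payload size into the size of the IPv4 packet it produces.
payload_to_pkt() {
    echo $(( $1 + ICMP_OVERHEAD ))
}

# Return 0 if one DF-flagged ping with a payload of $1 bytes reaches PEER.
probe() {
    ping -M do -s "$1" -c 1 -W 2 "$PEER" >/dev/null 2>&1
}

# Binary search for the largest payload in [lo, hi] the probe command accepts.
# The probe command is passed in so the search can be exercised offline.
find_max_payload() {
    local cmd="$1" lo="$2" hi="$3" mid best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$cmd" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Constructed stand-in for probe (assumption): models a link whose path MTU
# is 1400 bytes, so any packet larger than that is dropped.
fake_probe() { [ $(( $1 + ICMP_OVERHEAD )) -le 1400 ]; }

main() {
    local max
    [ -n "$1" ] && PEER="$1"
    # 1472 is the largest payload that fits a 1500-byte Ethernet MTU.
    max=$(find_max_payload probe 0 1472)
    echo "largest DF ping payload that reaches $PEER: $max bytes"
    echo "path MTU toward $PEER: $(payload_to_pkt "$max") bytes"
}

[ $# -gt 0 ] && main "$1"
```

Run it as `./pmtu-probe.sh 10.50.0.1` on box A; a reported path MTU well below the tunnel interface MTU is the figure to clamp the MSS or tunnel MTU to.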

