VPN Tunnel Drops When I Connect via SSH
When I connect to a VPN server using SSH (Secure Shell), all my network traffic, including that which I use while connected to the VPN, drops. Is there any way to retain my previous network behavior when I’m connected to a VPN via SSH?
Problem Description
I use the Cisco AnyConnect Secure Mobility Client to connect to my WiFi network, which is protected by my home WiFi router using OpenVPN. The VPN provides security and encryption for my network traffic, as well as a private network for my device. Everything works great when I use the VPN and my SSH client on the same network. However, as soon as I disconnect from the VPN and connect to it using SSH, my network traffic drops. I know that I’ve got an open VPN connection because when I use the command-line interface of my SSH client, I can see packets being sent to the VPN server. From what I’ve read and observed, I believe this is a problem with the Cisco AnyConnect Secure Mobility Client. Is this a known issue? Is there anything I can do to retain my previous network behavior when I’m connected to a VPN via SSH?
System Information
Here are the specifications for my computer system:
- Windows 7 Professional 64-bit
- Intel Core i5-4460 CPU @ 3.20GHz
- NVIDIA GeForce GTX 500 Ti BFG GPU
- 12GB of RAM
- 1 TB hard drive space
- Cisco AnyConnect Secure Mobility Client version 2.4.2.0
- OpenVPN version 2.3.2
- SSH version 2.9.1
- Home WiFi router (Linksys WRT160N version 4.0)
Here are the specifications for my VPN server:
- Windows Server 2012 R2 Standard Edition
- 4 cores 2.8GHz
- 16GB of RAM
- 1TB hard drive space (C:)
- Cisco ASA 5500 Series VPN Server
- VPN software version 5.5
- OpenVPN version 2.3.2
- OS version 12.4(SP1)
- SSH version 2.9.1
Here are the specifications for my Smartphone:
- Android 4.4.2 (Kiwi)
- 1GB of RAM
- 8GB of internal storage
- Dual-SIM Card with 4G LTE capability (Nokia Lumia 1020)
- Windows Phone 8.1 (Bundled with Windows 10)
Here are the network policies for my network:
- Wired: Enabled
- Wireless: Disabled
- Public: Enabled
- Private: Enabled
I’m not sure what other system-related information is pertinent. Feel free to ask me for additional details.
Research
I did a bit of research on this topic since I encountered it, and I found that there are two issues which I should address:
- The first issue has to do with IP addressing. When I’m connected to the VPN, all my traffic (that I can see) is sent to the VPN server. The VPN server handles all the routing and forwards my packets to their intended destinations. However, when I’m connected to the VPN server using SSH, my IP addressing is not handled by the VPN server. Instead, my ISP’s default gateway handles my IP addressing. The result is that all my network traffic, which includes whatever I’m doing on the computer while connected to the VPN, drops whenever I’m connected to it through SSH. (This issue is independent of the VPN server software.)
- The second issue is related to the Cisco AnyConnect Secure Mobility Client. When I’m connected to the VPN server, all the network traffic, which includes whatever I’m doing on the computer while connected to the VPN server, is encrypted using RSA-based public key cryptography. However, when I’m connected to the VPN server using SSH, the traffic which is transmitted is not encrypted. It is encapsulated, but not encrypted. Is there any way, within the Cisco AnyConnect Secure Mobility Client, to encrypt my network traffic when I’m connected to the VPN server using SSH? (The encapsulation and lack of encryption is a Cisco issue, which I have to address independently of the VPN issue.)
Possible Solutions
So, what solutions do I see here? I believe that there are actually two separate, but related, solutions which could address my issue:
The first solution is to re-establish my network connections within the VPN server. This could be done in one of two ways:
The first way is to establish a static association between my network interface and the VPN server. This could be done by editing the VPN server’s configuration files and restarting the service. (The association is not broken, just waiting to be reestablished.)

The second way is to use the IP-less method to connect to the VPN server. (The IP-less method is a way of getting your device to communicate directly with the VPN server without going through your network interface, which prevents all my network traffic, including that which I use while connected to the VPN server, from dropping when I’m connected to it through SSH.) This is because the VPN server is not aware that I’m no longer connected to its network interface when I’m using SSH to connect to it. Therefore, it keeps thinking that I’m still connected to its network interface, and all the security and traffic-filtering measures which it uses when I’m connected to its network interface still apply. (This method also has the added benefit of encrypting all my network traffic while I’m connected to the VPN server.)
The second solution is to fix the IP addressing issue which results in all my network traffic, including that which I use while connected to the VPN server, dropping whenever I’m connected to it via SSH. This could be done by either of the following methods:
The first method is to connect to the VPN server using the IP-less method and establish a tunnel all the way to the VPN server’s interface. Then, I could use either one of the two SSH connections, made without the need to authenticate, to send my network traffic to the VPN server. When I’m connected to the VPN server with this method, all my network traffic is encrypted and sent to the intended destination, as it should be. (VPN server side: IP-less method; client side: either of the two SSH connections.)

The second method is to edit my network interfaces while connected to the VPN server and tell it to only use my ISP’s default gateway for IP addressing, instead of connecting to the VPN server. (VPN server side: only use my ISP’s default gateway for IP addressing; client side: tell my network interface to only use my default gateway for IP addressing.)
I don’t believe that there is a perfect solution here, but hopefully, one of these two solutions will resolve my issue. Of course, it’s also possible that there is another solution which I haven’t thought of yet.