Pfsense, IPsec MSS Clamping and SSH connectivity issue
I have two pfSense firewalls for two sites. The sites are connected to each other with a pfSense IPsec tunnel.
Today I experienced a strange issue. I can ssh from one site to the other without any issue, but I can't ssh from the other site.
$ telnet 192.168.1.100 22
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
I can get the SSH banner with telnet, but ssh -l user 192.168.1.100 does not work. The ssh connection stays in the expecting SSH2_MSG_KEX_ECDH_REPLY state:
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
After searching on Google, I added the -o MACs=hmac-sha2-256 parameter to ssh:
$ ssh -l user 192.168.1.100 -o MACs=hmac-sha2-256
user@192.168.1.100's password:
But it is not a good idea to tell everyone to add this parameter. The problem was related to the MTU size. I enabled Maximum MSS in VPN->IPsec->Advanced Settings and set the value to 1350.
Now I can connect to the remote site without changing the SSH parameter.
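To pick the MSS clamp value instead of guessing, you can measure the MTU that actually survives the tunnel and subtract the IP and TCP headers. The script below is an added example, not part of the original post or of pfSense: it binary-searches the largest don't-fragment ping that gets through (Linux iputils ping -M do is assumed; the probe can be swapped for another tool) and derives the MSS. The KEX reply hangs because it is the first large packet of the session; when it exceeds the tunnel MTU and the ICMP "fragmentation needed" message never arrives, it is silently dropped while the small banner exchange works.

```python
#!/usr/bin/env python3
"""Probe the path MTU across a tunnel and derive a TCP MSS clamp value."""
import subprocess
from typing import Callable, Optional

IP_HEADER = 20    # IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo header; ping -s counts only the bytes after it
TCP_HEADER = 20   # TCP header, no options

Probe = Callable[[str, int], bool]


def ping_probe(host: str, payload: int) -> bool:
    """One don't-fragment echo with the given ICMP payload (Linux iputils flags assumed)."""
    cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(host: str, probe: Probe = ping_probe,
                  low: int = 576, high: int = 1500) -> Optional[int]:
    """Largest IP packet size that passes unfragmented, or None if even `low` fails."""
    lo = low - IP_HEADER - ICMP_HEADER     # smallest payload we assume must work
    hi = high - IP_HEADER - ICMP_HEADER    # payload for a full Ethernet-sized packet
    if not probe(host, lo):
        return None
    while lo < hi:                          # invariant: payload `lo` is known to pass
        mid = (lo + hi + 1) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """MSS that keeps a full TCP segment within the measured MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def clamp_is_sufficient(mss_setting: int, path_mtu: int) -> bool:
    """True if the configured clamp (e.g. 1350 in pfSense) fits the measured path."""
    return mss_setting <= mss_for_mtu(path_mtu)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"  # host from the post
    mtu = find_path_mtu(target)
    print("no unfragmented reply" if mtu is None else f"path MTU {mtu}, MSS {mss_for_mtu(mtu)}")
```

Run it from one site against a host on the far side of the tunnel; the printed MSS is the largest safe clamp, and a lower value such as 1350 simply leaves extra headroom for ESP overhead.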
Ismail YENIGUL
Devops Engineer