The Tridecadal Korean (astralblue) wrote,
NTT/Verio blocks IPsec

So I have been troubleshooting this IPsec tunnel between my home and work, which stopped working after the office moved from Palo Alto to San Mateo.

After much headache which arose from consulting 10+ RFCs and manpages as well as trying to reconstruct the tunnel essentially from scratch, I finally found the culprit:

seerajeane 01:19:59 rc.conf.d # 171 ping6 <something>
PING6(56=40+8+8 bytes) <me> --> <something>
[1]+ Stopped ping6 <something>
seerajeane 01:20:03 rc.conf.d # 172 bg
[1]+ ping6 <something> &
seerajeane 01:20:03 rc.conf.d # 173 tcpdump -nvvvv -iem0 'not tcp and not udp'
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) <me> > <something>: AH(spi=0x00000100,sumlen=16,seq=0x26b): ESP(spi=0x00000100,seq=0x26b), length 48
01:20:08.345553 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:418:1c00:5000::12 > <me>: ICMP6, destination unreachable, length 120[|icmp6] ← !!!
2 packets captured
2 packets received by filter
0 packets dropped by kernel
seerajeane 01:20:09 rc.conf.d # 174 host 2001:418:1c00:5000::12 ← I mean, who is this fucker that blindly rejects AH/ESP? domain name pointer ← OMGWTF
seerajeane 01:20:12 rc.conf.d # 175

A US backbone router in, that is, the US backbone operator of NTT, that is, Verio.  Yes, you can say I am ashamed.
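As an added example (not code from the original post), here is a small Python checker that applies the same diagnosis to `tcpdump -v` IPv6 output: it tracks our outbound AH/ESP packets and flags an ICMPv6 "destination unreachable" that comes back from any node other than the tunnel peer, which is exactly the signature in the capture above. The addresses and capture lines are constructed with documentation prefixes and are not the post's real ones.

```python
import re
from dataclasses import dataclass

# One tcpdump -v IPv6 summary line, e.g.
# "01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) SRC > DST: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 \(hlim (?P<hlim>\d+), "
    r"next-header: (?P<nh>[A-Za-z0-9]+) \((?P<nhnum>\d+)\), length: \d+\) "
    r"(?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): (?P<rest>.*)$"
)
IPSEC_NEXT_HEADERS = {50: "ESP", 51: "AH"}   # IANA protocol numbers
ICMPV6 = 58

@dataclass
class Finding:
    timestamp: str
    blocker: str     # node that sent the ICMPv6 error (not our peer)
    peer: str        # IPsec peer we were sending AH/ESP to
    protocol: str    # "AH" or "ESP"
    reply_hlim: int  # hop limit of the error reply, a rough distance hint

def find_ipsec_blockers(lines, local_addr):
    """Flag ICMPv6 'destination unreachable' errors sent to us by a third party
    right after we transmitted AH/ESP.  With a small snaplen (96 bytes above)
    the quoted inner packet is truncated ([|icmp6]), so the error is matched
    to our most recent outbound IPsec packet rather than decoded."""
    last_ipsec = None  # (peer, protocol) of our latest outbound AH/ESP packet
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # shell prompts, tcpdump banner, packet counters
        src, dst, nh = m["src"], m["dst"], int(m["nhnum"])
        if src == local_addr and nh in IPSEC_NEXT_HEADERS:
            last_ipsec = (dst, IPSEC_NEXT_HEADERS[nh])
        elif (dst == local_addr and nh == ICMPV6 and last_ipsec is not None
              and "destination unreachable" in m["rest"]):
            peer, proto = last_ipsec
            if src != peer:  # the peer itself rejecting is a different problem
                findings.append(Finding(m["ts"], src, peer, proto, int(m["hlim"])))
    return findings

# Constructed sample capture mirroring the post (documentation addresses).
LOCAL = "2001:db8:1::1"   # home endpoint
PEER = "2001:db8:2::1"    # office endpoint
SAMPLE_CAPTURE = [
    "01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) 2001:db8:1::1 > 2001:db8:2::1: AH(spi=0x00000100,sumlen=16,seq=0x26b): ESP(spi=0x00000100,seq=0x26b), length 48",
    "01:20:08.345553 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:db8:ffff::12 > 2001:db8:1::1: ICMP6, destination unreachable, length 120[|icmp6]",
    "2 packets captured",
]

if __name__ == "__main__":
    for f in find_ipsec_blockers(SAMPLE_CAPTURE, LOCAL):
        print(f"{f.timestamp}: {f.blocker} rejected our {f.protocol} to {f.peer} (reply hlim {f.reply_hlim})")
```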

/me is an employee of an NTT subsidiary

Tags: ipsec, ntt, verio
