So I have been troubleshooting this IPsec tunnel between my home and work, which stopped working after the office moved from Palo Alto to San Mateo.
After much headache which arose from consulting 10+ RFCs and manpages as well as trying to reconstruct the tunnel essentially from scratch, I finally found the culprit:
seerajeane 01:19:59 rc.conf.d # 171 ping6 <something>
PING6(56=40+8+8 bytes) <me> --> <something>
+ Stopped ping6 <something>
seerajeane 01:20:03 rc.conf.d # 172 bg
+ ping6 <something> &
seerajeane 01:20:03 rc.conf.d # 173 tcpdump -nvvvv -iem0 'not tcp and not udp'
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) <me> > <something>: AH(spi=0x00000100,sumlen=16,seq=0x26b): ESP(spi=0x00000100,seq=0x26b), length 48
01:20:08.345553 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:418:1c00:5000::12 > <me>: ICMP6, destination unreachable, length 120[|icmp6] ← !!!
2 packets captured
2 packets received by filter
0 packets dropped by kernel
seerajeane 01:20:09 rc.conf.d # 174 host 2001:418:1c00:5000::12 ← I mean, who is this fucker that blindly rejects AH/ESP?
p6.arpa domain name pointer fa-0.ntta-ntt.plalca01.us.bb.gin.ntt.net. ← OMGWTF
seerajeane 01:20:12 rc.conf.d # 175
A US backbone router in NTT.net, that is, the US backbone operator of NTT, that is, Verio. Yes, you can say I am ashamed.
/me is an employee of an NTT subsidiary
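The diagnosis above (send traffic through the tunnel, capture everything that is not TCP or UDP, and see who answers) can be turned into a small checker. The following is an added example, not the author's code: it reads `tcpdump -n` text lines in the format shown in the capture above (older tcpdump output; newer versions print the IPv6 header fields differently, so the regex is tied to this layout), correlates each ICMPv6 destination unreachable with the most recent outbound AH or ESP packet, and reports whether the error came from the tunnel peer itself or from a third address, i.e. an on-path router that refused to forward IPsec. The sample lines are constructed, using documentation addresses (2001:db8::/32) as placeholders for the local host, the peer and the hop; the local address passed in is an assumption. It also flags the `[|icmp6]` marker, which means the 96-byte capture size cut off the ICMPv6 body before the unreachable code, so the capture cannot distinguish "administratively prohibited" from "no route"; a recapture with `tcpdump -s 0` would show it.

```python
import re
from dataclasses import dataclass

IPSEC_PROTOS = {"AH", "ESP"}  # next-header names tcpdump prints for protocols 51 and 50

# Matches the IPv6 summary line layout seen in the capture above:
# "HH:MM:SS.usec IP6 (hlim N, next-header: NAME (num), length: N) src > dst: payload"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 \(hlim \d+, next-header: (?P<nh>\w+) \(\d+\), length: \d+\) "
    r"(?P<src>[0-9A-Fa-f:.]+) > (?P<dst>[0-9A-Fa-f:.]+): (?P<rest>.*)$"
)


@dataclass
class Packet:
    t: float   # seconds since midnight, from the tcpdump timestamp
    nh: str    # next-header name as printed (AH, ESP, ICMPv6, ...)
    src: str
    dst: str
    rest: str  # payload description after "src > dst: "


@dataclass
class Finding:
    t: float
    proto: str         # AH or ESP packet that provoked the error
    peer: str          # tunnel peer the IPsec packet was sent to
    reporter: str      # address that sent the ICMPv6 error
    third_party: bool  # reporter is neither endpoint: an on-path router dropped the packet
    truncated: bool    # tcpdump printed [|icmp6]: ICMPv6 body cut off by the snaplen


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Parse one tcpdump line; returns None for lines that are not IPv6 packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(_seconds(m["ts"]), m["nh"], m["src"], m["dst"], m["rest"])


def find_ipsec_rejections(lines, local, window=2.0):
    """Pair each ICMPv6 destination unreachable addressed to `local` with the most
    recent outbound AH/ESP packet sent within `window` seconds. Errors that arrive
    with no recent IPsec packet to blame are ignored as unrelated."""
    recent = []    # outbound AH/ESP packets still inside the correlation window
    findings = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p.src == local and p.nh in IPSEC_PROTOS:
            recent.append(p)
            continue
        if p.dst == local and p.nh == "ICMPv6" and "destination unreachable" in p.rest:
            recent = [q for q in recent if p.t - q.t <= window]
            if not recent:
                continue
            q = recent[-1]
            findings.append(Finding(
                t=p.t, proto=q.nh, peer=q.dst, reporter=p.src,
                third_party=p.src not in (local, q.dst),
                truncated="[|icmp6]" in p.rest,
            ))
    return findings


def describe(f):
    who = "on-path router" if f.third_party else "tunnel peer"
    msg = f"{who} {f.reporter} returned ICMPv6 destination unreachable for {f.proto} to {f.peer}"
    if f.truncated:
        msg += " (ICMPv6 body truncated; recapture with tcpdump -s 0 to see the code)"
    return msg


# Constructed sample capture: 2001:db8::1 is the local host, 2001:db8:ffff::2 the tunnel
# peer and 2001:db8:aaaa::12 a hypothetical backbone hop. Not taken from a real network.
SAMPLE = """\
01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) 2001:db8::1 > 2001:db8:ffff::2: AH(spi=0x00000100,sumlen=16,seq=0x26b): ESP(spi=0x00000100,seq=0x26b), length 48
01:20:08.345553 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:db8:aaaa::12 > 2001:db8::1: ICMP6, destination unreachable, length 120[|icmp6]
01:20:12.000000 IP6 (hlim 64, next-header: ESP (50), length: 100) 2001:db8::1 > 2001:db8:ffff::2: ESP(spi=0x00000200,seq=0x1), length 80
01:20:12.050000 IP6 (hlim 63, next-header: ICMPv6 (58), length: 120) 2001:db8:ffff::2 > 2001:db8::1: ICMP6, destination unreachable, unreachable port, length 120
01:20:20.000000 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:db8:aaaa::12 > 2001:db8::1: ICMP6, destination unreachable, length 120[|icmp6]
""".splitlines()

if __name__ == "__main__":
    for f in find_ipsec_rejections(SAMPLE, local="2001:db8::1"):
        print(describe(f))
```

Feed it real output with `tcpdump -n -i em0 'ip6 proto 50 or ip6 proto 51 or icmp6' | python3 checker.py` style plumbing once the regex is adjusted to your tcpdump's header layout; the point of the third-party check is that an error from the peer means a policy or SA mismatch between the two endpoints, while an error from anyone else means the path itself is filtering protocols 50/51, which no amount of reconfiguring the tunnel will fix.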