The Tridecadal Korean (astralblue) wrote,

NTT/Verio blocks IPsec

So I have been troubleshooting this IPsec tunnel between my home and work, which stopped working after the office moved from Palo Alto to San Mateo.

After much headache which arose from consulting 10+ RFCs and manpages as well as trying to reconstruct the tunnel essentially from scratch, I finally found the culprit:

seerajeane 01:19:59 rc.conf.d # 171 ping6 <something>
PING6(56=40+8+8 bytes) <me> --> <something>
^Z
[1]+ Stopped ping6 <something>
seerajeane 01:20:03 rc.conf.d # 172 bg
[1]+ ping6 <something> &
seerajeane 01:20:03 rc.conf.d # 173 tcpdump -nvvvv -iem0 'not tcp and not udp'
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
01:20:08.321079 IP6 (hlim 64, next-header: AH (51), length: 72) <me> > <something>: AH(spi=0x00000100,sumlen=16,seq=0x26b): ESP(spi=0x00000100,seq=0x26b), length 48
01:20:08.345553 IP6 (hlim 59, next-header: ICMPv6 (58), length: 120) 2001:418:1c00:5000::12 > <me>: ICMP6, destination unreachable, length 120[|icmp6] ← !!!
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
seerajeane 01:20:09 rc.conf.d # 174 host 2001:418:1c00:5000::12 ← I mean, who is this fucker that blindly rejects AH/ESP?
2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.c.1.8.1.4.0.1.0.0.2.ip6.arpa domain name pointer fa-0.ntta-ntt.plalca01.us.bb.gin.ntt.net. ← OMGWTF
seerajeane 01:20:12 rc.conf.d # 175

A US backbone router in NTT.net, that is, the US backbone operator of NTT, that is, Verio.  Yes, you can say I am ashamed.

/me is an employee of an NTT subsidiary

Tags: ipsec, ntt, verio
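The capture above was cut at 96 bytes (`[|icmp6]`), so the unreachable code and the quoted packet are not visible. The following is an added example, not part of the original post: a decoder for a full ICMPv6 Destination Unreachable message that reports the code and which protocol and SPI were rejected. The sample message is constructed: the addresses are from the documentation prefix, and code 1 is an assumption, since the post does not show which code the router returned.

```python
import ipaddress
import struct

# ICMPv6 Destination Unreachable (type 1) codes, RFC 4443 section 3.1
UNREACH_CODES = {
    0: "no route to destination",
    1: "communication administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}
NEXT_HEADERS = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 58: "ICMPv6"}


def decode_unreachable(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Destination Unreachable and the packet it quotes."""
    if len(icmp6) < 8 + 40:
        raise ValueError("truncated: need ICMPv6 header plus quoted IPv6 header")
    msg_type, code, _cksum, _unused = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != 1:
        raise ValueError(f"not a Destination Unreachable (type {msg_type})")
    quoted = icmp6[8:]  # the invoking packet, as much of it as was returned
    if quoted[0] >> 4 != 6:
        raise ValueError("quoted packet is not IPv6")
    next_header = quoted[6]
    result = {
        "reason": UNREACH_CODES.get(code, f"unknown code {code}"),
        "rejected_proto": NEXT_HEADERS.get(next_header, str(next_header)),
        "src": str(ipaddress.IPv6Address(quoted[8:24])),
        "dst": str(ipaddress.IPv6Address(quoted[24:40])),
        "spi": None,
    }
    # AH: next header, length, reserved (4 bytes), then SPI; ESP: SPI comes first
    if next_header == 51 and len(quoted) >= 48:
        result["spi"] = struct.unpack("!I", quoted[44:48])[0]
    elif next_header == 50 and len(quoted) >= 44:
        result["spi"] = struct.unpack("!I", quoted[40:44])[0]
    return result


def build_sample() -> bytes:
    """Constructed 120-byte sample: code 1 quoting an AH packet, SPI 0x100."""
    src = ipaddress.IPv6Address("2001:db8::1").packed  # constructed address
    dst = ipaddress.IPv6Address("2001:db8::2").packed  # constructed address
    ipv6 = struct.pack("!IHBB", 6 << 28, 72, 51, 60) + src + dst
    ah = struct.pack("!BBHII", 50, 5, 0, 0x100, 0x26B) + b"\x00" * 16  # 16-byte ICV
    return struct.pack("!BBHI", 1, 1, 0, 0) + ipv6 + ah + b"\x00" * 44  # ESP stand-in
```

The ICMPv6 checksum in the sample is left at zero and is not verified by the decoder.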