On Tue, 01 Feb 2011 08:54:47 EST, Steve Danelli said:
> Some carrier, somewhere between us and the service provider is selectively
> dropping the IKE packets originating from our VPN gateway and destined for
> our Brazil gateway. Other traffic is able to pass, as are the IKE packets
> coming back from Brazil to us. This is effectively preventing us from
> establishing the IPSEC tunnel between our gateways.

Has IKE been known to work to that location before? Or is this something new?

My first guess is some chucklehead banana-eater at the service provider either fat-fingered the firewall config, or semi-intentionally blocked it because it was "traffic on a protocol/port number they didn't understand so it must be evil".

> Also something else is awry, for two given hosts on the same subnet (x.y.z.52
> and x.y.z.53), they take two wildly divergent paths:

> Anyone have any insight on to what may be occurring?

The paths appear to diverge at 67.16.142.238. I wonder if that's gear trying to do some load-balancing across 2 paths, and it's using the source IP as a major part of the selector function ("route to round-robin interface source-IP mod N" or similar?).

The other possibility is your two traceroutes happened to catch a routing flap in progress (obviously not the case if the two routes are remaining stable).

Sorry I can't be more helpful than that...