On Tue, 01 Feb 2011 08:54:47 EST, Steve Danelli said: > Some carrier, somewhere between us and the service provider is selectively > dropping the IKE packets originating from our VPN gateway and destined for > our Brazil gateway. Other traffic is able to pass, as are the IKE packets > coming > back from Brazil to us. This is effectively preventing us from establishing > the IPSEC tunnel between our gateways.
Has IKE been known to work to that location before? Or is this something new?
My first guess is some chucklehead banana-eater at the service provider either
fat-fingered the firewall config, or semi-intentionally blocked it because it
was "traffic on a protocol/port number they didn't understand so it must be
evil".
> Also something else is awry, for two given hosts on the same subnet (x.y.z.52
> and x.y.z.53), they take two wildly divergent paths:
> Anyone have any insight on to what may be occurring?
The paths appear to diverge at 67.16.142.238. I wonder if that's gear trying
to do some load-balancing across 2 paths, and it's using the source IP as a
major part of the selector function ("route to round-robin interface source-IP
mod N" or similar?).
The other possibility is your two traceroutes happened to catch a routing flap
in
progress (obviously not the case if the two routes are remaining stable).
Sorry I can't be more helpful than that...
pgpYoxsSsAZQY.pgp
Description: PGP signature
