IPSec Rule #1


After years of filling in as Acting Network Guy (now ending, thankfully), I have decided that there’s really only one thing I’m certain of: IPSec problems are always at the other end.

This was demonstrated yet again this morning when we were trying to change our end of a tunnel that had been up for several years from a /32 to a /24, so that additional machines could route through the tunnel. On my end (OpenBSD), this was a one-line change in ipsec.conf and a one-line change in pf.conf. On their end, which involved Real Networking Hardware, it was days of fumbling that left the old /32 tunnel up while they insisted they’d switched their config.

It took a 45-minute conference call this morning to get it straightened out, which I basically spent watching anime with the sound off while their tech guy cleaned cruft out of his configs and rebuilt their end from scratch.

[unrelated, my co-lo had a power outage, and my ancient beta WebEngine never auto-boots completely; you have to hit the big red button on the front. Sadly, the folks at the co-lo had no success with the big red button, so I had to scrounge around the house for the custom console adapter this thing uses, and stop by on my way to work today to watch it fsck the disks. They’ve had several outages this year, and I think it’s time to move the server to one of the statics on my Comcast Business line and then upgrade it to something more powerful than a 500MHz Pentium 3 with 256MB of RAM.]