[nycbug-talk] [Fwd: tunnel help request]
nikolai
nikolai at fetissov.org
Tue Oct 30 15:04:43 EDT 2007
> On Tue 2007.10.30 at 12:31 -0400, nikolai wrote:
>> > On Tue 2007.10.30 at 11:53 -0400, nikolai wrote:
>> >> Hi,
>> >>
>> >> Need some help here :)
>> >
>> > for starters....
>> >
>> >> Thinking that following Gene's v6 guide would be good
>> >> Sunday afternoon fun I registered a tunnel with HE.
>> >> 2001:470:1f06:ad::2 is my end of the tunnel,
>> >> 2001:470:1f07:ad/64 is my assigned ip space.
>> >> No luck so far though.
>> >> My router is OpenBSD-current, here's the config:
>> >>
>> >> Tunnel:
>> >> ~$ cat /etc/hostname.gif0
>> >> up giftunnel 67.86.49.123 209.51.161.14
>> >> up inet6 2001:470:1f06:ad::2 2001:470:1f06:ad::1 prefixlen 128
>> >> !route -n add -inet6 default 2001:470:1f06:ad::1
>> >
>> > this should do it:
>> > tunnel 67.86.49.123 209.51.161.14
>> > inet6 2001:470:1f06:ad::2
>> > !route add -inet6 default 2001:470:1f06:ad::1
>>
>> Noted, thanks.
>>
>> >
>> >> Gene's pdf says prefixlen 64 for gif, which I think is wrong -
>> >> it should be 128 for the tunnel.
>> >>
>> >> ~$ ifconfig gif0
>> >> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> >> groups: gif
>> >> physical address inet 67.86.49.123 --> 209.51.161.14
>> >> inet6 fe80::2c0:a8ff:fefd:2a69%gif0 -> prefixlen 64 scopeid 0x6
>> >> inet6 2001:470:1f06:ad::2 -> 2001:470:1f06:ad::1 prefixlen 128
>> >
>> > can you ping the tunnel endpoint over ipv6?
>> > ping6 2001:470:1f06:ad::1
>>
>> Nope, nothing.
>
> well, that's the first thing to solve :) you've gotta be able to ping
> your tunnel endpoint.
>
> can you post your ifconfig gif0 again, after destroying and re-creating
> with the noted hostname.gif0? the last line doesn't look right.
>
> [snip]
>
>> > are you allowing proto ipv6 through pf?
>> >
>>
>> I have:
>> scrub in
>> block in log
>> pass out
>> # and for giggles
>> pass in log on $ext_if proto encap from 209.51.161.14
>>
>> Do I need explicit ipv6 rules on any of the interfaces,
>> ext_if, int_if, gif? What are they?
>> tcpdump on external if shows encap icmp6 leaving, nothing back.
>
> but you need to pass in proto ipv6! (over ipv4). for example:
>
> pass in on egress inet proto ipv6 from 209.51.161.14 to (egress) keep state
> pass out on egress inet proto ipv6 from (egress) to 209.51.161.14 keep state
>
> [snip]

Added these two to my pf.conf.

Here's updated config:

~$ cat /etc/hostname.gif0
tunnel 67.86.49.123 209.51.161.14
inet6 2001:470:1f06:ad::2
!route add -inet6 default 2001:470:1f06:ad::1

~$ cat /etc/hostname.re0
inet 192.168.2.1 255.255.255.0 192.168.2.255 media autoselect
inet6 2001:470:1f07:ad::1 64

re0 - internal, fxp0 - external

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        groups: gif
        physical address inet 67.86.49.123 --> 209.51.161.14
        inet6 fe80::2c0:a8ff:fefd:2a69%gif0 -> prefixlen 64 scopeid 0x6
        inet6 2001:470:1f06:ad::2 -> prefixlen 64
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:2e:a9:0d:11
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::20e:2eff:fea9:d11%re0 prefixlen 64 scopeid 0x2
        inet6 2001:470:1f07:ad::1 prefixlen 64
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:c0:a8:fd:2a:69
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2c0:a8ff:fefd:2a69%fxp0 prefixlen 64 scopeid 0x1
        inet 67.86.49.123 netmask 0xfffff000 broadcast 255.255.255.255

~$ netstat -rnf inet6
Routing tables

Internet6:
Destination                     Gateway              Flags  Refs  Use  Mtu    Interface
::/104                          ::1                  UGRS   0     0    -      lo0
::/96                           ::1                  UGRS   0     0    -      lo0
default                         2001:470:1f06:ad::1  UGS    0     0    -      gif0
::1                             ::1                  UH     14    0    33208  lo0
::127.0.0.0/104                 ::1                  UGRS   0     0    -      lo0
::224.0.0.0/100                 ::1                  UGRS   0     0    -      lo0
::255.0.0.0/104                 ::1                  UGRS   0     0    -      lo0
::ffff:0.0.0.0/96               ::1                  UGRS   0     0    -      lo0
2001:470:1f06:ad::/64           link#6               UC     0     0    -      gif0
2001:470:1f06:ad::2             link#6               UHL    1     18   -      lo0
2001:470:1f07:ad::/64           link#2               UC     0     0    -      re0
2001:470:1f07:ad::1             00:0e:2e:a9:0d:11    UHL    0     0    -      lo0
2002::/24                       ::1                  UGRS   0     0    -      lo0
2002:7f00::/24                  ::1                  UGRS   0     0    -      lo0
2002:e000::/20                  ::1                  UGRS   0     0    -      lo0
2002:ff00::/24                  ::1                  UGRS   0     0    -      lo0
fe80::/10                       ::1                  UGRS   0     0    -      lo0
fe80::%fxp0/64                  link#1               UC     0     0    -      fxp0
fe80::2c0:a8ff:fefd:2a69%fxp0   00:c0:a8:fd:2a:69    UHL    0     0    -      lo0
fe80::%re0/64                   link#2               UC     1     0    -      re0
fe80::20e:2eff:fea9:d11%re0     00:0e:2e:a9:0d:11    UHL    0     0    -      lo0
fe80::390c:7567:a92c:8dea%re0   00:19:b9:67:ba:55    UHLc   0     2    -      re0
fe80::%lo0/64                   fe80::1%lo0          U      0     0    -      lo0
fe80::1%lo0                     link#5               UHL    0     0    -      lo0
fe80::%gif0/64                  link#6               UC     0     0    -      gif0
fe80::2c0:a8ff:fefd:2a69%gif0   link#6               UHL    0     0    -      lo0
fec0::/10                       ::1                  UGRS   0     0    -      lo0
ff01::/16                       ::1                  UGRS   0     0    -      lo0
ff01::%fxp0/32                  link#1               UC     0     0    -      fxp0
ff01::%re0/32                   link#2               UC     0     0    -      re0
ff01::%lo0/32                   ::1                  UC     0     0    -      lo0
ff01::%gif0/32                  link#6               UC     0     0    -      gif0
ff02::/16                       ::1                  UGRS   0     0    -      lo0
ff02::%fxp0/32                  link#1               UC     0     0    -      fxp0
ff02::%re0/32                   link#2               UC     0     0    -      re0
ff02::%lo0/32                   ::1                  UC     0     0    -      lo0
ff02::%gif0/32                  link#6               UC     0     0    -      gif0

~$ ping6 -n 2001:470:1f06:ad::1
PING6(56=40+8+8 bytes) 2001:470:1f06:ad::2 --> 2001:470:1f06:ad::1
--- 2001:470:1f06:ad::1 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

And here's what I see on the external if:

Oct 30 14:56:08.858930 00:c0:a8:fd:2a:69 00:05:00:e6:67:db 0800 98: 2001:470:1f06:ad::2 > 2001:470:1f06:ad::1: [|icmp6] (encap)
Oct 30 14:56:11.574816 00:c0:a8:fd:2a:69 00:05:00:e6:67:db 0800 90: 2001:470:1f06:ad::2 > 2001:470:1f06:ad::1: icmp6: echo request (encap)
Oct 30 14:56:12.579103 00:c0:a8:fd:2a:69 00:05:00:e6:67:db 0800 90: 2001:470:1f06:ad::2 > 2001:470:1f06:ad::1: icmp6: echo request (encap)
Oct 30 14:56:13.569088 00:c0:a8:fd:2a:69 00:05:00:e6:67:db 0800 90: 2001:470:1f06:ad::2 > 2001:470:1f06:ad::1: icmp6: echo request (encap)

Thanks again Okan.
--
Nikolai
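
Added example, not part of the original message or thread: a default-deny pf.conf fragment for the 6in4 setup discussed above, filtering both the outer protocol-41 packets on the external interface and the decapsulated IPv6 on gif0. Addresses and interfaces are the ones quoted in the thread; the macro names, the ICMPv6 type selection and the `::/64` spelling of the routed prefix are assumptions, and IPv4 rules for the LAN are omitted.

```conf
# Added example, not from the thread. Macro names are assumptions.
tunnel_peer = "209.51.161.14"   # IPv4 address of the remote tunnel end
int_if      = "re0"             # internal interface carrying the routed /64

scrub in
block in log

# Outer packets: 6in4 is IPv4 protocol 41, named "ipv6" in /etc/protocols.
# "proto encap" names a different protocol (98 in the IANA registry), so a
# rule written with it never matches the tunnel traffic.
pass in  on egress inet proto ipv6 from $tunnel_peer to (egress) keep state
pass out on egress inet proto ipv6 from (egress) to $tunnel_peer keep state

# Inner packets: after decapsulation they are filtered again on gif0, where
# "block in log" also applies. Admit only ICMPv6 errors (toobig matters with
# the tunnel's 1280-byte MTU) and echo requests; replies to traffic the
# router or LAN initiated return via state created by "pass out".
pass in on gif0 inet6 proto icmp6 all \
    icmp6-type { unreach, toobig, timex, paramprob, echoreq } keep state

# LAN side: neighbour discovery and router solicitation, then traffic from
# the routed prefix (assumed here to be 2001:470:1f07:ad::/64).
pass in on $int_if inet6 proto icmp6 all \
    icmp6-type { neighbrsol, neighbradv, routersol } keep state
pass in on $int_if inet6 from 2001:470:1f07:ad::/64 to any keep state

pass out keep state
```

Restricting the protocol-41 rules to the tunnel peer's address keeps other hosts from injecting encapsulated IPv6 past the IPv4 ruleset; `pfctl -nf /etc/pf.conf` parses the file without loading it.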