[nycbug-talk] [Fwd: tunnel help request]

Okan Demirmen okan at demirmen.com
Tue Oct 30 14:05:59 EDT 2007


On Tue 2007.10.30 at 12:31 -0400, nikolai wrote:
> > On Tue 2007.10.30 at 11:53 -0400, nikolai wrote:
> >> Hi,
> >>
> >> Need some help here :)
> >
> > for starters....
> >
> >> Thinking that following Gene's v6 guide would be good
> >> Sunday afternoon fun I registered a tunnel with HE.
> >> 2001:470:1f06:ad::2 is my end of the tunnel,
> >> 2001:470:1f07:ad/64 is my assigned ip space.
> >> No luck so far though.
> >> My router is OpenBSD-current, here's the config:
> >>
> >> Tunnel:
> >> ~$ cat /etc/hostname.gif0
> >> up giftunnel 67.86.49.123 209.51.161.14
> >> up inet6 2001:470:1f06:ad::2 2001:470:1f06:ad::1 prefixlen 128
> >> !route -n add -inet6 default 2001:470:1f06:ad::1
> >
> > this should do it:
> > tunnel 67.86.49.123 209.51.161.14
> > inet6 2001:470:1f06:ad::2
> > !route add -inet6 default 2001:470:1f06:ad::1
> 
> Noted, thanks.
> 
> >
> >> Gene's pdf says prefixlen 64 for gif, which I think is wrong -
> >> it should be 128 for the tunnel.
> >>
> >> ~$ ifconfig gif0
> >> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >>         groups: gif
> >>         physical address inet 67.86.49.123 --> 209.51.161.14
> >>         inet6 fe80::2c0:a8ff:fefd:2a69%gif0 ->  prefixlen 64 scopeid 0x6
> >>         inet6 2001:470:1f06:ad::2 -> 2001:470:1f06:ad::1 prefixlen 128
> >
> > can you ping the tunnel endpoint over ipv6?
> > ping6 2001:470:1f06:ad::1
> 
> Nope, nothing.

well, that's the first thing to solve :) you've gotta be able to ping
your tunnel endpoint.

can you post your ifconfig gif0 again, after destroying and re-creating
with the noted hostname.gif0? the last line doesn't look right.

[snip]

> > are you allowing proto ipv6 through pf?
> >
> 
> I have:
> scrub in
> block in log
> pass out
> # and for giggles
> pass in log on $ext_if proto encap from 209.51.161.14
> 
> Do I need explicit ipv6 rules on any of the interfaces,
> ext_if, int_if, gif? What are they?
> tcpdump on external if shows encap icmp6 leaving, nothing back.

but you need to pass in proto ipv6! (over ipv4). for example:

pass in on egress inet proto ipv6 from 209.51.161.14 to (egress) keep state
pass out on egress inet proto ipv6 from (egress) to 209.51.161.14 keep state

[snip]

okan
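
The two rules above, placed in the ruleset from the thread and extended to the decapsulated traffic on gif0, as an added example that is not part of the original message. The gif0 rules, the ICMPv6 type list and the macro name tunnel_srv are assumptions; the address and interface names come from the thread.

```conf
# pf.conf fragment (added example, not from the original post)
# Parse-check before loading: pfctl -nf /etc/pf.conf

tunnel_srv = "209.51.161.14"    # HE tunnel server IPv4 address (from the thread)

scrub in
block in log

# Outer packets: IPv6-in-IPv4 is IP protocol 41, named "ipv6" in
# /etc/protocols. Assumption: in the stock file "encap" is protocol 98,
# so a "proto encap" rule would not match the tunnel's packets.
# Check with: grep -E '^(ipv6|encap)[[:space:]]' /etc/protocols
pass in  on egress inet proto ipv6 from $tunnel_srv to (egress) keep state
pass out on egress inet proto ipv6 from (egress) to $tunnel_srv keep state

# Inner packets: after decapsulation the IPv6 traffic is filtered again
# on gif0. There is no NAT in front of the routed /64, so inbound stays
# default-deny ("block in log" above) apart from the ICMPv6 types below.
pass out on gif0 inet6 keep state
pass in  on gif0 inet6 proto icmp6 \
        icmp6-type { echoreq, unreach, toobig, timex, paramprob } keep state
```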


