Hi,
I am having trouble configuring a VPN client to use HE's IPv6 and would like to ask for your assistance.
[UPDATED: The following setup works if Client C is a Mac, but not if it is a mobile device such as an iPhone/iPad/Android phone, as there is no way to add a static route there. Any help on using RA to deliver the IPv6 address to clients would be highly appreciated.]
First, my setup is as follows:
|
|
+=============+
[[ isp router ]]
+=============+
123.123.123.1
|
|
+===================+
[[physical server (A)]]
+===================+
br0:123.123.123.2
he-ipv6: 2001:123:123:123::2 (endpoint 66.220.18.42)
2001:123:124:123::1/64
|
|
+===============+
[[ KVM VM01 (B) ]]
+===============+
eth0:123.123.123.3
ipv6:2001:123:124:123::123:3
pppX:172.23.0.1 (openswan 2.6.37-1,xl2tpd 1.3.1+dfsg-1,ppp 2.4.5-5ubuntu1)
|------------------------------------------------------+
ppp0 |2001:123:f123:abc0::1 ppp1 | 2001:123:f123:abc1::1
| |
| |
+==================+ +==================+
[[ VPN Client 1 (C) ]] {NOT OK!!} [[ VPN Client 2 (D) ]] {OK}
+==================+ +==================+
Mac or iPhone or iPad or Android phone Windows 8
172.23.0.244 (via ppp0) 172.23.0.245 (via ppp1)
??no ipv6 access?? 2001:123:f123:abc1::100
(L2TP VPN, Allow CHAP, MSCHAPv2, Obtain IPv4/IPv6 automatically, use default gateway on remote)
Hosts A, B and D can access ipv6.google.com without any issues; however, I am unable to ping ipv6.google.com from Host C.
My settings are as follows:
Config - Host (A)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1
3. radvd.conf
interface br0
{
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 300;
AdvLinkMTU 1280;
prefix 2001:123:123:123::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
4. /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 123.123.123.2
netmask 255.255.255.248
network 123.123.123.0
broadcast 123.123.123.7
gateway 123.123.123.1
dns-nameservers 8.8.8.8 8.8.4.4
dns-search localdomain
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
post-up ifconfig br0 up promisc
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
address 2001:123:123:123::2
netmask 64
endpoint 66.220.18.42
up /sbin/ip -6 route add default dev he-ipv6
up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
up /sbin/route -A inet6 add 2001:123:f123::1/48 gw 2001:123:124:123::123:3
pre-down /sbin/route -A inet6 del 2001:123:f123::1/48 gw 2001:123:124:123::123:3
pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
pre-down /sbin/ip -6 route del default dev he-ipv6
dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
Config - Host (B)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eth0.forwarding=0
3. /etc/network/interfaces
iface eth0 inet static
address 123.123.123.3
netmask 255.255.255.248
network 123.123.123.0
broadcast 123.123.123.7
gateway 123.123.123.1
dns-nameservers 8.8.8.8 8.8.4.4
dns-search localdomain
iface eth0 inet6 static
address 2001:123:124:123::123:3
netmask 64
gateway 2001:123:124:123::1
4. /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey
conn L2TP
authby=secret
pfs=no
auto=add
keyingtries=3
ikelifetime=8h
keylife=1h
type=transport
#fill in server and nexthop IP below
left=123.123.123.3
leftnexthop=123.123.123.1
#fill in server and nexthop IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
5. /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = yes
force userspace = yes
[lns default] ; Our fallthrough LNS definition
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
refuse pap = yes
assign ip = yes
hostname = vpn
ip range = 172.23.0.244-172.23.0.254
local ip = 172.23.0.1
lac = 0.0.0.0-255.255.255.255
require authentication = yes
length bit = yes
6. /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
noccp
require-mschap-v2
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 8.8.8.8
asyncmap 0
auth
noipx
mru 1500
mtu 1410
crtscts
hide-password
modem
name l2tpd
connect-delay 5000
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
+ipv6 ipv6cp-use-ipaddr
ipv6cp-use-persistent
ipv6cp-accept-local
lock
connect /etc/ppp/ipv6-up
disconnect /etc/ppp/ipv6-down
6. /etc/ppp/chap-secret
# client server secret IPaddrs
testuser l2tpd TestP@ssw0rd *
7. /etc/ipsec.secrets
123.123.123.3 %any: PSK "My-T8st#Key"
8. /etc/ppp/ipv6-up.d/local
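#!/bin/sh
# pppd hook in /etc/ppp/ipv6-up.d/ (run for every new ppp link, with
# PPP_IFACE / PPP_REMOTE etc. exported by pppd).
#
# NOTE(review): this file is listed under "Config - Host (B)", i.e. the VPN
# *server*. Turning forwarding off on each ppp link and pointing a default
# route at the peer is what a *client* would do; `ip -6 route add default`
# will refuse while B already has a default route via eth0 (see the
# interfaces file above), but confirm that this is really wanted on B, and
# that traffic arriving from the client is still forwarded with forwarding
# disabled on its link.
set -u

: "${PPP_IFACE:?pppd must export PPP_IFACE}"
: "${PPP_REMOTE:?pppd must export PPP_REMOTE}"

# Original author's note: forwarding has to be off on the link to receive
# RAs (accept_ra=2, as set in B's sysctl.conf above, would lift that
# requirement).
sysctl -w "net.ipv6.conf.${PPP_IFACE}.forwarding=0"
ip -6 route add default via "$PPP_REMOTE" dev "$PPP_IFACE"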
9. /etc/ppp/ipv6-up.local
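#!/bin/bash
#
# pppd ipv6-up hook: give a freshly started pppN link its own /64 (gateway
# address ::1 on our side) and reload radvd so the new interface is advertised.
#
# Called by pppd with: interface tty speed local-address remote-address ipparam
#
# NOTE(review): the radvd.conf above advertises 2001:123:f123:abcX::/64 on
# pppX while this script configures ${HE_NET}X::1/64 -- confirm the two
# prefixes are meant to be the same. Also, every stanza in that radvd.conf
# sets MaxRtrAdvInterval twice (30, then 100); the first is presumably meant
# to be MinRtrAdvInterval.
#
set -u

# First 60 bits of each client /64; the ppp unit number supplies the last nibble.
HE_NET='2001:470:f30c:abc'
PREFIX=64
GWADDR=1

#######################################
# Map a ppp unit name to its /64 prefix (without the trailing "::").
# Arguments: $1 - interface name, e.g. ppp3
# Outputs:   the prefix on stdout
# Returns:   0 for ppp0..ppp9, 1 (and no output) for anything else
#######################################
ppp_prefix() {
  local dev=$1
  # Only single-digit units are handled, as before: with one nibble per
  # unit, ppp10 and above could not be mapped.
  [[ "$dev" = ppp[0-9] ]] || return 1
  printf '%s%s\n' "$HE_NET" "${dev#ppp}"
}

main() {
  local device=${1-}
  local ipv6

  # Refuse names we cannot map; previously an unmatched name reached
  # ifconfig as "::1/64" because IPV6 stayed empty.
  if ! ipv6=$(ppp_prefix "$device"); then
    printf '%s: not a ppp[0-9] interface: %s\n' "${0##*/}" "$device" >&2
    return 1
  fi

  #echo 1 > /proc/sys/net/ipv6/conf/$device/autoconf
  /sbin/ifconfig "$device" add "${ipv6}::${GWADDR}/${PREFIX}" mtu 1500
  /sbin/route -6 add "${ipv6}::/${PREFIX}" dev "$device"
  /etc/init.d/radvd reload
}

main "$@"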
10. /etc/ppp/ipv6-down.local
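#!/bin/sh
#
# pppd ipv6-down hook, called with:
#   interface tty speed local-address remote-address ipparam
#
# Turns autoconf off on the departing ppp link and reloads radvd so it drops
# the interface (the radvd.conf above sets IgnoreIfMissing on). Nothing is
# killed here; the radvd process itself stays up.
set -u

DEVICE=${1-}
if [ -z "$DEVICE" ]; then
  printf '%s: missing interface argument\n' "${0##*/}" >&2
  exit 1
fi

# The sysctl path only exists while the interface does; a link that is
# already gone is nothing to complain about.
AUTOCONF="/proc/sys/net/ipv6/conf/${DEVICE}/autoconf"
if [ -w "$AUTOCONF" ]; then
  echo 0 > "$AUTOCONF"
fi
/etc/init.d/radvd reload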
11. radvd.conf
interface ppp0
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc0::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp1
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc1::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp2
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc2::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp3
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc3::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp4
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc4::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp5
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc5::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp6
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc6::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp7
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc7::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp8
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc8::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp9
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc9::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
Config - VPN Client - Mac (C)
After connecting to the VPN, perform one of the following:
1. Type in the following in terminal:
sudo -s
ifconfig   # note the link-local (fe80::...) address of ppp0; it is needed on the next line
ifconfig ppp0 inet6 delete fe80::xxxx:xxxx:xxxx:xxxx%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::1%ppp0
or
2. add /etc/ppp/ip-up with the following contents (and chmod 755 /etc/ppp/ip-up)
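#!/bin/sh
# /etc/ppp/ip-up on the Mac client (chmod 755): pppd runs it once the link is
# up, with the interface name (pppN) as $1.
# Turn off temporary (privacy) addresses, let the interface configure IPv6
# automatically (presumably from the server's router advertisements), and
# send IPv6 default traffic over the tunnel.
/usr/sbin/sysctl -w net.inet6.ip6.use_tempaddr=0
/usr/sbin/ipconfig set "$1" AUTOMATIC-V6
/sbin/route add -inet6 default -interface "$1"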
Now pinging ipv6.google.com from the client, or connecting to the Mac over IPv6 with ssh, is possible.
Can anyone guide me through setting up IPv6 for mobile devices such as iPhone/iPad/Android phone please? Many thanks.
I would test what is working one step at a time. The first step would be to bring up the L2TP connection and assign link-local IPv6 addresses to the interfaces. Can you ping the other end of the L2TP connection with IPv6 link-local addresses after doing this?
Hi kasperd,
Now the setup is as follows:
+===================+
[[ KVM VM01 (Ubuntu) ]]
+===================+
| fe80::c02:abcd:527c:ae06%ppp0
ppp0 |
| fe80::22c9:cdef:fe7a:3fcd%ppp0
+===================+
[[ VPN Client 1 (Mac) ]]
+===================+
And the results are as follows:
On Ubuntu
ppp0 Link encap:Point-to-Point Protocol
inet addr:172.23.0.1 P-t-P:172.23.0.244 Mask:255.255.255.255
inet6 addr: fe80::c02:abcd:527c:ae06/10 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:187 errors:0 dropped:0 overruns:0 frame:0
TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:23625 (23.6 KB) TX bytes:34436 (34.4 KB)
1. ping6 fe80::22c9:cdef:fe7a:3fcd%ppp0
PING fe80::22c9:cdef:fe7a:3fcd%ppp0(fe80::22c9:cdef:fe7a:3fcd) 56 data bytes
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=3 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=4 ttl=64 time=175 ms
2. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0
Password:
Last login: Tue May 14 20:30:08 2013
Mac01:~ macclient$
3. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0
linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Tue May 14 20:13:17 HKT 2013
...
Graph this data and manage this system at https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
linux $
On Mac
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
1. ping6 fe80::c02:abcd:527c:ae06%ppp0
PING fe80::c02:abcd:527c:ae06%ppp0(fe80::c02:abcd:527c:ae06) 56 data bytes
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=3 ttl=64 time=174 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=4 ttl=64 time=173 ms
2. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0
linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Tue May 14 20:13:17 HKT 2013
...
Graph this data and manage this system at https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
linux $
3. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0
Password:
Last login: Tue May 14 20:32:12 2013
Mac01:~ macclient$
Waiting for your further guidance, thanks.
Obviously, if host B can access IPv6 addresses without problems, host A is NOT the problem.
Could the problem with host B be that you are not using iptables, and therefore have no NAT? 172.16.0.0/12 is not a globally routable network.
You have at least three different IPv6 links in your setup, each of which should be configured with a /64 prefix. The two /64s allocated by default for a tunnel won't be enough for that. So you need to request a /48, if you haven't already done so.
If you have two PPP clients running simultaneously, do they show up as two separate ppp interfaces on the vserver? I guess they will show up as different interfaces, in which case there will be two static links as well as a number of links showing up dynamically.
Once you have received a /48 you need to route a static prefix from that to the vserver. If for example you received 2001:db8:c001::/48 from HE, you could choose to route 2001:db8:c001::/56 to the vserver.
I have requested a /48 and with 2 PPP clients running simultaneously, there are 2 separate ppp interfaces ppp0 & ppp1 on the vserver.
Below are the configuration changes I have made, but I think I may have set the /48 up incorrectly:
Machine A (Physical Server)
1. Modified /etc/radvd.conf:
interface br0
{
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 300;
AdvLinkMTU 1280;
prefix 2001:123:123:123::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
route 2001:123:f123::/48 {
};
};
2. Modified /etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 123.123.123.2
netmask 255.255.255.248
network 123.123.123.0
broadcast 123.123.123.7
gateway 123.123.123.1
dns-nameservers 8.8.8.8 8.8.4.4
dns-search localdomain
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
post-up ifconfig br0 up promisc
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
address 2001:123:123:123::2
netmask 48
endpoint 66.220.18.42
up /sbin/ip -6 route add default dev he-ipv6
up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0
pre-down /sbin/ip -6 addr del 2001:123:f123::1/48 dev br0
pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
pre-down /sbin/ip -6 route del default dev he-ipv6
dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
Machine B (VM server)
1. Modified options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
noccp
require-mschap-v2
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ms-wins 8.8.8.8
asyncmap 0
auth
noipx
mru 1500
mtu 1410
crtscts
hide-password
modem
name l2tpd
noproxyarp
nobsdcomp
nodeflate
lcp-echo-interval 30
lcp-echo-failure 4
+ipv6 ipv6cp-use-ipaddr
ipv6cp-accept-local
lock
connect /etc/ppp/ipv6-up
disconnect /etc/ppp/ipv6-down
2. /etc/ppp/ipv6-up.local
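#!/bin/sh
#
# pppd ipv6-up hook, called with:
#   interface tty speed local-address remote-address ipparam
#
# Gives pppN the address 2001:123:f123:abcN::99/64 and starts a dedicated
# radvd for that link from /etc/radvd.conf-pppN, recording its PID in
# /var/run/radvd-pppN.pid (one daemon per ppp interface).
set -u

EXEFILE="/usr/sbin/radvd"
NET='2001:123:f123:abc'   # first 60 bits; the ppp unit number is the last nibble
HOSTPART=99
PLEN=64

# Map ppp0..ppp9 to its address (stdout); fails silently for any other name.
ppp_addr() {
  case $1 in
    ppp[0-9]) printf '%s%s::%s/%s\n' "$NET" "${1#ppp}" "$HOSTPART" "$PLEN" ;;
    *) return 1 ;;
  esac
}

# Start radvd for one interface unless a live one is already recorded.
# Arguments: $1 - interface name
start_radvd() {
  cfgfile="/etc/radvd.conf-$1"
  pidfile="/var/run/radvd-$1.pid"
  if [ ! -x "$EXEFILE" ] || [ ! -f "$cfgfile" ]; then
    return 0
  fi
  touch "$pidfile"
  if [ ! -f "$pidfile" ]; then
    printf 'error: %s is not a regular file. Aborting\n' "$pidfile" >&2
    return 0
  fi
  pid=$(cat "$pidfile")
  # Only trust a plain integer from the pid file, and only if that process
  # is still alive; anything else means "start a fresh daemon".
  case $pid in
    ''|*[!0-9]*) ;;
    *) kill -0 "$pid" 2>/dev/null && return 0 ;;
  esac
  # radvd 0.5.0 doesn't write a pid-file so we do it here:
  # -d 1 keeps it in the foreground, backgrounding it gives us the PID.
  "$EXEFILE" -d 1 -C "$cfgfile" &
  echo $! > "$pidfile"
}

main() {
  device=${1-}
  # Refuse names we cannot map; previously an unmatched name reached
  # ifconfig with an empty address.
  if ! ipv6=$(ppp_addr "$device"); then
    printf '%s: not a ppp[0-9] interface: %s\n' "${0##*/}" "$device" >&2
    return 1
  fi
  #echo 1 > /proc/sys/net/ipv6/conf/$device/autoconf
  /sbin/ifconfig "$device" add "$ipv6" mtu 1500
  start_radvd "$device"
}

main "$@"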
3. /etc/ppp/ipv6-down.local
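#!/bin/sh
#
# pppd ipv6-down hook, called with:
#   interface tty speed local-address remote-address ipparam
#
# Stop the per-interface radvd started by ipv6-up.local: TERM first, give it
# a moment, KILL only if it is still there. Modelled on the RedHat 6.0
# initscripts sequence, minus `usleep`, which Debian/Ubuntu do not ship
# (GNU sleep accepts a fractional delay instead).
set -u

# True when $1 is a live process we may signal.
alive() {
  kill -0 "$1" 2>/dev/null
}

main() {
  device=${1-}
  [ -n "$device" ] || return 0
  pidfile="/var/run/radvd-$device.pid"
  [ -f "$pidfile" ] || return 0
  pid=$(cat "$pidfile")
  # Never signal on garbage: the pid file must hold a plain integer.
  case $pid in
    ''|*[!0-9]*)
      ;;
    *)
      if alive "$pid"; then
        kill -TERM "$pid"
        sleep 0.01
        if alive "$pid"; then
          sleep 1
          alive "$pid" && kill -KILL "$pid"
        fi
      fi
      ;;
  esac
  rm -f -- "$pidfile"
}

main "$@"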
4. radvd.conf-pppX
interface pppX
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
UnicastOnly on;
prefix 2001:123:f123:abcX::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
};
Now, on vserver (machine B), when there are 2 simultaneous L2TP connections, the ifconfig shows:
ppp0 Link encap:Point-to-Point Protocol
inet addr:172.23.0.1 P-t-P:172.23.0.244 Mask:255.255.255.255
inet6 addr: fe80::188e:2be1:6ee5:acc1/10 Scope:Link
inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2675 errors:0 dropped:0 overruns:0 frame:0
TX packets:1906 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:505986 (505.9 KB) TX bytes:645246 (645.2 KB)
ppp1 Link encap:Point-to-Point Protocol
inet addr:172.23.0.1 P-t-P:172.23.0.245 Mask:255.255.255.255
inet6 addr: fe80::920:317a:b8f:5672/10 Scope:Link
inet6 addr: 2001:123:f123:abc1::99/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:922 (922.0 B) TX bytes:897 (897.0 B)
On the client (the one on ppp0), ifconfig still only shows:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
I wonder what I have done wrong?
Quote from: tkchan on May 14, 2013, 09:14:51 PM route 2001:123:f123::/48 {
};
I have no idea what this would mean to the router advertisement daemon. You probably don't need it.
Quote from: tkchan on May 14, 2013, 09:14:51 PM up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0
You are missing a gateway specification on this route. Had it been a point to point link, that wouldn't have made a difference. But br0 uses Ethernet on the link layer. So append gw <IP of L2TP vm>, and the route should work.
Quote from: tkchan on May 14, 2013, 09:14:51 PMPPP0='2001:123:f123:abc0::99/64'
PPP1='2001:123:f123:abc1::99/64'
PPP2='2001:123:f123:abc2::99/64'
PPP3='2001:123:f123:abc3::99/64'
PPP4='2001:123:f123:abc4::99/64'
PPP5='2001:123:f123:abc5::99/64'
PPP6='2001:123:f123:abc6::99/64'
PPP7='2001:123:f123:abc7::99/64'
PPP8='2001:123:f123:abc8::99/64'
PPP9='2001:123:f123:abc9::99/64'
Are you sure you want to have this list instead of just generating each of them?
Quote from: tkchan on May 14, 2013, 09:14:51 PMcase $DEVICE in
"ppp0")
IPV6=$PPP0
;;
"ppp1")
IPV6=$PPP1
;;
"ppp2")
IPV6=$PPP2
;;
"ppp3")
IPV6=$PPP3
;;
"ppp4")
IPV6=$PPP4
;;
"ppp5")
IPV6=$PPP5
;;
"ppp6")
IPV6=$PPP6
;;
"ppp7")
IPV6=$PPP7
;;
"ppp8")
IPV6=$PPP8
;;
"ppp9")
IPV6=$PPP9
;;
esac
I think the entire case can be replaced with this much shorter version
if [[ "$DEVICE" = ppp[0-9] ]]
then
eval IPv6=\$${DEVICE/ppp/PPP}
fi
Quote from: tkchan on May 14, 2013, 09:14:51 PMOn the client, ie) PPP0, the ifconfig still only shows:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
I don't know if auto configuration of IPv6 addresses on PPP links is supposed to be done using router advertisements, or if it is supposed to be done during the PPP setup. For a start I would try to manually configure the IPv6 address on the PPP client in order to test if the rest of the configuration works.
I have changed the ipv6 portion of /etc/network/interfaces file on Primary Server (A) to the following:
iface he-ipv6 inet6 v4tunnel
address 2001:123:123:123::2
netmask 48
endpoint 66.220.18.42
up /sbin/ip -6 route add default dev he-ipv6
up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
up /sbin/route -A inet6 add 2001:123:f123::1/48 gw 2001:123:124:123::123:3
pre-down /sbin/route -A inet6 del 2001:123:f123::1/48 gw 2001:123:124:123::123:3
pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
pre-down /sbin/ip -6 route del default dev he-ipv6
dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
I have also removed the "route" portion of the /etc/radvd.conf on machine A.
When the client (C) is connected to the VPN server (B), the following appears:
Machine B - VPN server
ppp0 Link encap:Point-to-Point Protocol
inet addr:172.23.0.1 P-t-P:172.23.0.244 Mask:255.255.255.255
inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
inet6 addr: fe80::ba9d:76bf:afc5:b4cc/10 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:1195 errors:0 dropped:0 overruns:0 frame:0
TX packets:869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:178773 (178.7 KB) TX bytes:268769 (268.7 KB)
Client - Mac (C)
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:abef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
I have also setup manual IPv6 on the Mac (C) with the following:
Router: 2001:123:f123:abc0::99
IPv6 address: 2001:123:f123:abc0::100
Prefix: 64
While I can now ping 2001:123:f123:abc0::99 (on B) remotely from a completely separate network as long as the VPN is connected, the problem is that I cannot ping 2001:123:f123:abc0::100 from anywhere, not even from the VM (B).
Waiting for your further advice, thanks.
Quote from: tkchan on May 15, 2013, 02:11:31 AMI cannot ping 2001:123:f123:abc0::100 anywhere, not even on the VM (B).
Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?
Quote from: kasperd on May 15, 2013, 04:52:30 AM
Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?
Yes, that's correct
Quote from: tkchan on May 15, 2013, 08:10:08 AM
Quote from: kasperd on May 15, 2013, 04:52:30 AM
Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?
Yes, that's correct
In that case the next step must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses you are using. Try to run tcpdump on each end of the PPP connection while you ping with each kind of address, and then compare the results.
Quote from: kasperd on May 15, 2013, 08:22:24 AM
In that case the next steps must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses, you are using. Try to run tcpdump on each end of the PPP connection while you try to do a ping with each kind of address, and then compare the results.
I think I know what happened, but I am not sure if there is a way to "fix" it (i.e. let the client get an IPv6 address automatically). Here is what I have done:
On the Mac client (C), I have performed the following in command line:
sudo -s
ifconfig ppp0 inet6 delete fe80::22c9:cdef:fe7a:3fcd%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::100%ppp0
Now the ifconfig result is as follows:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet6 2001:123:f123:abc0::100 prefixlen 64
And I can finally ping and access ipv6.google.com.
But this does not work if it is a mobile device such as an iPhone or iPad :-X
I wonder if there is a way to fix this
PPP for IPv6 will only let you define link-layer addresses in the initial connection. That's the extent of IPV6CP's direct support. From there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.
Quote from: kcochran on May 16, 2013, 04:36:13 AMFrom there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.
RA was tried previously. But maybe the radvd.conf-pppx configuration files weren't correct.
My first three guesses for why it didn't work are:
- radvd is misconfigured and either doesn't start or doesn't respond properly.
- the client doesn't ask for a router in the first place. Perhaps PPP needs to assign a link-local address in order to enable IPv6 on the interface.
- Maybe there is some race condition caused by both radvd and the client being started as the device is brought up, and perhaps some initial packets are sent before the other end is ready to receive them.
A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early as you'd like it to be.
Static addresses would work on some clients, but that would require the server to recognize the client and assign the same /64 to the client regardless of which ppp interface it got.
Quote from: kasperd on May 16, 2013, 08:06:07 AM
A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early, as you'd like it to be.
# tcpdump -i ppp0 -vv ip6
tcpdump: WARNING: ppp0: no IPv4 address assigned
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
23:35:40.438689 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::abcd:ff:fe58:8a56 > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ip6-allrouters to_ex { }]
That is all I can get
When using tcpdump it is almost always desirable to have dumps from both ends of the connection.
Additionally, I think it would be useful to try (re)starting radvd manually on B and see if it sends a router advertisement at startup.
Quote from: kasperd on May 16, 2013, 09:51:44 AM
When using tcpdump it is almost always desirable to have dumps from both ends of the connection.
Additionally, I think it would be useful to try (re)starting radvd manually on B and see if it sends a router advertisement at startup.
Thanks kasperd.
I have tried using radvdump and I think there were some issues with my previous config: radvd will not start if there is another instance already running. So I have modified the following configs:
1. radvd.conf
interface ppp0
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc0::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp1
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc1::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp2
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc2::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp3
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc3::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp4
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc4::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp5
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc5::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp6
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc6::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp7
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc7::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp8
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc8::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
interface ppp9
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;
MaxRtrAdvInterval 100;
IgnoreIfMissing on;
#UnicastOnly on;
prefix 2001:123:f123:abc9::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2001:4860:4860::8888 {};
};
2. /etc/ppp/ipv6-up.local
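#!/bin/bash
#
# pppd ipv6-up hook: give a freshly started pppN link its own /64 (gateway
# address ::1 on our side) and reload radvd so the new interface is advertised.
#
# Called by pppd with: interface tty speed local-address remote-address ipparam
#
# NOTE(review): the radvd.conf above advertises 2001:123:f123:abcX::/64 on
# pppX while this script configures ${HE_NET}X::1/64 -- confirm the two
# prefixes are meant to be the same. Also, every stanza in that radvd.conf
# sets MaxRtrAdvInterval twice (30, then 100); the first is presumably meant
# to be MinRtrAdvInterval.
#
set -u

# First 60 bits of each client /64; the ppp unit number supplies the last nibble.
HE_NET='2001:470:f30c:abc'
PREFIX=64
GWADDR=1

#######################################
# Map a ppp unit name to its /64 prefix (without the trailing "::").
# Arguments: $1 - interface name, e.g. ppp3
# Outputs:   the prefix on stdout
# Returns:   0 for ppp0..ppp9, 1 (and no output) for anything else
#######################################
ppp_prefix() {
  local dev=$1
  # Only single-digit units are handled, as before: with one nibble per
  # unit, ppp10 and above could not be mapped.
  [[ "$dev" = ppp[0-9] ]] || return 1
  printf '%s%s\n' "$HE_NET" "${dev#ppp}"
}

main() {
  local device=${1-}
  local ipv6

  # Refuse names we cannot map; previously an unmatched name reached
  # ifconfig as "::1/64" because IPV6 stayed empty.
  if ! ipv6=$(ppp_prefix "$device"); then
    printf '%s: not a ppp[0-9] interface: %s\n' "${0##*/}" "$device" >&2
    return 1
  fi

  #echo 1 > /proc/sys/net/ipv6/conf/$device/autoconf
  /sbin/ifconfig "$device" add "${ipv6}::${GWADDR}/${PREFIX}" mtu 1500
  /sbin/route -6 add "${ipv6}::/${PREFIX}" dev "$device"
  /etc/init.d/radvd reload
}

main "$@"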
3. /etc/ppp/ipv6-down.local
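#!/bin/sh
#
# pppd ipv6-down hook, called with:
#   interface tty speed local-address remote-address ipparam
#
# Turns autoconf off on the departing ppp link and reloads radvd so it drops
# the interface (the radvd.conf above sets IgnoreIfMissing on). Nothing is
# killed here; the radvd process itself stays up.
set -u

DEVICE=${1-}
if [ -z "$DEVICE" ]; then
  printf '%s: missing interface argument\n' "${0##*/}" >&2
  exit 1
fi

# The sysctl path only exists while the interface does; a link that is
# already gone is nothing to complain about.
AUTOCONF="/proc/sys/net/ipv6/conf/${DEVICE}/autoconf"
if [ -w "$AUTOCONF" ]; then
  echo 0 > "$AUTOCONF"
fi
/etc/init.d/radvd reload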
Now, when I use Windows 8 to connect to the VPN, I can obtain IPv6 address automatically (please refer to my first post that I have just updated).
However, Mac, iPhone and iPad are all still having the exact same issue as before. For mac, I still have to create the route manually, for iPhone and iPad, I still cannot get IPv6.
Looks like we are running out of luck?
Quote from: tkchan on May 16, 2013, 10:49:55 PMNow, when I use Windows 8 to connect to the VPN, I can obtain IPv6 address automatically (please refer to my first post that I have just updated).
However, Mac, iPhone and iPad are all still having the exact same issue as before. For mac, I still have to create the route manually, for iPhone and iPad, I still cannot get IPv6.
It would be worth testing if the order in which the clients connect has any influence on which clients get IPv6 connectivity.
Quote from: tkchan on May 16, 2013, 10:49:55 PMLooks like we are running out of luck?
We have reached the boundary of my knowledge. I have quite some knowledge about IPv6, but very little about PPP and L2TP. And as far as the specific combination of IPv6 and PPP goes, I don't know anything except what is written in this thread.
Maybe somebody with more knowledge about PPP and L2TP could step in and provide advice on the last few details. But it may be that those devices just aren't able to run IPv6 over VPN. An updated VPN client on those devices could fix it. If the VPN client is built into the firmware, that could mean a firmware update would be required.
I'm glad you made it work on at least one device. That proves that most of the setup is functional.
Quote from: kasperd on May 17, 2013, 03:02:50 PM
But it may be the case, that those devices just aren't able to run IPv6 over VPN. An updated VPN client on those devices could fix it. If the VPN client is built into the firmware, that could mean a firmware update would be required.
kasperd, thanks a lot for your help.
I believe the same. What I have done for the Mac is to add /etc/ppp/ip-up with the following contents:
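#!/bin/sh
# /etc/ppp/ip-up on the Mac client (chmod 755): pppd runs it once the link is
# up, with the interface name (pppN) as $1.
# Turn off temporary (privacy) addresses, let the interface configure IPv6
# automatically (presumably from the server's router advertisements), and
# send IPv6 default traffic over the tunnel.
/usr/sbin/sysctl -w net.inet6.ip6.use_tempaddr=0
/usr/sbin/ipconfig set "$1" AUTOMATIC-V6
/sbin/route add -inet6 default -interface "$1"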
and chmod 755 /etc/ppp/ip-up to make it work
However, mobile devices are still not working :(