Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: OSX 10.8.2 tunnel not working  (Read 7064 times)

pgardella

  • Newbie
  • *
  • Posts: 5
OSX 10.8.2 tunnel not working
« on: December 19, 2012, 02:12:57 PM »

Good afternoon.

I've been trying to set up the HE tunnel this afternoon, and while I think I've got things configured right, it's not pinging.  I've used a number of scripts to attempt to set this up, as well as the HE example configuration.  (I reset the gif0 interface each time by deleting the various components.)

Note, I'm NAT'd now, so I'm using the local DHCP address rather than the external IP. But I've tried the external IP as well.

ifconfig gif0
Code: [Select]
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 10.64.1.31 --> 209.51.181.2
inet6 fe80::3e07:54ff:fe46:b9ba%gif0 prefixlen 64 scopeid 0x2
inet6 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::1 prefixlen 128

netstat -rn
Code: [Select]
Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 2001:470:1f10:6fb::1            UGSc           gif0
::1                                     link#1                          UHL             lo0
2001:470:1f10:6fb::1                    2001:470:1f10:6fb::2            UHr            gif0
2001:470:1f10:6fb::2                    link#2                          UHL             lo0

ping6 2001:470:1f10:6fb::1
Code: [Select]
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::1
--- 2001:470:1f10:6fb::1 ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

ping6 2001:470:1f10:6fb::2
Code: [Select]
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::2
--- 2001:470:1f10:6fb::2 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

ping6 ipv6.google.com
Code: [Select]
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2607:f8b0:4000:803::1012
--- ipv6.l.google.com ping6 statistics ---
12 packets transmitted, 0 packets received, 100.0% packet loss

wget -6 http://ipv6.google.com
Code: [Select]
--2012-12-19 17:11:07--  http://ipv6.google.com/
Resolving ipv6.google.com... 2607:f8b0:4000:803::1012
Connecting to ipv6.google.com|2607:f8b0:4000:803::1012|:80...

So it looks like DNS is resolving correctly, but I can't get anywhere.

We're verifying that the router can handle protocol 41.

Other thoughts?

Patrick
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: OSX 10.8.2 tunnel not working
« Reply #1 on: December 19, 2012, 02:16:33 PM »

Your second ping, is pinging the IPV6 address you configured locally, and it doesn't respond. That seems like the crux of the issue right there. If anything, you should be able to ping6 locally configured IPv6 addresses. Any IPv6 settings in the MacOSX firewall or whatever?

HE's side is definitely configured and responding:
Code: [Select]
--- 2001:470:1f10:6fb::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
« Last Edit: December 19, 2012, 02:31:07 PM by broquea »
Logged

pgardella

  • Newbie
  • *
  • Posts: 5
Re: OSX 10.8.2 tunnel not working
« Reply #2 on: December 19, 2012, 04:11:44 PM »

Now that I'm home for the day, I ran the same steps with my home system and everything is working correctly. So it's not in the Mac configuration.  I'm suspecting its the firewall at work.  But now that I've shown that it can work, we should be able to narrow it down more.

I'll make a note if we find anything.  But if anyone has any additional ideas, I'm open to hearing them!

Patrick
Logged

nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.
Re: OSX 10.8.2 tunnel not working
« Reply #3 on: December 20, 2012, 11:30:49 AM »

Now that I'm home for the day, I ran the same steps with my home system and everything is working correctly. So it's not in the Mac configuration.  I'm suspecting its the firewall at work.  But now that I've shown that it can work, we should be able to narrow it down more.

It's quite likely that your firewall at work is blocking protocol 41 which is the IPv6 in IPv4 tunnelling traffic. Ask your network administrator about this as and check if it is acceptable as you may be putting a publicly accessible IPv6 system behind the firewall.

Your home system sounds OK. What model of router are you using?
 
Logged
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

  • Newbie
  • *
  • Posts: 5
Re: OSX 10.8.2 tunnel not working
« Reply #4 on: December 20, 2012, 11:50:22 AM »

At home I've got an Apple Airport that is the endpoint for the tunnel.  That worked like a dream.  Not sure the model of the cable modem. It's the cheap one our local cable company put in.

I did some more testing today, and it does look like the Cisco ASA is not set up to allow protocol 41 at this point.  I connected on the other side of the firewall right on our main router, and the tunnel worked. 

I think the problem with not being able to ping my local IPv6 IP locally is because the gif0 interface requires the tunnel to be up and working.  At least that's my working hypothesis.  I can ping it when the tunnel works, and can't when it isn't.   And when I add an IPV6 address to one of the other interfaces (like en0), I can ping it.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: OSX 10.8.2 tunnel not working
« Reply #5 on: December 20, 2012, 11:58:54 AM »

So get them to drop in a "access-list whatever extended permit 41 any any" :D
Logged

nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.
Re: OSX 10.8.2 tunnel not working
« Reply #6 on: December 20, 2012, 12:49:55 PM »

At home I've got an Apple Airport that is the endpoint for the tunnel.  That worked like a dream.

Airport works well in that respect. I'm always trying to keep track here of which (consumer grade) routers pass proto 41 and which don't.

Quote
I did some more testing today, and it does look like the Cisco ASA is not set up to allow protocol 41 at this point.  I connected on the other side of the firewall right on our main router, and the tunnel worked. 

Just requires an appropriate firewall rule similar to
Quote from: broquea
So get them to drop in a "access-list whatever extended permit 41 any any" :D

Although as you have the infrastructure in place you would be better getting the tunnel terminated on your main router and then you could apply the appropriate IPv6 firewall rules at the ASA.

Quote
I think the problem with not being able to ping my local IPv6 IP locally is because the gif0 interface requires the tunnel to be up and working.
How does the gif interface state track the tunnel state? Does it show UP when there is now tunnel connectivity? I'm using an older version of OSX here and my tunnel is terminated on my router so not able to check that easily.
Logged
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

  • Newbie
  • *
  • Posts: 5
Re: OSX 10.8.2 tunnel not working
« Reply #7 on: December 20, 2012, 01:00:08 PM »

Quote
How does the gif interface state track the tunnel state? Does it show UP when there is now tunnel connectivity? I'm using an older version of OSX here and my tunnel is terminated on my router so not able to check that easily.

I have no idea ;) I just know I can't ping the local IP unless the tunnel is fully functioning.  Right now, the tunnel does not work, nor will it ping, and yet gif0 shows it UP.  Next time I've got the tunnel working, I'll see if I can detect anything different in the flags or netstat.

Quote
Although as you have the infrastructure in place you would be better getting the tunnel terminated on your main router and then you could apply the appropriate IPv6 firewall rules at the ASA.

That'll come next.  We've requested a /48 assignment from ARIN, so we'll be using the BGP tunnel option in the near future. At this point, I'm playing learning.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: OSX 10.8.2 tunnel not working
« Reply #8 on: December 21, 2012, 05:34:27 AM »

An ASA does not let you forward protocols; if you want to forward proto41, you need to send all IP traffic at that host.  I set my IPv6 router outside the firewall and let the ASA do all the filtering and access control.
Logged

nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.
Re: OSX 10.8.2 tunnel not working
« Reply #9 on: December 21, 2012, 08:08:40 AM »

An ASA does not let you forward protocols; if you want to forward proto41, you need to send all IP traffic at that host. 

Maybe that is version-specific? I can certainly set up a rule on v8.4:
Code: [Select]
access-list P41INOUT extended permit 41 host 192.168.64.64 host 192.168.46.46
access-group P41INOUT in interface outside

Quote
I set my IPv6 router outside the firewall and let the ASA do all the filtering and access control.
Yup.  8)
Logged
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: OSX 10.8.2 tunnel not working
« Reply #10 on: December 21, 2012, 08:10:36 AM »

To be fair, I haven't tried in a few years.  What version is that?
Logged

nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.
Re: OSX 10.8.2 tunnel not working
« Reply #11 on: December 21, 2012, 08:16:02 AM »

8.4(2) - July 2011.
Logged
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

  • Newbie
  • *
  • Posts: 5
Re: OSX 10.8.2 tunnel not working
« Reply #12 on: December 21, 2012, 11:30:43 AM »

We finally got it all working.  We had to enable protocol 41 in the firewall, and configure a static NAT for each of the hosts in question. Our dynamic NAT just wouldn't work.  But now it's up and running. 

Thanks for all the help!  Next step is configuring it in our external router, per your suggestion.
Logged