• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

OSX 10.8.2 tunnel not working

Started by pgardella, December 19, 2012, 02:12:57 PM

Previous topic - Next topic

pgardella

Good afternoon.

I've been trying to set up the HE tunnel this afternoon, and while I think I've got things configured right, it's not pinging.  I've used a number of scripts to attempt to set this up, as well as the HE example configuration.  (I reset the gif0 interface each time by deleting the various components.)

Note, I'm NAT'd now, so I'm using the local DHCP address rather than the external IP. But I've tried the external IP as well.

ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 10.64.1.31 --> 209.51.181.2
inet6 fe80::3e07:54ff:fe46:b9ba%gif0 prefixlen 64 scopeid 0x2
inet6 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::1 prefixlen 128


netstat -rn
Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 2001:470:1f10:6fb::1            UGSc           gif0
::1                                     link#1                          UHL             lo0
2001:470:1f10:6fb::1                    2001:470:1f10:6fb::2            UHr            gif0
2001:470:1f10:6fb::2                    link#2                          UHL             lo0


ping6 2001:470:1f10:6fb::1
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::1
--- 2001:470:1f10:6fb::1 ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


ping6 2001:470:1f10:6fb::2
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2001:470:1f10:6fb::2
--- 2001:470:1f10:6fb::2 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss


ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:1f10:6fb::2 --> 2607:f8b0:4000:803::1012
--- ipv6.l.google.com ping6 statistics ---
12 packets transmitted, 0 packets received, 100.0% packet loss


wget -6 http://ipv6.google.com
--2012-12-19 17:11:07--  http://ipv6.google.com/
Resolving ipv6.google.com... 2607:f8b0:4000:803::1012
Connecting to ipv6.google.com|2607:f8b0:4000:803::1012|:80...


So it looks like DNS is resolving correctly, but I can't get anywhere.

We're verifying that the router can handle protocol 41.

Other thoughts?

Patrick

broquea

#1
Your second ping, is pinging the IPV6 address you configured locally, and it doesn't respond. That seems like the crux of the issue right there. If anything, you should be able to ping6 locally configured IPv6 addresses. Any IPv6 settings in the MacOSX firewall or whatever?

HE's side is definitely configured and responding:
--- 2001:470:1f10:6fb::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms

pgardella

Now that I'm home for the day, I ran the same steps with my home system and everything is working correctly. So it's not in the Mac configuration.  I'm suspecting its the firewall at work.  But now that I've shown that it can work, we should be able to narrow it down more.

I'll make a note if we find anything.  But if anyone has any additional ideas, I'm open to hearing them!

Patrick

nickbeee

Quote from: pgardella on December 19, 2012, 04:11:44 PM
Now that I'm home for the day, I ran the same steps with my home system and everything is working correctly. So it's not in the Mac configuration.  I'm suspecting its the firewall at work.  But now that I've shown that it can work, we should be able to narrow it down more.

It's quite likely that your firewall at work is blocking protocol 41 which is the IPv6 in IPv4 tunnelling traffic. Ask your network administrator about this as and check if it is acceptable as you may be putting a publicly accessible IPv6 system behind the firewall.

Your home system sounds OK. What model of router are you using?
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

At home I've got an Apple Airport that is the endpoint for the tunnel.  That worked like a dream.  Not sure the model of the cable modem. It's the cheap one our local cable company put in.

I did some more testing today, and it does look like the Cisco ASA is not set up to allow protocol 41 at this point.  I connected on the other side of the firewall right on our main router, and the tunnel worked. 

I think the problem with not being able to ping my local IPv6 IP locally is because the gif0 interface requires the tunnel to be up and working.  At least that's my working hypothesis.  I can ping it when the tunnel works, and can't when it isn't.   And when I add an IPV6 address to one of the other interfaces (like en0), I can ping it.

broquea

So get them to drop in a "access-list whatever extended permit 41 any any" :D

nickbeee

Quote from: pgardella on December 20, 2012, 11:50:22 AM
At home I've got an Apple Airport that is the endpoint for the tunnel.  That worked like a dream.

Airport works well in that respect. I'm always trying to keep track here of which (consumer grade) routers pass proto 41 and which don't.

Quote
I did some more testing today, and it does look like the Cisco ASA is not set up to allow protocol 41 at this point.  I connected on the other side of the firewall right on our main router, and the tunnel worked. 

Just requires an appropriate firewall rule similar to
Quote from: broqueaSo get them to drop in a "access-list whatever extended permit 41 any any" :D
Although as you have the infrastructure in place you would be better getting the tunnel terminated on your main router and then you could apply the appropriate IPv6 firewall rules at the ASA.

Quote
I think the problem with not being able to ping my local IPv6 IP locally is because the gif0 interface requires the tunnel to be up and working.
How does the gif interface state track the tunnel state? Does it show UP when there is now tunnel connectivity? I'm using an older version of OSX here and my tunnel is terminated on my router so not able to check that easily.
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

QuoteHow does the gif interface state track the tunnel state? Does it show UP when there is now tunnel connectivity? I'm using an older version of OSX here and my tunnel is terminated on my router so not able to check that easily.

I have no idea ;) I just know I can't ping the local IP unless the tunnel is fully functioning.  Right now, the tunnel does not work, nor will it ping, and yet gif0 shows it UP.  Next time I've got the tunnel working, I'll see if I can detect anything different in the flags or netstat.

QuoteAlthough as you have the infrastructure in place you would be better getting the tunnel terminated on your main router and then you could apply the appropriate IPv6 firewall rules at the ASA.

That'll come next.  We've requested a /48 assignment from ARIN, so we'll be using the BGP tunnel option in the near future. At this point, I'm playing learning.

cholzhauer

An ASA does not let you forward protocols; if you want to forward proto41, you need to send all IP traffic at that host.  I set my IPv6 router outside the firewall and let the ASA do all the filtering and access control.

nickbeee

Quote from: cholzhauer on December 21, 2012, 05:34:27 AM
An ASA does not let you forward protocols; if you want to forward proto41, you need to send all IP traffic at that host. 

Maybe that is version-specific? I can certainly set up a rule on v8.4:

access-list P41INOUT extended permit 41 host 192.168.64.64 host 192.168.46.46
access-group P41INOUT in interface outside


Quote
I set my IPv6 router outside the firewall and let the ASA do all the filtering and access control.
Yup.  8)
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

cholzhauer

To be fair, I haven't tried in a few years.  What version is that?

nickbeee

Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

pgardella

We finally got it all working.  We had to enable protocol 41 in the firewall, and configure a static NAT for each of the hosts in question. Our dynamic NAT just wouldn't work.  But now it's up and running. 

Thanks for all the help!  Next step is configuring it in our external router, per your suggestion.