Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: setup L2TP tunnel with IPv6 inside a KVM VM?  (Read 13132 times)

tkchan

  • Newbie
  • Posts: 9
setup L2TP tunnel with IPv6 inside a KVM VM?
« on: May 13, 2013, 09:47:23 PM »

Hi,

I am having trouble trying to configure a VPN client to use HE's IPv6 and would like to seek assistance from you.

[UPDATED: The following setup is working if Client C is a Mac machine, but this would not work if it is a mobile device such as iPhone/iPad/Android phone as there is no way to add a static route, any help on using RA to deliver the ipv6 addr to clients would be highly appreciated]

First, my setup is as follows:
Code:
         |
         |
  +=============+
 [[  isp router ]]
  +=============+
   123.123.123.1                          
         |
         |
 +===================+
[[physical server (A)]]
 +===================+
br0:123.123.123.2
he-ipv6: 2001:123:123:123::2 (endpoint 66.220.18.42)
         2001:123:124:123::1/64
         |
         |
  +===============+
 [[  KVM VM01 (B) ]]
  +===============+
eth0:123.123.123.3
ipv6:2001:123:124:123::123:3
pppX:172.23.0.1 (openswan 2.6.37-1,xl2tpd 1.3.1+dfsg-1,ppp 2.4.5-5ubuntu1)
         |------------------------------------------------------+
    ppp0 |2001:123:f123:abc0::1                            ppp1 | 2001:123:f123:abc1::1
         |                                                      |
         |                                                      |
 +==================+                               +==================+
[[ VPN Client 1 (C) ]] {NOT OK!!}                   [[ VPN Client 2 (D) ]] {OK}
 +==================+                               +==================+
Mac or iPhone or iPad or Android phone               Windows 8
172.23.0.244 (via ppp0)                             172.23.0.245 (via ppp1)
??no ipv6 access??                                  2001:123:f123:abc1::100
                                                    (L2TP VPN, Allow CHAP, MSCHAPv2, Obtain IPv4/IPv6 automatically, use default gateway on remote)

Host A, B, D can access ipv6.google.com without any issues, however, I am unable to ping ipv6.google.com from Host C.

My settings are as follows:
Config - Host (A)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
Code:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1
3. radvd.conf
Code:
interface br0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 300;
    AdvLinkMTU 1280;

    prefix 2001:123:123:123::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
4. /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
    address 123.123.123.2
    netmask 255.255.255.248
    network 123.123.123.0
    broadcast 123.123.123.7
    gateway 123.123.123.1
    dns-nameservers 8.8.8.8 8.8.4.4
    dns-search localdomain
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
    post-up ifconfig br0 up promisc
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:123:123:123::2
    netmask 64
    endpoint 66.220.18.42
    up /sbin/ip -6 route add default dev he-ipv6
    up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
    up /sbin/route -A inet6 add 2001:123:f123::1/48 gw 2001:123:124:123::123:3
    pre-down /sbin/route -A inet6 del 2001:123:f123::1/48 gw 2001:123:124:123::123:3
    pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
    pre-down /sbin/ip -6 route del default dev he-ipv6
    dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844

Config - Host (B)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
Code:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eth0.forwarding=0
3. /etc/network/interfaces
Code:
iface eth0 inet static
    address 123.123.123.3
    netmask 255.255.255.248
    network 123.123.123.0
    broadcast 123.123.123.7
    gateway 123.123.123.1
    dns-nameservers 8.8.8.8 8.8.4.4
    dns-search localdomain
iface eth0 inet6 static
    address 2001:123:124:123::123:3
    netmask 64
    gateway 2001:123:124:123::1
4. /etc/ipsec.conf
Code:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey
conn L2TP
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    type=transport
    #fill in server and nexthop IP below
    left=123.123.123.3
    leftnexthop=123.123.123.1
    #fill in server and nexthop IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
5. /etc/xl2tpd/xl2tpd.conf
Code:
[global]
ipsec saref = yes
access control = yes
force userspace = yes
[lns default]                                                   ; Our fallthrough LNS definition
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
refuse pap = yes
assign ip = yes
hostname = vpn
ip range = 172.23.0.244-172.23.0.254
local ip = 172.23.0.1
lac = 0.0.0.0-255.255.255.255
require authentication = yes
length bit = yes
6. /etc/ppp/options.xl2tpd
Code:
ipcp-accept-local
ipcp-accept-remote
noccp
require-mschap-v2
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 8.8.8.8
asyncmap 0
auth
noipx
mru 1500
mtu 1410
crtscts
hide-password
modem
name l2tpd
connect-delay 5000
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
+ipv6 ipv6cp-use-ipaddr
ipv6cp-use-persistent
ipv6cp-accept-local
lock
connect /etc/ppp/ipv6-up
disconnect /etc/ppp/ipv6-down
7. /etc/ppp/chap-secrets
Code:
# client    server  secret          IPaddrs
testuser    l2tpd   TestP@ssw0rd    *
8. /etc/ipsec.secrets
Code:
123.123.123.3 %any: PSK "My-T8st#Key"
9. /etc/ppp/ipv6-up.d/local
Code:
#!/bin/sh
# need to disable forwarding to receive RAs
sysctl -w net.ipv6.conf.$PPP_IFACE.forwarding=0
ip -6 route add default via $PPP_REMOTE dev $PPP_IFACE
10. /etc/ppp/ipv6-up.local
Code:
#!/bin/bash
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#
DEVICE="$1"

CFGFILE="/etc/radvd.conf-$DEVICE"
PIDFILE="/var/run/radvd-$DEVICE.pid"
EXEFILE="/usr/sbin/radvd"

HE_NET='2001:470:f30c:abc'
PREFIX=64
GWADDR=1

if [[ "$DEVICE" = ppp[0-9] ]]
then
    eval IPV6=$HE_NET${DEVICE/ppp/}
fi
#echo 1 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/sbin/ifconfig $DEVICE add $IPV6::$GWADDR/$PREFIX mtu 1500
/sbin/route -6 add $IPV6::/$PREFIX dev $DEVICE
/etc/init.d/radvd reload
11. /etc/ppp/ipv6-down.local
Code:
#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#


# Kill the router advertisement daemon on this interface.
# The killing procedure is copied from RedHat 6.0 initscripts.

DEVICE="$1"

echo 0 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/etc/init.d/radvd reload
12. radvd.conf
Code:
interface ppp0
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc0::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp1
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc1::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp2
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc2::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp3
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc3::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp4
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc4::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp5
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc5::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp6
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc6::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp7
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc7::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp8
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc8::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

interface ppp9
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   IgnoreIfMissing on;
   #UnicastOnly on;

   prefix 2001:123:f123:abc9::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };

   RDNSS 2001:4860:4860::8888 {};
};

Config - VPN Client - Mac (C)
After connecting to the VPN, perform one of the following:
1. Type in the following in terminal:
Code:
sudo -s
ifconfig       # note down the ppp0 link-local address shown here; it is deleted in the next step
ifconfig ppp0 inet6 delete fe80::xxxx:xxxx:xxxx:xxxx%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::1%ppp0
or
2. add /etc/ppp/ip-up with the following contents (and chmod 755 /etc/ppp/ip-up)
Code:
/usr/sbin/sysctl -w net.inet6.ip6.use_tempaddr=0
/usr/sbin/ipconfig set $1 AUTOMATIC-V6
/sbin/route add -inet6 default -interface $1

Now pinging ipv6.google.com from the client, or connecting to the Mac over IPv6 with ssh, is possible.
Can anyone guide me through setting up IPv6 for mobile devices such as iPhone/iPad/Android phone, please? Many thanks.
« Last Edit: May 17, 2013, 09:46:12 PM by tkchan »

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #1 on: May 14, 2013, 04:54:38 AM »

I would test what is working one step at a time. The first step would be to try to bring up the L2TP connection and assign link-local IPv6 addresses to the interfaces. Can you ping the other end of the L2TP connection with the IPv6 link-local addresses after doing this?

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #2 on: May 14, 2013, 05:40:29 AM »

Hi kasperd,

Now the setup is as follows:
Code:

  +===================+
 [[  KVM VM01 (Ubuntu) ]]
  +===================+
         | fe80::c02:abcd:527c:ae06%ppp0
    ppp0 |
         | fe80::22c9:cdef:fe7a:3fcd%ppp0
 +===================+
[[ VPN Client 1 (Mac) ]]
 +===================+

And the results are as follows:

On Ubuntu
Code:
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
          inet6 addr: fe80::c02:abcd:527c:ae06/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
          RX packets:187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:23625 (23.6 KB)  TX bytes:34436 (34.4 KB)
1. ping6 fe80::22c9:cdef:fe7a:3fcd%ppp0
Code:
PING fe80::22c9:cdef:fe7a:3fcd%ppp0(fe80::22c9:cdef:fe7a:3fcd) 56 data bytes
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=3 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=4 ttl=64 time=175 ms
2. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0
Code:
Password:
Last login: Tue May 14 20:30:08 2013
Mac01:~ macclient$
3. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0
Code:
linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue May 14 20:13:17 HKT 2013

...

  Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

linux $


On Mac
Code:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
1. ping6 fe80::c02:abcd:527c:ae06%ppp0
Code:
PING fe80::c02:abcd:527c:ae06%ppp0(fe80::c02:abcd:527c:ae06) 56 data bytes
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=3 ttl=64 time=174 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=4 ttl=64 time=173 ms
2. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0
Code:
linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue May 14 20:13:17 HKT 2013

...

  Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

linux $

3. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0
Code:
Password:
Last login: Tue May 14 20:32:12 2013
Mac01:~ macclient$

Waiting for your further guidance, thanks.
« Last Edit: May 14, 2013, 05:56:56 AM by tkchan »

snarked

  • Hero Member
  • Posts: 741
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #3 on: May 14, 2013, 09:39:33 AM »

Obviously, if host B can access IPv6 addresses without problems, host A is NOT the problem.

Could it be that with host B, your lack of use of iptables, thus no NAT, is the problem?  172.16.0.0/12 is not a globally routable network.

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #4 on: May 14, 2013, 09:45:43 AM »

You have at least three different IPv6 links in your setup, each of which should be configured with a /64 prefix. The two /64s allocated by default for a tunnel won't be enough for that. So you need to request a /48, if you haven't already done so.

If you have two PPP clients running simultaneously, do they show up as two separate ppp interfaces on the vserver? I guess they will show up as different interfaces, in which case there will be two static links as well as a number of links showing up dynamically.

Once you have received a /48 you need to route a static prefix from that to the vserver. If for example you received 2001:db8:c001::/48 from HE, you could choose to route 2001:db8:c001::/56 to the vserver.

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #5 on: May 14, 2013, 09:14:51 PM »

I have requested a /48 and with 2 PPP clients running simultaneously, there are 2 separate ppp interfaces ppp0 & ppp1 on the vserver.

Below are the configuration changes I have made, but I think I may have set the /48 up incorrectly:

Machine A (Physical Server)
1. Modified /etc/radvd.conf:
Code:
interface br0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 300;
    AdvLinkMTU 1280;

    prefix 2001:123:123:123::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };

    route 2001:123:f123::/48 {
    };
};
2. Modified /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
    address 123.123.123.2
    netmask 255.255.255.248
    network 123.123.123.0
    broadcast 123.123.123.7
    gateway 123.123.123.1
    dns-nameservers 8.8.8.8 8.8.4.4
    dns-search localdomain
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
    post-up ifconfig br0 up promisc
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:123:123:123::2
    netmask 48
    endpoint 66.220.18.42
    up /sbin/ip -6 route add default dev he-ipv6
    up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
    up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0
    pre-down /sbin/ip -6 addr del 2001:123:f123::1/48 dev br0
    pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
    pre-down /sbin/ip -6 route del default dev he-ipv6
    dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844

Machine B (VM server)
1. Modified options.xl2tpd
Code:
ipcp-accept-local
ipcp-accept-remote
noccp
require-mschap-v2
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ms-wins 8.8.8.8
asyncmap 0
auth
noipx
mru 1500
mtu 1410
crtscts
hide-password
modem
name l2tpd
noproxyarp
nobsdcomp
nodeflate
lcp-echo-interval 30
lcp-echo-failure 4
+ipv6 ipv6cp-use-ipaddr
ipv6cp-accept-local
lock
connect /etc/ppp/ipv6-up
disconnect /etc/ppp/ipv6-down
2. /etc/ppp/ipv6-up.local
Code:
#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#
DEVICE="$1"

CFGFILE="/etc/radvd.conf-$DEVICE"
PIDFILE="/var/run/radvd-$DEVICE.pid"
EXEFILE="/usr/sbin/radvd"


PPP0='2001:123:f123:abc0::99/64'
PPP1='2001:123:f123:abc1::99/64'
PPP2='2001:123:f123:abc2::99/64'
PPP3='2001:123:f123:abc3::99/64'
PPP4='2001:123:f123:abc4::99/64'
PPP5='2001:123:f123:abc5::99/64'
PPP6='2001:123:f123:abc6::99/64'
PPP7='2001:123:f123:abc7::99/64'
PPP8='2001:123:f123:abc8::99/64'
PPP9='2001:123:f123:abc9::99/64'

case $DEVICE in
        "ppp0")
                IPV6=$PPP0
        ;;
        "ppp1")
                IPV6=$PPP1
        ;;
        "ppp2")
                IPV6=$PPP2
        ;;
        "ppp3")
                IPV6=$PPP3
        ;;
        "ppp4")
                IPV6=$PPP4
        ;;
        "ppp5")
                IPV6=$PPP5
        ;;
        "ppp6")
                IPV6=$PPP6
        ;;
        "ppp7")
                IPV6=$PPP7
        ;;
        "ppp8")
                IPV6=$PPP8
        ;;
        "ppp9")
                IPV6=$PPP9
        ;;
esac

#echo 1 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/sbin/ifconfig $DEVICE add $IPV6 mtu 1500

# Start router advertisements on this link.
# Based on radvd 0.5.0 behaviour

if [ -x "$EXEFILE" -a -f "$CFGFILE" ]; then
    touch "$PIDFILE"
    if [ ! -f "$PIDFILE" ]; then
        echo "error: $PIDFILE is not a regular file. Aborting"
        exit 0
    fi

    PID="$(cat "$PIDFILE")"
    if [ -n "$PID" ]; then
        ps h "$PID" >/dev/null 2>&1 && exit 0
    fi

    # radvd 0.5.0 doesn't write a pid-file so we do it here
    # enabling debugging keeps radvd in foreground, putting it
    # on background gives us the PID.
    "$EXEFILE" -d 1 -C "$CFGFILE" &
    echo $! >"$PIDFILE"
fi
3. /etc/ppp/ipv6-down.local
Code:
#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#


# Kill the router advertisement daemon on this interface.
# The killing procedure is copied from RedHat 6.0 initscripts.

DEVICE="$1"

PIDFILE="/var/run/radvd-$DEVICE.pid"

[ -f "$PIDFILE" ] || exit 0

PID="$(cat "$PIDFILE")"
if [ "$PID" != "" ]; then
    if ps h "$PID" >/dev/null 2>&1; then
        kill -TERM "$PID"
        usleep 10000
        if ps h "$PID" >/dev/null 2>&1; then
            sleep 1
            if ps h "$PID" >/dev/null 2>&1; then
                kill -KILL "$PID"
            fi
        fi
    fi
fi

rm -f "$PIDFILE"
4. radvd.conf-pppX
Code:
interface pppX
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   UnicastOnly on;

   prefix 2001:123:f123:abcX::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };
};


Now, on vserver (machine B), when there are 2 simultaneous L2TP connections, the ifconfig shows:
Code:
ppp0      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
          inet6 addr: fe80::188e:2be1:6ee5:acc1/10 Scope:Link
          inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:505986 (505.9 KB)  TX bytes:645246 (645.2 KB)

ppp1      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.245  Mask:255.255.255.255
          inet6 addr: fe80::920:317a:b8f:5672/10 Scope:Link
          inet6 addr: 2001:123:f123:abc1::99/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:922 (922.0 B)  TX bytes:897 (897.0 B)


On the client (i.e. ppp0), ifconfig still only shows:
Code:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000

I wonder what I have done wrong?

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #6 on: May 15, 2013, 12:00:41 AM »

Code:
        route 2001:123:f123::/48 {
        };
I have no idea what this would mean to the router advertisement daemon. You probably don't need it.

Code:
         up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0
You are missing a gateway specification on this route. Had it been a point to point link, that wouldn't have made a difference. But br0 uses Ethernet on the link layer. So append gw <IP of L2TP vm>, and the route should work.

Code:
PPP0='2001:123:f123:abc0::99/64'
PPP1='2001:123:f123:abc1::99/64'
PPP2='2001:123:f123:abc2::99/64'
PPP3='2001:123:f123:abc3::99/64'
PPP4='2001:123:f123:abc4::99/64'
PPP5='2001:123:f123:abc5::99/64'
PPP6='2001:123:f123:abc6::99/64'
PPP7='2001:123:f123:abc7::99/64'
PPP8='2001:123:f123:abc8::99/64'
PPP9='2001:123:f123:abc9::99/64'
Are you sure you want to have this list instead of just generating each of them?

Code:
case $DEVICE in
        "ppp0")
                IPV6=$PPP0
        ;;
        "ppp1")
                IPV6=$PPP1
        ;;
        "ppp2")
                IPV6=$PPP2
        ;;
        "ppp3")
                IPV6=$PPP3
        ;;
        "ppp4")
                IPV6=$PPP4
        ;;
        "ppp5")
                IPV6=$PPP5
        ;;
        "ppp6")
                IPV6=$PPP6
        ;;
        "ppp7")
                IPV6=$PPP7
        ;;
        "ppp8")
                IPV6=$PPP8
        ;;
        "ppp9")
                IPV6=$PPP9
        ;;
esac
I think the entire case can be replaced with this much shorter version
Code:
# needs bash rather than /bin/sh: [[ ]] and ${var/pattern/replacement} are bash-only
if [[ "$DEVICE" = ppp[0-9] ]]
then
    eval IPV6=\$${DEVICE/ppp/PPP}    # ppp3 -> IPV6=$PPP3; same variable name the rest of the script uses
fi

On the client (i.e. ppp0), ifconfig still only shows:
Code:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
I don't know if auto configuration of IPv6 addresses on PPP links is supposed to be done using router advertisements, or if it is supposed to be done during the PPP setup. For a start I would try to manually configure the IPv6 address on the PPP client in order to test if the rest of the configuration works.
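As an added example (not kasperd's code and not anything posted in the thread), here is the same idea carried one step further in POSIX sh, so the thread's `#!/bin/sh` scripts can run it unchanged: the ppp interface name alone yields the link's /64, the LNS-side address and a radvd stanza, and any name outside ppp0..ppp9 is refused instead of silently becoming an empty variable. The prefix `2001:db8:f123:abc` is an assumed documentation-range stand-in for the thread's `2001:123:f123:abc`, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: derive everything a new pppN link
# needs (its /64, the LNS-side address, a radvd stanza) from the interface
# name, so no hand-maintained PPP0..PPP9 list or case block is required.
# SITE_PREFIX is an assumption: a documentation-range stand-in for the
# "2001:123:f123:abc" part of the thread's /48; replace it with the real one.
SITE_PREFIX="2001:db8:f123:abc"

# index_of_device ppp7 -> "7"; fails for anything that is not ppp0..ppp9,
# so a stray interface name can never be turned into an address.
index_of_device() {
    case "$1" in
        ppp[0-9]) printf '%s\n' "${1#ppp}" ;;
        *)        return 1 ;;
    esac
}

# link_prefix ppp7 -> 2001:db8:f123:abc7::/64
link_prefix() {
    idx=$(index_of_device "$1") || return 1
    printf '%s%s::/64\n' "$SITE_PREFIX" "$idx"
}

# lns_addr ppp7 -> 2001:db8:f123:abc7::99/64
# (the ::99 address the thread configures on the server side of each ppp link)
lns_addr() {
    idx=$(index_of_device "$1") || return 1
    printf '%s%s::99/64\n' "$SITE_PREFIX" "$idx"
}

# radvd_stanza ppp7 -> radvd interface block for that link on stdout.
# Both MinRtrAdvInterval and MaxRtrAdvInterval are set here; the thread's
# per-ppp files list MaxRtrAdvInterval twice, which reads like a typo for Min.
radvd_stanza() {
    prefix=$(link_prefix "$1") || return 1
    cat <<EOF
interface $1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    IgnoreIfMissing on;

    prefix $prefix
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };

    RDNSS 2001:4860:4860::8888 {};
};
EOF
}

# write_radvd_conf ppp7 /some/dir -> writes /some/dir/radvd.conf-ppp7 and
# prints the path; an ipv6-up script would call this and then start radvd
# with -C on that file. A rejected interface name leaves no file behind.
write_radvd_conf() {
    dev=$1; dir=$2
    out="$dir/radvd.conf-$dev"
    radvd_stanza "$dev" > "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}
```

In an ipv6-up script the call would be `write_radvd_conf "$1" /etc` with pppd's interface argument, followed by `ifconfig "$1" add "$(lns_addr "$1")"` and a radvd start on the printed path; because the address and the advertised prefix come from the same function, they cannot drift apart the way two hand-edited lists can.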

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #7 on: May 15, 2013, 02:11:31 AM »

I have changed the ipv6 portion of /etc/network/interfaces file on Primary Server (A) to the following:
Code:
iface he-ipv6 inet6 v4tunnel
        address 2001:123:123:123::2
        netmask 48
        endpoint 66.220.18.42
        up /sbin/ip -6 route add default dev he-ipv6
        up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
        up /sbin/route -A inet6 add 2001:123:f123::1/48 gw 2001:123:124:123::123:3
        pre-down /sbin/route -A inet6 del 2001:123:f123::1/48 gw 2001:123:124:123::123:3
        pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
        pre-down /sbin/ip -6 route del default dev he-ipv6
        dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844

I have also removed the "route" portion of the /etc/radvd.conf on machine A.

When the client (C) is connected to the VPN server (B), the following appears:
Machine B - VPN server
Code:
ppp0      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
          inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
          inet6 addr: fe80::ba9d:76bf:afc5:b4cc/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
          RX packets:1195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:178773 (178.7 KB)  TX bytes:268769 (268.7 KB)

Client - Mac (C)
Code:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:abef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
I have also setup manual IPv6 on the Mac (C) with the following:
   Router: 2001:123:f123:abc0::99
   IPv6 address: 2001:123:f123:abc0::100
   Prefix: 64

I can now ping 2001:123:f123:abc0::99 (of B) remotely from a totally separate network as long as the VPN is connected, but the problem is that I cannot ping 2001:123:f123:abc0::100 from anywhere, not even on the VM (B).

Waiting for your further advice, thanks.

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #8 on: May 15, 2013, 04:52:30 AM »

I cannot ping 2001:123:f123:abc0::100 anywhere, not even on the VM (B).
Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #9 on: May 15, 2013, 08:10:08 AM »

Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?

Yes, that's correct

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #10 on: May 15, 2013, 08:22:24 AM »

Am I understanding correctly, that B and C can ping each other using link-local addresses, but not using the global addresses, you got from HE?

Yes, that's correct
In that case the next steps must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses, you are using. Try to run tcpdump on each end of the PPP connection while you try to do a ping with each kind of address, and then compare the results.

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #11 on: May 15, 2013, 07:54:24 PM »

In that case the next steps must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses, you are using. Try to run tcpdump on each end of the PPP connection while you try to do a ping with each kind of address, and then compare the results.

I think I know what happened, but I am not sure if there is a way to "fix" it (ie. let client get ipv6 address automatically), here is what I have done:

On the Mac client (C), I have performed the following in command line:
Code:
sudo -s
ifconfig ppp0 inet6 delete fe80::22c9:cdef:fe7a:3fcd%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::100%ppp0

Now the ifconfig result is as follows:
Code:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet6 2001:123:f123:abc0::100 prefixlen 64
And I can finally ping and access ipv6.google.com.

But this does not work if it is a mobile device such as iphone or iPad  :-X
I wonder if there is a way to fix this
« Last Edit: May 15, 2013, 07:56:46 PM by tkchan »

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • Posts: 413
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #12 on: May 16, 2013, 04:36:13 AM »

PPP for IPv6 only will let you define link-layer addresses in the initial connection. That's the extent of IPCPv6's direct support. From there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #13 on: May 16, 2013, 08:06:07 AM »

From there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.
RA was tried previously. But maybe the radvd.conf-pppx configuration files weren't correct.

My first three guesses for why it didn't work are:
  • radvd is misconfigured and either doesn't start or doesn't respond properly.
  • the client doesn't ask for a router in the first place. Perhaps PPP needs to assign a link-local address in order to enable IPv6 on the interface.
  • Maybe there is some race condition caused by both radvd and the client being started as the device is brought up, and perhaps some initial packets are sent before the other end is ready to receive them.

A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early as you'd like it to be.

Static addresses would work on some clients, but that would require the server to recognize the client and assign the same /64 to the client regardless of which ppp interface it got.

tkchan

  • Newbie
  • Posts: 9
Re: setup L2TP tunnel with IPv6 inside a KVM VM?
« Reply #14 on: May 16, 2013, 08:38:44 AM »

A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early as you'd like it to be.

# tcpdump -i ppp0 -vv ip6
tcpdump: WARNING: ppp0: no IPv4 address assigned
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

23:35:40.438689 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::abcd:ff:fe58:8a56 > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ip6-allrouters to_ex { }]

That is all I can get
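As an added example, and not something posted in the thread: the capture above is a single MLD report, but a longer `tcpdump -i pppX -vv ip6` capture is easier to judge if the neighbour-discovery messages are counted mechanically rather than read line by line. The POSIX sh below classifies a saved capture by tcpdump's own message names (`router solicitation`, `router advertisement`, `multicast listener report`) and reports whether the client ever asked for a router and whether anything answered. The sample lines in `sample_capture` are constructed (timestamps and addresses made up) and are not taken from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sort the lines of a saved
# `tcpdump -i pppX -vv ip6` capture into the neighbour-discovery messages a
# SLAAC client needs, so a capture can be judged at a glance.
# The sample lines produced by sample_capture are constructed, not captured.

# nd_counts FILE -> "mld=<n> rs=<n> ra=<n>"; the patterns are tcpdump's own
# wording for MLD reports, Router Solicitations and Router Advertisements.
nd_counts() {
    awk '
        /multicast listener report/ { mld++ }
        /router solicitation/       { rs++ }
        /router advertisement/      { ra++ }
        END { printf "mld=%d rs=%d ra=%d\n", mld, rs, ra }
    ' "$1"
}

# nd_verdict FILE ->
#   ok         : at least one Router Advertisement crossed the link
#   no-advert  : the client sent a Router Solicitation but nothing answered
#                (look at radvd: is it running on this pppX, with this config?)
#   no-solicit : only group joins (MLD) or nothing at all were seen; the client
#                never asked for a router, so radvd is not the first suspect
nd_verdict() {
    counts=$(nd_counts "$1")
    rs=${counts#*rs=}; rs=${rs%% *}
    ra=${counts#*ra=}
    if [ "$ra" -gt 0 ]; then
        echo ok
    elif [ "$rs" -gt 0 ]; then
        echo no-advert
    else
        echo no-solicit
    fi
}

# sample_capture -> three constructed tcpdump-style lines (an MLDv2 report,
# a Router Solicitation and a Router Advertisement) for offline use.
sample_capture() {
    cat <<'EOF'
23:35:40.438689 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::1 > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ip6-allrouters to_ex { }]
23:35:41.002114 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::2 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8
23:35:41.004931 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
EOF
}
```

Usage against a real capture is `tcpdump -i ppp0 -vv ip6 > /tmp/ppp0.txt` on the server while the client connects, then `nd_verdict /tmp/ppp0.txt`; a capture like the one quoted above, with only the MLD line, comes back as `no-solicit`.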