Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

setup L2TP tunnel with IPv6 inside a KVM VM?

Started by tkchan, May 13, 2013, 09:47:23 PM


tkchan

Hi,

I am having trouble configuring a VPN client to use HE's IPv6 and would like to seek your assistance.

[UPDATED: The following setup works if Client C is a Mac, but not if it is a mobile device such as an iPhone/iPad/Android phone, as there is no way to add a static route there; any help on using RA to deliver the IPv6 address to clients would be highly appreciated]

First, my setup is as follows:

         |
        |
 +=============+
[[  isp router ]]
 +=============+
  123.123.123.1                          
        |
        |
+===================+
[[physical server (A)]]
+===================+
br0:123.123.123.2
he-ipv6: 2001:123:123:123::2 (endpoint 66.220.18.42)
        2001:123:124:123::1/64
        |
        |
 +===============+
[[  KVM VM01 (B) ]]
 +===============+
eth0:123.123.123.3
ipv6:2001:123:124:123::123:3
pppX:172.23.0.1 (openswan 2.6.37-1,xl2tpd 1.3.1+dfsg-1,ppp 2.4.5-5ubuntu1)
        |------------------------------------------------------+
   ppp0 |2001:123:f123:abc0::1                            ppp1 | 2001:123:f123:abc1::1
        |                                                      |
        |                                                      |
+==================+                               +==================+
[[ VPN Client 1 (C) ]] {NOT OK!!}                   [[ VPN Client 2 (D) ]] {OK}
+==================+                               +==================+
Mac or iPhone or iPad or Android phone               Windows 8
172.23.0.244 (via ppp0)                             172.23.0.245 (via ppp1)
??no ipv6 access??                                  2001:123:f123:abc1::100
                                                   (L2TP VPN, Allow CHAP, MSCHAPv2, Obtain IPv4/IPv6 automatically, use default gateway on remote)


Host A, B, D can access ipv6.google.com without any issues, however, I am unable to ping ipv6.google.com from Host C.

My settings are as follows:
Config - Host (A)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_max_syn_backlog = 2048
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_syn_retries = 5
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  net.ipv4.conf.all.accept_redirects = 1
  net.ipv4.icmp_echo_ignore_all = 1
  net.ipv4.ip_forward=1
  net.ipv6.conf.all.accept_redirects = 1
  net.ipv6.conf.all.accept_source_route = 1
  net.ipv6.conf.all.forwarding=1
  net.ipv6.conf.default.forwarding = 1

3. radvd.conf
   interface br0
  {
       AdvSendAdvert on;
       MinRtrAdvInterval 3;
       MaxRtrAdvInterval 300;
       AdvLinkMTU 1280;

       prefix 2001:123:123:123::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
               AdvRouterAddr on;
       };
   };

4. /etc/network/interfaces
  auto lo
  iface lo inet loopback
  auto eth0
  iface eth0 inet manual
  auto br0
  iface br0 inet static
       address 123.123.123.2
       netmask 255.255.255.248
       network 123.123.123.0
       broadcast 123.123.123.7
       gateway 123.123.123.1
       dns-nameservers 8.8.8.8 8.8.4.4
       dns-search localdomain
       bridge_ports eth0
       bridge_fd 9
       bridge_hello 2
       bridge_maxage 12
       bridge_stp off
       post-up ifconfig br0 up promisc
  auto he-ipv6
  iface he-ipv6 inet6 v4tunnel
       address 2001:123:123:123::2
       netmask 64
       endpoint 66.220.18.42
       up /sbin/ip -6 route add default dev he-ipv6
       up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
       up /sbin/route -A inet6 add 2001:123:f123::/48 gw 2001:123:124:123::123:3
       pre-down /sbin/route -A inet6 del 2001:123:f123::/48 gw 2001:123:124:123::123:3
       pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
       pre-down /sbin/ip -6 route del default dev he-ipv6
       dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844


Config - Host (B)
Ubuntu 12.04.2 LTS Server
1. no IPTABLES / IP6TABLES entries
2. sysctl.conf
  net.ipv4.conf.default.rp_filter=1
  net.ipv4.conf.all.rp_filter=1
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_max_syn_backlog = 2048
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_syn_retries = 5
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects =  0
  net.ipv4.icmp_echo_ignore_all = 1
  net.ipv4.ip_forward=1
  net.ipv6.conf.all.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
  net.ipv6.conf.all.autoconf = 1
  net.ipv6.conf.all.accept_ra = 2
  net.ipv6.conf.all.forwarding=1
  net.ipv6.conf.eth0.forwarding=0

3. /etc/network/interfaces
  iface eth0 inet static
       address 123.123.123.3
       netmask 255.255.255.248
       network 123.123.123.0
       broadcast 123.123.123.7
       gateway 123.123.123.1
       dns-nameservers 8.8.8.8 8.8.4.4
       dns-search localdomain
  iface eth0 inet6 static
       address 2001:123:124:123::123:3
       netmask 64
       gateway 2001:123:124:123::1

4. /etc/ipsec.conf
  version 2.0     # conforms to second version of ipsec.conf specification
  config setup
  dumpdir=/var/run/pluto/
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  oe=off
  protostack=netkey
  conn L2TP
       authby=secret
       pfs=no
       auto=add
       keyingtries=3
       ikelifetime=8h
       keylife=1h
       type=transport
       #fill in server and nexthop IP below
       left=123.123.123.3
       leftnexthop=123.123.123.1
       #fill in server and nexthop IP above
       leftprotoport=17/1701
       right=%any
       rightprotoport=17/%any

5. /etc/xl2tpd/xl2tpd.conf

  [global]
  ipsec saref = yes
  access control = yes
  force userspace = yes
  [lns default]                                                   ; Our fallthrough LNS definition
  ppp debug = no
  pppoptfile = /etc/ppp/options.xl2tpd
  refuse pap = yes
  assign ip = yes
  hostname = vpn
  ip range = 172.23.0.244-172.23.0.254
  local ip = 172.23.0.1
  lac = 0.0.0.0-255.255.255.255
  require authentication = yes
  length bit = yes

6. /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
noccp
require-mschap-v2
nodefaultroute
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 8.8.8.8
asyncmap 0
auth
noipx
mru 1500
mtu 1410
crtscts
hide-password
modem
name l2tpd
connect-delay 5000
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
+ipv6 ipv6cp-use-ipaddr
ipv6cp-use-persistent
ipv6cp-accept-local
lock
connect /etc/ppp/ipv6-up
disconnect /etc/ppp/ipv6-down

7. /etc/ppp/chap-secrets
# client    server  secret          IPaddrs
  testuser    l2tpd   TestP@ssw0rd    *

8. /etc/ipsec.secrets
123.123.123.3 %any: PSK "My-T8st#Key"
9. /etc/ppp/ipv6-up.d/local
  #!/bin/sh
  # need to disable forwarding to receive RAs
  sysctl -w net.ipv6.conf.$PPP_IFACE.forwarding=0
  ip -6 route add default via $PPP_REMOTE dev $PPP_IFACE

10. /etc/ppp/ipv6-up.local

#!/bin/bash
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#
DEVICE="$1"

CFGFILE="/etc/radvd.conf-$DEVICE"
PIDFILE="/var/run/radvd-$DEVICE.pid"
EXEFILE="/usr/sbin/radvd"

HE_NET='2001:470:f30c:abc'
PREFIX=64
GWADDR=1

if [[ "$DEVICE" = ppp[0-9] ]]
then
   eval IPV6=$HE_NET${DEVICE/ppp/}
fi
#echo 1 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/sbin/ifconfig $DEVICE add $IPV6::$GWADDR/$PREFIX mtu 1500
/sbin/route -6 add $IPV6::/$PREFIX dev $DEVICE
/etc/init.d/radvd reload

11. /etc/ppp/ipv6-down.local

#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#


# Kill the router advertisement daemon on this interface.
# The killing procedure is copied from RedHat 6.0 initscripts.

DEVICE="$1"

echo 0 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/etc/init.d/radvd reload

12. radvd.conf

interface ppp0
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc0::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp1
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc1::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp2
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc2::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp3
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc3::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp4
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc4::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp5
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc5::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp6
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc6::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp7
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc7::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp8
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc8::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};

interface ppp9
{
  AdvSendAdvert on;
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
  IgnoreIfMissing on;
  #UnicastOnly on;

  prefix 2001:123:f123:abc9::/64
  {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
  };

  RDNSS 2001:4860:4860::8888 {};
};


Config - VPN Client - Mac (C)
After connecting to the VPN, perform one of the following:
1. Type the following in a terminal:

sudo -s
ifconfig       {<= this is to note down the ppp0 link-local address}
ifconfig ppp0 inet6 delete fe80::xxxx:xxxx:xxxx:xxxx%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::1%ppp0

or
2. add /etc/ppp/ip-up with the following contents (and chmod 755 /etc/ppp/ip-up)

/usr/sbin/sysctl -w net.inet6.ip6.use_tempaddr=0
/usr/sbin/ipconfig set $1 AUTOMATIC-V6
/sbin/route add -inet6 default -interface $1


Now pinging ipv6.google.com from the client, or SSHing to the Mac over IPv6, is possible.
Can anyone guide me through setting up IPv6 for mobile devices such as iPhone/iPad/Android phones please? Many thanks.
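Host A's sysctl.conf above enables forwarding for both address families while also setting accept_redirects = 1 for IPv4 and IPv6 and net.ipv6.conf.all.accept_source_route = 1; host B's file sets the same knobs to 0. A forwarding host should not honour ICMP redirects (with ip_forward=1, IPv4 redirects are accepted only when both the "all" and the per-interface knob are 1, which is exactly what A's setting allows), and the IPv6 accept_source_route knob is an integer where only a negative value refuses routing headers, so 1 and 0 mean the same thing. The script below is an added example by the editor, not part of the post or of Ubuntu: it audits sysctl.conf text for those settings and prints the corrected lines, adding the conf.default twin of each conf.all key so interfaces created later (the pppN units) inherit them. The sample text is constructed from the lines of A's file; the function names are the editor's.

```shell
#!/bin/sh
# Audit sysctl.conf-style text for a host that forwards traffic (A and B both
# set ip_forward / forwarding = 1). Prints the keys that weaken a router and
# the corrected lines. POSIX sh + awk/sed only.

# Constructed sample: the router-relevant lines of host A's posted sysctl.conf.
SAMPLE_A='net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 1   # lets an on-link peer rewrite next hops
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding = 1'

# Strip comments and whitespace so every remaining line is exactly key=value.
normalize_sysctl() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d'
}

# Print the keys whose value is unsafe on a forwarding host:
#  - accept_redirects (IPv4 and IPv6): anything but 0
#  - net.ipv4.*.accept_source_route: anything but 0 (LSRR/SSRR options)
#  - net.ipv6.*.accept_source_route: an integer; 0 and 1 both still accept
#    type-2 routing headers, only a negative value refuses them all
risky_router_sysctls() {
    normalize_sysctl | awk -F= '
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.accept_redirects$/  && $2 != "0" { print $1 }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.accept_source_route$/  && $2 != "0" { print $1 }
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.accept_source_route$/  && $2 >= 0   { print $1 }'
}

# The value a router should carry for a given key.
hardened_value() {
    case $1 in
        net.ipv6.*.accept_source_route) echo -1 ;;
        *) echo 0 ;;
    esac
}

# Corrected "key = value" lines, one per risky key, plus the conf.default twin
# of every conf.all key so that interfaces created later inherit the setting.
hardened_lines() {
    risky_router_sysctls | while read -r key; do
        printf '%s = %s\n' "$key" "$(hardened_value "$key")"
        case $key in
            *.conf.all.*)
                twin=$(printf '%s' "$key" | sed 's/\.conf\.all\./.conf.default./')
                printf '%s = %s\n' "$twin" "$(hardened_value "$key")" ;;
        esac
    done | sort -u
}

# Exit 0 when the text on stdin has no risky key, 1 otherwise (a pre-deploy gate).
audit_router_sysctl() {
    [ -z "$(risky_router_sysctls)" ]
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_A" | hardened_lines
```

Run it as `audit_router_sysctl < /etc/sysctl.conf` before `sysctl -p`; the audit deliberately checks the file, not the live values, so it can gate a change before it is applied.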

kasperd

I would test what is working one step at a time. First step would be to try bring up the L2TP connection and assign link-local IPv6 addresses to the interfaces. Can you ping the other end of the L2TP connection with IPv6 link-local addresses after doing this?

tkchan

Hi kasperd,

Now the setup is as follows:


 +===================+
[[  KVM VM01 (Ubuntu) ]]
 +===================+
        | fe80::c02:abcd:527c:ae06%ppp0
   ppp0 |
        | fe80::22c9:cdef:fe7a:3fcd%ppp0
+===================+
[[ VPN Client 1 (Mac) ]]
+===================+


And the results are as follows:

On Ubuntu

ppp0      Link encap:Point-to-Point Protocol  
         inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
         inet6 addr: fe80::c02:abcd:527c:ae06/10 Scope:Link
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
         RX packets:187 errors:0 dropped:0 overruns:0 frame:0
         TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:3
         RX bytes:23625 (23.6 KB)  TX bytes:34436 (34.4 KB)

1. ping6 fe80::22c9:cdef:fe7a:3fcd%ppp0

PING fe80::22c9:cdef:fe7a:3fcd%ppp0(fe80::22c9:cdef:fe7a:3fcd) 56 data bytes
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=3 ttl=64 time=173 ms
64 bytes from fe80::22c9:cdef:fe7a:3fcd: icmp_seq=4 ttl=64 time=175 ms

2. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0

Password:
Last login: Tue May 14 20:30:08 2013
Mac01:~ macclient$

3. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0

linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)

* Documentation:  https://help.ubuntu.com/

 System information as of Tue May 14 20:13:17 HKT 2013

...

 Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

linux $



On Mac

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000

1. ping6 fe80::c02:abcd:527c:ae06%ppp0

PING fe80::c02:abcd:527c:ae06%ppp0(fe80::c02:abcd:527c:ae06) 56 data bytes
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=1 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=2 ttl=64 time=173 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=3 ttl=64 time=174 ms
64 bytes from fe80::c02:abcd:527c:ae06: icmp_seq=4 ttl=64 time=173 ms

2. ssh -l linux fe80::c02:abcd:527c:ae06%ppp0

linux@fe80::c02:abcd:527c:ae06%ppp0's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)

* Documentation:  https://help.ubuntu.com/

 System information as of Tue May 14 20:13:17 HKT 2013

...

 Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

linux $


3. ssh -l macclient fe80::22c9:cdef:fe7a:3fcd%ppp0

Password:
Last login: Tue May 14 20:32:12 2013
Mac01:~ macclient$


Waiting for your further guidance, thanks.

snarked

Obviously, if host B can access IPv6 addresses without problems, host A is NOT the problem.

Could it be that with host B, your lack of use of iptables, thus no NAT, is the problem?  172.16.0.0/12 is not a globally routable network.

kasperd

You have at least three different IPv6 links in your setup, each of which should be configured with a /64 prefix. The two /64s allocated by default for a tunnel won't be enough for that. So you need to request a /48, if you haven't already done so.

If you have two PPP clients running simultaneously, do they show up as two separate ppp interfaces on the vserver? I guess they will show up as different interfaces, in which case there will be two static links as well as a number of links showing up dynamically.

Once you have received a /48 you need to route a static prefix from that to the vserver. If for example you received 2001:db8:c001::/48 from HE, you could choose to route 2001:db8:c001::/56 to the vserver.

tkchan

I have requested a /48 and with 2 PPP clients running simultaneously, there are 2 separate ppp interfaces ppp0 & ppp1 on the vserver.

Below are the configuration changes I have made, but I think I may have set the /48 up incorrectly:

Machine A (Physical Server)
1. Modified /etc/radvd.conf:
   interface br0
   {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 300;
        AdvLinkMTU 1280;

        prefix 2001:123:123:123::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
       
        route 2001:123:f123::/48 {
        };
    };

2. Modified /etc/network/interfaces:
  auto lo
   iface lo inet loopback
   auto eth0
   iface eth0 inet manual
   auto br0
   iface br0 inet static
        address 123.123.123.2
        netmask 255.255.255.248
        network 123.123.123.0
        broadcast 123.123.123.7
        gateway 123.123.123.1
        dns-nameservers 8.8.8.8 8.8.4.4
        dns-search localdomain
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
        post-up ifconfig br0 up promisc
   auto he-ipv6
   iface he-ipv6 inet6 v4tunnel
        address 2001:123:123:123::2
        netmask 48
        endpoint 66.220.18.42
        up /sbin/ip -6 route add default dev he-ipv6
        up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
        up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0
        pre-down /sbin/ip -6 addr del 2001:123:f123::1/48 dev br0
        pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
        pre-down /sbin/ip -6 route del default dev he-ipv6
        dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844


Machine B (VM server)
1. Modified options.xl2tpd
   ipcp-accept-local
   ipcp-accept-remote
   noccp
   require-mschap-v2
   nodefaultroute
   ms-dns 8.8.8.8
   ms-dns 8.8.4.4
   ms-wins 8.8.8.8
   asyncmap 0
   auth
   noipx
   mru 1500
   mtu 1410
   crtscts
   hide-password
   modem
   name l2tpd
   noproxyarp
   nobsdcomp
   nodeflate
   lcp-echo-interval 30
   lcp-echo-failure 4
   +ipv6 ipv6cp-use-ipaddr
   ipv6cp-accept-local
   lock
   connect /etc/ppp/ipv6-up
   disconnect /etc/ppp/ipv6-down

2. /etc/ppp/ipv6-up.local

#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#
DEVICE="$1"

CFGFILE="/etc/radvd.conf-$DEVICE"
PIDFILE="/var/run/radvd-$DEVICE.pid"
EXEFILE="/usr/sbin/radvd"


PPP0='2001:123:f123:abc0::99/64'
PPP1='2001:123:f123:abc1::99/64'
PPP2='2001:123:f123:abc2::99/64'
PPP3='2001:123:f123:abc3::99/64'
PPP4='2001:123:f123:abc4::99/64'
PPP5='2001:123:f123:abc5::99/64'
PPP6='2001:123:f123:abc6::99/64'
PPP7='2001:123:f123:abc7::99/64'
PPP8='2001:123:f123:abc8::99/64'
PPP9='2001:123:f123:abc9::99/64'

case $DEVICE in
        "ppp0")
                IPV6=$PPP0
        ;;
        "ppp1")
                IPV6=$PPP1
        ;;
        "ppp2")
                IPV6=$PPP2
        ;;
        "ppp3")
                IPV6=$PPP3
        ;;
        "ppp4")
                IPV6=$PPP4
        ;;
        "ppp5")
                IPV6=$PPP5
        ;;
        "ppp6")
                IPV6=$PPP6
        ;;
        "ppp7")
                IPV6=$PPP7
        ;;
        "ppp8")
                IPV6=$PPP8
        ;;
        "ppp9")
                IPV6=$PPP9
        ;;
esac

#echo 1 > /proc/sys/net/ipv6/conf/$DEVICE/autoconf
/sbin/ifconfig $DEVICE add $IPV6 mtu 1500

# Start router advertisements on this link.
# Based on radvd 0.5.0 behaviour

if [ -x "$EXEFILE" -a -f "$CFGFILE" ]; then
    touch "$PIDFILE"
    if [ ! -f "$PIDFILE" ]; then
        echo "error: $PIDFILE is not a regular file. Aborting"
        exit 0
    fi

    PID="$(cat "$PIDFILE")"
    if [ -n "$PID" ]; then
        ps h "$PID" >/dev/null 2>&1 && exit 0
    fi

    # radvd 0.5.0 doesn't write a pid-file so we do it here
    # enabling debugging keeps radvd in foreground, putting it
    # on background gives us the PID.
    "$EXEFILE" -d 1 -C "$CFGFILE" &
    echo $! >"$PIDFILE"
fi

3. /etc/ppp/ipv6-down.local

#!/bin/sh
#
# This script is called with the following parameters:
# interface tty speed local-address remote-address ipparam
#


# Kill the router advertisement daemon on this interface.
# The killing procedure is copied from RedHat 6.0 initscripts.

DEVICE="$1"

PIDFILE="/var/run/radvd-$DEVICE.pid"

[ -f "$PIDFILE" ] || exit 0

PID="$(cat "$PIDFILE")"
if [ "$PID" != "" ]; then
    if ps h "$PID" >/dev/null 2>&1; then
        kill -TERM "$PID"
        # usleep comes from RedHat's initscripts and is absent on Ubuntu;
        # GNU sleep accepts fractional seconds
        sleep 0.01
        if ps h "$PID" >/dev/null 2>&1; then
            sleep 1
            if ps h "$PID" >/dev/null 2>&1; then
                kill -KILL "$PID"
            fi
        fi
    fi
fi

rm -f "$PIDFILE"

4. radvd.conf-pppX

interface pppX
{
   AdvSendAdvert on;
   MinRtrAdvInterval 30;
   MaxRtrAdvInterval 100;
   UnicastOnly on;

   prefix 2001:123:f123:abcX::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
   };
};



Now, on vserver (machine B), when there are 2 simultaneous L2TP connections, the ifconfig shows:

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
          inet6 addr: fe80::188e:2be1:6ee5:acc1/10 Scope:Link
          inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:505986 (505.9 KB)  TX bytes:645246 (645.2 KB)

ppp1      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.245  Mask:255.255.255.255
          inet6 addr: fe80::920:317a:b8f:5672/10 Scope:Link
          inet6 addr: 2001:123:f123:abc1::99/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:922 (922.0 B)  TX bytes:897 (897.0 B)


On the client, ie) PPP0, the ifconfig still only shows:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000


I wonder what I have done wrong?

kasperd

Quote from: tkchan on May 14, 2013, 09:14:51 PM
        route 2001:123:f123::/48 {
        };

I have no idea what this would mean to the router advertisement daemon. You probably don't need it.

Quote from: tkchan on May 14, 2013, 09:14:51 PM
         up /sbin/ip -6 addr add 2001:123:f123::1/48 dev br0

You are missing a gateway specification on this route. Had it been a point to point link, that wouldn't have made a difference. But br0 uses Ethernet on the link layer. So append gw <IP of L2TP vm>, and the route should work.

Quote from: tkchan on May 14, 2013, 09:14:51 PM
PPP0='2001:123:f123:abc0::99/64'
PPP1='2001:123:f123:abc1::99/64'
PPP2='2001:123:f123:abc2::99/64'
PPP3='2001:123:f123:abc3::99/64'
PPP4='2001:123:f123:abc4::99/64'
PPP5='2001:123:f123:abc5::99/64'
PPP6='2001:123:f123:abc6::99/64'
PPP7='2001:123:f123:abc7::99/64'
PPP8='2001:123:f123:abc8::99/64'
PPP9='2001:123:f123:abc9::99/64'

Are you sure you want to have this list instead of just generating each of them?

Quote from: tkchan on May 14, 2013, 09:14:51 PM
case $DEVICE in
        "ppp0")
                IPV6=$PPP0
        ;;
        "ppp1")
                IPV6=$PPP1
        ;;
        "ppp2")
                IPV6=$PPP2
        ;;
        "ppp3")
                IPV6=$PPP3
        ;;
        "ppp4")
                IPV6=$PPP4
        ;;
        "ppp5")
                IPV6=$PPP5
        ;;
        "ppp6")
                IPV6=$PPP6
        ;;
        "ppp7")
                IPV6=$PPP7
        ;;
        "ppp8")
                IPV6=$PPP8
        ;;
        "ppp9")
                IPV6=$PPP9
        ;;
esac

I think the entire case can be replaced with this much shorter version:

if [[ "$DEVICE" = ppp[0-9] ]]
then
    eval IPV6=\$${DEVICE/ppp/PPP}
fi


Quote from: tkchan on May 14, 2013, 09:14:51 PM
On the client, ie) PPP0, the ifconfig still only shows:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:d0ff:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000

I don't know if auto configuration of IPv6 addresses on PPP links is supposed to be done using router advertisements, or if it is supposed to be done during the PPP setup. For a start I would try to manually configure the IPv6 address on the PPP client in order to test if the rest of the configuration works.
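The revised ipv6-up.local in the previous post and the eval one-liner in this reply both do the same job: map a ppp unit name to its /64 from the /48. The one-liner relies on `[[ ]]` and `${DEVICE/ppp/PPP}`, which are bash features, while the revised ipv6-up.local starts with `#!/bin/sh` (dash on Ubuntu), so the two only fit together if the shebang is changed to bash. The script below is an added example by the editor, not code from the thread, radvd or pppd: it derives the link prefix arithmetically from a routed /48 (so it generalises past ppp9: ppp12 gets the abcc subnet), writes a radvd fragment with MinRtrAdvInterval and MaxRtrAdvInterval both set explicitly, and lets radvd write its own pid file with -p instead of running it in the foreground. It is POSIX sh and runs under dash or bash. The /48 2001:db8:c001::/48 (the documentation prefix used in this thread), the abcN subnet scheme and the ::1 gateway address are assumptions; the function names are the editor's.

```shell
#!/bin/sh
# Derive the per-client /64, the server-side gateway address and a radvd
# fragment for an L2TP ppp unit from one routed /48. POSIX sh only.
ROUTED_48='2001:db8:c001'   # first three hextets of the /48 routed to B (assumed)
SUBNET_BASE=43968           # 0xabc0: 4th hextet for ppp0; pppN gets 0xabc0+N (assumed)

# pppN -> N. Fails for any other interface name so nothing is ever
# configured on an interface this script does not own.
ppp_index() {
    case $1 in
        ppp[0-9]|ppp[1-9][0-9]|ppp[1-9][0-9][0-9]) printf '%s\n' "${1#ppp}" ;;
        *) return 1 ;;
    esac
}

# Link prefix for a unit, e.g. ppp3 -> 2001:db8:c001:abc3::/64.
# Generalises the posted 0..9 list: ppp12 -> ...:abcc::/64, ppp16 -> ...:abd0::/64.
ppp_link_prefix() {
    n=$(ppp_index "$1") || return 1
    printf '%s:%04x::/64\n' "$ROUTED_48" $((SUBNET_BASE + n))
}

# Server-side global address on that link: <prefix>::1/64. (RAs are sent
# from the link-local address; this is the address the client can ping.)
ppp_gateway_addr() {
    p=$(ppp_link_prefix "$1") || return 1
    printf '%s\n' "${p%::/64}::1/64"
}

# radvd fragment for one unit. UnicastOnly is left off so radvd also sends
# periodic multicast RAs: with it on, radvd only answers Router Solicitations,
# and a client that never sends one never learns the prefix.
radvd_config() {
    dev=$1
    p=$(ppp_link_prefix "$dev") || return 1
    cat <<EOF
interface $dev
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    IgnoreIfMissing on;
    UnicastOnly off;

    prefix $p
    {
        AdvOnLink on;
        AdvAutonomous on;
    };

    RDNSS 2001:4860:4860::8888 {};
};
EOF
}

# What /etc/ppp/ipv6-up would call with the unit name as \$1 (needs root;
# not run here). radvd writes its own pid file with -p, so no foreground hack.
ppp_link_up() {
    dev=$1
    ip -6 addr add "$(ppp_gateway_addr "$dev")" dev "$dev" || return 1
    radvd_config "$dev" > "/etc/radvd.conf-$dev"
    radvd -C "/etc/radvd.conf-$dev" -p "/var/run/radvd-$dev.pid"
}

# Demonstration: the fragment radvd would get for ppp3.
radvd_config ppp3
```

The matching ipv6-down hook is `kill "$(cat /var/run/radvd-$1.pid)"` followed by removing the pid file; because radvd wrote the pid itself there is nothing to poll.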

tkchan

I have changed the ipv6 portion of /etc/network/interfaces file on Primary Server (A) to the following:

iface he-ipv6 inet6 v4tunnel
        address 2001:123:123:123::2
        netmask 48
        endpoint 66.220.18.42
        up /sbin/ip -6 route add default dev he-ipv6
        up /sbin/ip -6 addr add 2001:123:124:123::1/64 dev br0
        up /sbin/route -A inet6 add 2001:123:f123::/48 gw 2001:123:124:123::123:3
        pre-down /sbin/route -A inet6 del 2001:123:f123::/48 gw 2001:123:124:123::123:3
        pre-down /sbin/ip -6 addr del 2001:123:124:123::1/64 dev br0
        pre-down /sbin/ip -6 route del default dev he-ipv6
        dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844


I have also removed the "route" portion of the /etc/radvd.conf on machine A.

When the client (C) is connected to the VPN server (B), the following appears:
Machine B - VPN server

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:172.23.0.1  P-t-P:172.23.0.244  Mask:255.255.255.255
          inet6 addr: 2001:123:f123:abc0::99/64 Scope:Global
          inet6 addr: fe80::ba9d:76bf:afc5:b4cc/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
          RX packets:1195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:178773 (178.7 KB)  TX bytes:268769 (268.7 KB)


Client - Mac (C)

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::22c9:abef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000

I have also setup manual IPv6 on the Mac (C) with the following:
   Router: 2001:123:f123:abc0::99
   IPv6 address: 2001:123:f123:abc0::100
   Prefix: 64

I can now ping 2001:123:f123:abc0::99 (of B) from a totally separate network as long as the VPN is connected, but the problem is that I cannot ping 2001:123:f123:abc0::100 from anywhere, not even from the VM (B).

Waiting for your further advice, thanks.

kasperd

Quote from: tkchan on May 15, 2013, 02:11:31 AM
I cannot ping 2001:123:f123:abc0::100 anywhere, not even on the VM (B).

Am I understanding correctly that B and C can ping each other using link-local addresses, but not using the global addresses you got from HE?

tkchan

Quote from: kasperd on May 15, 2013, 04:52:30 AM
Am I understanding correctly that B and C can ping each other using link-local addresses, but not using the global addresses you got from HE?

Yes, that's correct

kasperd

Quote from: tkchan on May 15, 2013, 08:10:08 AM
Quote from: kasperd on May 15, 2013, 04:52:30 AM
Am I understanding correctly that B and C can ping each other using link-local addresses, but not using the global addresses you got from HE?

Yes, that's correct
In that case the next step must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses you are using. Try to run tcpdump on each end of the PPP connection while you do a ping with each kind of address, and then compare the results.

tkchan

Quote from: kasperd on May 15, 2013, 08:22:24 AM
In that case the next step must be to figure out why this is happening. I would expect the PPP connection to behave the same way regardless of the scope of the addresses you are using. Try to run tcpdump on each end of the PPP connection while you do a ping with each kind of address, and then compare the results.

I think I know what happened, but I am not sure if there is a way to "fix" it (ie. let client get ipv6 address automatically), here is what I have done:

On the Mac client (C), I have performed the following in command line:

sudo -s
ifconfig ppp0 inet6 delete fe80::22c9:cdef:fe7a:3fcd%ppp0
ifconfig ppp0 inet6 2001:123:f123:abc0::100
route add -inet6 default 2001:123:f123:abc0::100%ppp0


Now the ifconfig result is as follows:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 172.23.0.244 --> 172.23.0.1 netmask 0xffff0000
inet6 fe80::22c9:cdef:fe7a:3fcd%ppp0 prefixlen 64 scopeid 0x7
inet6 2001:123:f123:abc0::100 prefixlen 64

And I can finally ping and access ipv6.google.com.

But this does not work if it is a mobile device such as an iPhone or iPad  :-X
I wonder if there is a way to fix this

kcochran

PPP for IPv6 will only let you define link-layer addresses in the initial connection.  That's the extent of IPCPv6's direct support.  From there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.

kasperd

Quote from: kcochran on May 16, 2013, 04:36:13 AM
From there you have to define statics, or use RA to deliver the appropriate prefix information to clients which either don't require statics, or can't configure statics.

RA was tried previously. But maybe the radvd.conf-pppx configuration files weren't correct.

My first three guesses for why it didn't work are:

  • radvd is misconfigured and either doesn't start or doesn't respond properly.
  • the client doesn't ask for a router in the first place. Perhaps PPP needs to assign a link-local address in order to enable IPv6 on the interface.
  • Maybe there is some race condition caused by both radvd and the client being started as the device is brought up, and perhaps some initial packets are sent before the other end is ready to receive them.

A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early as you'd like it to be.

Static addresses would work on some clients, but that would require the server to recognize the client and assign the same /64 to the client regardless of which ppp interface it got.

tkchan

Quote from: kasperd on May 16, 2013, 08:06:07 AM

A tcpdump on the ppp interface might be interesting, but it would be difficult to get that tcpdump command started as early as you'd like it to be.


# tcpdump -i ppp0 -vv ip6
tcpdump: WARNING: ppp0: no IPv4 address assigned
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

23:35:40.438689 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::abcd:ff:fe58:8a56 > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ip6-allrouters to_ex { }]

That is all I can get
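The capture above contains a single packet: an MLDv2 listener report joining ff02::2 (ip6-allrouters). Joining the all-routers group is what the advertising side does when it comes up (the kernel on an interface with forwarding on, and radvd itself), so this is not a Router Solicitation (ICMPv6 type 133) from the client, and no Router Advertisement (type 134) follows. With UnicastOnly on in radvd.conf-pppX, radvd sends no unsolicited RAs and only replies to solicitations, so a capture like this means the prefix is never put on the wire. The script below is an added example by the editor, not from the thread: it counts RS, RA and MLD lines in tcpdump text and prints a diagnosis, and it builds the capture command with -i any, which is bound to no single interface and therefore also sees a ppp unit that is created after tcpdump starts, which addresses kasperd's timing concern. The two captures are constructed samples in tcpdump's text format; the first reproduces the line above, the second shows what a working RS/RA exchange looks like.

```shell
#!/bin/sh
# Read tcpdump text from a ppp link and report whether Router Solicitations
# (ICMPv6 type 133) and Router Advertisements (type 134) were seen.
# POSIX sh + awk; the captures below are constructed samples.

# Mirrors the thread's capture: one MLDv2 report, no RS, no RA.
CAPTURE_THREAD='23:35:40.438689 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::abcd:ff:fe58:8a56 > ff02::16: HBH (rtalert: 0x0000) (padn)[icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ip6-allrouters to_ex { }]'

# What a working exchange looks like: client solicits, router answers by unicast.
CAPTURE_WORKING='12:00:01.000001 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::22c9:cdef:fe7a:3fcd > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8
12:00:01.050000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::ba9d:76bf:afc5:b4cc > fe80::22c9:cdef:fe7a:3fcd: [icmp6 sum ok] ICMP6, router advertisement, length 56'

# Capture command for the server. "-i any" is not bound to one interface, so it
# also sees a pppN unit created after tcpdump starts. ip6[40] is the ICMPv6 type
# byte when no extension header precedes ICMPv6, which holds for RS and RA.
nd_capture_cmd() {
    printf 'tcpdump -l -n -i %s "icmp6 and (ip6[40] == 133 or ip6[40] == 134)"\n' "${1:-any}"
}

# Count RS / RA / MLD lines on stdin; prints "rs=N ra=N mld=N".
nd_summary() {
    awk '
        /ICMP6, router solicitation/  { rs++ }
        /ICMP6, router advertisement/ { ra++ }
        /multicast listener report/   { mld++ }
        END { printf "rs=%d ra=%d mld=%d\n", rs, ra, mld }'
}

# One-line diagnosis for a capture on stdin.
nd_verdict() {
    s=$(nd_summary)
    case $s in
        "rs=0 ra=0"*)   echo "no RS and no RA: the client never asked for a router; with UnicastOnly on, radvd stays silent (set it off, or make the client solicit)" ;;
        "rs=0 ra="*)    echo "RAs without RS: radvd advertises periodically; the client simply did not solicit" ;;
        "rs="*" ra=0"*) echo "RS without RA: radvd is not answering on this unit (check it runs with this unit's config)" ;;
        *)              echo "RS and RA both seen: prefix delivery works at the ND layer; look at the client's address and route handling next" ;;
    esac
}

# Demonstration on the thread's capture.
printf '%s\n' "$CAPTURE_THREAD" | nd_verdict
```

Pipe a live capture through it with `$(nd_capture_cmd) 2>/dev/null | nd_verdict` on the server, or save the capture with `-w` and replay it through `tcpdump -r` into nd_summary.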