• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

problem with Tunnel 6in4 tunnel between 2 Linux servers

Started by Ahmed M. H. Alzaeem, September 10, 2015, 03:15:15 PM


Ahmed M. H. Alzaeem

Hi,
I have a Linux server that already contains an IPv6 address/64 and is able to reach IPv6 destinations without any problem.

But I want to cut some IPs from that main server and give them to another server by tunnel so that the other server is able to reach IPv6 websites.

I was able to set up the tunnel between them and ping all the networks/IPs between them.
My main problem is that the remote server, which has some IPs cut from the /64 and assigned to it as /128, is unable to reach the internet.
It seems like the traceroute dies on the main server and doesn't exit it.
Hope you can help me.
Let me explain what I did so far:
====================
server1-which is the main server has :
inet addr:162.250.189.177
inet6 addr: 2602:ffd5:1:112:999::1/64 Scope:Global
we can say 2602:ffd5:1:112::/64  subnet
==========================

server2-which is the remote server that will use the main server as ipv6 gateway has :
67.212.83.32
==========================

Below I will post the settings I used for the tunnel:

server1-main one :
ip tunnel add IPV6 mode sit remote 67.212.83.32 local 162.250.189.177 ttl 255
ip link set IPV6  up
ifconfig IPV6  inet add 2602:ffd5:1:dddd:bbbb::1/64
ip route add 2602:ffd5:1:112:112::/80 dev IPV6

server2-client one :
ip tunnel add IPV6 mode sit remote 162.250.189.177 local 67.212.83.32 ttl 255
ip link set IPV6 up
ip route add ::/0 dev IPV6
ifconfig IPV6 inet add 2602:ffd5:1:dddd:bbbb::2/64
ifconfig lo inet add 2602:ffd5:1:112:112::aaa/128

=======================

As we see above, we have the tunnel point-to-point subnet as 2602:ffd5:1:dddd:bbbb::0/64,
and I cut the IP from the /64 to be 2602:ffd5:1:112:112::aaa/128 on the remote server so that it goes to the internet with it,
and I let the client use the main server as default gateway.
=============
ping between two servers all working :

1-ping from the main to client server :
[root@localhost ~]# ping6 2602:ffd5:1:dddd:bbbb::2
PING 2602:ffd5:1:dddd:bbbb::2(2602:ffd5:1:dddd:bbbb::2) 56 data bytes
64 bytes from 2602:ffd5:1:dddd:bbbb::2: icmp_seq=1 ttl=64 time=1.50 ms
64 bytes from 2602:ffd5:1:dddd:bbbb::2: icmp_seq=2 ttl=64 time=0.886 ms
^C
--- 2602:ffd5:1:dddd:bbbb::2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1454ms
rtt min/avg/max/mdev = 0.886/1.193/1.501/0.309 ms
[root@localhost ~]# ping6 2602:ffd5:1:dddd:bbbb::1
PING 2602:ffd5:1:dddd:bbbb::1(2602:ffd5:1:dddd:bbbb::1) 56 data bytes
64 bytes from 2602:ffd5:1:dddd:bbbb::1: icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from 2602:ffd5:1:dddd:bbbb::1: icmp_seq=2 ttl=64 time=0.087 ms
^C
--- 2602:ffd5:1:dddd:bbbb::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1512ms
rtt min/avg/max/mdev = 0.056/0.071/0.087/0.017 ms
[root@localhost ~]# ping6 2602:ffd5:1:112:112::aaa
PING 2602:ffd5:1:112:112::aaa(2602:ffd5:1:112:112::aaa) 56 data bytes
64 bytes from 2602:ffd5:1:112:112::aaa: icmp_seq=1 ttl=64 time=1.58 ms
64 bytes from 2602:ffd5:1:112:112::aaa: icmp_seq=2 ttl=64 time=1.02 ms
^C
--- 2602:ffd5:1:112:112::aaa ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1750ms
rtt min/avg/max/mdev = 1.023/1.303/1.583/0.280 ms
[root@localhost ~]# ping6 google.com -n
PING google.com(2607:f8b0:4006:80c::1000) 56 data bytes
64 bytes from 2607:f8b0:4006:80c::1000: icmp_seq=1 ttl=58 time=20.1 ms
64 bytes from 2607:f8b0:4006:80c::1000: icmp_seq=2 ttl=58 time=19.4 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1507ms
rtt min/avg/max/mdev = 19.420/19.776/20.133/0.383 ms
[root@localhost ~]#


As we see, the main server is able to reach all IPs on server2 and reach the internet.
====================
2-ping from server 2

root@ca:~# ping6 2602:ffd5:1:dddd:bbbb::2
PING 2602:ffd5:1:dddd:bbbb::2(2602:ffd5:1:dddd:bbbb::2) 56 data bytes
64 bytes from 2602:ffd5:1:dddd:bbbb::2: icmp_seq=1 ttl=64 time=0.027 ms
^C
--- 2602:ffd5:1:dddd:bbbb::2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.027/0.027/0.027/0.000 ms
root@ca:~# ping6 2602:ffd5:1:dddd:bbbb::1
PING 2602:ffd5:1:dddd:bbbb::1(2602:ffd5:1:dddd:bbbb::1) 56 data bytes
64 bytes from 2602:ffd5:1:dddd:bbbb::1: icmp_seq=1 ttl=64 time=1.40 ms
^C
--- 2602:ffd5:1:dddd:bbbb::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.409/1.409/1.409/0.000 ms
root@ca:~# ping6 google.com -n
PING google.com(2607:f8b0:400d:c06::71) 56 data bytes




^C
--- google.com ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12095ms

root@ca:~# traceroute6 google.com
traceroute to google.com (2607:f8b0:400d:c06::8b), 30 hops max, 80 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  *


root@ca:~# ip -6 route show
unreachable 2602:ffd5:1:112:112::aaa dev lo  proto kernel  metric 256  error -101
2602:ffd5:1:dddd::/64 dev IPV6  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev IPV6  proto kernel  metric 256
default dev IPV6  metric 1024
root@ca:~#


Again, the gateway of the client is the main server, but it can't exit the main server to the internet.

Where could my mistake possibly be?

Note that all ipv4, ipv6 & selinux are disabled on both servers.

cheers


julcaro

Up, I also have the same problem, interested in getting an answer as well.

Thanks

broquea

Where did you pull 2602:ffd5:1:dddd:bbbb::/64 from? You can't just randomly use valid space unless that was actually allocated and routed to you. That is probably your issue, that the client machine was sourcing from that address range, and if it isn't routed to your main server, then sourcing from it won't work.

Also make certain you enabled ipv6 packet forwarding in linux's sysctl

julcaro

I'm not using the same ips as the thread op, but my ranges are routed to the main server, and not randomly assigned.

I'm able to get them up in the main server and are reachable from the internet. But not able to route them like I do with v4 on GRE.

Let's say I have this ipv6 (2620:d3:c004:ac13:3f93:f26e:eb30:5fe) assigned from my provider to one server.
I want to route this ip to a second server.

Here's my configuration:

Server where ips are assigned:
ip tunnel add v6night mode sit remote 170.28.90.13 local 36.15.222.162 ttl 255
ip link set v6night up
ip addr add 2000:470:1c:3e9::1/64 dev v6night
ip route add ::/0 dev v6night
sysctl -w net.ipv6.conf.all.forwarding=1


Client (where I want to route the ip):
ip tunnel add v6night mode sit remote 36.15.222.162 local 170.28.90.13 ttl 255
ip link set v6night up
ip addr add 2000:470:1c:3e9::2/64 dev v6night
ip route add ::/0 via 2000:470:1c:3e9::1 dev v6night
sysctl -w net.ipv6.conf.all.forwarding=1
ifconfig eth0 inet6 add 2620:d3:c004:ac13:3f93:f26e:eb30:5fe



IPs are not pingable from the internet.

broquea

I'll start by guessing you used our space as an example, and not for real. Don't obfuscate and instead use the documentation prefix if you want to provide examples without real world IPs, or use the real IPs for actual troubleshooting purposes. If you really are using it in practice, know that we have reverse path filtering in place to stop exactly what you are trying to do: access another provider's IP space behind one of our non-BGP tunnels.

As for your issue: Your "server" either thinks/knows 2620:d3:c004:ac13::/64 is on its NIC, or hasn't been told to find a route for it over your tunnel to your "client". At least, you didn't specify a static route to it over the tunnel in those example commands. Also you've set default route on either side, to point to the other side. That is a route-loop. The "server" needs its default route out via the proper WAN path that supplies it with IPv6 connectivity.

julcaro

Hi, thanks for pointing that out to me, I was thinking that there was a class C similar to IPv4 for creating the tunnel in v6. I was wrong. Also, yes, I did change the IPs in order to keep them private.

But as I see, I'd better post the real example.

BASE block: 2620:d4:c003::1/48
server ip: 31.13.222.162
client to be forwarded to : 173.234.122.66

Based on what you told me I did the configuration with the following commands:

server:
ip tunnel add sit5 mode sit ttl 255 remote 173.234.122.66 local 31.13.222.162
ip link set dev sit5 up
ip -6 addr add 2620:d4:c003::1/64 dev sit5
ip -6 route add 2620:d4:c003::1/64 via 2620:d4:c003::2 dev sit5 metric 1
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2620:d4:c003:11:8875:4ea2:182a:a574 dev sit5 metric 1

client:
ip tunnel add sit1 mode sit ttl 255 remote 31.13.222.162 local 173.234.122.66
ip link set dev sit1 up
ip -6 addr add 2620:d4:c003::2/64 dev sit1
ip route add ::/0 via 2620:d4:c003::1
ifconfig eth0 inet6 add 2620:d4:c003:11:8875:4ea2:182a:a574

I can ping the IP (2620:d4:c003:11:8875:4ea2:182a:a574) from both ends but the IP is not reachable from the internet, still the same problem as before.

I tested a lot of other variants but I didn't log them. I don't know what I did wrong since this way with traceroute6 I don't get a route loop.

Thanks again :)

broquea

First issue or question is, is that an on-link /48 or statically routed. If on-link, you'll need to dive into the wonderful/horrible world of proxy ndp. If statically routed, then your life is easier.

Based on the info you've provided, this is how I'd do it assuming a statically routed /48.

server:
ip tunnel add sit5 mode sit ttl 255 remote 173.234.122.66 local 31.13.222.162
ip link set dev sit5 up
ip a a 2620:d4:c003::1/64 dev sit5
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
ip r a 2620:d4:c003:11::/64 via 2620:d4:c003::2


client:
ip tunnel add sit1 mode sit ttl 255 remote 31.13.222.162 local 173.234.122.66
ip link set dev sit1 up
ip a a 2620:d4:c003::2/64 dev sit1
ip r a ::/0 via 2620:d4:c003::1
ip a a 2620:d4:c003:11:8875:4ea2:182a:a574/64 dev eth0


If your /48 is on-link see if they can statically route it to you, or sort out proxy ndp.
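
The three faults broquea points out in this thread (tunnel addresses taken from space that is not routed to the server, no route for the client's address over the tunnel, and default routes on both ends pointing into the tunnel) can be checked mechanically. The sketch below is an added example, not code from any poster; it assumes a statically routed prefix, and the `tunnel`/`wan` labels, `INTERNET_HOST` and the server-side `wan` routes are assumptions made for illustration.

```python
import ipaddress as ipa

# Documentation-prefix address standing in for any host on the internet.
INTERNET_HOST = "2001:db8:ffff::1"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, via) pairs; returns via or None."""
    dst = ipa.ip_address(dst)
    hits = [(ipa.ip_network(p), via) for p, via in routes
            if dst in ipa.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def diagnose(routed_prefix, server_routes, client_routes, client_sources):
    """via is 'tunnel' or 'wan' (hypothetical labels). Returns (finding, subject) tuples."""
    findings = []
    for src in client_sources:
        if ipa.ip_address(src) not in ipa.ip_network(routed_prefix):
            # Upstream has no route back to this source, so replies never return.
            findings.append(("source-not-routed", src))
        elif next_hop(server_routes, src) != "tunnel":
            # Server keeps the packet on its NIC instead of sending it to the client.
            findings.append(("no-route-over-tunnel", src))
    if (next_hop(server_routes, INTERNET_HOST) == "tunnel"
            and next_hop(client_routes, INTERNET_HOST) == "tunnel"):
        # Each end's default points at the other end: packets bounce until hop limit.
        findings.append(("default-route-loop", "::/0"))
    return findings

# Constructed inputs transcribed from the thread; the 'wan' entries are assumptions.
FIRST_POST = diagnose(
    "2602:ffd5:1:112::/64",
    [("2602:ffd5:1:112::/64", "wan"), ("2602:ffd5:1:dddd::/64", "tunnel"),
     ("2602:ffd5:1:112:112::/80", "tunnel"), ("::/0", "wan")],
    [("2602:ffd5:1:dddd::/64", "tunnel"), ("::/0", "tunnel")],
    ["2602:ffd5:1:dddd:bbbb::2", "2602:ffd5:1:112:112::aaa"])
LOOP_CONFIG = diagnose(
    "2620:d3:c004:ac13::/64",
    [("2620:d3:c004:ac13::/64", "wan"), ("2000:470:1c:3e9::/64", "tunnel"),
     ("::/0", "tunnel")],
    [("2000:470:1c:3e9::/64", "tunnel"), ("::/0", "tunnel")],
    ["2000:470:1c:3e9::2", "2620:d3:c004:ac13:3f93:f26e:eb30:5fe"])
SUGGESTED = diagnose(
    "2620:d4:c003::/48",
    [("2620:d4:c003::/64", "tunnel"), ("2620:d4:c003:11::/64", "tunnel"),
     ("::/0", "wan")],
    [("2620:d4:c003::/64", "tunnel"), ("::/0", "tunnel")],
    ["2620:d4:c003::2", "2620:d4:c003:11:8875:4ea2:182a:a574"])
```

An empty result only means the routing tables are consistent; it cannot tell whether the upstream treats the prefix as on-link, which is the case where proxy NDP is still needed.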

julcaro

Hi broquea, in fact the latest commands I was typing were right to build the tunnel and forward IPs.

But... the IPs don't seem to be statically routed as you said. Many, many thanks for this, as soon as I used proxy ndp it worked like a charm!!!


sysctl -w net.ipv6.conf.all.proxy_ndp=1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip neigh add proxy 2620:d4:c003:11:8875:4ea2:182a:a574 dev eth0

And then bingo, the IPs were pinging, and all services accessible.

Thanks again

Ahmed M. H. Alzaeem

Hi,
I'm still stuck with the same problem.

I have the same issue as above:

server1------------server2 (2001:19f0:6001:a5::6666)

Server 1 can access everything.
Server 1 can ping server 2 IP 2001:19f0:6001:a5::6666,
but when internet traffic wants 2001:19f0:6001:a5::6666
there is no reply!!!
=============
Here is tcpdump on server 1 when someone needs 2001:19f0:6001:a5::6666, but unfortunately no traffic hits server 2
===========




12:22:29.203289 IP6 (hlim 245, next-header ICMPv6 (58) payload length: 40) 2a02:348:82:cb69::6 > 2001:19f0:6001:a5::6666: [icmp6 sum ok] ICMP6, echo request, seq 0
12:22:30.202522 IP6 (hlim 245, next-header ICMPv6 (58) payload length: 40) 2a02:348:82:cb69::6 > 2001:19f0:6001:a5::6666: [icmp6 sum ok] ICMP6, echo request, seq 1
12:22:31.202464 IP6 (hlim 245, next-header ICMPv6 (58) payload length: 40) 2a02:348:82:cb69::6 > 2001:19f0:6001:a5::6666: [icmp6 sum ok] ICMP6, echo request, seq 2
12:22:32.202451 IP6 (hlim 245, next-header ICMPv6 (58) payload length: 40) 2a02:348:82:cb69::6 > 2001:19f0:6001:a5::6666: [icmp6 sum ok] ICMP6, echo request, seq 3
12:22:34.213657 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::fc00:ff:fe2a:fa33 > 2001:19f0:6001:a5::6666: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:19f0:6001:a5::6666
          source link-address option (1), length 8 (1): fe:00:00:2a:fa:33
            0x0000:  fe00 002a fa33
12:22:34.213804 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) v6-01 > fe80::fc00:ff:fe2a:fa33: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:19f0:6001:a5::6666, Flags [solicited]
12:22:39.228727 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) v6-01 > fe80::fc00:ff:fe2a:fa33: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::fc00:ff:fe2a:fa33
          source link-address option (1), length 8 (1): 56:00:00:2a:fa:33
            0x0000:  5600 002a fa33
12:22:39.228843 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::fc00:ff:fe2a:fa33 > v6-01: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::fc00:ff:fe2a:fa33, Flags [router, solicited]

=================================================
On server 1 I had:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
####
#net.ipv6.conf.eth0.accept_ra=0
net.ipv6.conf.all.proxy_ndp=1
[root@v6-01 ~]#



Also, I added proxy arp to server 1:
ip neigh add proxy 2001:19f0:6001:a5::6666 dev eth0


[root@v6-01 ~]# ip nei show
2001:19f0:6001:a5::6666 dev eth0  FAILED
fe80::fc00:ff:fe2a:fa33 dev eth0 lladdr fe:00:00:2a:fa:33


But it shows failed!!
=============

Please help me.
