Windows 7 / Windows Server 2008 R2
Shadow Hawkins on Monday, 24 August 2009 19:47:30
Hi,
I was trying to establish a connection using Windows Server 2008 R2 and AICCU; unfortunately, it does not work.
First of all, I requested a tunnel (6in4-static) and added a new TAP-Device (OpenVPN 2.1 RC19). I named the device "SixxS". In parallel, I am running OpenVPN using other TAP-devices.
The configuration file (C:\WINDOWS\Aiccu.conf) looks like:
username DST4-SIXXS
password XXXXXXXX
protocol tic
server tic.sixxs.net
ipv6_interface SixxS
tunnel_id TXXXXX
automatic true
noconfigure false
requiretls false
verbose true
daemonize true
behindnat false
makebeats true
When I run "aiccu start", it prints out:
sock_getline() : "200 SixXS TIC Service on noc.sixxs.net ready (http://www.sixxs.net)"
sock_printf() : "client TIC/draft-00 AICCU/2008.03.15-console-win32 WinNT/6.1.7600"
sock_getline() : "200 Client Identity accepted"
sock_printf() : "get unixtime"
sock_getline() : "200 1251135815"
sock_printf() : "username DST4-SIXXS"
sock_getline() : "200 Choose your authentication challenge please"
sock_printf() : "challenge md5"
sock_getline() : "200 XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sock_printf() : "authenticate md5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sock_getline() : "200 Succesfully logged in using md5 as DST4-SIXXS (Daniel Schall) from 2001:7b8:3:4f:202:b3ff:fe46:bec"
sock_printf() : "tunnel show T22817"
sock_getline() : "201 Showing tunnel information for TXXXXX"
sock_getline() : "TunnelId: TXXXXX"
sock_getline() : "Type: 6in4-static"
sock_getline() : "IPv6 Endpoint: 2a01:198:200:5db::2"
sock_getline() : "IPv6 POP: 2a01:198:200:5db::1"
sock_getline() : "IPv6 PrefixLength: 64"
sock_getline() : "Tunnel MTU: 1280"
sock_getline() : "Tunnel Name: My First Tunnel"
sock_getline() : "POP Id: dedus01"
sock_getline() : "IPv4 Endpoint: 89.163.144.187"
sock_getline() : "IPv4 POP: 91.184.37.98"
sock_getline() : "UserState: enabled"
sock_getline() : "AdminState: enabled"
sock_getline() : "202 Done"
Succesfully retrieved tunnel information for T22817
sock_printf() : "QUIT Running Down That Hill"
Tunnel Information for TXXXXX:
PoP Id : dedus01
IPv6 Local : 2a01:198:200:5db::2/64
IPv6 Remote : 2a01:198:200:5db::1/64
Tunnel Type : 6in4-static
Adminstate : enabled
Userstate : enabled
Name : My First Tunnel
Flag: HAS_IFHEAD not present
Flag: NEED_IFHEAD not present
The program terminates and I don't have IPv6 connectivity. The TAP adapter is still in disconnected state and the IP-Address has not been assigned.
What am I doing wrong?
Best regards,
Daniel
Windows 7 / Windows Server 2008 R2
Jeroen Massar on Monday, 24 August 2009 21:35:45
Check the Wiki for the Vista instructions, those should match Win7/Win2008 (I don't have a Win7/Win2008 install, thus can't test for you).
Either you don't have the proper permissions (aka run as administrator), or because you are running OpenVPN already something might go wrong in selecting the tun/tap adapter. It should work though, as it first tries to open the adapter as you named it in the configuration file and then if that fails
Oddly you don't even get the output of the Registry Keys.
What you can try is:
aiccu listtaps
that should list all the available adapters.
.....
But now I see in the output that you have a 6in4-static tunnel. Keeping the above just in case somebody runs into something like the above.
As you have a static tunnel you don't need any of the tun/tap stuff for AICCU. It is thus not that strange that AICCU exits without any errors as the only thing it needs to do is set up a normal v6-in-v4 (proto-41) tunnel. It does this by calling the relevant netsh commands. As you manually named a tun/tap adapter 'SixxS' (note that it is spelled SixXS normally) it will fail though as that is not a v6-in-v4 interface. Better delete that interface and try again; or just change the name of the adapter, either of the adapter or in the config.
Windows 7 / Windows Server 2008 R2
Shadow Hawkins on Monday, 24 August 2009 22:12:23
Thank you for your answer Jeroen,
this could be the "problem" indeed.
Unfortunately, I need a virtual adapter like TAP, because several Windows services (like DNS Server) can't see the v6in4 interface.
Could I change the tunnel settings to a value, where AICCU and TAP would be supported?
Windows 7 / Windows Server 2008 R2
Jeroen Massar on Monday, 24 August 2009 22:19:54
> Unfortunately, I need a virtual adapter like TAP, because several windows services (like DNS Server) can't see the v6in4 interface.
How do you define that it can't "see" the v6inv4 interface?
I am not aware of any restrictions there, but I would not be surprised that if there is a restriction on which interfaces one can run services it is to avoid people from running it on tunneled links as that is generally a bad idea. One should be getting native connectivity. Then again one could easily set up another router in front of the box and the box itself would not know that the next hop is actually tunneling the traffic, which is also why I think that there is most likely no such restriction.
Could it maybe be that one needs an IPv4 address also configured on the Interface before it is recognized by these services?
> Could I change the tunnel settings to a value, where AICCU and TAP would be supported?
You would need to change the tunneltype to AYIYA.
AICCU is just the tool that configures it, it can do proto-41, proto-41-heartbeat and AYIYA.
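The mismatch described in the two replies above (a 6in4-static tunnel needs no tun/tap adapter, an AYIYA tunnel does), as an added example that is not part of the original posts or of AICCU: a Python check over an aiccu.conf and the verbose TIC output. The config and log samples are constructed in the shape shown in the first post; the `tap_adapters` input and every type string other than `6in4-static` are assumptions.

```python
import re

# Constructed sample: AICCU config and verbose TIC output in the shape shown in
# the first post, including an 80-column console wrap inside a quoted line.
CONF = """username DST4-SIXXS
ipv6_interface SixxS
tunnel_id TXXXXX
"""
LOG = '''sock_getline() : "200 Succesfully logged in using md5 as DST4-SIXXS (Daniel Scha
ll) from 2001:7b8:3:4f:202:b3ff:fe46:bec"
sock_getline() : "201 Showing tunnel information for TXXXXX"
sock_getline() : "TunnelId: TXXXXX"
sock_getline() : "Type: 6in4-static"
sock_getline() : "IPv6 Endpoint: 2a01:198:200:5db::2"
sock_getline() : "202 Done"
'''
FIELD = re.compile(r'sock_getline\(\) : "([A-Za-z0-9 ]+): (.+)"$')

def parse_conf(text):
    """aiccu.conf is 'key value' per line; keep the value verbatim."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def parse_tic_log(text):
    """Collect 'Key: Value' tunnel fields, re-joining console-wrapped lines."""
    fields, buf = {}, ""
    for line in text.splitlines():
        buf += line
        if buf.count('"') % 2:      # quote still open: the line was wrapped
            continue
        m = FIELD.match(buf)
        if m:
            fields[m.group(1)] = m.group(2)
        buf = ""
    return fields

def check(conf, tunnel, tap_adapters):
    """tap_adapters: names of TAP devices on the host (hypothetical input)."""
    iface, ttype = conf.get("ipv6_interface", ""), tunnel.get("Type", "").lower()
    is_tap = iface.lower() in {a.lower() for a in tap_adapters}
    if ttype.startswith("6in4") and is_tap:
        return f"{ttype}: proto-41 needs no tun/tap, but '{iface}' is a TAP adapter"
    if ttype == "ayiya" and not is_tap:   # 'ayiya' type string is an assumption
        return f"ayiya: '{iface}' is not one of the TAP adapters {tap_adapters}"
    return "ok"

if __name__ == "__main__":
    print(check(parse_conf(CONF), parse_tic_log(LOG), ["SixxS", "OpenVPN-1"]))
```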
Windows 7 / Windows Server 2008 R2
Shadow Hawkins on Tuesday, 25 August 2009 10:52:13
> How do you define that it can't "see" the v6inv4 interface?
The virtual interface does not appear in the list of bindings, so DNS won't listen to the tunnel's ip.
In the meantime, I found out that should not be the problem, since you assigned a 64-bit subnet to me and I can bind other interfaces to addresses of this subnet.
Thanks for your help, my tunnel's up and running :-)
Windows 7 / Windows Server 2008 R2
Jeroen Massar on Tuesday, 25 August 2009 11:03:54
> In the meantime, I found out, that should not be the problem since you assigned a 64-bit subnet to me and I can bind other interfaces to addresses of this subnet.
Actually subnets are /48s, tunnels are /64s and in the tunnel only <tun>::2 is routed to your end of the point-to-point tunnel. <tun>::1 is the PoP and the rest of the /64 remains there too, this to avoid routing loop-weirdness.
Windows 7 / Windows Server 2008 R2
Shadow Hawkins on Wednesday, 26 August 2009 12:02:15
> Actually subnets are /48s, tunnels are /64s and in the tunnel only <tun>::2 is routed to your end of the point-to-point tunnel.
Yeah, I just discovered that the hard way..
Well, then I have to wait until I can request my own subnet. Pretty exciting :D
But why do you assign /64 bit subnets to a p2p tunnel, instead of smaller subnets?
As far as I remember, in good old IPv4, one could define p2p-subnets with exactly two hosts in it (MASK 255.255.255.252).
Daniel
Windows 7 / Windows Server 2008 R2
Shadow Hawkins on Wednesday, 26 August 2009 12:42:14
to repeat myself..
See: RFC3627 - Use of /127 Prefix Length Between Routers Considered Harmful
basically, the largest prefix in IPv6 is /64 .. period..