Linux, router and problem with IPv6 [fi] Carmen Sandiego on Friday, 17 October 2003 02:43:59 
I don't seem to get the tunnel working, no matter what scripts I use. I've used Gentoo's scripts, the iproute2 scripts, the one that has been posted here and so on. Anyway, the problem isn't with those commands, but with something else. The Linux is working as a router/NAT for the W2K machine and that's working fine. But I don't get the IPv6 to work. I've replaced the home-IP with XXX.XXX.XX.101, rest is pretty much as it was. What's there still to add? I've compiled the kernel with IP tunneling, advanced router, netfilter and IPv6 (etc). Something missing? Traceroute leads to nowhere, ping6 leads to nowhere. SIXXS's NOC claims tunnel is enabled, but certainly I don't get it to work ;)
eth0      Link encap:Ethernet  HWaddr 00:10:A7:02:FE:32  
          inet addr:XXX.XXX.XX.101  Bcast:XXX.XXX.XX.255  Mask:255.255.240.0
          inet6 addr: fe80::210:a7ff:fe02:fe32/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17977089 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3145637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:203861190 (194.4 Mb)  TX bytes:2580585152 (2461.0 Mb)
          Interrupt:11 Base address:0x4000 
eth0:0    Link encap:Ethernet  HWaddr 00:10:A7:02:FE:32  
          inet addr:10.0.0.4  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1449 errors:0 dropped:0 overruns:0 frame:0
          TX packets:189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:142968 (139.6 Kb)  TX bytes:17388 (16.9 Kb)
          Interrupt:11 Base address:0x4000 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4055 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4055 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:445670 (435.2 Kb)  TX bytes:445670 (435.2 Kb)
sit0      Link encap:IPv6-in-IPv4  
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          inet6 addr: ::XXX.XXX.XX.101/96 Scope:Compat
          inet6 addr: ::10.0.0.4/96 Scope:Compat
          UP RUNNING NOARP  MTU:1280  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
sit1      Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::82e9:1565/10 Scope:Link
          inet6 addr: 2001:960::2/64 Scope:Global
          inet6 addr: fe80::a00:4/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:327 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:39508 (38.5 Kb)
  - Yak
 
Linux, router and problem with IPv6 [nl] Carmen Sandiego on Friday, 17 October 2003 11:02:22 
What commands / scripts are you using?
What I cannot see here is if you set up the routes okay (ip -6 route show), or if the tunnel end-point is set okay.
Are you sure you have 2001:960::2/64??
I assume you are trying IPv6 from your linux router and not (yet) from your win2k machine.
First set up IPv6 for the router, then go to w2k (which can work with ipv6 as well).
BTW, I am using Linux (RedHat 9).
 
Linux, router and problem with IPv6 [fi] Carmen Sandiego on Friday, 17 October 2003 19:17:10 
Ouh, I'm not trying to get IPv6 to work with XP yet. First I would like the router to have its connection working, before sharing anything ;). This is what the SIXXS emailed:
  SixXS IPv6   : 2001:960:2:87::1/64
  Your IPv6    : 2001:960:2:87::2/64
This is the first script I've tried, as advised in Gentoo's documentation:
#!/bin/sh
# Add a tunnel to the SIXXS IPv4 address
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::YYY.204.YYY.2 
# Route all IPv6 traffic through the 'sit1' device
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:960:2:87::1/64
route -A inet6 add ::/0 dev sit1
# Create a tunnel between the local IPv4 and SIXXS remote IPv4 address
ip tunnel add sixbone mode sit remote YYY.204.YYY.2 local XXX.XXX.XX.101 ttl 255
# Bring the tunnel up, and assign the IPv6 address to it
ip link set sixbone up
ip addr add 2001:960:2:87::2/64 dev sixbone
# Route all IPv6 address through our 'sixbone' tunnel device
ip route add 2001:960:2:87::1 dev sixbone
  - Yak
 
Linux, router and problem with IPv6

> SIXXS's NOC claims tunnel is enabled, but certainly I don't get it to work

No, that the tunnel is enabled and configured, not that you got it to work.
When it pings and the graphs show it, then it works.
Who gave you the idea of using sit0, sit1 and then also 'sixbone' :)
You now have configured a prefix on sit1 but the tunnel on sit0....
Next to that x-ing out your IP is useless as anybody can look it up using whois.
Read the FAQ and use that script as the above is totally wrong.
You might want to understand what the scripts do instead of just running them :) 
Linux, router and problem with IPv6 [fi] Carmen Sandiego on Saturday, 18 October 2003 07:42:48 
Anyway, using the FAQ's scripts gives me the same results. The tunnel just doesn't work. And yes, they can whois my IPv6, but not IPv4. Anyway, if someone really wants to find out my IP, that's their problem and shouldn't be too difficult, but I don't like posting it to open forums.
However, here are two other scripts I've tried and neither one works. So, while I might have a little bit fucked up the scripting in the first one (which I did based on a sample), the others give me a non-working tunnel also.
#!/bin/sh
ip tunnel add sixxs mode sit local XXX.XXX.XX.101 remote YYY.YYY.YYY.2
ip link set sixxs up
ip link set mtu 1280 dev sixxs
ip tunnel change sixxs ttl 64
ip -6 addr add 2001:960:2:87::2/64 dev sixxs
ip -6 ro add default via 2001:960:2:87::1 dev sixxs
Or the one mentioned earlier in this forum:
#!/bin/sh
# Please fill in the following variable
#
###
BROKER="SIXXS" # Name of your broker (cosmetic purpose)
Loc_IPv4="XXX.XXX.XX.101" # Local IPv4 address.
PoP_IPv4="YYY.YYY.YYY.2" # PoP's IPv4 address.
Loc_IPv6="2001:960::2/64" # Local IPv6 endpoint address.
PoP_IPv6="2001:960::1" # PoP's IPv6 endpoint address.
Not_local="2000::/3" # Ipv6 address ~= ipv4 0.0.0.0
Interface_local="sit0" # which sit devices to use
Interface_remote="sit1" #
MTU="1280" # Tunnel's MTU size
IFCONFIG="/sbin/ifconfig" # Binary locations
ROUTE="/sbin/route" #
IPTUNNEL="/sbin/iptunnel" #
###############################################################################
#
# DO NOT CHANGE ANYTHING BEYOND HERE !!!
#
###
case "$1" in
start)
# Test if we really got IPv6 support in the kernel. If not present,
# this script tries to load the kernel module else it bails out with a
# warning.
#
###
if ! [ -f /proc/net/if_inet6 ]
then echo "ERROR: No IPv6 support in you kernel. Trying to load kernel module." 1>&2; modprobe ipv6;
fi
if ! [ -f /proc/net/if_inet6 ]
then echo "ERROR: No IPv6 support. Sorry I can't continue." 1>&2; exit 1;
fi
# Test if tunnel is not already up
#
###
up=`(set \`"$IFCONFIG" | grep "$Interface_remote"\`;echo $1)` 1>&2
if [ "$up" = "$Interface_remote" ]
then echo "ERROR: Tunnel already up using: $Interface_remote" 1>&2; exit 1;
fi
# Setting up the tunnel.
#
###
$IFCONFIG sit0 tunnel ::$PoP_IPv4 mtu 1280 up && \
$IFCONFIG sit1 add $Loc_IPv6 mtu 1280 up && \
$ROUTE -A inet6 add $Not_local gw $PoP_IPv6 dev sit1 && \
echo "Tunnel to $BROKER establised." || \
{ echo "ERROR: Failed to establise a tunnel to $BROKER." 1>&2; $0 stop; exit 1; }
;;
stop)
# Bringing the tunnel down.
#
###
$IFCONFIG sit1 down
$IFCONFIG sit0 down && \
echo "IPv6 tunnel deleted." || \
{ echo "ERROR: Failed to bring IPv6 tunnel with $Interface_remote down." 1>&2; exit 1; }
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "GNU (C)2003 Robert Nagtegaal.";echo
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
  - Yak
 
Linux, router and problem with IPv6 
Trust me... it is all your fault, using stupid scripts without showing what the output is doesn't work.
For argument's sake, this one works, after you have cleansed your machine from old tunnels and routes of course:
# ip tunnel add sixxs mode sit local 130.233.21.101 remote 213.204.193.2
# ip link set sixxs up
# ip link set mtu 1280 dev sixxs
# ip tunnel change sixxs ttl 64
# ip -6 addr add 2001:960:2:87::2/64 dev sixxs
# ip -6 ro add default via 2001:960:2:87::1 dev sixxs
If it doesn't, check and verify the settings:
# ip tun sho
# ip -6 ro sho
# ip -6 addr sho
and of course use the rest of the forum to do some diagnosis. Also it might just be that your IPv4 path is broken of course :)
You might also have read that the second script is using the old sit0/sit1 setup which is wrong.

> And yes, they can whois my IPv6, but not IPv4.

$ whois -h whois.sixxs.net 2001:960:2:87::2
inet6num:     2001:960:2:87::/64
netname:      SIXXS-NLAMS04-TUN136
descr:        IPv6 in IPv4 tunnel from 213.204.193.2 to 130.233.21.101
descr:        Tunnel T1388 goes to an endpoint of MB18-6BONE.
country:      FI
"You can run, but you can't hide from us...."
Everything is public, we made sure that people can find you thus making abuse faster to solve. Many network administrators like and use this to check if someone isn't suddenly hiding in IPv6. If you do have something to hide you are at the wrong place. 
Linux, router and problem with IPv6 [fi] Carmen Sandiego on Sunday, 19 October 2003 10:51:09 

> For argument's sake, this one works, after you have cleansed your machine from old tunnels and routes of course:

Or then it won't ;), I rebooted the whole machine just to check it's not fucked up, and without initializing NAT-routing. Ran the script.. and
root@amidala router # ip tun sho
tunl0: ip/ip  remote any  local any  ttl inherit  nopmtudisc
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
sixxs: ipv6/ip  remote 213.204.193.2  local 130.233.21.101  ttl 64 
root@amidala router # ip -6 ro sho
2001:960:2:87::/64 via :: dev sixxs  proto kernel  metric 256  mtu 1280 advmss 1220
fe80::/10 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1220
fe80::/10 via :: dev sixxs  proto kernel  metric 256  mtu 1280 advmss 1220
ff00::/8 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1220
ff00::/8 dev sixxs  proto kernel  metric 256  mtu 1280 advmss 1220
default dev eth0  proto kernel  metric 256  mtu 1500 advmss 1220
default via 2001:960:2:87::1 dev sixxs  metric 1024  mtu 1280 advmss 1220
unreachable default dev lo  metric -1  error -101 advmss 1220
root@amidala router # ip6 -6 addr sho
bash: ip6: command not found
root@amidala router # ip -6 addr sho
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet6 fe80::210:a7ff:fe02:fe32/10 scope link 
5: sixxs@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue 
    inet6 fe80::82e9:1565/128 scope link 
    inet6 2001:960:2:87::2/64 scope global 
And here we are again. Nothing apparently works for me.. puuh ;)

> Also it might just be that your IPv4 path is broken of course :)

Unlikely, at least I can ping the POP.

> Everything is public, we made sure that people can find you thus making abuse faster to solve.

I don't see how finding out IPv4 makes it easier to resolve abuse. Perhaps this is for IRC-only-users to prevent them from hiding behind IPv6-address and that kiddos flood their IPv4 address instead of your IPv4-POP. For any other reason, I don't know. Gotta do a kernel recompile, maybe there's something wrong ;)
  - Yak 
Linux, router and problem with IPv6

> default dev eth0 proto kernel metric 256 mtu 1500 advmss 1220

Remove that one, it will help.

>> Everything is public, we made sure that people can find you thus making abuse faster to solve.
>
> I don't see how finding out IPv4 makes it easier to resolve abuse. Perhaps this is for IRC-only-users to prevent them from hiding behind IPv6-address and that kiddos flood their IPv4 address instead of your IPv4-POP. For any other reason, I don't know.

That is indeed one of the main reasons, next to that tunnels should be documented in this way in either one of the various registries.
It also allows people to find abusers of e.g. web and other services.

> Gotta do a kernel recompile, maybe there's something wrong

And after that do some tcpdumping, set up the tunnel and start in this order:
One shell:
# tcpdump -i eth0 -Xns 1500 not port <ssh/web/other common things>
Other shell:
# ping6 <your IPv6 endpoint>
# ping6 <POP IPv6 endpoint>
# ping6 noc.sixxs.net
And you should see the packets going out and coming back.
Or at least see some errors etc :)
Btw it is quite funny to see that your tunnel nicely pings over IPv6 and that the graphs also show that. Check your userhome and then check the tunnel information.
64 bytes from 2001:960:2:87::2: icmp_seq=1 ttl=60 time=44.5 ms :) 
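
The `default dev eth0 ... metric 256` line singled out in the reply above sits beside the tunnel's `default via 2001:960:2:87::1 dev sixxs metric 1024`, and Linux prefers the lower metric for the same prefix. The following check is an added example, not part of the original thread; the function name `shadowing_defaults` and the fallback metric of 1024 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report IPv6 default routes that win
# over the tunnel's default route because their metric is lower or equal.
# Usage: ip -6 route show | shadowing_defaults <tunnel-dev>
# Exit status: 0 = tunnel default wins, 1 = shadowed, 2 = no tunnel default.
shadowing_defaults() {
    awk -v tun="$1" '
        $1 == "default" {            # skips "unreachable default ..." entries
            dev = ""; metric = 1024  # assumption: 1024 if no metric is shown
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == tun) { tun_metric = metric; have_tun = 1 }
            else            { n++; odev[n] = dev; ometric[n] = metric }
        }
        END {
            if (!have_tun) { print "no default route on " tun; exit 2 }
            for (i = 1; i <= n; i++)
                if (ometric[i] <= tun_metric) {
                    print odev[i] " (metric " ometric[i] ") shadows " tun " (metric " tun_metric ")"
                    found = 1
                }
            exit (found ? 1 : 0)
        }'
}

# Route lines copied from the `ip -6 ro sho` output posted in the thread.
SAMPLE_ROUTES='2001:960:2:87::/64 via :: dev sixxs  proto kernel  metric 256  mtu 1280 advmss 1220
default dev eth0  proto kernel  metric 256  mtu 1500 advmss 1220
default via 2001:960:2:87::1 dev sixxs  metric 1024  mtu 1280 advmss 1220
unreachable default dev lo  metric -1  error -101 advmss 1220'

printf '%s\n' "$SAMPLE_ROUTES" | shadowing_defaults sixxs || true
```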