Hi, as mentioned in the subject I can't reach the remote IPv6 gateway (2001:4830:1600:364::1). A dump shows only outgoing packets on tunnel and outer interface. Tunnel Information for USJ2-SIXXS/T62301: POP Id : usqas01 IPv6 Local : 2001:4830:1600:364::2/64 IPv6 Remote : 2001:4830:1600:364::1/64 Tunnel Type : ayiya I'm using aiccu (from ports) on a FreeBSD (7.3-RELEASE-p2) behind a NAT. (To anaylse the probleme I also testet from an Ubuntu-System) This is the first setup of the tunnel. Initial I reqested a static tunnel but changed it to AYIYA with the web interface. == aiccu test == "aiccu test" starts failing at stage 6 (see the full log attached) in a short: 1. ping ipv4 local/outer -> works 2. ping remote/PoP -> works 3. traceroute PoP -> works 4. ping IPv6 localhost -> works 5. ping IPv6 local/inner -> works 6. ping IPv6 remote/PoP -> fails 7. and 8. als fail == firewall == firewall and packet filter are disbaled. == ping6 to IPv6 PoP == [root@usx ~]# ping6 2001:4830:1600:364::1 PING6(56=40+8+8 bytes) 2001:4830:1600:364::2 --> 2001:4830:1600:364::1 ^C --- 2001:4830:1600:364::1 ping6 statistics --- 6 packets transmitted, 0 packets received, 100.0% packet loss == tcpdump on outer interface == The dump (with filter for IPv4 PoP) shows only outgoing packets [root@usx ~]# tcpdump -ni le0 host 66.117.47.228 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes 12:09:16.492488 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 100 12:09:17.492746 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 100 12:09:17.670389 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 108 12:09:17.671873 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 104 12:09:18.492206 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 100 12:09:18.670403 IP 192.168.1.13.52021 > 66.117.47.228.5072: UDP, length 108 == routing table == [root@usx ~]# netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.1.1 UGS 0 1253 le0 127.0.0.1 127.0.0.1 UH 0 24 lo0 192.168.1.0/24 link#1 UC 0 0 le0 192.168.1.1 00:50:56:c0:00:02 UHLW 2 0 le0 1189 192.168.1.13 00:0c:29:80:88:21 UHLW 1 18 lo0 Internet6: Destination Gateway Flags Netif Expire default 2001:4830:1600:364::1 UGS tun0 ::1 ::1 UHL lo0 2001:4830:1600:364::1 link#4 UHL tun0 2001:4830:1600:364::2 link#4 UHL lo0 fe80::%lo0/64 fe80::1%lo0 U lo0 fe80::1%lo0 link#3 UHL lo0 fe80::4830:1600:364:2%tun0 link#4 UHL lo0 ff01:3::/32 fe80::1%lo0 UC lo0 ff01:4::/32 link#4 UC tun0 ff02::%lo0/32 fe80::1%lo0 UC lo0 ff02::%tun0/32 link#4 UC tun0 == interface list == [root@usx ~]# ifconfig -a le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8<VLAN_MTU> ether 00:0c:29:80:88:21 inet 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255 media: Ethernet autoselect status: active plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280 inet6 fe80::4830:1600:364:2%tun0 prefixlen 64 scopeid 0x4 inet6 2001:4830:1600:364::2 --> 2001:4830:1600:364::1 prefixlen 128 Opened by PID 1075 == full aiccu test log== sock_getline() : "200 SixXS TIC Service on nlams04.sixxs.net ready (http://www.sixxs.net)" sock_printf() : "client TIC/draft-00 AICCU/2007.01.15-console-kame FreeBSD/7.3-RELEASE-p2" sock_getline() : "200 Client Identity accepted" sock_printf() : "get unixtime" sock_getline() : "200 1302256823" sock_printf() : "starttls" sock_getline() : "400 This service is not SSL enabled (yet)" TIC Server does not support TLS but TLS is not required, continuing sock_printf() : "username USJ2-SIXXS" sock_getline() : "200 USJ2-SIXXS choose your authentication challenge please" sock_printf() : "challenge md5" sock_getline() : "200 XXX" sock_printf() : "authenticate md5 XXX" sock_getline() : "200 Successfully logged in using md5 as USJ2-SIXXS (Uwe Schwartz)" sock_printf() : "tunnel list" sock_getline() : "201 Listing tunnels" sock_getline() : "T62301 2001:4830:1600:364::2 ayiya usqas01" sock_getline() : "202 <tunnel_id> <ipv6_endpoint> <ipv4_endpoint> <pop_name>" sock_printf() : "tunnel show T62301" sock_getline() : "201 Showing tunnel information for T62301" sock_getline() : "TunnelId: T62301" sock_getline() : "Type: ayiya" sock_getline() : "IPv6 Endpoint: 2001:4830:1600:364::2" sock_getline() : "IPv6 POP: 2001:4830:1600:364::1" sock_getline() : "IPv6 PrefixLength: 64" sock_getline() : "Tunnel MTU: 1280" sock_getline() : "Tunnel Name: My First Tunnel" sock_getline() : "POP Id: usqas01" sock_getline() : "IPv4 Endpoint: ayiya" sock_getline() : "IPv4 POP: 66.117.47.228" sock_getline() : "UserState: enabled" sock_getline() : "AdminState: enabled" sock_getline() : "Password: XXX" sock_getline() : "Heartbeat_Interval: 60" sock_getline() : "202 Done" Succesfully retrieved tunnel information for T62301 sock_printf() : "QUIT Even the spirits are afraid" [tun-start] Trying Configured TUN/TAP interface tun0... [tun-start] Using TUN/TAP interface tun0 [tun-start] Setting TUNSIFHEAD for tun0 route: writing to routing socket: File exists [AYIYA-start] : Anything in Anything (draft-02) heartbeat_socket() - IPv4 : 192.168.1.13 [AYIYA-tun->tundev] : (Socket to TUN) started add net default: gateway 2001:4830:1600:364::1: route already in table Tunnel Information for T62301: POP Id : usqas01 IPv6 Local : 2001:4830:1600:364::2/64 IPv6 Remote : 2001:4830:1600:364::1/64 Tunnel Type : ayiya Adminstate : enabled Userstate : enabled ####### ####### AICCU Quick Connectivity Test ####### ####### [1/8] Ping the IPv4 Local/Your Outer Endpoint (192.168.1.13) ### This should return so called 'echo replies' ### If it doesn't then check your firewall settings ### Your local endpoint should always be pingable ### It could also indicate problems with your IPv4 stack PING 192.168.1.13 (192.168.1.13): 56 data bytes 64 bytes from 192.168.1.13: icmp_seq=0 ttl=64 time=0.031 ms 64 bytes from 192.168.1.13: icmp_seq=1 ttl=64 time=0.036 ms 64 bytes from 192.168.1.13: icmp_seq=2 ttl=64 time=0.033 ms --- 192.168.1.13 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.031/0.033/0.036/0.002 ms ###### ####### [2/8] Ping the IPv4 Remote/PoP Outer Endpoint (66.117.47.228) ### These pings should reach the PoP and come back to you ### In case there are problems along the route between your ### host and the PoP this could not return replies ### Check your firewall settings if problems occur PING 66.117.47.228 (66.117.47.228): 56 data bytes 64 bytes from 66.117.47.228: icmp_seq=0 ttl=57 time=31.682 ms 64 bytes from 66.117.47.228: icmp_seq=1 ttl=57 time=33.915 ms 64 bytes from 66.117.47.228: icmp_seq=2 ttl=57 time=32.952 ms --- 66.117.47.228 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 31.682/32.850/33.915/0.914 ms ###### ####### [3/8] Traceroute to the PoP (66.117.47.228) over IPv4 ### This traceroute should reach the PoP ### In case this traceroute fails then you have no connectivity ### to the PoP and this is most probably the problem traceroute to 66.117.47.228 (66.117.47.228), 64 hops max, 40 byte packets 1 192.168.1.1 (192.168.1.1) 0.196 ms 0.269 ms 0.297 ms 2 96.31.75.1 (96.31.75.1) 2.211 ms 3.741 ms 1.975 ms 3 tpa.TG.dc1core.hivelocity.net (69.46.31.117) 0.908 ms 0.866 ms 0.993 ms 4 xe-8-0-0.bar1.Tampa1.Level3.net (4.53.172.1) 0.934 ms 1.193 ms 0.648 ms 5 4.69.148.213 (4.69.148.213) 9.328 ms 5.937 ms 16.996 ms 6 ae-1-100.ebr2.Miami1.Level3.net (4.69.140.138) 17.902 ms 15.941 ms 16.933 ms 7 ae-2-2.ebr2.Atlanta2.Level3.net (4.69.140.142) 18.806 ms 32.430 ms 19.097 ms 8 ae-72-72.csw2.Atlanta2.Level3.net (4.69.148.250) 18.889 ms 18.864 ms 18.874 ms 9 ae-73-73.ebr3.Atlanta2.Level3.net (4.69.148.253) 18.898 ms 19.416 ms 18.843 ms 10 ae-2-2.ebr1.Washington1.Level3.net (4.69.132.86) 33.052 ms 33.795 ms 33.062 ms 11 ae-81-81.csw3.Washington1.Level3.net (4.69.134.138) 31.852 ms 33.776 ms ae-61-61.csw1.Washington1.Level3.net (4.69.134.130) 32.055 ms 12 ae-13-60.car3.Washington1.Level3.net (4.69.149.5) 32.871 ms ae-23-70.car3.Washington1.Level3.net (4.69.149.69) 32.855 ms ae-43-90.car3.Washington1.Level3.net (4.69.149.197) 32.951 ms 13 CARPATHIA-H.car3.Washington1.Level3.net (4.79.169.26) 50.045 ms 52.543 ms 52.179 ms 14 209.222.130.107 (209.222.130.107) 33.710 ms 31.949 ms 32.420 ms 15 iad0-sixxs.hotnic.net (66.117.47.228) 33.306 ms 33.024 ms 32.878 ms ###### ###### [4/8] Checking if we can ping IPv6 localhost (::1) ### This confirms if your IPv6 is working ### If ::1 doesn't reply then something is wrong with your IPv6 stack PING6(56=40+8+8 bytes) ::1 --> ::1 16 bytes from ::1: Echo Request 16 bytes from ::1, icmp_seq=0 hlim=64 dst=::1%3 time=0.274 ms 16 bytes from ::1: Echo Request 16 bytes from ::1, icmp_seq=1 hlim=64 dst=::1%3 time=0.183 ms 16 bytes from ::1: Echo Request 16 bytes from ::1, icmp_seq=2 hlim=64 dst=::1%3 time=2.004 ms --- ::1 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.183/0.820/2.004/0.838 ms ###### ###### [5/8] Ping the IPv6 Local/Your Inner Tunnel Endpoint (2001:4830:1600:364::2) ### This confirms that your tunnel is configured ### If it doesn't reply then check your interface and routing tables PING6(56=40+8+8 bytes) 2001:4830:1600:364::2 --> 2001:4830:1600:364::2 16 bytes from 2001:4830:1600:364::2: Echo Request 16 bytes from 2001:4830:1600:364::2, icmp_seq=0 hlim=64 dst=2001:4830:1600:364::2%4 time=0.236 ms 16 bytes from 2001:4830:1600:364::2: Echo Request 16 bytes from 2001:4830:1600:364::2, icmp_seq=1 hlim=64 dst=2001:4830:1600:364::2%4 time=0.160 ms 16 bytes from 2001:4830:1600:364::2: Echo Request 16 bytes from 2001:4830:1600:364::2, icmp_seq=2 hlim=64 dst=2001:4830:1600:364::2%4 time=0.420 ms --- 2001:4830:1600:364::2 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.160/0.272/0.420/0.109 ms ###### ###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2001:4830:1600:364::1) ### This confirms the reachability of the other side of the tunnel ### If it doesn't reply then check your interface and routing tables ### Don't forget to check your firewall of course ### If the previous test was succesful then this could be both ### a firewalling and a routing/interface problem PING6(56=40+8+8 bytes) 2001:4830:1600:364::2 --> 2001:4830:1600:364::1 --- 2001:4830:1600:364::1 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss ###### ###### [7/8] Traceroute6 to the central SixXS machine (noc.sixxs.net) ### This confirms that you can reach the central machine of SixXS ### If that one is reachable you should be able to reach most IPv6 destinations ### Also check http://www.sixxs.net/ipv6calc/ which should show an IPv6 connection ### If your browser supports IPv6 and uses it of course. traceroute6 to noc.sixxs.net (2001:838:1:1:210:dcff:fe20:7c7c) from 2001:4830:1600:364::2, 64 hops max, 12 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * 31 * * * 32 * * * 33 * * * 34 * * * 35 * * * 36 * * * 37 * * * 38 * * * 39 * * * 40 * * * 41 * * * 42 * * * 43 * * * ###### ###### [8/8] Traceroute6 to (www.kame.net) ### This confirms that you can reach a Japanese IPv6 destination ### If that one is reachable you should be able to reach most IPv6 destinations ### You should also check http://www.kame.net which should display ### a animated kame (turtle), of course only when your browser supports and uses IPv6 traceroute6 to orange.kame.net (2001:200:dff:fff1:216:3eff:feb1:44d7) from 2001:4830:1600:364::2, 64 hops max, 12 byte packets 1 * * * 2 * * * 3 * * * 4 * Regards Uwe Schwartz