Aiccu/Installing Aiccu on Windows Vista

From SixXS Wiki
(Redirected from Configuring Windows Vista)
Jump to: navigation, search

(1) Verify that Windows has all updates installed

  • Run Windows Update and get all updates {including service packs}, rebooting as needed until no more updates are available.

(2) Install CAcert.org Root CA Certificate in Internet Explorer 7 or 8

  • Visit this link: http://www.cacert.org/index.php?id=3
  • Install Class 1 Root cert using the PEM format link, and manually install into the "Trusted Root Certification Authorities" Store for IE
  • Restart IE, and ensure that sites like https://www.ipv4.sixxs.net load properly with no certificate warnings.
  • Not important for connectivity of SixXS/AICCU/IPv6, but needed to access SixXS SSL site.

(3) Create a Free SixXS Account and AYIYA IPv6 Tunnel on SixXS

  • Create an SixXS account
    • Wait for approval of your account via email
  • Rules of tumb
    • Static ip -> Static Tunnel
    • Dynamic ip in DMZ -> Hearbeat Tunnel
    • Dynamic ip NAT -> AYIYA Tunnel
  • PCs with multiple IP addresses
    • If your PC has more than one IP address allocated to the LAN interface and you request a static tunnel, you may need to request a tunnel on the lowest IP. This is because Windows networking may use the lowest IP as the source IP for the v6v4tunnel even if you specify a different IP when creating the tunnel.

(4) Install TAP-Win32/TAP-Win64 Virtual Network Driver

  • Verify that the tap901 driver is installed by running "ipconfig /all", and looking for the network interface
  • Example (Local Area Connection 3) ipconfig output:
 Ethernet adapter Local Area Connection 3:
 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix  . :
 Description . . . . . . . . . . . : TAP-Win32 Adapter V9
 Physical Address. . . . . . . . . : 00-FF-48-40-04-39
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes

(5) Install AICCU Win32 Console Utility

(6) Setup AICCU Configuration File

  • Create a text file named "aiccu.conf" in the same directory as where the aiccu.exe binary is located.
  • Use notepad.exe to edit aiccu.conf
    • Setup "username NICHANDLE-SIXXS" where NICHANDLE-SIXXS is the name of your NIC handle assigned during step 3
    • Setup "password mypassword" where mypassword is your password setup during step 3
    • Setup "tunnel_id TXXXXX" where TXXXXX is the tunnel id given from sixxs during step 3 and on https://www.sixxs.net/home
    • Add "verbose true" to the configuration file
    • Add "automatic true" to configuration file
  • Example aiccu.conf file contents:
 username NICHANDLE-SIXXS
 password mypassword
 tunnel_id TXXXXX
 verbose true
 automatic true

If one has configured a per-tunnel password aka TIC password then one can use: 

 username NICHANDLE-SIXXS/Txxxxx
 password TICPASSWORD

The TIC password is specific per tunnel.

(7) Setup Vista/Win7 Specific IPv6 parameters

  • Run the following commands as an administrator to work-around the issue with Vista/Win7 and AICCU IPv6 "AAAA" DNS lookups with a virtual interface:
 netsh int ipv6 add address "Local Area Connection" 2002:81a8:102::
    • Make sure to replace "Local Area Connection" with your actual physical ethernet (wired or wireless) network interface name if the name is different on your computer.
    • You can see your network interface names by running "netsh interface show interface" at a command prompt
    • Note: See http://technet.microsoft.com/en-us/library/bb727035.aspx for more information on DNS for Vista/Win7
  • If you run VirtualBox or otherwise have a non-routable private network adapter with IPv6 capability, set the metric of this interface to be higher than the SixXS adapter so that IPv6 traffic goes out the SixXS interface first rather than getting stuck in the VirtualBox adapter. In the elevated command prompt run:
 netsh interface ipv6 show interface

The "Met" column is the metric of the interface. Lower metrics are routed to first. If your output of the above command shows something like this: 

 Idx     Met         MTU          State                Name
 ---  ----------  ----------  ------------  ---------------------------
   1          50  4294967295  connected     Loopback Pseudo-Interface 1
  11          30        1500  connected     Wireless Network Connection
  12          10        1500  connected     Local Area Connection
  25          10        1500  connected     VirtualBox Host-Only Network
  24          30        1500  connected     sixxs

Notice the metric of the VirtualBox Host-Only Network is less than the metric of the sixxs. Update the metric from 10 to something like 200 in the elevated command prompt: 

 netsh interface ipv6 set interface "VirtualBox Host-Only Network" metric=200

(8) Test your upstream DNS Server for IPv6 "AAAA" lookups

  • Open an elevated Command prompt (created in Step 4)
  • Run the following command
 nslookup -type=AAAA www.ipv6.sixxs.net
  • The response should look something like this:
 Non-authoritative answer:
 Name:    ipv6.nginx.sixxs.net
 Addresses:  2001:838:2:1::30:67
           2001:838:2:1:2a0:24ff:feab:3b53
           2001:1af8:4050::2
           2001:960:800::2
 Aliases:  www.ipv6.sixxs.net
  • If you do not get a successful response (no IPv6 address), you may need to switch your DNS configuration to use a more capable resolver. There are well-known public DNS servers that are IPv6-capable. Google's public DNS servers are 8.8.8.8 and 8.8.4.4, and OpenDNS provides 208.67.222.222 and 208.67.220.220, just to name a couple.

(9) Start AICCU Utility

  • Run Elevated Command prompt created in step 4
  • Change to the Windows Desktop Directory (e.g. cd \Users\username\Desktop)
  • Run the following command every time you want to start the tunnel:
 aiccu-<version>-windows-console.exe start
  • You should see some diagnostic output showing "adminstate enabled" and "userstate enabled" if successful
  • If you use OpenVPN on your system and followed the instructions in this Wiki there are high chances you have two Tap32 adapters on your systems. Aiccu won't start in this case, raising an error about an improperly configured Tap adapter.
  • To work around this problem you can just issue the following command, from the elevated command prompt:
 netsh interface set interface name=”Local Area Connection X” newname=”sixxs”
  • X is the number of the second Tap interface on your system
  • Then you add the following line to your aiccu.conf file
 ipv6_interface sixxs
  • Now you are ready to issue the Aiccu console start command as shown above
  • NOTE: If you have only one Tap interface on your system, AICCU will rename the tap901 interface to "sixxs" instead of the default "Local Area Connection X" after first run. If you have more than one Tap interface, renaming won't work (see above)
  • Note: Windows Firewall will ask if you want this to be a public or private network (This may take a minute, and will only happen the very first time you connect with your tunnel). It is recommended to select Public since it is the public IPv6 internet.

(10) Test your IPv6 Connectivity using command line tools

  • Run Elevated Command prompt created in step 4
  • Run "ping -6 www.kame.net"
  • Run "ping -6 ipv6.google.com"
  • Run "tracert -6 www.kame.net"
  • Run "tracert -6 ipv6.google.com"
  • If issues arise, try running aiccu with the command line of "autotest" to diagnose.

(11) Test your IPv6 Connectivity with Internet Explorer

  • Open IE and load the following URLS
 http://www.kame.net
  • Note: Look for the animated turtle (IPv6), or non-animated turtle (IPv4) on www.kame.net
 http://ipv6.google.com
 http://www.ipv6.sixxs.net
  • Note: Both of these urls are IPv6 ONLY, and will fail with an IPv4 only connection
 http://www.sixxs.net/tools/ipv6calc/


(12) If you have issues with your IPv6 connectivity

  • Note: If you have a Firewall other than Windows Firewall or Windows OneCare, it may not work with IPv6 properly.
    • If you have problems, uninstall the third-party firewall (disabling does not work in most cases), and use Windows Firewall.
    • Norton Firewall has been reported as having issues with IPv6. - Solution: Uninstall, and use Windows Firewall
    • Panda AV has been reported as having issues with IPv6. - Solution: Uninstall and use Windows OneCare
  • Note: Windows aiccu (as of 2011-12-05 version) does not currently support routing a subnet via aiccu due to TUN/TAP. This may end up being fixed in a newer version, but until then, use another O/S for your routing needs.


  • Run Elevated Command prompt created in step 4
  • Run the following command
 netsh int ipv6 reset
  • Then reboot the computer, and repeat steps 8-13
  • If this does not work, post the results of the following commands while still connected with AICCU(normal run with "aiccu-<version>-windows-console.exe start")
 netsh int ipv6 show address
 netsh int ipv6 show route
 ipconfig /all
  • Then stop aiccu, and execute again with the command line parameter of "autotest" and redirect the output to a file e.g. :
 aiccu-<version>-windows-console.exe autotest >autotest.txt

(13) Misc Windows Settings

See http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx for a good primer on Windows IPv6 auto configuration

  • Disable temporary IPv6 addresses for outbound connections
 netsh int ipv6 set privacy disabled
  • Disable non EUI-64 IPv6 interface identifiers 
 netsh int ipv6 set global randomizeidentifiers=disabled store=persistent

For more information:

http://www.microsoft.com/technet/network/ipv6/introipv6.mspx (IPv6 Introduction) http://technet.microsoft.com/en-us/network/bb530961.aspx (IPv6 Resources at Microsoft) http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx (IPv6 Microsoft FAQ)

(14) Installing AICCU Utility as a Service

Method A

The console version of the AICCU utility does not provide it's own method of installing itself as a service, but this can be achieved using some tools from Microsoft.

  • Download the Windows 2003 Resource Kit and install it.
  • Run Elevated Command prompt created in step 4
  • Change to the directory where you installed the Resource Kit tools (by default it is \Program Files (x86)\Windows Resource Kit\Tools\)
  • Run the following command
    • If you have 64-bit Vista:
 instsrv.exe AICCU "c:\Program Files (x86)\Windows Resource Kits\Tools\srvany.exe"
    • If you have 32-bit Vista:
 instsrv.exe AICCU "c:\Program Files\Windows Resource Kits\Tools\srvany.exe"
  • This will create a new "blank" service that we can use to set up the AICCU utility.
  • Edit the registry by running the following command:
 regedit
  • Navigate to the following registry entry:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AICCU
  • Add a new key by going to 'Edit' > 'New' > 'Key'.
  • Name the new key "Parameters"
  • Under the new "Parameters" key, add a new String Value.
  • Name the new String Value "Application"
  • Set the value of the "Application" string to the full path to your AICCU console executable, such as:
 c:\aiccu\aiccu.exe start

You should now have a service that starts automatically when your computer starts. No more annoying console window just to have a tunnel!

  • Works with 64 bit Windows 7 too.
  • Additional info on the srvany program:
 http://support.microsoft.com/kb/137890

Method B

If the above method won't work for some , here is an alternative I found that seems to work fine .


  • First, create a .vbs file with the following content:

Set WshShell = CreateObject("WScript.Shell")


WshShell.Run "E:\home\David\sixxs\aiccu-2008-03-15-windows-console.exe start", 0


Set WshShell = Nothing

Obviously you’ll have to change the path in the second line to the location of your console software.


  • Now create a registry entry (string value) that calls the .vbs file within 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • If someone doesn't want to use the registry method , you can use the application AlwaysUp which is easier but unfortunately shareware.
Retrieved from "http://www.sixxs.net/wiki/?title=Aiccu/Installing_Aiccu_on_Windows_Vista&oldid=4677"