SixXS::Sunset 2017-06-06

Static tunnel did not ping remote endpoint, but heartbeat does
[br] Shadow Hawkins on Wednesday, 14 May 2014 12:50:30
Hello folks,

My handle: LDR7-SIXXS
Tunnel ID: T146729

I am having some difficulties with my first static tunnel. I followed the steps given in https://www.sixxs.net/faq/connectivity/?faq=worksnt, but I could not figure out why the static tunnel does not ping the remote endpoint. Using another heartbeat tunnel works flawlessly, but the static tunnel always returns:

PING 2001:1291:200:617::1(2001:1291:200:617::1) 56 data bytes
From 2001:1291:200:617::2 icmp_seq=2 Destination unreachable: Address unreachable

The OS is Ubuntu 12.04 LTS Server. Ufw is disabled. The server's clock is NTP synced. There is a firewall in the route, but the needed ports and protocol 41 are forwarded (the machine is in a DMZ with a NATed 1:1 public IPv4).

My aiccu.conf:

# AICCU Configuration

# Login information (defaults: none)
username LDR7-SIXXS/T146729
password <my password>

# Protocol and server to use for setting up the tunnel (defaults: none)
#protocol <tic|tsp|l2tp>
#server <server to use>

# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface sixxs

# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T146729

# Be verbose? (default: false)
verbose true

# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
#
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
#
daemonize false

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false

# PID File
#pidfile /var/run/aiccu.pid

# Add a default route (default: true)
#defaultroute true

# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh

# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
makebeats false

# Don't configure anything (default: false)
noconfigure true

# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
# behindnat true

# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
local_ipv4_override <my local DMZ IPv4>

******************

My /etc/network/interfaces:

auto eth0
iface eth0 inet static
<...stripped configuration...>

auto sixxs
iface sixxs inet6 v4tunnel
    address 2001:1291:200:617::2
    netmask 64
    endpoint 201.48.254.14
    ttl 64
    mtu 1280
    gateway 2001:1291:200:617::1

******************

My routing v6 table:

Kernel IPv6 routing table
Destination                    Next Hop                  Flag Met  Ref Use  If
2001:1291:200:617::1/128       ::                        U    1024 0   1    sixxs
2001:1291:200:617::/64         ::                        Un   256  0   0    sixxs
fe80::/64                      ::                        U    256  0   0    eth0
::/0                           2001:1291:200:617::1      UG   1024 0   0    sixxs
::/0                           ::                        !n   -1   1   2035 lo
::1/128                        ::                        Un   0    1   22   lo
2001:1291:200:617::2/128       ::                        Un   0    1   3045 lo
fe80::ac10:219/128             ::                        Un   0    1   0    lo
fe80::c0a8:1001/128            ::                        Un   0    1   0    lo
fe80::baca:3aff:fef1:b3fd/128  ::                        Un   0    1   0    lo
ff00::/8                       ::                        U    256  0   0    eth0
ff00::/8                       ::                        U    256  0   0    sixxs
::/0                           ::                        !n   -1   1   2035 lo

AICCU gets connected and gives no error (lately it has been blocked by TIC because of my tests, I have made too many connections). I swapped the static tunnel with a heartbeat one, and the heartbeat worked with no issues. Actually I am stuck waiting for the TIC timeout to be reached. Can someone point me to something I forgot?
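When a point-to-point proto-41 tunnel answers "Address unreachable" from the host's own address, the first thing to rule out is the local routing table. The following is an added example (not code from the thread or from SixXS) that parses the `route -A inet6`-style table as posted above and checks the three routes a static tunnel needs: a /128 host route for the PoP address on the tunnel interface, the tunnel /64 on that interface, and a non-reject default route whose next hop is the PoP. The interface name `sixxs`, the PoP address and the /64 are taken from the post; the check function and its findings format are my own.

```python
import ipaddress

# The IPv6 routing table as posted in the thread (route -A inet6 layout).
ROUTE6_TABLE = """\
Kernel IPv6 routing table
Destination                    Next Hop                  Flag Met  Ref Use  If
2001:1291:200:617::1/128       ::                        U    1024 0   1    sixxs
2001:1291:200:617::/64         ::                        Un   256  0   0    sixxs
fe80::/64                      ::                        U    256  0   0    eth0
::/0                           2001:1291:200:617::1      UG   1024 0   0    sixxs
::/0                           ::                        !n   -1   1   2035 lo
::1/128                        ::                        Un   0    1   22   lo
2001:1291:200:617::2/128       ::                        Un   0    1   3045 lo
fe80::ac10:219/128             ::                        Un   0    1   0    lo
fe80::c0a8:1001/128            ::                        Un   0    1   0    lo
fe80::baca:3aff:fef1:b3fd/128  ::                        Un   0    1   0    lo
ff00::/8                       ::                        U    256  0   0    eth0
ff00::/8                       ::                        U    256  0   0    sixxs
::/0                           ::                        !n   -1   1   2035 lo
"""


def parse_route6(text):
    """Parse the 7-column table into dicts; title and header rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or "/" not in parts[0]:
            continue
        dest, nexthop, flags, metric, _ref, _use, iface = parts
        routes.append({
            "dest": ipaddress.ip_network(dest, strict=False),
            "nexthop": ipaddress.ip_address(nexthop),
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def check_static_tunnel(routes, iface, pop, prefix):
    """Return (problems, notes) for a point-to-point tunnel on `iface`.

    problems: missing routes that would explain a local "Address unreachable".
    notes:    reject ('!') entries, which the kernel installs itself and which
              are harmless as long as a gateway default route exists.
    """
    pop = ipaddress.ip_address(pop)
    prefix = ipaddress.ip_network(prefix)
    pop_host = ipaddress.ip_network(f"{pop}/128")
    problems, notes = [], []

    def present(pred):
        return any(pred(r) for r in routes)

    if not present(lambda r: r["dest"] == pop_host and r["iface"] == iface):
        problems.append(f"no /128 route to {pop} via {iface}")
    if not present(lambda r: r["dest"] == prefix and r["iface"] == iface):
        problems.append(f"tunnel prefix {prefix} not on {iface}")
    if not present(lambda r: r["dest"].prefixlen == 0 and r["nexthop"] == pop
                   and r["iface"] == iface and "!" not in r["flags"]):
        problems.append(f"no default route via {pop} on {iface}")
    for r in routes:
        if "!" in r["flags"]:
            notes.append(f"reject entry {r['dest']} on {r['iface']} (metric {r['metric']})")
    return problems, notes


def run_check(table=ROUTE6_TABLE, iface="sixxs",
              pop="2001:1291:200:617::1", prefix="2001:1291:200:617::/64"):
    return check_static_tunnel(parse_route6(table), iface, pop, prefix)


if __name__ == "__main__":
    problems, notes = run_check()
    print("problems:", problems or "none")
    for n in notes:
        print("note:", n)
```

On the poster's table this reports no problems and two notes for the `!n` default entries, which matches the staff reply: the routes are fine, so the fault has to be beyond the host (the tunnel packets themselves, here the firewall's NAT).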
Static tunnel did not ping remote endpoint, but heartbeat does
[ch] Jeroen Massar SixXS Staff on Wednesday, 14 May 2014 14:16:42
> PING 2001:1291:200:617::1(2001:1291:200:617::1) 56 data bytes
> From 2001:1291:200:617::2 icmp_seq=2 Destination unreachable: Address unreachable

That is your local host telling you that the remote cannot be reached.

Routing table looks okay (even though there are a few odd ::/0 entries, which can likely be ignored)

How many local IPv4 addresses does the host have and how are the tunnel endpoints configured?

> There is a firewall in the route, but the needed ports and protocol 41 are forwarded (the machine is in a DMZ with a NATed 1:1 public IPv4).

Are you sure that connection tracking works properly for protocol 41? It might be that the extra UDP heartbeat packet creates enough state in your setup that it passes properly.

> AICCU get connected and gives no error

Why are you using AICCU when you already have configured the tunnel through /etc/network/interfaces? It is not unlikely that AICCU will use the wrong local IP, as it uses the public IP address for the local tunnel endpoint. There is an option for overriding that, but, when one has /etc/network/interfaces then one does not need AICCU.
Static tunnel did not ping remote endpoint, but heartbeat does
[br] Shadow Hawkins on Wednesday, 14 May 2014 17:49:52
Jeroen Massar wrote:
> PING 2001:1291:200:617::1(2001:1291:200:617::1) 56 data bytes
> From 2001:1291:200:617::2 icmp_seq=2 Destination unreachable: Address unreachable
> That is your local host telling you that the remote cannot be reached.

Yeah!

> Routing table looks okay (even though there are a few odd ::/0 entries, which can likely be ignored)

Linux thingy... ;)

> How many local IPv4 addresses does the host have and how are the tunnel endpoints configured?

The host has only one eth0 IPv4 within the DMZ (i.e. 172.16.XXX.YYY).

> There is a firewall in the route, but the needed ports and protocol 41 are forwarded (the machine is in a DMZ with a NATed 1:1 public IPv4).
> Are you sure that connection tracking works properly for protocol 41? It might be that the extra UDP heartbeat packet creates enough state in your setup that it passes properly.

I am suspecting this too. The firewall is a Fortigate (from Fortinet). The IT people are helping me with the firewall configuration. They double checked the forwardings, but I don't remember if they checked connection tracking as well. I will notify them about it.

> AICCU get connected and gives no error
> Why are you using AICCU when you already have configured the tunnel through /etc/network/interfaces?

Ooops... I will be more clear: "when using heartbeat, AICCU gets connected..." :P

> It is not unlikely that AICCU will use the wrong local IP, as it uses the public IP address for the local tunnel endpoint. There is an option for overriding that, but, when one has /etc/network/interfaces then one does not need AICCU.

If you configure the static tunnel manually, you do not need to access the TIC server for getting config info. Is this understanding correct?

Thank you for your time Jeroen. I am sure one million people asked the same thing several times.
Static tunnel did not ping remote endpoint, but heartbeat does
[ch] Jeroen Massar SixXS Staff on Wednesday, 14 May 2014 17:56:04
[..]
> If you configure the static tunnel manually, you do not need to access TIC server for getting config info.
> Is this understanding correct?

Yes, because you already have all that information and there are no moving bits. Hence, you can just fill them in once in /etc/network/interfaces and presto. With AYIYA and heartbeat one needs the TIC server primarily because of the heartbeat password that is used and next to that AICCU then actually moves packets (AYIYA) or sends heartbeats. For static tunnels, AICCU just configs (which is of course easier especially on the platforms it supports) and then exits.

> Thank you for your time Jeroen. I am sure one million people asked the same thing several times.

Nope, the questions vary all the time.
Static tunnel did not ping remote endpoint, but heartbeat does
[br] Shadow Hawkins on Wednesday, 14 May 2014 18:20:31
Jeroen Massar wrote:
> If you configure the static tunnel manually, one does not need to access TIC server for getting config info. Is this understanding correct?

I believe I found the issue. The output packets were tagged with the wrong IP (i.e. input packets to the server match the IP 187.32.41.88), but output packets were tagged as coming from 187.32.41.86 by our antispam policy. Waiting for the new firewall commit...
Static tunnel did not ping remote endpoint, but heartbeat does
[br] Shadow Hawkins on Wednesday, 14 May 2014 19:13:27
[SOLVED] Issue resolved. Wrong mappings in firewall, as suspected. Tunnel up and running!
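The root cause above is an asymmetric NAT mapping: inbound proto-41 packets were 1:1 translated to the DMZ host via 187.32.41.88, while an unrelated outbound policy source-translated the host's own packets to 187.32.41.86, so the PoP saw tunnel traffic from an address it had no tunnel registered for and dropped it. Heartbeat tunnels mask this because the heartbeat itself tells the PoP which IPv4 to expect; a static tunnel has no such mechanism. The following is an added example (not code from the thread or from SixXS) that verifies the mapping from a capture taken on the firewall's outside interface: it picks out IPv6-in-IPv4 packets by their outer header and reports any outbound source or inbound destination that differs from the registered endpoint. The PoP address and the two public IPs come from the thread; the capture lines are constructed in tcpdump's layout, and the function names are my own.

```python
import re
from collections import Counter

# Tunnel parameters as given in the thread.
POP_IPV4 = "201.48.254.14"        # remote endpoint from /etc/network/interfaces
REGISTERED_IPV4 = "187.32.41.88"  # public IPv4 the static tunnel is registered to

# Constructed capture (tcpdump layout) on the firewall's outside interface before
# the fix: replies from the PoP are addressed to .88, but the host's own packets
# leave with source .86. The last line is unrelated TCP traffic and must be ignored.
SAMPLE_CAPTURE = """\
12:50:30.100 IP 187.32.41.86 > 201.48.254.14: IP6 2001:1291:200:617::2 > 2001:1291:200:617::1: ICMP6, echo request, seq 1, length 64
12:50:31.100 IP 187.32.41.86 > 201.48.254.14: IP6 2001:1291:200:617::2 > 2001:1291:200:617::1: ICMP6, echo request, seq 2, length 64
12:50:40.200 IP 201.48.254.14 > 187.32.41.88: IP6 2001:1291:200:617::1 > 2001:1291:200:617::2: ICMP6, echo request, seq 7, length 64
12:50:41.300 IP 10.0.0.5.4242 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
"""

# Same capture after the firewall commit: outbound source now matches the mapping.
FIXED_CAPTURE = SAMPLE_CAPTURE.replace("187.32.41.86", "187.32.41.88")

# Outer IPv4 header of an IPv6-in-IPv4 (protocol 41) packet as tcpdump prints it.
PROTO41 = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): IP6 "
)


def proto41_endpoints(capture):
    """(outer src, outer dst) for every proto-41 packet; other traffic is skipped."""
    pairs = []
    for line in capture.splitlines():
        m = PROTO41.match(line)
        if m:
            pairs.append((m["src"], m["dst"]))
    return pairs


def check_nat_mapping(capture, pop=POP_IPV4, registered=REGISTERED_IPV4):
    """Report every outer address that disagrees with the registered endpoint.

    Outbound packets (towards the PoP) must carry `registered` as source;
    inbound packets (from the PoP) must be addressed to `registered`.
    An empty list means the 1:1 mapping is symmetric for proto-41.
    """
    pairs = proto41_endpoints(capture)
    outbound_src = Counter(src for src, dst in pairs if dst == pop)
    inbound_dst = Counter(dst for src, dst in pairs if src == pop)
    findings = []
    for src, n in outbound_src.items():
        if src != registered:
            findings.append(
                f"{n} packet(s) to PoP {pop} left with source {src}, expected {registered}")
    for dst, n in inbound_dst.items():
        if dst != registered:
            findings.append(
                f"{n} packet(s) from PoP {pop} arrived for {dst}, expected {registered}")
    return findings


if __name__ == "__main__":
    for label, cap in (("before fix", SAMPLE_CAPTURE), ("after fix", FIXED_CAPTURE)):
        print(label + ":", check_nat_mapping(cap) or "mapping symmetric")
```

Because protocol 41 has no ports, it often falls through to a generic outbound policy with its own NAT pool, so after any firewall change the useful confirmation is exactly this comparison of what the PoP actually receives with the address the tunnel was registered to, rather than only re-checking the inbound forwarding.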

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker