Ticket ID: SIXXS #835227
Ticket Status: Resolved
PoP: gblon02 - Goscomb Technologies (London)
Can not ping6 PoP inner tunnel endpoint
Shadow Hawkins on Tuesday, 28 October 2008 12:40:57
I have read and followed the "Reporting Problems" section on the Contact page and am providing the following details for this report based on the list of items stated there:
User ID: ARL15-RIPE
Tunnel ID: T13763
I seem to be experiencing a similar issue to that described in Ticket ID: SIXXS #834565.
Tunnel seemed to be up; however, logs show traffic failing from around 20:44 GMT 26.10.2008, and I am unable to ping6 the PoP inner tunnel endpoint despite aiccu stop/start and reboot.
$ sysctl kern.version
kern.version=OpenBSD 4.4-current (GENERIC) #1133: Fri Oct 24 13:09:18 MDT 2008
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
$ cat aiccu.conf
username ARL15-RIPE
password ********
ipv6_interface gif0
verbose true
daemonize false
automatic true
requiretls false
$ sudo /usr/local/sbin/aiccu autotest ./aiccu.conf
add net default: gateway 2a01:348:6:70::1: File exists
Tunnel Information for T13763:
POP Id : gblon02
IPv6 Local : 2a01:348:6:70::2/64
IPv6 Remote : 2a01:348:6:70::1/64
Tunnel Type : 6in4-heartbeat
Adminstate : enabled
Userstate : enabled
#######
####### AICCU Quick Connectivity Test
#######
####### [1/8] Ping the IPv4 Local/Your Outer Endpoint (86.18.90.66)
### This should return so called 'echo replies'
### If it doesn't then check your firewall settings
### Your local endpoint should always be pingable
### It could also indicate problems with your IPv4 stack
PING 86.18.90.66 (86.18.90.66): 56 data bytes
64 bytes from 86.18.90.66: icmp_seq=0 ttl=255 time=0.301 ms
64 bytes from 86.18.90.66: icmp_seq=1 ttl=255 time=0.183 ms
64 bytes from 86.18.90.66: icmp_seq=2 ttl=255 time=0.117 ms
--- 86.18.90.66 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.117/0.200/0.301/0.076 ms
######
####### [2/8] Ping the IPv4 Remote/PoP Outer Endpoint (77.75.104.126)
### These pings should reach the PoP and come back to you
### In case there are problems along the route between your
### host and the PoP this could not return replies
### Check your firewall settings if problems occur
PING 77.75.104.126 (77.75.104.126): 56 data bytes
64 bytes from 77.75.104.126: icmp_seq=0 ttl=57 time=19.197 ms
64 bytes from 77.75.104.126: icmp_seq=1 ttl=57 time=16.778 ms
64 bytes from 77.75.104.126: icmp_seq=2 ttl=57 time=15.705 ms
--- 77.75.104.126 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 15.705/17.226/19.197/1.468 ms
######
####### [3/8] Traceroute to the PoP (77.75.104.126) over IPv4
### This traceroute should reach the PoP
### In case this traceroute fails then you have no connectivity
### to the PoP and this is most probably the problem
traceroute to 77.75.104.126 (77.75.104.126), 64 hops max, 40 byte packets
1 10.56.136.1 (10.56.136.1) 7.491 ms 7.993 ms 7.591 ms
2 swin-t2cam1-b-ge98.network.virginmedia.net (81.110.128.153) 8.534 ms 8.419 ms 7.679 ms
3 brhm-t3core-1b-ge-016-0.network.virginmedia.net (195.182.180.225) 11.219 ms 9.976 ms 10.349 ms
4 bir-bb-b-so-020-0.network.virginmedia.net (213.105.174.5) 10.201 ms 10.546 ms 10.179 ms
5 win-bb-a-so-220-0.network.virginmedia.net (62.253.188.145) 13.680 ms 14.472 ms 13.883 ms
6 bre-bb-b-so-100-0.network.virginmedia.net (213.105.172.234) 17.452 ms 18.590 ms 18.41 ms
7 telc-ic-1-as0-0.network.virginmedia.net (62.253.185.74) 18.608 ms 41.164 ms 17.168 ms
8 ae0-461.rt0.sov.uk.goscomb.net (195.66.226.226) 16.451 ms 16.513 ms 15.849 ms
9 ae0-1624.rt2.the.uk.goscomb.net (77.75.109.161) 15.818 ms 16.938 ms 15.712 ms
10 gblon02.sixxs.net (77.75.104.126) 16.41 ms 30.943 ms 15.928 ms
######
###### [4/8] Checking if we can ping IPv6 localhost (::1)
### This confirms if your IPv6 is working
### If ::1 doesn't reply then something is wrong with your IPv6 stack
PING6(56=40+8+8 bytes) ::1 --> ::1
16 bytes from ::1: Echo Request
16 bytes from ::1, icmp_seq=0 hlim=64 dst=::1%5 time=0.308 ms
16 bytes from ::1: Echo Request
16 bytes from ::1, icmp_seq=1 hlim=64 dst=::1%5 time=0.267 ms
16 bytes from ::1: Echo Request
16 bytes from ::1, icmp_seq=2 hlim=64 dst=::1%5 time=0.202 ms
--- ::1 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.202/0.259/0.308/0.044 ms
######
###### [5/8] Ping the IPv6 Local/Your Inner Tunnel Endpoint (2a01:348:6:70::2)
### This confirms that your tunnel is configured
### If it doesn't reply then check your interface and routing tables
PING6(56=40+8+8 bytes) 2a01:348:6:70::2 --> 2a01:348:6:70::2
16 bytes from 2a01:348:6:70::2: Echo Request
16 bytes from 2a01:348:6:70::2, icmp_seq=0 hlim=64 dst=2a01:348:6:70::2%5 time=0.335 ms
16 bytes from 2a01:348:6:70::2: Echo Request
16 bytes from 2a01:348:6:70::2, icmp_seq=1 hlim=64 dst=2a01:348:6:70::2%5 time=0.286 ms
16 bytes from 2a01:348:6:70::2: Echo Request
16 bytes from 2a01:348:6:70::2, icmp_seq=2 hlim=64 dst=2a01:348:6:70::2%5 time=0.159 ms
--- 2a01:348:6:70::2 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.159/0.260/0.335/0.074 ms
######
###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2a01:348:6:70::1)
### This confirms the reachability of the other side of the tunnel
### If it doesn't reply then check your interface and routing tables
### Don't forget to check your firewall of course
### If the previous test was succesful then this could be both
### a firewalling and a routing/interface problem
--- 2a01:348:6:70::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
######
###### [7/8] Traceroute6 to the central SixXS machine (noc.sixxs.net)
### This confirms that you can reach the central machine of SixXS
### If that one is reachable you should be able to reach most IPv6 destinations
### Also check http://www.sixxs.net/ipv6calc/ which should show an IPv6 connection
### If your browser supports IPv6 and uses it of course.
traceroute6 to noc.sixxs.net (2001:838:1:1:210:dcff:fe20:7c7c) from 2a01:348:6:70::2, 64 hops max, 12 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
31 * * *
32 * * *
33 * * *
34 * * *
35 * * *
36 * * *
37 * * *
38 * * *
39 * * *
40 * * *
41 * * *
42 * * *
43 * * *
44 * * *
45 * * *
46 * * *
47 * * *
48 * * *
49 * * *
50 * * *
51 * * *
52 * * *
53 * * *
54 * * *
55 * * *
56 * * *
57 * * *
58 * * *
59 * * *
60 * * *
61 * * *
62 * * *
63 * * *
64 * * *
######
###### [8/8] Traceroute6 to (www.kame.net)
### This confirms that you can reach a Japanese IPv6 destination
### If that one is reachable you should be able to reach most IPv6 destinations
### You should also check http://www.kame.net which should display
### a animated kame (turtle), of course only when your browser supports and uses IPv6
traceroute6 to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085) from 2a01:348:6:70::2, 64 hops max, 12 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
31 * * *
32 * * *
33 * * *
34 * * *
35 * * *
36 * * *
37 * * *
38 * * *
39 * * *
40 * * *
41 * * *
42 * * *
43 * * *
44 * * *
45 * * *
46 * * *
47 * * *
48 * * *
49 * * *
50 * * *
51 * * *
52 * * *
53 * * *
54 * * *
55 * * *
56 * * *
57 * * *
58 * * *
59 * * *
60 * * *
61 * * *
62 * * *
63 * * *
64 * * *
######
###### ACCU Quick Connectivity Test (done)
### Either the above all works and gives no problems
### or it shows you where what goes wrong
### Check the SixXS FAQ (http://www.sixxs.net/faq/
### for more information and possible solutions or hints
### Don't forget to check the Forums (http://www.sixxs.net/forum/)
### for a helping hand.
### Passing the output of 'aiccu autotest >aiccu.log' is a good idea.
$ ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
groups: gif egress
physical address inet 86.18.90.66 --> 77.75.104.126
inet6 fe80::240:63ff:fec2:c2f3%gif0 -> prefixlen 64 scopeid 0x6
inet6 2a01:348:6:70::2 -> 2a01:348:6:70::1 prefixlen 128
$ netstat -rnf inet6
Routing tables
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default 2a01:348:6:70::1 UGS 0 976 - 8 gif0
::1 ::1 UH 14 593 33204 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
2a01:348:6:70::1 2a01:348:6:70::2 UH 2 280 - 4 gif0
2a01:348:6:70::2 link#6 UHL 0 12 - 4 lo0
2a01:348:134::/64 link#3 UC 2 0 - 4 fxp1
2a01:348:134::/64 link#3 UC 0 0 - 48 fxp1
2a01:348:134::1 00:08:c7:08:95:19 UHL 7 4770 - 4 lo0
2a01:348:134::f 00:12:bf:91:16:34 UHLc 0 112 - 4 fxp1
2a01:348:134::22 00:08:c7:bb:73:9b UHLc 0 65 - 4 fxp1
2a01:348:134::102 fe80::%gif1 UGHS 0 30 - 8 gif1
2a01:348:134:1::/64 link#1 UC 0 0 - 4 vr0
2a01:348:134:1::/64 link#1 UC 0 0 - 48 vr0
2a01:348:134:1::100 00:40:63:c2:c2:f3 UHL 0 0 - 4 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%vr0/64 link#1 UC 0 0 - 4 vr0
fe80::240:63ff:fec2:c2f3%vr0 00:40:63:c2:c2:f3 UHL 0 0 - 4 lo0
fe80::%fxp0/64 link#2 UC 0 0 - 4 fxp0
fe80::208:c7ff:fe08:9518%fxp0 00:08:c7:08:95:18 UHL 0 0 - 4 lo0
fe80::%fxp1/64 link#3 UC 0 0 - 4 fxp1
fe80::208:c7ff:fe08:9519%fxp1 00:08:c7:08:95:19 UHL 0 0 - 4 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#5 UHL 0 0 - 4 lo0
fe80::%gif0/64 link#6 UC 0 0 - 4 gif0
fe80::240:63ff:fec2:c2f3%gif0 link#6 UHL 0 0 - 4 lo0
fe80::%gif1/64 link#7 UC 1 0 - 4 gif1
fe80::240:63ff:fec2:c2f3%gif1 link#7 UHL 0 0 - 4 lo0
fe80::2e0:4cff:feaa:4202%gif1 link#7 UHLc 0 38 - 4 gif1
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%vr0/32 link#1 UC 0 0 - 4 vr0
ff01::%fxp0/32 link#2 UC 0 0 - 4 fxp0
ff01::%fxp1/32 link#3 UC 0 0 - 4 fxp1
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff01::%gif0/32 link#6 UC 0 0 - 4 gif0
ff01::%gif1/32 link#7 UC 0 0 - 4 gif1
ff02::/16 ::1 UGRS 0 0 - 8 lo0
ff02::%vr0/32 link#1 UC 0 0 - 4 vr0
ff02::%fxp0/32 link#2 UC 0 0 - 4 fxp0
ff02::%fxp1/32 link#3 UC 0 0 - 4 fxp1
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::%gif0/32 link#6 UC 0 0 - 4 gif0
ff02::%gif1/32 link#7 UC 0 0 - 4 gif1
$ sudo pfctl -sr
scrub in all fragment reassemble
block return log all
pass in log quick on fxp0 inet proto ipv6 from <sixxs> to 86.18.90.66 keep state
pass out log quick on fxp0 inet proto ipv6 from 86.18.90.66 to <sixxs> keep state
block drop log quick from <bruteforce>
block drop log quick on fxp0 proto tcp from any to any port = epmap
block drop log quick on fxp0 proto tcp from any to any port = netbios-ns
block drop log quick on fxp0 proto tcp from any to any port = netbios-dgm
block drop log quick on fxp0 proto tcp from any to any port = netbios-ssn
block drop log quick on fxp0 proto tcp from any to any port = microsoft-ds
block drop log quick on fxp0 proto udp from any to any port = epmap
block drop log quick on fxp0 proto udp from any to any port = netbios-ns
block drop log quick on fxp0 proto udp from any to any port = netbios-dgm
block drop log quick on fxp0 proto udp from any to any port = netbios-ssn
block drop log quick on fxp0 proto udp from any to any port = microsoft-ds
block drop in log quick on fxp0 inet from any to 255.255.255.255
block drop in log quick on fxp0 from <privnets> to any
block drop out log quick on fxp0 from any to <privnets>
pass out on egress proto tcp all flags S/SA keep state
pass out on egress proto udp all keep state
pass in on egress proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/10, overload <bruteforce> flush global, src.track 10)
pass in on fxp0 inet proto tcp from any to (fxp0) port = domain flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (fxp0) port = auth flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (fxp0) port = www flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (fxp0) port = imaps flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (fxp0) port = https flags S/SA keep state
pass in on gif inet6 proto tcp from any to any port = domain flags S/SA keep state
pass in on gif inet6 proto tcp from any to any port = auth flags S/SA keep state
pass in on gif inet6 proto tcp from any to any port = www flags S/SA keep state
pass in on gif inet6 proto tcp from any to any port = imaps flags S/SA keep state
pass in on gif inet6 proto tcp from any to any port = https flags S/SA keep state
pass in log on egress proto tcp from any to (egress) port = smtp flags S/SA keep state
pass out log on egress proto tcp from any to any port = smtp flags S/SA keep state
pass in on fxp0 inet proto udp from any to (fxp0) port = domain keep state
pass in on gif inet6 proto udp from any to any port = domain keep state
pass on fxp0 inet proto icmp all keep state
pass on gif inet6 proto ipv6-icmp all keep state
$ sudo tcpdump -nes1500 -i gif0
tcpdump: listening on gif0, link-type NULL
09:01:16.600230 fe80::240:63ff:fec2:c2f3.521 > ff02::9.521: ripng-resp 2: 2a01:348:134:1::/64 (1) 2a01:348:134::/64 (1)
09:01:16.730150 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:17.730198 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:18.730239 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:19.730238 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:29.730598 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:30.730665 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:31.730663 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
09:01:32.731663 2a01:348:6:70::2 > 2a01:348:6:70::1: icmp6: echo request
$ sudo tcpdump -nes1500 -i fxp0 icmp or icmp6
tcpdump: listening on fxp0, link-type EN10MB
09:01:50.747100 00:14:f1:19:0f:01 00:08:c7:08:95:18 0800 118: 77.75.104.126 > 86.18.90.66: icmp: 77.75.104.126 protocol 41 port 0 unreachable [tos 0x80]
09:01:51.747613 00:14:f1:19:0f:01 00:08:c7:08:95:18 0800 118: 77.75.104.126 > 86.18.90.66: icmp: 77.75.104.126 protocol 41 port 0 unreachable [tos 0x80]
09:01:52.754995 00:14:f1:19:0f:01 00:08:c7:08:95:18 0800 118: 77.75.104.126 > 86.18.90.66: icmp: 77.75.104.126 protocol 41 port 0 unreachable [tos 0x80]
09:01:53.747090 00:14:f1:19:0f:01 00:08:c7:08:95:18 0800 118: 77.75.104.126 > 86.18.90.66: icmp: 77.75.104.126 protocol 41 port 0 unreachable [tos 0x80]
09:01:54.747425 00:14:f1:19:0f:01 00:08:c7:08:95:18 0800 118: 77.75.104.126 > 86.18.90.66: icmp: 77.75.104.126 protocol 41 port 0 unreachable [tos 0x80]
$ ^D
State change: resolved
Jeroen Massar on Tuesday, 28 October 2008 14:26:43
The state of this ticket has been changed to resolved