From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-net@freebsd.org
Date: Mon, 23 May 2016 05:48:55 +0200
Subject: tinc and IPv6 routing, or: how to set up a local IPv6
Message-ID: <20160523034855.GA37797@box-fra-01.niklaas.eu>

Hello,

I already consulted freebsd-questions@ [1] but I have been unsuccessful in solving the following issue. In case this is something obvious, please bear with me. I am not a professional; it's just my hobby to play around with computers.

1: http://docs.freebsd.org/cgi/mid.cgi?20160519124446.GB2444

I am trying to set up a tinc VPN that connects two servers. In fact, the VPN is working for IPv4, but I cannot get it to work for IPv6. Because of this, I assume it's rather a routing problem with IPv6 than a problem with tinc. To be honest, I don't have any experience setting up a local IPv6, so I guess that I'm doing something wrong here. What's working though is public IPv6 connectivity for both machines.
The main aim is to connect several jails that are running on two different machines. The jails are in IPv4 networks 10.1.0.0/16 (machine A) and 10.2.0.0/16 (machine B), and in IPv6 networks fd16:dcc0:f4cc:0:0:1::/96 (machine A) and fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. Both on lo1.

What follows is, first, system related configuration; and, second, tinc related configuration. The mail is rather lengthy but this should get all important information in place.

With tinc's current configuration I end up with the following routing tables:

A $ netstat -rn | grep -e 'fd16' -e '10\.'
10.0.0.0/8                link#4                  U     tap0
10.1.0.1                  link#4                  UHS   lo0
10.1.1.1                  link#3                  UH    lo1
10.2.0.0/16               10.1.0.1                UGS   tap0
10.2.0.1                  10.1.0.1                UGHS  tap0
fd16:dcc0:f4cc::/80       link#4                  U     tap0
fd16:dcc0:f4cc::1:0:0/96  link#3                  U     lo1
fd16:dcc0:f4cc::1:0:1     link#4                  UHS   lo0
fd16:dcc0:f4cc::1:1:1     link#3                  UHS   lo0
fd16:dcc0:f4cc::2:0:0/96  fd16:dcc0:f4cc::1:0:1   UGS   lo1
fd16:dcc0:f4cc::2:0:1     fd16:dcc0:f4cc::1:0:1   UGHS  lo1
ff01::%lo1/32             fd16:dcc0:f4cc::1:1:1   U     lo1
ff01::%tap0/32            fd16:dcc0:f4cc::1:0:1   U     tap0
ff02::%lo1/32             fd16:dcc0:f4cc::1:1:1   U     lo1
ff02::%tap0/32            fd16:dcc0:f4cc::1:0:1   U     tap0

B $ netstat -rn | grep -e 'fd16' -e '10\.'
10.0.0.0/8                link#4                  U     tap0
10.1.0.0/16               10.2.0.1                UGS   tap0
10.1.0.1                  10.2.0.1                UGHS  tap0
10.2.0.1                  link#4                  UHS   lo0
10.2.1.1                  link#3                  UH    lo1
fd16:dcc0:f4cc::/80       link#4                  U     tap0
fd16:dcc0:f4cc::1:0:0/96  fd16:dcc0:f4cc::2:0:1   UGS   lo1
fd16:dcc0:f4cc::1:0:1     fd16:dcc0:f4cc::2:0:1   UGHS  lo1
fd16:dcc0:f4cc::2:0:0/96  link#3                  U     lo1
fd16:dcc0:f4cc::2:0:1     link#4                  UHS   lo0
fd16:dcc0:f4cc::2:1:1     link#3                  UHS   lo0
ff01::%lo1/32             fd16:dcc0:f4cc::2:1:1   U     lo1
ff01::%tap0/32            fd16:dcc0:f4cc::2:0:1   U     tap0
ff02::%lo1/32             fd16:dcc0:f4cc::2:1:1   U     lo1
ff02::%tap0/32            fd16:dcc0:f4cc::2:0:1   U     tap0

Note: 10.{1,2}.1.1 are two jails running on machine A and B respectively. These jails also have the IPv6 addresses fd16:dcc0:f4cc::{1,2}:1:1 assigned, respectively.
10.{1,2}.0.1 and fd16:dcc0:f4cc::{1,2}:0:1 are manually assigned because tinc's documentation asks you to do so; see the configuration below.

So, on both machines I can `ping 10.{1,2}.{0,1}.1` and I get a response. But if I `ping6 fd16:dcc0:f4cc::{1,2}:{0,1}:1` I only get a response from the machine the ping6 originates from; that is, routing over the VPN seems to work for IPv4 but not for IPv6.

This is how the interfaces look:

A $ ifconfig tap0
tap0: flags=8843 metric 0 mtu 1500
        options=80000
        ether 00:bd:6b:e5:19:00
        inet6 fd16:dcc0:f4cc::1:0:1 prefixlen 80
        inet6 fe80::2bd:6bff:fee5:1900%tap0 prefixlen 64 scopeid 0x4
        inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255
        nd6 options=23
        media: Ethernet autoselect
        status: active
        Opened by PID 6110

B $ ifconfig tap0
tap0: flags=8843 metric 0 mtu 1500
        options=80000
        ether 00:bd:60:ca:17:00
        inet6 fd16:dcc0:f4cc::2:0:1 prefixlen 80
        inet6 fe80::2bd:60ff:feca:1700%tap0 prefixlen 64 scopeid 0x4
        inet 10.2.0.1 netmask 0xff000000 broadcast 10.255.255.255
        nd6 options=23
        media: Ethernet autoselect
        status: active
        Opened by PID 16037

I have ipv6_gateway_enable="YES" in /etc/rc.conf. See also:

A $ sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding: 1

B $ sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding: 1

I don't think it's a firewall problem because I have `set skip on { lo0 tap0 }` in /etc/pf.conf, and the IPv4 VPN is working. Further, I've already tried disabling the firewall without any success: IPv4 worked while IPv6 didn't.

The following is the tinc-up script on each machine that assigns IP addresses and creates routes.
I commented out some variations that I tried but haven't had success with either:

A $ cat /usr/local/etc/tinc/klaas/tinc-up
ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80
route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1
route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1
#route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1
#route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1
ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0
route -4 add -host 10.2.0.1 10.1.0.1
route -4 add -net 10.2.0.0/16 10.1.0.1

This looks pretty much the same on machine B. $INTERFACE gets expanded to the interface that is set in tinc.conf: tap0.

I tried the variants with explicitly setting `-ifp $INTERFACE` because I realised that

                                                        vvv
fd16:dcc0:f4cc::1:0:0/96  link#3                  U     lo1

although

                                                        vvvv
10.2.0.0/16               10.1.0.1                UGS   tap0

Explicitly setting the interface changes the first entry above to tap0. Still, I cannot ping the other machine over the VPN via IPv6 though. Whether routing for the IPv6 network is set on lo1 or tap0 also depends on whether I start the jails or the tinc daemon first. I don't know whether that is an important issue.

Further, I am not sure whether I need to have rtadvd running, and if I have to, on which interface, lo1 or tap0? I tried to do so but I get errors, and still couldn't ping the other side of the VPN:

A $ cat /etc/rtadvd.conf
tap0:\
        :addrs#1:addr="fd16:dcc0:f4cc:0:0::":prefixlen#80:tc=ether:

A $ cat /etc/rc.conf
rtadvd_enable="YES"
rtadvd_interfaces="tap0"

A $ grep rtadvd /var/log/messages
May 19 10:36:18 A rtadvd[76279]: inet_pton failed for fd16:dcc0:f4cc:0:0:1:
May 19 10:36:18 A rtadvd[76279]: inet_pton failed for fd16:dcc0:f4cc:0:0:1:
May 19 10:36:34 A rtadvd[76279]: non-zero lifetime RA on RA receiving interface tap0. Ignored.
May 19 10:41:24 A rtadvd[77128]: inet_pton failed for fd16:dcc0:f4cc:0:0:1:
May 19 10:41:40 A rtadvd[77128]: non-zero lifetime RA on RA receiving interface tap0. Ignored.
May 19 10:43:12 A rtadvd[77441]: inet_pton failed for fd16:dcc0:f4cc:0:0:1:
May 19 10:43:28 A rtadvd[77441]: non-zero lifetime RA on RA receiving interface tap0. Ignored.
May 19 10:52:50 A rtadvd[77441]: non-zero lifetime RA on RA receiving interface tap0. Ignored.
May 19 12:19:19 A rtadvd[95216]: inet_pton failed for fd16:dcc0:f4cc:0:0:1:
May 19 12:19:35 A rtadvd[95216]: non-zero lifetime RA on RA receiving interface tap0. Ignored.

For those that know tinc: This is tinc.conf on machine A:

Name = A
ConnectTo = B
BindToAddress =
BindToAddress =
Device = /dev/tap0

It looks pretty much the same for machine B. Since the tinc daemons can connect, I assume everything is set up correctly here.

This is the host configuration file for A:

Address = A.domain.tld
Subnet = fd16:dcc0:f4cc:0:0:1::/96
Subnet = 10.1.0.0/16

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

Again, the configuration file for machine B looks pretty much the same, except that the subnets are the ones mentioned above.

Any help is very much appreciated!

Niklaas
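The routing tables and the rtadvd log lines quoted in the mail can be checked mechanically. The Python script below is an added example, not part of the mail and not tinc or FreeBSD code. It parses `netstat -rn`-style lines (machine A's IPv4/IPv6 entries, embedded as a constructed sample), picks out the gatewayed routes that lead into the peer's subnets, and reports any whose egress interface is not the VPN interface (assumed here to be tap0), together with the connected on-link prefix that most specifically covers the gateway address. It also validates an rtadvd `addr=` string the way inet_pton(3) would, which is what the `inet_pton failed for fd16:dcc0:f4cc:0:0:1:` lines above are complaining about (a trailing single colon is not a valid IPv6 address). One reading of machine A's table, my interpretation rather than something the mail states, is that tap0's own address fd16:dcc0:f4cc::1:0:1 lies inside the more specific fd16:dcc0:f4cc::1:0:0/96 that lo1 carries; that is exactly the kind of overlap the check flags.

```python
"""Added diagnostic for the routing tables quoted in the mail (not tinc code).

Parses FreeBSD `netstat -rn` lines (destination gateway flags netif), reports
VPN routes whose egress interface is not the tunnel interface, and validates
rtadvd-style prefix strings the way inet_pton(3) would.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gateway flags iface")

# Constructed sample: machine A's IPv4/IPv6 entries as quoted in the mail
# (most multicast ff01/ff02 lines omitted; they are filtered out anyway).
NETSTAT_A = """\
10.0.0.0/8                link#4                  U     tap0
10.1.0.1                  link#4                  UHS   lo0
10.1.1.1                  link#3                  UH    lo1
10.2.0.0/16               10.1.0.1                UGS   tap0
10.2.0.1                  10.1.0.1                UGHS  tap0
fd16:dcc0:f4cc::/80       link#4                  U     tap0
fd16:dcc0:f4cc::1:0:0/96  link#3                  U     lo1
fd16:dcc0:f4cc::1:0:1     link#4                  UHS   lo0
fd16:dcc0:f4cc::1:1:1     link#3                  UHS   lo0
fd16:dcc0:f4cc::2:0:0/96  fd16:dcc0:f4cc::1:0:1   UGS   lo1
fd16:dcc0:f4cc::2:0:1     fd16:dcc0:f4cc::1:0:1   UGHS  lo1
ff02::%tap0/32            fd16:dcc0:f4cc::1:0:1   U     tap0
"""


def parse_routes(text):
    """Turn netstat -rn lines into Route tuples; host entries become /32 or /128."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "%" in parts[0]:  # skip headers and scoped multicast
            continue
        dest, gateway, flags, iface = parts
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a numeric destination (e.g. "default")
        routes.append(Route(net, gateway, flags, iface))
    return routes


def covering_onlink_prefix(routes, gateway):
    """Most specific connected (non-G, non-H) prefix containing `gateway`,
    i.e. the interface prefix a gateway address would be associated with."""
    gw = ipaddress.ip_address(gateway)
    best = None
    for r in routes:
        if "G" in r.flags or "H" in r.flags or r.dest.version != gw.version:
            continue
        if gw in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def check_vpn_routes(text, peer_subnets, vpn_if):
    """Return (destination, actual netif, covering on-link prefix) for every
    gatewayed route into a peer subnet that does not leave via vpn_if."""
    routes = parse_routes(text)
    peers = [ipaddress.ip_network(p) for p in peer_subnets]
    problems = []
    for r in routes:
        if "G" not in r.flags:
            continue  # only gatewayed routes are VPN routes here
        if not any(r.dest.version == p.version and r.dest.subnet_of(p) for p in peers):
            continue
        if r.iface != vpn_if:
            cover = covering_onlink_prefix(routes, r.gateway)
            problems.append((str(r.dest), r.iface, str(cover.dest) if cover else None))
    return problems


def valid_rtadvd_prefix(addr, prefixlen):
    """True if `addr` parses as an IPv6 address (what inet_pton checks) and is a
    clean network prefix of length `prefixlen` (no host bits set)."""
    try:
        ipaddress.IPv6Network((addr, prefixlen), strict=True)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    peer = ["10.2.0.0/16", "fd16:dcc0:f4cc::2:0:0/96"]  # machine B's subnets
    for dest, iface, cover in check_vpn_routes(NETSTAT_A, peer, "tap0"):
        print(f"{dest} leaves via {iface}; its gateway is covered by {cover}")
    for s in ("fd16:dcc0:f4cc:0:0::", "fd16:dcc0:f4cc:0:0:1:"):
        print(s, "ok" if valid_rtadvd_prefix(s, 80) else "rejected")
```

Run against a live box, feed it `netstat -rn | grep -e 'fd16' -e '10\.'` instead of the embedded sample; a route that shows up in the report is one whose packets will never reach the tunnel, whatever the firewall says.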