SIXxS aiccu IPv6 Tunnel

Ok, I am able to get aiccu connected on my router and I am able to ping6 to IPv6 addresses successfully from the router, but my clients are unable to pull IPv6 addresses and connect to IPv6 themselves. Any guidance is appreciated.
 
It is working for me. Here is something off the top of my head.
Installed aiccu using entware, edited config. Set up 6in4.
Make sure hardware acceleration is turned off.

I am not at home, I can help more after I reach home.


Sent from my iPhone using Tapatalk
 
Would be interested to know the details of your configuration. I have aiccu running and the router is able to reach IPv6 when I have it set to DHCP-PD. When I switch to 6in4, the router is no longer able to reach IPv6.
 
In SixXS, make sure that the Tunnel Type / endpoint is 6in4-heartbeat.

Here is my aiccu config file.
username, password and tunnel_id should be changed according to your account details.
Code:
# AICCU Configuration

# Login information
username <first line of TIC Password for this tunnel>
password <TIC Password for this tunnel, password you have setup>

# Interface names to use
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface sixxs

# The tunnel_id to use
# (only required when there are multiple tunnels in the list)
tunnel_id <Tunnel Information for xxxxxx, this xxxxxx is tunnel id>

# Be verbose?
verbose false

# Daemonize?
daemonize true

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is built with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false



Here are the 6in4 tunnel details:
Code:
Connection type - Tunnel 6in4
Server IPv4 Address - pop ipv4 (from SixXS tunnel detail page)
Client IPv6 Address - Your IPv6 (from SixXS tunnel detail page)
IPv6 Prefix Length - 64
Tunnel MTU - 1480 (I have changed it in SixXS, Tunnel MTU section)
Tunnel TTL - 255
LAN Prefix Length - 64
LAN IPv6 Prefix - subnet prefix in SUBNETS TABLE without /64
IPv6 DNS Server 1 - 2001:470:20::2
Enable Router Advertisement - Enable
Enable DHCPv6 Server - Enable

This is important or IPv6 will not work.
Now go to LAN > SWITCH CONTROL; NAT Acceleration should be disabled.
 
I am using aiccu w/o issues with NAT Acceleration enabled.

I had some timing issues w/ aiccu start. Therefore I delay aiccu start.

Since the release 374.42 "radvd" and "dhcpv6" are no longer started automatically. I do it manually via start scripts.

Here is my solution:

/jffs/scripts/wan-start:
Code:
#!/bin/sh
ifconfig br0 <mylocal IPv6 router address>/64

ip -f inet6 route del default dev eth0

(sleep 60; /jffs/scripts/IPv6Start)&

/jffs/scripts/IPv6Start:

Code:
#!/bin/sh
/opt/sbin/aiccu start /opt/etc/aiccu.conf

if [ ! -f /tmp/var/run/radvd.pid ]
then
        cp /jffs/configs/radvd.conf /etc
        radvd -u admin
fi

if [ ! -f /tmp/var/run/dhcp6s.pid ]
then
        cp /jffs/configs/dhcp6s.conf /etc
        dhcp6s br0
fi

sleep 180

if [ ! -f /tmp/var/run/aiccu.pid ]
then
        /opt/sbin/aiccu start /opt/etc/aiccu.conf
fi
 
Thanks for this. In the wan-start script, is <mylocal IPv6 router address> the a) Client IPv6 or b) LAN IPv6 address?
 
It's the router's address in your LAN. The address is a combination of the subnet prefix you got from SixXS (the /64 prefix you got w/ your tunnel or, if you requested a dedicated subnet, one subnet out of the /48 prefix) + the EUI-64 identifier of your router's br0 interface (these are the rightmost 64 bits of the "fe80::..." address).
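Added example, not part of the thread: the address composition described in the answer above, as shell functions. The function names and all addresses (2001:db8::/32 documentation prefix, sample MAC) are constructed for illustration; it goes slightly beyond the post by also deriving the identifier from a MAC address so the two can be cross-checked.

```sh
#!/bin/sh
# Added example: compose the router's LAN address for br0 from the routed
# /64 prefix and the interface identifier. Addresses are constructed samples.

# Number of colon-separated groups in $1.
count_groups() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    echo $#
}

# Rightmost 64 bits of a link-local address, always as four groups.
iid_from_linklocal() {
    ll=${1%%/*}                          # drop a trailing /64 if present
    case "$ll" in
        fe80::?*) iid=${ll#fe80::} ;;
        *) echo "not a compressed fe80:: address: $1" >&2; return 1 ;;
    esac
    n=$(count_groups "$iid")
    [ "$n" -le 4 ] || { echo "identifier longer than 64 bits: $1" >&2; return 1; }
    # "::" may have swallowed leading zero groups of the identifier.
    while [ "$n" -lt 4 ]; do iid="0:$iid"; n=$((n + 1)); done
    echo "$iid"
}

# Modified EUI-64 from a MAC: flip the universal/local bit, insert ff:fe.
eui64_from_mac() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) $(( (0x$5 << 8) | 0x$6 ))
}

# lan_addr PREFIX IID: PREFIX is the /64 with or without a "::/64" suffix.
lan_addr() {
    p=${1%%/*}; p=${p%::}
    n=$(count_groups "$p")
    while [ "$n" -lt 4 ]; do p="$p:0"; n=$((n + 1)); done
    echo "$p:$2"
}

# Demo with a constructed prefix and link-local address.
lan_addr 2001:db8:1234:5678 "$(iid_from_linklocal fe80::a2b3:ccff:fedd:eeff)"
```

The result is the value to substitute for the `<mylocal IPv6 router address>` placeholder in the wan-start script.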
 
I am in a double NAT situation and therefore unable to use 6in4-heartbeat tunnels. Is this mission critical in this case?
 
Could anybody help me with this issue? Should I add some script to aiccu package? At this moment there is a binary only.

I remember gw6c/vpnc packages has some shell script to fire up a tunnel.
 
You don't need aiccu.sh on Merlin Asuswrt.

Put your aiccu.conf in /opt/etc/

Create a script something like this one in /jffs/scripts/wan-start and chmod it 755. The sleep 60 is there to give ntp time to set the router's clock because aiccu won't run if the time is not more-or-less synchronized with the server.

Code:
#!/bin/sh

/usr/bin/logger -t $(basename $0) "started [$@]"

# Start SIXXS IPV6 tunnel
# wait for ntp to set system time
( sleep 60 ; /opt/sbin/aiccu start /opt/etc/aiccu.conf ) &

/usr/bin/logger -t $(basename $0) "finished [$@]"

I had a problem with the built-in firewall rules after I rebooted to install 376.49_5 (which I didn't have before) and I haven't figured that out yet. I was searching for a solution to that problem when I came across your post. For now I disabled the built-in IPv6 rules and put my own in instead to get IPv6 connectivity for the clients behind the router. You may have to do the same thing.
 
Small addition here, I also had issues with the IPv6 firewall in the web interface. The reason was that aiccu was configuring a tunnel on virtual interface called sixxs while the web interface was expecting to use interface v6in4 (when set to 6in4 tunnel) or WAN (when using native). I now put the web interface on 6in4 tunnel and changed aiccu to use v6in4 as the ipv6_interface rather than sixxs, and now the IPv6 firewall also works.
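Added example, not part of the thread: a small check of an aiccu.conf for the two settings this thread turns on, namely `requiretls` (per the config comments, `false` lets the TIC login continue when starttls is unavailable) and an `ipv6_interface` name that differs from the `v6in4` interface the last post says the web interface's IPv6 firewall expects. The function names, the WARN wording, the permission check and the treatment of an unset `requiretls` as a finding are assumptions of this example; the sample config is constructed.

```sh
#!/bin/sh
# Added example: flag aiccu.conf settings discussed in this thread.
# The function names and WARN wording are made up for this illustration.

# conf_value FILE KEY: last value assigned to KEY; comment lines are skipped
# because their first field is "#".
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# audit_aiccu_conf FILE [FIREWALL_IF]: print one WARN line per finding.
audit_aiccu_conf() {
    conf=$1
    fw_if=${2:-v6in4}    # interface the thread says the 6in4 firewall expects
    tls=$(conf_value "$conf" requiretls)
    tun_if=$(conf_value "$conf" ipv6_interface)

    # With requiretls false, aiccu continues when starttls is not supported,
    # so the TIC login is not guaranteed to be encrypted.
    [ "$tls" = "true" ] ||
        echo "WARN requiretls: is '${tls:-unset}', TIC login may fall back to cleartext"

    # Firewall rules written for $fw_if do not cover a tunnel named otherwise.
    [ "$tun_if" = "$fw_if" ] ||
        echo "WARN ipv6_interface: tunnel is '${tun_if:-unset}', firewall expects '$fw_if'"

    # The file holds the TIC password; only the owner should read it.
    case $(ls -ld "$conf") in
        ????r*|???????r*)
            echo "WARN permissions: $conf is readable by group or others" ;;
    esac
    return 0
}

# Demo on a constructed config that mirrors the settings posted above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
username EXAMPLE-SIXXS
password example-password
ipv6_interface sixxs
# requiretls true
requiretls false
EOF
chmod 644 "$demo"
audit_aiccu_conf "$demo"
rm -f "$demo"
```

On the router it would be called as `audit_aiccu_conf /opt/etc/aiccu.conf`; no output means none of the three conditions was found.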
 
