Project L6: IPv6 Gateway on Ubuntu (15 pts.)

What You Need

The previous projects are in the "Linux IPv6 Projects" section of this page:

http://samsclass.info/ipv6/60_F12.php#projects

Purpose

This gateway will provide IPv6 connectivity to clients running Windows or Mac, even if they are behind NAT and only connected via IPv4.

Connect to your VPN

You did this in a previous project. It works for both PC and Mac.

The next sections are specific to the Mac and PC. Use the steps that match your machine.

Testing Configuration on a Mac Client

In System Preferences, open Network.

Your VPN connection should appear on the left with a green dot, and a status of "Connected", as shown below:

On your Mac, open a Terminal window and execute this command:

ifconfig
A virtual adapter named ppp0 is shown, with an address in the 172.22.1.0 network, as shown below:

Enabling IPv6

Notice that the ppp0 interface doesn't have any IPv6 address, not even an fe80:: address.

That's because IPv6 is not enabled on it.

To enable IPv6 on all interfaces, on your Mac, in a Terminal window, execute this command:

sudo ip6 -a
You may see some errors for other interfaces, but not for ppp0, as shown below:

Then, on your Mac, in a Terminal window, execute this command:

ifconfig ppp0
Now ppp0 has an fe80: address, as shown below:

Since you are using a Mac, skip the Windows 7 section below, and go directly to the "Viewing your HE Tunnel Details" section.

Testing Configuration on a Windows 7 Client

On your Windows 7 client machine, in Network Connections, connect to the VPN.

In an Administrator Command Prompt window, execute this command:

ipconfig
You should see a "PPP adapter VPN Connection" with an IPv4 address starting with 172.22.1 and a Link-Local IPv6 Address starting with fe80:, as shown below:

Viewing your HE Tunnel Details

Open a Web browser and go to http://tunnelbroker.net/

At the upper left, log in.

Your tunnel appears at the bottom of the screen, as shown below:

If you don't have a tunnel, go do the previous project to make one.

Click the name of your tunnel.

The details of your tunnel appear, as shown below:

Understanding Routed Prefixes

You have a "Routed /64" right now, which is enough for one subnet, since the recommended size is /64 for each subnet.

But the recommended procedure for assigning addresses is to start with a larger block and subnet it. We'll do that.

In the "Tunnel Details" screen, in the "Routed IPV6 Prefixes" section, click "Assign /48".

After a few seconds, your assigned /48 appears, as shown below:

My routed /48 is:

2001:470:f19e::/48
Filling in zeroes, the address becomes:
2001:0470:f19e:0000:0000:0000:0000:0000
-------------- ---- -------------------
WAN Prefix     Sub         Host
The first 3 fields, labelled "WAN Prefix" in the diagram above, contain a total of 48 bits. All addresses starting with those 48 bits will be routed from the Internet through your tunnel by Hurricane Electric.

The next field, labelled "Sub" in the diagram above, is yours to use, to divide the addresses into subnets to meet your business needs.

For example, if CCSF were to use these addresses, we might divide them this way:

2001:470:f19e:1::/64 -- Administration
2001:470:f19e:2::/64 -- VoIP Phones
2001:470:f19e:3::/64 -- Library
2001:470:f19e:4::/64 -- CNIT
etc.
Each division gets a complete /64, with more than 16 billion billion addresses, so there will never be any reason for them to need more addresses.

Right now, we are only connecting one category of devices: VPN Clients.

2001:470:f19e:1::/64 -- VPN Clients
We need to assign the first address to the Linux server:
2001:470:f19e:1::1/64
And all the clients should auto-configure addresses in that network.

Assigning the VPN Gateway Address on the Server

Whenever the VPN connects, we need to run a script to configure it on the server. On your Linux server, execute these commands:
sudo cp /etc/ppp/ipv6-up /etc/ppp/ipv6-up.bak

sudo nano /etc/ppp/ipv6-up
Scroll to the bottom of this file and add these lines, replacing the first IPv6 address with the first address in your routed subnet, and the second one with the "Server IPv6 Address" in the "Tunnel Endpoints" section of your Hurricane Electric Tunnel Details:
ifconfig ppp0 add 2001:470:f19e:1::1/64
as shown below:

Save the file with Ctrl+X, Y, Enter.

On your client, disconnect and reconnect to the VPN.

On your Linux server, execute this command:

ifconfig ppp0
The ppp0 interface automatically gets the first address in your routed subnet, as shown below:

Enabling IPv6 Forwarding

On your Linux server, execute this command:
sudo nano /etc/sysctl.conf
Find this section:
# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
Remove the # at the start of the fourth line, like this:
# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
This makes your Linux server act as an IPv6 router, so it can be the source of Router Advertisements rather than a host that accepts them.

Save the file with Ctrl+X, Y, Enter.

To make the change take effect immediately, on your Linux server, execute this command:

sudo /sbin/sysctl -p

Installing radvd

radvd is the Router Advertisement Daemon.

On your Linux server, execute this command:

sudo apt-get install radvd -y

Creating the radvd.conf File

On your Linux server, execute this command:
sudo nano /etc/radvd.conf
Paste in the code below, inserting your own routed prefix in the prefix line:
interface ppp0
{
   AdvSendAdvert on;
   MaxRtrAdvInterval 10;

   prefix 2001:470:f19e:1::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
   };
};

Save the file with Ctrl+X, Y, Enter.

Note: This configuration only provides IPv6 service to the first client that connects.

If you plan to have more clients than that, you need to add more sections to this file. But each section will need to use a different IPv6 subnet.
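The subnet plan in the "Understanding Routed Prefixes" section and the note above about one stanza per client can be worked out together. This is an added example written for this page, not code from the project or from radvd: it carves the page's routed /48 into /64 subnets, one per PPP interface, and emits the matching ifconfig line and radvd.conf stanza for each. The interface count is an assumed value; the /48 is the one shown on the page.

```python
# Added example (not part of the original project page): carve the Hurricane
# Electric routed /48 into /64s, one per PPP link, and generate the matching
# /etc/ppp/ipv6-up line and /etc/radvd.conf stanza for each link.
import ipaddress
from itertools import islice

ROUTED_48 = ipaddress.IPv6Network("2001:470:f19e::/48")  # value from the page


def split_fields(address):
    """Split an address into the (WAN Prefix, Sub, Host) fields of the diagram."""
    groups = ipaddress.IPv6Address(address).exploded.split(":")
    return ":".join(groups[:3]), groups[3], ":".join(groups[4:])


def gateway_subnets(routed, count, first_sub=1):
    """Return [(interface, /64 network, gateway ::1 address), ...].

    Subnet field 0 is skipped so the first client subnet is ...:1::/64,
    matching the page's "2001:470:f19e:1::/64 -- VPN Clients" plan.
    """
    plan = []
    subs = islice(routed.subnets(new_prefix=64), first_sub, first_sub + count)
    for i, net in enumerate(subs):
        gateway = ipaddress.IPv6Interface(f"{net.network_address + 1}/64")
        plan.append((f"ppp{i}", net, gateway))
    return plan


def ifconfig_lines(plan):
    """Lines to append to /etc/ppp/ipv6-up (the page uses ifconfig, not ip)."""
    return [f"ifconfig {ifc} add {gw.with_prefixlen}" for ifc, _, gw in plan]


def radvd_conf(plan):
    """One interface stanza per PPP link, each advertising its own /64,
    because a single ppp0 stanza only serves the first client to connect."""
    stanzas = []
    for ifc, net, _ in plan:
        stanzas.append(
            f"interface {ifc}\n{{\n   AdvSendAdvert on;\n   MaxRtrAdvInterval 10;\n\n"
            f"   prefix {net.with_prefixlen}\n   {{\n        AdvOnLink on;\n"
            f"        AdvAutonomous on;\n   }};\n}};\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    plan = gateway_subnets(ROUTED_48, 3)  # 3 PPP links is an assumed count
    print("\n".join(ifconfig_lines(plan)))
    print(radvd_conf(plan))
```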

Starting radvd

On your Linux server, execute this command:
sudo /etc/init.d/radvd start
You should see this message: "Starting radvd: radvd", as shown below:

If you get an error message instead, follow the advice it gives to correct the problem.

Please note that you cannot use "sudo /etc/init.d/radvd restart" to start radvd the first time; you must use "sudo /etc/init.d/radvd start".

Observing Router Advertisements on the Server

On your Linux server, execute this command:
sudo tcpdump -c 1 -i eth0 -nvvvX dst ff02::1
This captures one packet on eth0, filtered to packets sent to ff02::1 (the link-local all-nodes multicast address), and prints its headers in detail along with a hex dump of the payload.

Within ten seconds, you should see a packet captured, as shown below:

Notice that the payload of the packet contains the subnet prefix, as highlighted in the image above.

The Router Advertisements are being sent, and they contain the correct prefix.
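To confirm programmatically what the tcpdump highlight shows, here is an added example (written for this page, not from radvd or the project) that parses an ICMPv6 Router Advertisement, walks its options to find the Prefix Information option, and checks that the advertised prefix is the one configured in radvd.conf. It goes a little beyond the page by handling any option order and rejecting malformed option lengths as RFC 4861 requires. The packet bytes are constructed to match the page's configuration; the checksum field is a placeholder and is not verified.

```python
# Added example (not part of the original project page): decode the ICMPv6
# Router Advertisement that radvd sends and verify its Prefix Information.
import ipaddress
import struct

ICMP6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3

# Constructed sample: ICMPv6 header onward (the IPv6 header is not included).
SAMPLE_RA = bytes.fromhex(
    "86 00 0000"                  # type 134, code 0, checksum (placeholder)
    "40 00 0708"                  # cur hop limit 64, flags 0, lifetime 1800 s
    "00000000 00000000"           # reachable time, retrans timer
    "05 01 0000 00000500"         # MTU option (type 5): 1280, typical for PPP
    "03 04 40 c0"                 # Prefix Info: len 4 (32 bytes), /64, L+A flags
    "00015180 00003840 00000000"  # valid 86400 s, preferred 14400 s, reserved
    "2001 0470 f19e 0001 0000 0000 0000 0000"  # the page's routed /64
)


def parse_ra(icmp6):
    """Return hop limit, router lifetime and the list of advertised prefixes."""
    if len(icmp6) < 16 or icmp6[0] != ICMP6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop_limit, _flags, lifetime = struct.unpack_from("!BBH", icmp6, 4)
    prefixes = []
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1]  # length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length option")  # must be discarded (RFC 4861)
        end = off + olen * 8
        if end > len(icmp6):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            valid, preferred = struct.unpack_from("!II", icmp6, off + 4)
            net = ipaddress.IPv6Network((bytes(icmp6[off + 16:off + 32]), plen),
                                        strict=False)
            prefixes.append({"prefix": net, "onlink": bool(pflags & 0x80),
                             "autonomous": bool(pflags & 0x40),
                             "valid": valid, "preferred": preferred})
        off = end
    return {"hop_limit": hop_limit, "router_lifetime": lifetime, "prefixes": prefixes}


def ra_advertises(icmp6, expected):
    """True if the RA carries `expected` with the Autonomous flag set (SLAAC)."""
    want = ipaddress.IPv6Network(expected)
    return any(p["prefix"] == want and p["autonomous"]
               for p in parse_ra(icmp6)["prefixes"])
```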

Enabling IPv6 in PPP

On your Linux server, execute this command:
ifconfig ppp0
The ppp0 interface doesn't have any IPv6 address, not even an fe80:: one, as shown below:

That's bad, because radvd cannot send Router Advertisements out an interface that has no link-local IPv6 address.

To fix that problem, on your Linux server, execute this command:

sudo nano /etc/ppp/options
Add this line at the top of the file:
+ipv6 ipv6cp-use-ipaddr
as shown below:

Save your changes with Ctrl+X, Y, Enter.

After this change, disconnect and reconnect the VPN interface on your client. On your Linux server, execute this command:

ifconfig ppp0
Now the ppp0 interface has an fe80:: address, as shown below:

Observing Router Advertisements on the Client

This only seems to be possible on the Mac. If you are using a PC, just skip ahead to the "Viewing the SLAAC Address on the Client" section. On your Mac, make sure your VPN connection is connected, and run Wireshark.

In Wireshark, click Capture, Interfaces.

Start a capture on the VPN interface, which is ppp0 on the Mac, as shown below:

Within ten seconds, you should see a Router Advertisement with the correct Prefix Information, as shown below:

Enabling SLAAC on the Mac OS X Client

On your Mac OS X client, in a Terminal window, execute this command:
sudo sysctl -w net.inet6.ip6.accept_rtadv=1

Viewing the SLAAC Address on the Client

The next sections are specific to the Mac and PC. Use the steps that match your machine.

Viewing the SLAAC Address on a Mac Client

Make sure your VPN is connected.

On your Mac OS X client, in a Terminal window, execute this command:

ifconfig ppp0
Now the ppp0 interface has an autoconfigured IPv6 address in your routed subnet, starting with 2001:470:, as shown below:

Saving the Screen Image

Make sure the address starting with "2001:470:" is visible on the ppp interface.

Save a screen shot of this image with the filename

Proj L6a from Your Name

Adding a Default Route to the Mac OS X Client

On your Mac OS X client, in a Terminal window, execute this command, replacing the IP address with the gateway address for your routed subnet:
sudo route add -inet6 default 2001:470:f19e:1::1

Traceroute on the Mac OS X Client

On your Mac OS X client, in a Terminal window, execute this command:
traceroute6 google.com
Your second hop should be an ipv6.he.net address, as shown below:

Saving the Screen Image

Make sure the second hop is an ipv6.he.net address.

Save a screen shot of this image with the filename

Proj L6b from Your Name
Since you are using a Mac, skip to the "Turning In your Project" section.

Disabling the Teredo Adapter from the Windows 7 Client

If you put a Teredo connection on the Windows 7 client in a previous project, disable it with this command in an Administrator Command Prompt window:
netsh interface teredo set state disable

Disconnecting Other Clients

If you have both a PC and Mac available, you need to disconnect the Mac's VPN connection, then disconnect the PC's VPN connection, then reconnect the PC's VPN connection.

This is required because only the first VPN connection will get IPv6 service, as explained previously.

Blocking IPv4 Internet Traffic through the VPN on the Windows 7 Client

On your Windows 7 client, in Network connections, disconnect the VPN.

Right-click the "VPN Connection" icon and click Properties.

In the "VPN Connection Properties" sheet, click the Networking tab.

Click "Internet Protocol Version 4 (TCP/IPv4)", as shown below, and click Properties.

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" sheet, click the Advanced button.

In the "Advanced TCP/IP Settings" box, clear the "Use default gateway on remote network" check box, as shown below:

In the "Advanced TCP/IP Settings" box, click the OK button.

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" sheet, click the OK button.

In the "VPN Connection Properties" sheet, click the OK button.

Right-click the "VPN Connection" icon and click Connect. Enter your password and connect to the VPN.

On your Windows 7 client machine, in an Administrator Command Prompt window, execute this command:

ping -4 google.com
You should see replies, as shown below:

Viewing the SLAAC Address on a Windows 7 Client

Make sure your VPN is connected.

On your Windows 7 client machine, in an Administrator Command Prompt window, execute this command:

ipconfig
You should see a "PPP adapter VPN Connection" with an IPv6 address starting with 2001:470, and a Link-Local IPv6 Address starting with fe80:, as shown below:

Saving the Screen Image

Make sure the address starting with "2001:470:" is visible on the ppp interface.

Save a screen shot of this image with the filename

Proj L6a from Your Name

Adding a Default Route to the Windows 7 Client

On your Windows 7 client machine, in an Administrator Command Prompt window, execute these commands, replacing the IPv6 address with the gateway address for your routed subnet:
netsh interface ipv6 add route ::/0 "VPN Connection" 2001:470:f19e:1::1

ping -6 google.com
You should see replies, as shown below:

Using Tracert -6 on the Windows 7 Client

On your Windows 7 client machine, in an Administrator Command Prompt window, execute this command:
tracert -6 google.com
The second hop should be an ipv6.he.net address, as shown below:

Saving the Screen Image

Make sure the second hop is an ipv6.he.net address.

Save a screen shot of this image with the filename

Proj L6b from Your Name

Turning In your Project

Email the images to cnit.60@gmail.com with a subject line of
Proj L6 from Your Name

Sources

https://wiki.ubuntu.com/IPv6

http://forums.digitalpoint.com/showthread.php?t=84966

https://discussions.apple.com/thread/4294034?start=0&tstart=0

http://ipv6int.net/systems/mac_os_x-ipv6.html

Last modified 5:45 pm 10-1-12