[hipl-users] Re: Problems with RVS

  • From: Miika Komu <mkomu@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Sat, 12 Oct 2013 14:30:09 +0300

Hi Paola,

initially, Teredo traffic is forwarded through a Teredo server to guarantee NAT traversal and then the miredo software tries to pinhole the NAT. My guess is that your *site* firewall is blocking the initial messages with the Teredo server. You can double check this as follows:

mkomu@bling:~$ dig -t aaaa www.google.com

; <<>> DiG 9.8.1-P1 <<>> -t aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         214     IN      AAAA    2a00:1450:4010:c03::93

;; Query time: 333 msec
;; SERVER: 193.229.0.40#53(193.229.0.40)
;; WHEN: Sat Oct 12 14:20:35 2013
;; MSG SIZE  rcvd: 60

mkomu@bling:~$ ping6 2a00:1450:4010:c04::68
PING 2a00:1450:4010:c04::68(2a00:1450:4010:c04::68) 56 data bytes
64 bytes from 2a00:1450:4010:c04::68: icmp_seq=1 ttl=55 time=1363 ms
64 bytes from 2a00:1450:4010:c04::68: icmp_seq=2 ttl=55 time=441 ms
^C
--- 2a00:1450:4010:c04::68 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 441.913/902.595/1363.277/460.682 ms, pipe 2
mkomu@bling:~$ ip route get 2a00:1450:4010:c04::68
2a00:1450:4010:c04::68 from :: via 2a00:1450:4010:c04::68 dev teredo src 2001:0:53aa:64c:473:6a2c:ab19:60e3 metric 0

If this does not work for you, it probably means that the firewall at your site is blocking Teredo. You can contact your site administrator to open UDP port 3544.

You can also try 2001:0:53aa:64c:3026:52b2:ad4a:8b91 (my test machine), which is actually behind a real NAT unlike the Google server. If you can reach the Google server but not mine, it most likely means that either of us is using a p2p-incompatible NAT.

You can also try e.g. the 3ffe::x/64 address space for local experiments in your local LAN (or WLAN). Just configure it on eth0 (or another device) on two machines and try pinging each other.
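As an added example (not from this thread or the HIPL project), a small Python script that parses the `ip route get` line shown above, confirms that the kernel routes via the teredo device, and decodes the Teredo source address per RFC 4380: the Teredo server, the cone flag and the NAT-mapped public IPv4 address and UDP port, which is what you need to reason about whether a NAT is p2p-compatible. It also labels the address kinds that appear later in this thread (HITs in 2001:10::/28, LSIs in 1.0.0.0/8); the function names are my own.

```python
#!/usr/bin/env python3
"""Decode Teredo (RFC 4380) fields from an `ip route get` line.

Shows which Teredo server, cone flag and NAT mapping (public IPv4 and
UDP port) a host ended up with, so a failing ping6 over Teredo can be
attributed to the site firewall (no mapping at all) or to the NAT type.
"""
import ipaddress
import re
from typing import Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")  # HITs (see ip6tables rules in the thread)
LSI_PREFIX = ipaddress.IPv4Network("1.0.0.0/8")        # LSIs (see iptables rules in the thread)

def decode_teredo(addr: str) -> Optional[dict]:
    """Return server, cone flag, mapped port and mapped IPv4 of a Teredo address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    b = ip.packed
    server = ipaddress.IPv4Address(b[4:8])            # bytes 4..7: Teredo server IPv4
    flags = int.from_bytes(b[8:10], "big")            # bytes 8..9: flags, MSB = cone
    # The NAT-mapped port and client IPv4 are stored XORed with all-ones (RFC 4380 section 4).
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return {"server": str(server), "cone": bool(flags & 0x8000),
            "mapped_port": port, "mapped_ipv4": str(client)}

ROUTE_RE = re.compile(r"dev\s+(\S+).*?\bsrc\s+(\S+)")

def check_route(route_line: str) -> dict:
    """Parse one `ip route get` line: the device the kernel picked and the source
    address it will use; when that source is a Teredo address, decode it too."""
    m = ROUTE_RE.search(route_line)
    if not m:
        raise ValueError("no dev/src fields in route output")
    dev, src = m.group(1), m.group(2)
    return {"dev": dev, "src": src, "via_teredo": dev == "teredo",
            "teredo": decode_teredo(src)}

def classify(addr: str) -> str:
    """Label the address kinds seen in this thread: HIT (ORCHID), LSI, teredo or plain."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "LSI" if ip in LSI_PREFIX else "ipv4"
    if ip in ORCHID_PREFIX:
        return "HIT"
    if ip in TEREDO_PREFIX:
        return "teredo"
    return "ipv6"

if __name__ == "__main__":
    # Route line copied from the `ip route get` output in the message above.
    line = ("2a00:1450:4010:c04::68 from :: via 2a00:1450:4010:c04::68 dev teredo "
            "src 2001:0:53aa:64c:473:6a2c:ab19:60e3 metric 0")
    print(check_route(line))
```

If `via_teredo` is False the kernel is not even trying Teredo for that destination, and if it is True but the peer stays unreachable, compare the cone flag and mapped port on both sides before blaming hipd.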

On 10/11/2013 09:03 PM, Paola Venuso wrote:
Hi Miika,

I uncommented the line "Bindport 3545" in file miredo.conf as I read on
the man page of miredo and checked ufw files for rules blocking IPv6
traffic (I uncommented two about forwarding, the others about enabling
this traffic were already uncommented). Then I tried to ping6 the locators
and I got the message: unknown host.
Also I tried manual set up with IPv4-based locators, as you wrote me,
and my host exchanged HIP UPDATE and I1, R1, I2, R2 packets with another
host, with address 193.167.187.149, that I don't know but I guess maybe
it's one of the infrahip servers.
Anyway, I am not sure I checked correctly for rules about IPv6 traffic.
What should I do about this? Could all these problems be connected also
with the virtual machine net configuration? It is NAT by default, but there
are some other options.

Thanks for all the help you're giving to me.

Paola


2013/10/11 Miika Komu <mkomu@xxxxxxxxx>

    Hi Paola,

    it seems your installation is fine. Based on my own experiences, I
    think that a middlebox (firewall) is blocking your IPv6 traffic (in
    the case of Teredo it's UDP port 3544). Did you try to ping6 the
    routable addresses (locators)?

    I also recommend trying a manual set up with IPv4-based locators as
    follows:

    hipconf daemon rst all
    hipconf daemon add map PEER_HIT PEER_IPV4_ADDRESS
    ping6 PEER_HIT


    On 10/10/2013 12:42 AM, Paola Venuso wrote:

        Hi Miika,

        hipd is running at the responder, the firewall is not blocking HIP
        traffic and I don't use redhat-based distro.
        This is the output of the commands from the manual:

        paola@ubuntu:~$ dpkg -l 'hipl*'
        Desired=Unknown/Install/Remove/Purge/Hold
        | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
        |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
        ||/ Nome           Versione       Descrizione
        +++-==============-===========-==========================-==================
        ii  hipl-all       1.0.8-6429     HIP for Linux full software bundle
        ii  hipl-daemon    1.0.8-6429     HIP for Linux IPsec key management and mobil
        ii  hipl-dnsproxy  1.0.8-6429     HIP for Linux name lookup proxy
        ii  hipl-doc       1.0.8-6429     HIP for Linux documentation
        ii  hipl-firewall  1.0.8-6429     HIP for Linux multi-purpose firewall daemon
        un  hipl-minimal   <nessuna>      (nessuna descrizione disponibile)
        un  hipl-tools     <nessuna>      (nessuna descrizione disponibile)
        paola@ubuntu:~$ hipconf daemon get ha all
        Sending user message 22 to HIPD on socket 3
        Sent 40 bytes
        Waiting to receive daemon info.
        240 bytes received from HIP daemon.
        HA is I1-SENT
           Shotgun mode is off.
           Broadcast mode is off.
           Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
           Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
           Local LSI: 1.0.0.1
           Peer  LSI: 1.0.0.2
           Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
           Local NAT traversal UDP port: 10500
           Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
           Peer  NAT traversal UDP port: 10500
           Peer  hostname:

        ------------------------------------------------------------

        paola@ubuntu:~$ uname -a
        Linux ubuntu 3.5.0-41-generic #64~precise1-Ubuntu SMP Thu Sep 12
        17:01:55 UTC 2013 i686 i686 i386 GNU/Linux
        paola@ubuntu:~$ lsb_release -a
        No LSB modules are available.
        Distributor ID:    Ubuntu
        Description:    Ubuntu 12.04.3 LTS
        Release:    12.04
        Codename:    precise

        ------------------------------------------------------------

        paola@ubuntu:~$ cat /etc/hip/hipd.conf
        # Format of this file is as with hipconf, but without "hipconf daemon" prefix
        # add hi default    # add all four HITs (see bug id 592127)
        # add map HIT IP    # preload some HIT-to-IP mappings to hipd
        # add service rvs   # the host acts as HIP rendezvous (also see relay.conf)
        # add server rvs [RVS-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to rendezvous server
        # add server relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
        # add server full-relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
        hit-to-ip on # resolve HITs to locators in dynamic DNS zone
        # hit-to-ip set hit-to-ip.infrahip.net. # resolve HITs to locators in dynamic DNS zone
        nsupdate on # send dynamic DNS updates
        # add server rvs hiprvs.infrahip.net 50000 # Register to free RVS at infrahip
        # heartbeat 10 # send ICMPv6 messages inside HIP tunnels
        # locator on        # host sends all of its locators in base exchange
        # shotgun on # use all possible src/dst IP combinations to send I1/UPDATE
        # broadcast on # broadcast to LAN if no matching IP address found
        # opp normal|advanced|none
        # transform order 213 # crypto preference order (1=AES, 2=3DES, 3=NULL)
        nat plain-udp       # use UDP capsulation (for NATted environments)
        #nat port local 11111 # change local default UDP port
        #nat port peer 22222 # change local peer UDP port
        debug medium        # debug verbosity: all, medium, low or none
        default-hip-version 1 # default HIP version number for the I1 message. (1=HIPv1, 2=HIPv2)

        ------------------------------------------------------------

        paola@ubuntu:~$ sudo iptables -L -n
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
        ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
        ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
        ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
        ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
        ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

        Chain HIPFW-FORWARD (1 references)
        target     prot opt source               destination

        Chain HIPFW-INPUT (1 references)
        target     prot opt source               destination
        NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500 NFQUEUE num 0
        NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500 NFQUEUE num 0
        NFQUEUE    esp  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

        Chain HIPFW-OUTPUT (1 references)
        target     prot opt source               destination
        NFQUEUE    all  --  0.0.0.0/0            1.0.0.0/8            NFQUEUE num 0


        ------------------------------------------------------------


        paola@ubuntu:~$ sudo ip6tables -L -n
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-INPUT  all      ::/0                 ::/0
        ACCEPT     all      2001:10::/28         2001:10::/28

        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-FORWARD  all      ::/0                 ::/0

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        HIPFW-OUTPUT  all      ::/0                 ::/0
        ACCEPT     all      2001:10::/28         2001:10::/28

        Chain HIPFW-FORWARD (1 references)
        target     prot opt source               destination

        Chain HIPFW-INPUT (1 references)
        target     prot opt source               destination
        NFQUEUE    esp      ::/0                 ::/0                 NFQUEUE num 1
        NFQUEUE    all      ::/0                 2001:10::/28         NFQUEUE num 1

        Chain HIPFW-OUTPUT (1 references)
        target     prot opt source               destination
        NFQUEUE    udp      ::/0                 2001:10::/28         NFQUEUE num 1
        NFQUEUE    icmp     ::/0                 2001:10::/28         NFQUEUE num 1
        NFQUEUE    tcp      ::/0                 2001:10::/28         NFQUEUE num 1
        NFQUEUE    icmpv6   ::/0                 2001:10::/28         NFQUEUE num 1

        ------------------------------------------------------------

        paola@ubuntu:~$ ps axu | grep hip
        nobody    1002  0.0  0.1   4980  2004 ?        S    14:21   0:00 /usr/sbin/hipd -bkN
        nobody    1092  0.0  0.1   5116  1220 ?        S    14:21   0:00 /usr/sbin/hipfw -bklpFi
        root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
        root      3144  0.0  0.0      0     0 ?        Z    14:22   0:00 [hipconf] <defunct>
        paola     3304  0.0  0.0   4412   832 pts/0    S+   14:32   0:00 grep --color=auto hip

        ------------------------------------------------------------

        paola@ubuntu:~$ ps axu | grep dns
        root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
        nobody    2155  0.0  0.1   5400  1388 ?        S    14:21   0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
        paola     3307  0.0  0.0   4412   836 pts/0    S+   14:32   0:00 grep --color=auto dns


        Thanks a lot,

        Paola


        2013/10/9 Miika Komu <mkomu@xxxxxxxxx>


             Hi Paola,

             please provide some more information as instructed in the
             manual:

             http://hipl.hiit.fi/hipl/manual/HOWTO.html#quick

             Some additional questions:

             * Are you running hipd at the responder?
             * Is there a firewall blocking HIP traffic (default UDP port 10500)?
             * If you use a redhat-based distro, have you disabled SELinux (please
               refer to the manual)?


             On 10/09/2013 12:27 PM, Paola Venuso wrote:

                 Hi,
                 I have an update. I tried again direct communication and now the
                 initiator can send the I1 packet. I tried also with Teredo
                 addresses but it's the same, I can see only the I1 packet.


                 2013/10/8 Paola Venuso <pa.venuso@xxxxxxxxx>


                      I typed the name of the version wrong, I've already
                      installed the latest version. Anyway I tried out direct
                      communications as you said, with different configurations,
                      but with no success. I'm sorry to bother you but I don't
                      know what else to do. I read the manual several times but
                      obviously I'm still missing something. Maybe something
                      about the hipl firewall?

                      Thanks for your help.

                      2013/10/8 Miika Komu <mkomu@xxxxxxxxx>


                          Hi Paola,


                          On 10/08/2013 01:44 PM, Paola Venuso wrote:

                              Hi Miika,
                              Thanks for the quick answer. I'll try what you said.
                              About the latest version, where can I find it? I
                              downloaded the hipl 1.0.7 release from the infrahip
                              site but I saw nothing about the latest version.

                              Thank you very much,


                          Source code:

                          http://hipl.hiit.fi/index.php?index=source

                          There are multiple ways to get HIPL source code: binary
                          release, bazaar and the nightly tarball.

                          The binaries are here:

                          http://hipl.hiit.fi/index.php?index=download