[hipl-users] Re: Problems with RVS

  • From: Paola Venuso <pa.venuso@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Wed, 9 Oct 2013 23:42:46 +0200

Hi Miika,

hipd is running at the responder, the firewall is not blocking HIP traffic
and I don't use redhat-based distro.
This is the output of the commands from the manual:

paola@ubuntu:~$ dpkg -l 'hipl*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Nome           Versione       Descrizione
+++-==============-==============-============================================
ii  hipl-all       1.0.8-6429     HIP for Linux full software bundle
ii  hipl-daemon    1.0.8-6429     HIP for Linux IPsec key management and mobil
ii  hipl-dnsproxy  1.0.8-6429     HIP for Linux name lookup proxy
ii  hipl-doc       1.0.8-6429     HIP for Linux documentation
ii  hipl-firewall  1.0.8-6429     HIP for Linux multi-purpose firewall daemon
un  hipl-minimal   <nessuna>      (nessuna descrizione disponibile)
un  hipl-tools     <nessuna>      (nessuna descrizione disponibile)
paola@ubuntu:~$ hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
240 bytes received from HIP daemon.
HA is I1-SENT
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
 Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.2
 Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
 Local NAT traversal UDP port: 10500
 Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  NAT traversal UDP port: 10500
 Peer  hostname:

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ uname -a
Linux ubuntu 3.5.0-41-generic #64~precise1-Ubuntu SMP Thu Sep 12 17:01:55 UTC 2013 i686 i686 i386 GNU/Linux
paola@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.3 LTS
Release:    12.04
Codename:    precise

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ cat /etc/hip/hipd.conf
# Format of this file is as with hipconf, but without "hipconf daemon" prefix
# add hi default    # add all four HITs (see bug id 592127)
# add map HIT IP    # preload some HIT-to-IP mappings to hipd
# add service rvs   # the host acts as HIP rendezvous (also see relay.conf)
# add server rvs [RVS-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to rendezvous server
# add server relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
# add server full-relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
hit-to-ip on # resolve HITs to locators in dynamic DNS zone
# hit-to-ip set hit-to-ip.infrahip.net. # resolve HITs to locators in dynamic DNS zone
nsupdate on # send dynamic DNS updates
# add server rvs hiprvs.infrahip.net 50000 # Register to free RVS at infrahip
# heartbeat 10 # send ICMPv6 messages inside HIP tunnels
# locator on        # host sends all of its locators in base exchange
# shotgun on # use all possible src/dst IP combinations to send I1/UPDATE
# broadcast on # broadcast to LAN if no matching IP address found
# opp normal|advanced|none
# transform order 213 # crypto preference order (1=AES, 2=3DES, 3=NULL)
nat plain-udp       # use UDP capsulation (for NATted environments)
#nat port local 11111 # change local default UDP port
#nat port peer 22222 # change local peer UDP port
debug medium        # debug verbosity: all, medium, low or none
default-hip-version 1 # default HIP version number for the I1 message. (1=HIPv1, 2=HIPv2)

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
NFQUEUE num 0
NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
NFQUEUE num 0
NFQUEUE    esp  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
NFQUEUE    all  --  0.0.0.0/0            1.0.0.0/8            NFQUEUE num 0

------------------------------------------------------------------------------------------------------------------------


paola@ubuntu:~$ sudo ip6tables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all      ::/0                 ::/0
ACCEPT     all      2001:10::/28         2001:10::/28

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all      ::/0                 ::/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all      ::/0                 ::/0
ACCEPT     all      2001:10::/28         2001:10::/28

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    esp      ::/0                 ::/0                 NFQUEUE num 1
NFQUEUE    all      ::/0                 2001:10::/28         NFQUEUE num 1

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
NFQUEUE    udp      ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    icmp     ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    tcp      ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    icmpv6    ::/0                 2001:10::/28         NFQUEUE num 1

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ ps axu | grep hip
nobody    1002  0.0  0.1   4980  2004 ?        S    14:21   0:00 /usr/sbin/hipd -bkN
nobody    1092  0.0  0.1   5116  1220 ?        S    14:21   0:00 /usr/sbin/hipfw -bklpFi
root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
root      3144  0.0  0.0      0     0 ?        Z    14:22   0:00 [hipconf] <defunct>
paola     3304  0.0  0.0   4412   832 pts/0    S+   14:32   0:00 grep --color=auto hip

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ ps axu | grep dns
root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
nobody    2155  0.0  0.1   5400  1388 ?        S    14:21   0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
paola     3307  0.0  0.0   4412   836 pts/0    S+   14:32   0:00 grep --color=auto dns


Thanks a lot,

Paola


2013/10/9 Miika Komu <mkomu@xxxxxxxxx>

> Hi Paola,
>
> please provide some more information as instructed in the manual:
>
> http://hipl.hiit.fi/hipl/manual/HOWTO.html#quick
>
> Some additional questions:
>
> * Are you running hipd at the responder?
> * Is there a firewall blocking HIP traffic (default UDP port 10500)?
> * If you use redhat-based distro, have you disabled SElinux (please refer
> to the manual)?
>
>
> On 10/09/2013 12:27 PM, Paola Venuso wrote:
>
>> Hi,
>> I have an update. I tried again direct communication and now the
>> initiator can send the I1 packet. I tried also with Teredo addresses but
>> it's the same, I can see only I1 packet.
>>
>>
>> 2013/10/8 Paola Venuso <pa.venuso@xxxxxxxxx <mailto:pa.venuso@xxxxxxxxx>>
>>
>>
>>     I mistyped the name of the version; I've already installed the
>>     latest version. Anyway I tried out direct communications as you
>>     said, with different configurations, but with no success. I'm sorry
>>     to bother you but I don't know what else to do. I read the manual
>>     several times but obviously I'm still missing something. Maybe
>>     something about hipl firewall?
>>
>>     Thanks for your help.
>>
>>
>>
>>
>>     2013/10/8 Miika Komu <mkomu@xxxxxxxxx <mailto:mkomu@xxxxxxxxx>>
>>
>>
>>         Hi Paola,
>>
>>
>>         On 10/08/2013 01:44 PM, Paola Venuso wrote:
>>
>>             Hi Miika,
>>             Thanks for the quick answer. I'll try what you said. About
>>             the latest
>>             version, where can I find it? I downloaded the hipl 1.0.7
>>             release from
>>             the infrahip site but I saw nothing about the latest version.
>>
>>             Thank you very much,
>>
>>
>>         Source code:
>>
>>         http://hipl.hiit.fi/index.php?index=source
>>
>>         There are multiple ways to get HIPL source code: binary release,
>>         bazaar and the nightly tarball.
>>
>>         The binaries are here:
>>
>>         http://hipl.hiit.fi/index.php?index=download
>>
>>
>>
>>
>
>
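The `hipconf daemon get ha all` dump and the `iptables -L -n` listing in the mail above can be checked mechanically. The Python below is an added example, not code from the thread or from the HIPL project; it runs on constructed samples modelled on Paola's output, and the meaning it attaches to each state follows the standard HIP base exchange (I1, R1, I2, R2). The field names and the UDP port 10500 are taken from the thread.

```python
import re
# Constructed samples modelled on the hipconf HA dump and iptables listing pasted in the thread.
HA_OUTPUT = """HA is I1-SENT
 Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
 Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
 Local NAT traversal UDP port: 10500
 Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  NAT traversal UDP port: 10500
"""
IPTABLES_OUTPUT = """Chain INPUT (policy ACCEPT)
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
Chain OUTPUT (policy ACCEPT)
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
"""
# What an initiator-side host association parked in each base-exchange state tells you.
STATE_HINTS = {
    "I1-SENT": "I1 was sent but no R1 came back: check hipd on the responder and UDP 10500 along the path",
    "I2-SENT": "R1 arrived and I2 was sent, but no R2 came back",
    "ESTABLISHED": "base exchange completed",
}

def parse_ha(text):
    """Turn the 'HA is <state>' dump into a dict: the state plus every 'key: value' field."""
    m = re.match(r"HA is (\S+)", text)
    fields = {"state": m.group(1) if m else "UNKNOWN"}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition(":")  # first colon separates key from value
        if sep:  # lines without a colon ("Shotgun mode is off.") carry no field
            fields[re.sub(r"\s+", " ", key)] = value.strip()
    return fields

def accepted_udp_ports(iptables_text):
    """UDP ports that ACCEPT rules in `iptables -L -n` match as source or destination port."""
    return {int(p) for p in re.findall(r"^ACCEPT\s+udp\b.*udp [sd]pt:(\d+)", iptables_text, re.M)}

def diagnose(ha_text, iptables_text):
    """Return (state, findings): what the stalled state implies, plus any missing UDP rule."""
    ha = parse_ha(ha_text)
    findings = [STATE_HINTS.get(ha["state"], "unrecognised state " + ha["state"])]
    if not ha.get("Peer IP"):
        findings.append("peer has no locator, so hipd has nowhere to send I1")
    open_ports = accepted_udp_ports(iptables_text)
    for side in ("Local", "Peer"):
        port = ha.get(side + " NAT traversal UDP port", "")
        if port.isdigit() and int(port) not in open_ports:
            findings.append("no ACCEPT rule for UDP port %s (%s HIP port)" % (port, side.lower()))
    return ha["state"], findings
print(diagnose(HA_OUTPUT, IPTABLES_OUTPUT))
```

On the sample the local firewall passes UDP 10500 both ways and the association still sits in I1-SENT, which points at the responder side or the path in between rather than at this host's rules.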
