[hipl-users] Re: Problems with RVS

  • From: Miika Komu <mkomu@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Fri, 11 Oct 2013 13:45:32 +0300

Hi Paola,

it seems your installation is fine. Based on my own experience, I think that a middlebox (firewall) is blocking your IPv6 traffic (in the case of Teredo it's UDP port 3544). Did you try to ping6 the routable addresses (locators)?

I also recommend trying a manual setup with IPv4-based locators as follows:

hipconf daemon rst all
hipconf daemon add map PEER_HIT PEER_IPV4_ADDRESS
ping6 PEER_HIT

On 10/10/2013 12:42 AM, Paola Venuso wrote:
Hi Miika,

hipd is running at the responder, the firewall is not blocking HIP
traffic and I don't use redhat-based distro.
This is the output of the commands from the manual:

paola@ubuntu:~$ dpkg -l 'hipl*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Nome           Versione       Descrizione
+++-==============-==============-============================================
ii  hipl-all       1.0.8-6429     HIP for Linux full software bundle
ii  hipl-daemon    1.0.8-6429     HIP for Linux IPsec key management and mobil
ii  hipl-dnsproxy  1.0.8-6429     HIP for Linux name lookup proxy
ii  hipl-doc       1.0.8-6429     HIP for Linux documentation
ii  hipl-firewall  1.0.8-6429     HIP for Linux multi-purpose firewall daemon
un  hipl-minimal   <nessuna>      (nessuna descrizione disponibile)
un  hipl-tools     <nessuna>      (nessuna descrizione disponibile)
paola@ubuntu:~$ hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
240 bytes received from HIP daemon.
HA is I1-SENT
  Shotgun mode is off.
  Broadcast mode is off.
  Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
  Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
  Local LSI: 1.0.0.1
  Peer  LSI: 1.0.0.2
  Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
  Local NAT traversal UDP port: 10500
  Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
  Peer  NAT traversal UDP port: 10500
  Peer  hostname:

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ uname -a
Linux ubuntu 3.5.0-41-generic #64~precise1-Ubuntu SMP Thu Sep 12 17:01:55 UTC 2013 i686 i686 i386 GNU/Linux
paola@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.3 LTS
Release:    12.04
Codename:    precise

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ cat /etc/hip/hipd.conf
# Format of this file is as with hipconf, but without "hipconf daemon" prefix
# add hi default    # add all four HITs (see bug id 592127)
# add map HIT IP    # preload some HIT-to-IP mappings to hipd
# add service rvs   # the host acts as HIP rendezvous (also see relay.conf)
# add server rvs [RVS-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to rendezvous server
# add server relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
# add server full-relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
hit-to-ip on # resolve HITs to locators in dynamic DNS zone
# hit-to-ip set hit-to-ip.infrahip.net. # resolve HITs to locators in dynamic DNS zone
nsupdate on # send dynamic DNS updates
# add server rvs hiprvs.infrahip.net 50000 # Register to free RVS at infrahip
# heartbeat 10 # send ICMPv6 messages inside HIP tunnels
# locator on        # host sends all of its locators in base exchange
# shotgun on # use all possible src/dst IP combinations to send I1/UPDATE
# broadcast on # broadcast to LAN if no matching IP address found
# opp normal|advanced|none
# transform order 213 # crypto preference order (1=AES, 2=3DES, 3=NULL)
nat plain-udp       # use UDP capsulation (for NATted environments)
#nat port local 11111 # change local default UDP port
#nat port peer 22222 # change local peer UDP port
debug medium        # debug verbosity: all, medium, low or none
default-hip-version 1 # default HIP version number for the I1 message. (1=HIPv1, 2=HIPv2)

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500 NFQUEUE num 0
NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500 NFQUEUE num 0
NFQUEUE    esp  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
NFQUEUE    all  --  0.0.0.0/0            1.0.0.0/8            NFQUEUE num 0

------------------------------------------------------------------------------------------------------------------------


paola@ubuntu:~$ sudo ip6tables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all      ::/0                 ::/0
ACCEPT     all      2001:10::/28         2001:10::/28

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all      ::/0                 ::/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all      ::/0                 ::/0
ACCEPT     all      2001:10::/28         2001:10::/28

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    esp      ::/0                 ::/0                 NFQUEUE num 1
NFQUEUE    all      ::/0                 2001:10::/28         NFQUEUE num 1

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
NFQUEUE    udp      ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    icmp     ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    tcp      ::/0                 2001:10::/28         NFQUEUE num 1
NFQUEUE    icmpv6    ::/0                 2001:10::/28         NFQUEUE num 1

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ ps axu | grep hip
nobody    1002  0.0  0.1   4980  2004 ?        S    14:21   0:00 /usr/sbin/hipd -bkN
nobody    1092  0.0  0.1   5116  1220 ?        S    14:21   0:00 /usr/sbin/hipfw -bklpFi
root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
root      3144  0.0  0.0      0     0 ?        Z    14:22   0:00 [hipconf] <defunct>
paola     3304  0.0  0.0   4412   832 pts/0    S+   14:32   0:00 grep --color=auto hip

------------------------------------------------------------------------------------------------------------------------

paola@ubuntu:~$ ps axu | grep dns
root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
nobody    2155  0.0  0.1   5400  1388 ?        S    14:21   0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
paola     3307  0.0  0.0   4412   836 pts/0    S+   14:32   0:00 grep --color=auto dns


Thanks a lot,

Paola


2013/10/9 Miika Komu <mkomu@xxxxxxxxx>

    Hi Paola,

    please provide some more information as instructed in the manual:

    http://hipl.hiit.fi/hipl/manual/HOWTO.html#quick

    Some additional questions:

    * Are you running hipd at the responder?
    * Is there a firewall blocking HIP traffic (default UDP port 10500)?
    * If you use a redhat-based distro, have you disabled SELinux (please
    refer to the manual)?


    On 10/09/2013 12:27 PM, Paola Venuso wrote:

        Hi,
        I have an update. I tried again direct communication and now the
        initiator can send the I1 packet. I tried also with Teredo addresses
        but it's the same, I can see only I1 packet.


        2013/10/8 Paola Venuso <pa.venuso@xxxxxxxxx>


             I typed the name of the version wrong, I've already installed the
             latest version. Anyway I tried out direct communications as you
             said, with different configurations, but with no success. I'm sorry
             to bother you but I don't know what else to do. I read the manual
             several times but obviously I'm still missing something. Maybe
             something about hipl firewall?

             Thanks for your help.




             2013/10/8 Miika Komu <mkomu@xxxxxxxxx>


                 Hi Paola,


                 On 10/08/2013 01:44 PM, Paola Venuso wrote:

                     Hi Miika,
                     Thanks for the quick answer. I'll try what you said. About
                     the latest version, where can I find it? I downloaded the
                     hipl 1.0.7 release from the infrahip site but I saw nothing
                     about the latest version.

                     Thank you very much,


                 Source code:

                 http://hipl.hiit.fi/index.php?index=source

                 There are multiple ways to get HIPL source code: binary
        release,
                 bazaar and the nightly tarball.

                 The binaries are here:

                 http://hipl.hiit.fi/index.php?index=download
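The two checks Miika suggests at the top of the thread (ping6 the peer's locator, then retry with a manual IPv4 mapping), folded into a small script that first parses the "hipconf daemon get ha all" dump Paola posted so that the HA state and peer locator do not have to be copied by hand. This is an added example, not code from the thread or from HIPL; it assumes hipconf and ping6 are on PATH, that PEER_HIT and PEER_IPV4 are set in the environment for the manual-mapping step, and that state names other than I1-SENT follow hipd's state machine.

```shell
#!/bin/sh
# hip_diag.sh: parse the "hipconf daemon get ha all" dump, report what the
# association state means, and run the two reachability checks from the
# thread. Added example, not part of HIPL or its manual.
# Assumed: hipconf and ping6 on PATH; PEER_HIT and PEER_IPV4 exported by the user.

# Print the value after LABEL in DUMP ("HA is" has no colon, the other fields do).
ha_field() {   # $1 = dump text, $2 = label exactly as hipconf prints it
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:\{0,1\}[[:space:]]*//p" | head -n 1
}

# I1-SENT means the I1 left this host but no R1 came back, which is the
# symptom the thread attributes to a middlebox. Other names are assumed.
ha_verdict() {
    case "$1" in
        I1-SENT)     echo "I1 sent, no R1: check the peer locator and UDP 10500 (Teredo: UDP 3544)" ;;
        ESTABLISHED) echo "base exchange complete" ;;
        *)           echo "state $1, exchange still in progress or not started" ;;
    esac
}

# Dump taken from the thread (fields not needed here were left out).
SAMPLE_DUMP='HA is I1-SENT
  Shotgun mode is off.
  Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
  Local NAT traversal UDP port: 10500
  Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
  Peer  NAT traversal UDP port: 10500'

# Live run: step 1 pings the locator itself, step 2 retries over a manual IPv4 map.
run_live() {
    dump=$(hipconf daemon get ha all)
    state=$(ha_field "$dump" "HA is")
    peer=$(ha_field "$dump" "Peer  IP")
    echo "HA state $state: $(ha_verdict "$state")"
    if ping6 -c 3 "$peer" >/dev/null 2>&1; then
        echo "locator $peer answers ping6, so plain IPv6 transport works"
    else
        echo "locator $peer is unreachable: a middlebox is likely dropping IPv6/UDP"
    fi
    hipconf daemon rst all
    hipconf daemon add map "$PEER_HIT" "$PEER_IPV4"
    ping6 -c 3 "$PEER_HIT" && echo "HIT reachable via IPv4 locator $PEER_IPV4"
}

# Only touch hipd when explicitly asked; parsing can be exercised offline.
if [ "${1:-}" = "--live" ]; then run_live; fi
```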
