[hipl-users] Re: Problems with RVS

  • From: Paola Venuso <pa.venuso@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Fri, 11 Oct 2013 20:03:29 +0200

Hi Miika,

I uncommented the line "Bindport 3545" in file miredo.conf as I read on the
man page of miredo and checked ufw files for rules blocking IPv6 traffic (I
uncommented two about forwarding, the others about enabling this traffic
were already uncommented). Then I tried ping6 on the locators and I got the
message: unknown host.
I also tried the manual set up with IPv4-based locators, as you wrote me, and
my host exchanged HIP UPDATE and I1, R1, I2, R2 packets with another host,
with address 193.167.187.149, that I don't know but I guess maybe it's one
of the infrahip servers.
Anyway, I am not sure I checked correctly for rules about IPv6 traffic.
What should I do about this? Could all these problems also be connected
with the virtual machine net configuration? It is NAT by default, but there are
some other options.

Thanks for all the help you're giving me.

Paola


2013/10/11 Miika Komu <mkomu@xxxxxxxxx>

> Hi Paola,
>
> it seems your installation is fine. Based on my own experience, I think
> that a middlebox (firewall) is blocking your IPv6 traffic (in the case of
> Teredo it's UDP port 3544). Did you try to ping6 the routable addresses
> (locators)?
>
> I also recommend trying a manual set up with IPv4-based locators as
> follows:
>
> hipconf daemon rst all
> hipconf daemon add map PEER_HIT PEER_IPV4_ADDRESS
> ping6 PEER_HIT
>
>
> On 10/10/2013 12:42 AM, Paola Venuso wrote:
>
>> Hi Miika,
>>
>> hipd is running at the responder, the firewall is not blocking HIP
>> traffic and I don't use redhat-based distro.
>> This is the output of the commands from the manual:
>>
>> paola@ubuntu:~$ dpkg -l 'hipl*'
>> Desired=Unknown/Install/Remove/Purge/Hold
>> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
>> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>> ||/ Nome           Versione       Descrizione
>> +++-==============-==============-============================================
>> ii  hipl-all       1.0.8-6429     HIP for Linux full software bundle
>> ii  hipl-daemon    1.0.8-6429     HIP for Linux IPsec key management and mobil
>> ii  hipl-dnsproxy  1.0.8-6429     HIP for Linux name lookup proxy
>> ii  hipl-doc       1.0.8-6429     HIP for Linux documentation
>> ii  hipl-firewall  1.0.8-6429     HIP for Linux multi-purpose firewall daemon
>> un  hipl-minimal   <nessuna>      (nessuna descrizione disponibile)
>> un  hipl-tools     <nessuna>      (nessuna descrizione disponibile)
>> paola@ubuntu:~$ hipconf daemon get ha all
>> Sending user message 22 to HIPD on socket 3
>> Sent 40 bytes
>> Waiting to receive daemon info.
>> 240 bytes received from HIP daemon.
>> HA is I1-SENT
>>   Shotgun mode is off.
>>   Broadcast mode is off.
>>   Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
>>   Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
>>   Local LSI: 1.0.0.1
>>   Peer  LSI: 1.0.0.2
>>   Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
>>   Local NAT traversal UDP port: 10500
>>   Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0016
>>   Peer  NAT traversal UDP port: 10500
>>   Peer  hostname:
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ uname -a
>> Linux ubuntu 3.5.0-41-generic #64~precise1-Ubuntu SMP Thu Sep 12
>> 17:01:55 UTC 2013 i686 i686 i386 GNU/Linux
>> paola@ubuntu:~$ lsb_release -a
>> No LSB modules are available.
>> Distributor ID:    Ubuntu
>> Description:    Ubuntu 12.04.3 LTS
>> Release:    12.04
>> Codename:    precise
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ cat /etc/hip/hipd.conf
>> # Format of this file is as with hipconf, but without "hipconf daemon" prefix
>> # add hi default    # add all four HITs (see bug id 592127)
>> # add map HIT IP    # preload some HIT-to-IP mappings to hipd
>> # add service rvs   # the host acts as HIP rendezvous (also see relay.conf)
>> # add server rvs [RVS-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to rendezvous server
>> # add server relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
>> # add server full-relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
>> hit-to-ip on # resolve HITs to locators in dynamic DNS zone
>> # hit-to-ip set hit-to-ip.infrahip.net. # resolve HITs to locators in dynamic DNS zone
>> nsupdate on # send dynamic DNS updates
>> # add server rvs hiprvs.infrahip.net 50000 # Register to free RVS at infrahip
>> # heartbeat 10 # send ICMPv6 messages inside HIP tunnels
>> # locator on        # host sends all of its locators in base exchange
>> # shotgun on # use all possible src/dst IP combinations to send I1/UPDATE
>> # broadcast on # broadcast to LAN if no matching IP address found
>> # opp normal|advanced|none
>> # transform order 213 # crypto preference order (1=AES, 2=3DES, 3=NULL)
>> nat plain-udp       # use UDP capsulation (for NATted environments)
>> #nat port local 11111 # change local default UDP port
>> #nat port peer 22222 # change local peer UDP port
>> debug medium        # debug verbosity: all, medium, low or none
>> default-hip-version 1 # default HIP version number for the I1 message. (1=HIPv1, 2=HIPv2)
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ sudo iptables -L -n
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
>> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500
>> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8
>>
>> Chain HIPFW-FORWARD (1 references)
>> target     prot opt source               destination
>>
>> Chain HIPFW-INPUT (1 references)
>> target     prot opt source               destination
>> NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500 NFQUEUE num 0
>> NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10500 NFQUEUE num 0
>> NFQUEUE    esp  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>
>> Chain HIPFW-OUTPUT (1 references)
>> target     prot opt source               destination
>> NFQUEUE    all  --  0.0.0.0/0            1.0.0.0/8            NFQUEUE num 0
>>
>> ------------------------------------------------------------
>>
>>
>> paola@ubuntu:~$ sudo ip6tables -L -n
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-INPUT  all      ::/0                 ::/0
>> ACCEPT     all      2001:10::/28         2001:10::/28
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-FORWARD  all      ::/0                 ::/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> HIPFW-OUTPUT  all      ::/0                 ::/0
>> ACCEPT     all      2001:10::/28         2001:10::/28
>>
>> Chain HIPFW-FORWARD (1 references)
>> target     prot opt source               destination
>>
>> Chain HIPFW-INPUT (1 references)
>> target     prot opt source               destination
>> NFQUEUE    esp      ::/0                 ::/0                 NFQUEUE num 1
>> NFQUEUE    all      ::/0                 2001:10::/28         NFQUEUE num 1
>>
>> Chain HIPFW-OUTPUT (1 references)
>> target     prot opt source               destination
>> NFQUEUE    udp      ::/0                 2001:10::/28         NFQUEUE num 1
>> NFQUEUE    icmp     ::/0                 2001:10::/28         NFQUEUE num 1
>> NFQUEUE    tcp      ::/0                 2001:10::/28         NFQUEUE num 1
>> NFQUEUE    icmpv6   ::/0                 2001:10::/28         NFQUEUE num 1
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ ps axu | grep hip
>> nobody    1002  0.0  0.1   4980  2004 ?        S    14:21   0:00 /usr/sbin/hipd -bkN
>> nobody    1092  0.0  0.1   5116  1220 ?        S    14:21   0:00 /usr/sbin/hipfw -bklpFi
>> root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
>> root      3144  0.0  0.0      0     0 ?        Z    14:22   0:00 [hipconf] <defunct>
>> paola     3304  0.0  0.0   4412   832 pts/0    S+   14:32   0:00 grep --color=auto hip
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ ps axu | grep dns
>> root      1477  0.0  0.6  10860  6576 ?        S    14:21   0:00 python /usr/sbin/hipdnsproxy -k
>> nobody    2155  0.0  0.1   5400  1388 ?        S    14:21   0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
>> paola     3307  0.0  0.0   4412   836 pts/0    S+   14:32   0:00 grep --color=auto dns
>>
>>
>> Thanks a lot,
>>
>> Paola
>>
>>
>> 2013/10/9 Miika Komu <mkomu@xxxxxxxxx>
>>
>>
>>     Hi Paola,
>>
>>     please provide some more information as instructed in the manual:
>>
>>     http://hipl.hiit.fi/hipl/manual/HOWTO.html#quick
>>
>>     Some additional questions:
>>
>>     * Are you running hipd at the responder?
>>     * Is there a firewall blocking HIP traffic (default UDP port 10500)?
>>     * If you use a redhat-based distro, have you disabled SELinux (please
>>     refer to the manual)?
>>
>>
>>     On 10/09/2013 12:27 PM, Paola Venuso wrote:
>>
>>         Hi,
>>         I have an update. I tried again direct communication and now the
>>         initiator can send the I1 packet. I tried also with Teredo
>>         addresses but
>>         it's the same, I can see only the I1 packet.
>>
>>
>>         2013/10/8 Paola Venuso <pa.venuso@xxxxxxxxx>
>>
>>
>>              I typed the name of the version wrong, I've already
>>         installed the
>>              latest version. Anyway I tried out direct communications as
>> you
>>              said, with different configurations, but with no success.
>>         I'm sorry
>>              to bother you but I don't know what else to do. I read the
>>         manual
>>              several times but obviously I'm still missing something.
>> Maybe
>>              something about the hipl firewall?
>>
>>              Thanks for your help.
>>
>>
>>
>>
>>              2013/10/8 Miika Komu <mkomu@xxxxxxxxx>
>>
>>
>>                  Hi Paola,
>>
>>
>>                  On 10/08/2013 01:44 PM, Paola Venuso wrote:
>>
>>                      Hi Miika,
>>                      Thanks for the quick answer. I'll try what you said.
>>         About
>>                      the latest
>>                      version, where can I find it? I downloaded the hipl
>>         1.0.7
>>                      release from
>>                      the infrahip site but I saw nothing about the
>>         latest version.
>>
>>                      Thank you very much,
>>
>>
>>                  Source code:
>>
>>                  http://hipl.hiit.fi/index.php?index=source
>>
>>                  There are multiple ways to get HIPL source code: binary
>>         release,
>>                  bazaar and the nightly tarball.
>>
>>                  The binaries are here:
>>
>>                  http://hipl.hiit.fi/index.php?index=download
>>
>
>
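Miika's diagnosis is that a middlebox or local firewall is blocking the UDP ports HIP depends on (10500 for HIP NAT traversal, 3544 for Teredo), and Paola's reply shows how hard that is to read off raw `iptables -L -n` / `ip6tables -L -n` listings once a mail client has mangled them. The following script is an added example, not code from this thread or from the HIPL project: it parses such listings into chain policies and rules and gives a coarse verdict for a UDP port. It handles two quirks visible in the output above, the `--` glued onto long protocol names (`icmpv6--`) and the empty opt column in `ip6tables` output. The IPv4 sample is the listing posted in the thread with the link debris removed; the IPv6 sample is constructed (a DROP policy plus an explicit rule on port 3544) and is not what Paola's host showed.

```python
import re
from collections import namedtuple

# One parsed rule line from `iptables -L -n` / `ip6tables -L -n`.
Rule = namedtuple("Rule", "chain target prot source destination extra")

# "Chain INPUT (policy ACCEPT)" or "Chain HIPFW-INPUT (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
PORT_RE = re.compile(r"\b(?:spt|dpt):(\d+)\b")


def parse_listing(text):
    """Parse `-L -n` output into (policies, rules).

    policies maps each built-in chain to its policy; rules is the list of
    Rule entries in listing order. Two quirks of the real output are
    handled: iptables glues '--' onto long protocol names ("icmpv6--"),
    and ip6tables leaves the opt column empty so the '--' token is absent.
    """
    policies, rules, chain = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            if m.group(2):
                policies[chain] = m.group(2)
            continue
        if chain is None or line.startswith("target "):
            continue  # column header line
        tokens = line.split()
        if len(tokens) < 4:
            continue
        target, prot, rest = tokens[0], tokens[1], tokens[2:]
        if prot.endswith("--") and len(prot) > 2:
            prot = prot[:-2]            # "icmpv6--" -> "icmpv6"
        elif rest[0] == "--":
            rest = rest[1:]             # drop the opt column when present
        if len(rest) < 2:
            continue
        rules.append(Rule(chain, target, prot, rest[0], rest[1], " ".join(rest[2:])))
    return policies, rules


def rules_for_udp_port(rules, port):
    """Rules whose match clause names `port` as UDP source or destination port."""
    return [r for r in rules
            if r.prot == "udp" and any(int(p) == port for p in PORT_RE.findall(r.extra))]


def udp_port_status(text, port):
    """Coarse summary of what a listing does with UDP traffic on `port`.

    Explicit rules win over chain policies; rule ordering and chain
    traversal are deliberately ignored, so treat this as a first check,
    not as a simulation of the packet path.
    """
    policies, rules = parse_listing(text)
    targets = {r.target for r in rules_for_udp_port(rules, port)}
    if targets & {"DROP", "REJECT"}:
        return "blocked"
    if "ACCEPT" in targets:
        return "accepted"
    if "NFQUEUE" in targets:
        return "queued"           # handed to userspace (hipfw), not decided here
    if any(p in ("DROP", "REJECT") for p in policies.values()):
        return "blocked by policy"
    return "no rule"


# IPv4 listing as posted in the thread (link debris removed, lines rejoined).
IPV4_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     139  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  1.0.0.0/8            1.0.0.0/8

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:10500 NFQUEUE num 0
NFQUEUE    esp  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""

# Constructed IPv6 listing (not from the thread): a DROP policy plus an
# explicit rule dropping Teredo's UDP port 3544, i.e. what a blocking
# host firewall would look like in this format.
IPV6_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
HIPFW-INPUT  all      ::/0                 ::/0
ACCEPT     all      2001:10::/28         2001:10::/28
DROP       udp      ::/0                 ::/0                 udp dpt:3544

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
NFQUEUE    esp      ::/0                 ::/0                 NFQUEUE num 1
"""

if __name__ == "__main__":
    for port, label in ((10500, "HIP NAT traversal"), (3544, "Teredo")):
        print(f"IPv4 UDP {port} ({label}): {udp_port_status(IPV4_LISTING, port)}")
        print(f"IPv6 UDP {port} ({label}): {udp_port_status(IPV6_LISTING, port)}")
```

Feed it the real listings with `sudo iptables -L -n` and `sudo ip6tables -L -n` piped into a file. A "no rule" on port 3544 with ACCEPT policies, as in Paola's IPv4 listing, means the host firewall is not the blocker and the middlebox in front of the VM (or the VM's NAT setup) is the next thing to look at; "blocked" or "blocked by policy" points back at the local rule set.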
