doc:howto:ipv6.softwire

Differences

This shows you the differences between two versions of the page.

doc:howto:ipv6.softwire [2014/08/23 03:35]
zorun
doc:howto:ipv6.softwire [2015/05/31 14:11] (current)
jow old revision restored (2015/05/30 20:57)
Line 1: Line 1:
 +====== IPv6 on softwire ======
  
 +This page documents how to configure IPv6 over a L2TP softwire, which is a method used by some ISP to provide IPv6 connectivity. It assumes Barrier Breaker (OpenWRT 14.07), but the old configuration for Attitude Adjustment (12.09) is available at the end of the page.
 +
 +===== About softwires =====
 +
 +"​softwire"​ is the new fancy term for network tunnels, aka encapsulation. Reasonably accurate definitions about softwires are given in [[http://​tools.ietf.org/​html/​rfc4925|RFC 4925]], and [[http://​tools.ietf.org/​html/​rfc5571|RFC 5571]] describes an implementation using L2TPv2.
 +
 +Softwires are used as basic blocks to transport newer protocols (typically IPv6) over an older network (typically, the IPv4 core network of an ISP).
 +
 +===== ISP using softwires to provide IPv6 =====
 +
 +  * SFR, in France, is known to use softwires to provide IPv6 to its residential customers. See some [[http://​bitsofnetworks.org/​utiliser-ipv6-chez-sfr-sans-la-neufbox-fr.html|documentation (in French)]].
 +
 +===== Overview =====
 +
 +This howto is derived from an experience with SFR, in France (FTTH residential access). It might applies to other ISPs as well, but you'll need to adapt IP addresses, PPP login and passwords, and so on.
 +
 +The high-level description of the tunneling is the following:
 +
 +  - a L2TP tunnel is created, encapsulated in UDP packets over IPv4
 +  - a PPP session is established inside the tunnel
 +  - IPv6CP (see [[http://​tools.ietf.org/​html/​rfc5072|RFC 5072]]) is used to negotiate link-local IPv6 addresses ​
 +  - an IPv6 prefix is obtained thanks to DHCPv6
 +
 +In the case of SFR, steps 1 and 2 require an authentication. Fortunately,​ the L2TP password is hardcoded. The PPP password is not, but it's sent as cleartext, so a simple sniffing is enough to recover it.
 +
 +===== Setup for Barrier Breaker =====
 +
 +Barrier Breaker has native IPv6 support, which greatly simplifies the configuration.
 +
 +==== Requirements ====
 +
 +You need to install ''​xl2tpd'',​ which will handle the L2TP tunnel and PPP session.
 +
 +==== Configuration ====
 +
 +''/​etc/​config/​network''​
 +<​code>​
 +config interface 6pe
 +        option proto l2tp
 +        option server <LNS address>
 +        option username '<​PPP username>'​
 +        option password '<​PPP password>'​
 +        option keepalive '​6'​
 +        option ipv6 '​1'​
 +
 +config interface '​wan6'​
 +        option ifname '​@6pe'​
 +        option proto '​dhcpv6'​
 +</​code>​
 +
 +:!: For the RC3 version of Barrier Breaker, you should use ''​proto l2tpv2''​ instead.
 +
 +See [[doc/​uci/​network#​protocol.l2tp.ppp.over.l2tp.pseudowire.tunnel]] for more options.
 +
 +If you need authentication at the L2TP level (before PPP), configure it in ''/​etc/​xl2tpd/​xl2tp-secrets'':​
 +<​code>​
 +* * my_l2tp_password
 +</​code>​
 +
 +At this point, rebooting or simply running ''​ifup wan6''​ should give you a fully working IPv6 setup. ​ To debug, look at the logs (''​logread''​) and the interfaces status (''​ifstatus 6pe''​ and ''​ifstatus wan6''​).
 +
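Review bot: The Barrier Breaker section never says which firewall zone the new ''6pe'' and ''wan6'' interfaces belong to, whereas the older AA instructions further down explicitly add ''wanv6'' to the ''wan'' zone. Since this tunnel is the IPv6 uplink, add a sentence after the ''ifup wan6'' step telling the reader to confirm that ''wan6'' is listed under ''option network'' in the ''wan'' zone of ''/etc/config/firewall''. It would also help to mention that ''/etc/config/network'' and ''/etc/xl2tpd/xl2tp-secrets'' now hold the PPP and L2TP passwords in plain text, so they should not be pasted into forum posts or bug reports unredacted.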
 +===== Old setup for AA =====
 +
 +This setup is doing everything "by hand", which might be useful for other Linux distribution as well (for instance, Debian). ​ More precisely, we do the following:
 +
 +  - use ''​xl2tpd''​ to negociate the L2TP tunnel and the PPP session: this creates a ''​ppp0''​ interface
 +  - use ''​dhcp6c''​ to request an IPv6 prefix through DHCPv6
 +  - use ''​radvd''​ to distribute addresses to LAN clients from a /64 (which is automatically taken from the delegated prefix)
 +
 +Of course, you are free to use other methods. Most notably, newer OpenWRT versions handle IPv6 differently. It's also possible to distribute IPv6 addresses to LAN clients using ''​dnsmasq''​.
 +
 +Note that SFR's CPE, the Neufbox, is running a modified version of OpenWRT. Since they publish their firmware (I used the [[http://​download.nb6thd.neufbox.neuf.fr/​nb6thd_Vers%203.3.4_ter/​NB6-MAIN-R3.3.4|NB6-MAIN-R3.3.4]] firmware), it's possible to look at their config files (and hardcoded passwords), which greatly simplifies the task.
 +
 +==== L2TP tunnel using xl2tpd ====
 +
 +You need to install ''​xl2tpd''​. Then, a working ''/​etc/​x2ltpd/​x2ltpd.conf''​ for SFR is:
 +
 +<​code>​
 +[global]
 +port = 1701
 +auth file = /​etc/​xl2tpd/​xl2tp-secrets
 +access control = no
 +
 +[lac 6pe]
 +lns = 109.6.3.95 ; address of the LNS (L2TP Network Server)
 +ppp debug = yes
 +hostname = XX.XX.XX.XX ; your public IP address
 +hidden bit = no
 +; ppp debug = yes
 +pppoptfile = /​etc/​ppp/​options.xl2tpd
 +require authentication = no
 +refuse authentication = no
 +refuse chap = no
 +flow bit = yes
 +length bit = yes
 +</​code>​
 +
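Review bot: The config path in the sentence introducing this block is spelled ''/etc/x2ltpd/x2ltpd.conf'', which matches neither the ''xl2tpd'' package name nor the ''/etc/xl2tpd/xl2tp-secrets'' path used inside the block; it should read ''/etc/xl2tpd/xl2tpd.conf''. In the ''[lac 6pe]'' section, ''ppp debug = yes'' appears twice, once active and once commented out. Keep a single line and say whether debug output is meant to stay enabled after the first successful connection, since PPP debug logs can include the negotiated credentials.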
 +You need to fill out ''/​etc/​xl2tpd/​xl2tp-secrets''​ with the password. In the case of SFR:
 +
 +<​code>​
 +* * 6pe
 +</​code>​
 +
 +This should be enough to see if it works or not.
 +
 +=== Starting the L2TP tunnel ===
 +
 +You need to start ''​xl2tpd'',​ and connect the profile we defined:
 +
 +<​code>​
 +/​etc/​init.d/​xl2tpd start
 +echo "c 6pe" > /​var/​run/​xl2tpd/​l2tp-control
 +</​code>​
 +
 +There doesn'​t seem to be an easy way to start a profile automatically at startup. Quick & dirty: edit ''/​etc/​rc.d/​S60xl2tpd''​ and add
 +
 +<​code>​
 +(sleep 10 && echo "c 6pe" > /​var/​run/​xl2tpd/​l2tp-control) &
 +</​code>​
 +
 +just before the ''​$BIN $OPTIONS''​ line.
 +
 +=== Troubleshooting ===
 +
 +  * look at the logs (''​logread''​)
 +  * try to activate some ''​xl2tpd''​ debug options
 +  * use ''​tcpdump''​ to see what's going on with the LNS
 +
 +==== PPP configuration ====
 +
 +Last, you need to set PPP options for IPv6 negotiation. In ''/​etc/​ppp/​options.xl2tpd'':​
 +
 +<​code>​
 +# From the official firmware
 +ipv6 ,
 ++ipv6
 +ipv6cp-use-persistent
 +lock
 +child-timeout 20
 +lcp-echo-failure 3
 +lcp-echo-interval 20
 +name <your PPP login>
 +</​code>​
 +
 +For SFR, the PPP login seems to be ''​dhcp/​XX.XX.XX.XX@YYYYYYYYYYYY'',​ where ''​XX.XX.XX.XX''​ is your public IP address, and ''​YYYYYYYYYYYY''​ is the MAC address of the WAN interface of the official box, without the colons.
 +
 +You then need to define the PPP password in ''/​etc/​ppp/​chap-secrets'':​
 +
 +<​code>​
 +#​USERNAME ​ PROVIDER ​ PASSWORD ​ IPADDRESS
 +dhcp/​XX.XX.XX.XX@YYYYYYYYYYYY * <PPP password>​
 +</​code>​
 +
 +For SFR, the password is not obvious. It's sent in cleartext, thus recoverable by sniffing the WAN port of the official box.
 +
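Review bot: The text says the PPP password is sent in cleartext, yet the instructions store it in ''/etc/ppp/chap-secrets'' and the xl2tpd profile sets ''refuse chap = no''. Cleartext transmission points to PAP rather than CHAP, so please state which authentication protocol the LNS actually negotiates and whether ''/etc/ppp/pap-secrets'' is the file pppd reads in this setup. The same cleartext remark already appears in the Overview; one of the two could simply link to the other.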
 +==== Prefix delegation through DHCPv6 ====
 +
 +Once the PPP session is established inside the L2TP tunnel, a new interface ''​ppp0''​ should appear.
 +
 +The only remaining step is to request an IPv6 prefix to the ISP, by using for instance the ''​wide-dhcp6c''​ client.
 +
 +=== OpenWRT integration ===
 +
 +Note that this is specific to Attitude Adjustment, as IPv6 support is expected to changed a lot in the upcoming Barrier Breaker release.
 +
 +=== Interface declaration ===
 +
 +We need to tell OpenWRT about the new interface, in ''/​etc/​config/​network'':​
 +
 +<​code>​
 +config interface wanv6
 +        option ifname ​  ppp0
 +        option proto    none
 +</​code>​
 +
 +If, at some point, you don't get a default route for IPv6, you could try to add the route yourself:
 +
 +<​code>​
 +config route6 ​                          
 +        option interface wanv6          ​
 +        option target '::/​0' ​           ​
 +        option gateway '​fe80::​XXXX:​XXff:​feXX:​XXXX'​
 +</​code>​
 +
 +where the gateway is the link-local address of the router at the other end of the softwire.
 +
 +=== Firewall rules ===
 +
 +Start by modifying the ''​wan''​ zone in ''/​etc/​config/​firewall'':​
 +
 +<​code>​
 +        option network ​         'wan wanv6'
 +</​code>​
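Review bot: The note under ''OpenWRT integration'' still describes Barrier Breaker as an upcoming release ("IPv6 support is expected to changed a lot"), which contradicts the top of the page, where Barrier Breaker 14.07 is the assumed version. Reword it in the past tense and fix "to changed". That heading is also written with ''==='', the same level as ''Interface declaration'' and ''Firewall rules'', which read as its subsections; promoting it to ''===='' would keep it from being nested under ''Prefix delegation through DHCPv6''. Smaller wording fixes in the same revision: "It might applies" in the Overview and "negociate" in the AA step list.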