AICCU (Automatic IPv6 Connectivity Client Utility) configuration

Prerequisite

Sign up for a SixXS account and a SixXS handle.

For further details, see http://www.sixxs.net/signup/create/

Netifd integration since Barrier Breaker RC1

The AICCU client is now integrated with netifd. To use it, install the package aiccu and set up wan6 as follows:

config interface 'wan6'
    option 'proto' 'aiccu'
    option 'username' 'HANDLE-SIXXS/TID'
    option 'password' 'Password' # Use per-tunnel TIC password instead of your account password
    option 'ip6prefix' '2001:db8:aabb::/48' # Delegated subnet
    option 'ip6addr' '2001:db8:aaaa:aaa::2/64' # Optional
    option 'verbose' 'true'

Warning: Do not restart the network interface with AICCU too often. The TIC system detects excessive connection attempts and blocks your IP address if you try to connect more than 5 times per hour.


Historic Information!
This page contains archived information that is only kept for research purposes. The contents are most likely outdated.

Check if your router is IPv6 ready.

opkg list kmod-ipv6
opkg list kmod-ip6tables
opkg list ip6tables
opkg list aiccu
opkg list radvd

Save as test.txt and execute sh test.txt. The output should be

root@OpenWrt:~# sh test.txt
kmod-ipv6 - 3.0.12-1
kmod-ip6tables - 3.0.12-1
ip6tables - 1.4.10-4
aiccu - 20070115-9
radvd - 1.8.3-2

or something similar. If a package is missing, install and update accordingly.


Note: Changeset 32666 removed any OpenWrt changes to AICCU, so the information above no longer applies. Still check if the required packages are installed.

This change affects the OpenWrt Attitude Adjustment (12.09) release. In order to maintain a working AICCU setup, it is necessary to start and configure AICCU manually. You can choose one of the following two configuration methods, depending on how you are going to use AICCU.

A. If you need an on-demand AICCU connection, you can create an AICCU config file in /etc/aiccu.conf:

username USER-SIXXS
password password123
server tic.sixxs.net
protocol tic
ipv6_interface sixxs
tunnel_id T99999
requiretls false
defaultroute true
behindnat true
makebeats true
daemonize true
pidfile /var/run/aiccu.pid

Note: with method A, you have to start aiccu manually by executing the command aiccu start.

B. This method offers a more convenient way to manage the AICCU service: you can start/stop and enable/disable the service via the LuCI web interface. It needs two steps.

First, create aiccu configuration file at /etc/config/aiccu:

config aiccu
    option username 'XXXX-SIXXS'
    option password 'yourpassword'
    option protocol 'tic'
    option server 'tic.sixxs.net'
    option interface 'sixxs0'
    option tunnel_id 'T123XX6'
    option requiretls '0'
    option defaultroute '1'
    option nat '1'
    option heartbeat '1'

Second, create the following script in /etc/init.d/aiccu:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=98

# Append "<aiccu key> true|false" to args for a boolean UCI option.
add_config_bool() {
    local section="$1"
    local option="$2"
    local value="$3"
    local default="$4"
    local _val

    config_get_bool _val "$section" "$option" "$default"
    [ "$_val" -gt 0 ] && _val="true" || _val="false"
    append args "$3 $_val" "\n"
}

# Append "<aiccu key> <value>" to args for a string UCI option, if it is set.
add_config() {
    local section="$1"
    local option="$2"
    local value="$3"
    local _val

    config_get _val "$section" "$option"
    [ -n "$_val" ] && append args "$3 $_val" "\n"
}

# Generate /var/etc/aiccu-<section>.conf from the UCI section and start aiccu with it.
start_instance() {
    local cfg="$1"

    CFGFILE="/var/etc/aiccu-${cfg}.conf"
    PIDFILE="/var/run/aiccu-${cfg}.pid"

    args=""
    add_config "$cfg" username username
    add_config "$cfg" password password
    add_config "$cfg" server server
    add_config "$cfg" protocol protocol
    add_config "$cfg" interface ipv6_interface
    add_config "$cfg" tunnel_id tunnel_id
    add_config_bool "$cfg" requiretls requiretls 0
    add_config_bool "$cfg" defaultroute defaultroute 1
    add_config_bool "$cfg" nat behindnat 1
    add_config_bool "$cfg" heartbeat makebeats 1
    append args "daemonize true" "\n"
    append args "pidfile $PIDFILE" "\n"

    mkdir -p /var/run /var/etc
    echo -e "$args" > "$CFGFILE"

    config_get_bool enabled "$cfg" enabled '1'
    [ "$enabled" -gt 0 ] && aiccu start "$CFGFILE" &
}

stop_instance() {
    local cfg="$1"
    aiccu stop "/var/etc/aiccu-${cfg}.conf"
}

# Stop first only if the section sets option restart; then start again.
restart_instance() {
    local cfg="$1"

    config_get_bool restart "$cfg" restart 0
    [ "$restart" -eq 1 ] && stop_instance "$cfg"
    start_instance "$cfg"
}

start() {
    config_load aiccu
    config_foreach start_instance aiccu
}

stop() {
    config_load aiccu
    config_foreach stop_instance aiccu
}

restart() {
    config_load aiccu
    config_foreach restart_instance aiccu
}

Then run chmod 755 /etc/init.d/aiccu to make the script executable.

Now you can use the command /etc/init.d/aiccu [start|stop|restart] to start, stop or restart AICCU.

For further support regarding AICCU, see the SixXS website.
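Both methods above end up with a flat AICCU config file (/etc/aiccu.conf, or /var/etc/aiccu-<section>.conf written by the init script) that holds the TIC password in clear text and, in the samples on this page, sets requiretls false. The following check is an added example, not part of the original page or of the aiccu package; the function names and messages are assumptions.

```shell
#!/bin/sh
# Added example: audit a flat AICCU config file (key/value format as above).
# Function names and messages are assumptions, not part of aiccu.

# conf_value FILE KEY: print the last value given for KEY.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_aiccu_conf FILE: print findings; return 0 if clean, 1 if not,
# 2 if the file cannot be read.
audit_aiccu_conf() {
    conf="$1"
    bad=0
    [ -r "$conf" ] || { echo "$conf: cannot read"; return 2; }

    # The file holds the TIC password in clear text, so group and others
    # should have no read access. Characters 5-10 of the ls -l mode string
    # are the group and other permission bits.
    perms=$(ls -l "$conf" | cut -c5-10)
    case "$perms" in
        *r*) echo "$conf: readable by group/others, use chmod 600"; bad=1 ;;
    esac

    # Unless requiretls is true, the client does not abort when the
    # server offers no TLS.
    if [ "$(conf_value "$conf" requiretls)" != "true" ]; then
        echo "$conf: requiretls is not true"
        bad=1
    fi

    # Flag an empty password or one of the sample values used on this page.
    case "$(conf_value "$conf" password)" in
        ''|Password|password123|yourpassword|test)
            echo "$conf: password is empty or a documentation sample"
            bad=1 ;;
    esac
    return "$bad"
}

# Run against a file given on the command line, e.g. /etc/aiccu.conf.
[ $# -eq 0 ] || audit_aiccu_conf "$1"
```

Whether requiretls true works depends on the aiccu build and the TIC server supporting TLS, so test it before relying on it.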


The aiccu package is configured through /etc/config/aiccu.

Sections

Only one section type, aiccu, is defined, and it may appear only once.

AICCU

Below is a listing of defined options in the aiccu section.

Name          Type     Required  Default  Description
username      string   yes       (none)   Username to authenticate with the tunnel broker
password      string   yes       (none)   Password to authenticate with the tunnel broker
protocol      string   yes       tic      Authentication protocol, can be one of tic, tsp or l2tp
server        ipaddr   no        (none)   Server to use
interface     string   no        aiccu    Name of the created tunnel interface
tunnel_id     integer  no        (none)   Tunnel ID to use if there are multiple tunnels registered with the broker
requiretls    boolean  no        0        Force the client to abort if the server does not support TLS
defaultroute  boolean  no        1        Whether to install an IPv6 default route over the established tunnel
nat           boolean  no        1        Notify if behind NAT
heartbeat     boolean  no        1        To enable AYIYA set heartbeat to 1, in case of a heartbeat tunnel 0

Tunnels

AYIYA

Example of an AYIYA tunnel configuration with the SixXS tunnel broker.

config 'aiccu'
    option 'username' 'test'
    option 'password' 'test'
    option 'tunnel_id' '1234'
    option 'protocol' 'tic'
    option 'server' 'tic.sixxs.net'
    option 'interface' 'sixxs0'

In case you are behind a NAT firewall, consult the SixXS FAQ and check how to enable proto 41.

Heartbeat

Example of a SixXS 6in4-heartbeat tunnel.

We will configure /etc/config/aiccu and modify /etc/config/network and /etc/config/firewall. This was tested for firewall2 using the related trunks for DIR-600 B1/B2 and RT-N16, and finally on an ALIX board using ../backfire/10.03.1-rc5/x86_generic/.

You have to request a heartbeat tunnel from SixXS beforehand. Check and review their documentation.

Prior to any change in your running configuration, create backups using your preferred backup method.

Change /etc/config/aiccu using your SIXXS username and Tunnel ID.

config aiccu
    option username 'ABCD-SIXXS/T1234'
    option password 'yourpwasswort'
    option protocol 'tic'
    option server 'tic.sixxs.net'
    option interface 'sixxs0'
    option tunnel_id 'T1234'
    option requiretls '0'
    option defaultroute '1'
    option nat '1'
    option heartbeat '1'

Static 6in4

tbd

Interface and LAN configuration

Assign an IPv6 address to your LAN interface and create a wan6 interface in /etc/config/network.

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'ifname' 'eth0.0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ip6addr' '2001:XXXX:YYYY:ZZZZ::1/64'

config 'interface' 'wan6'
    option 'proto' 'static'
    option 'ifname' 'sixxs0'
    option 'auto' '1'
    option 'ip6addr' '2001:YOUR:END:POINT::2/64'
    option 'ip6gw' '2001:YOUR:END:POINT::1'
    option 'send_rs' '0'

Replace '2001:XXXX:YYYY:ZZZZ::1/64' with a routed /64 assigned to your tunnel by SixXS (1 provided by default on most SixXS tunnel PoPs as of Feb. 2012, additional /48s can be requested if needed after enough time passed/credits earned).

Replace '2001:YOUR:END:POINT::2/64' with your SixXS Tunnel individual endpoint address.

Replace '2001:YOUR:END:POINT::1' with your SixXS Tunnel individual gateway address.

Firewall

Add an additional zone wan6 for IPv6 in /etc/config/firewall:

config 'zone'
    option 'name' 'wan6'
    option 'network' 'wan6'
    option 'family' 'ipv6'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'conntrack' '1'

Add a corresponding forwarding rule for IPv6 in /etc/config/firewall:

config 'forwarding'
    option 'dest' 'wan6'
    option 'src' 'lan'
    option 'family' 'ipv6'

If necessary, configure your individual IPv6 rules in /etc/config/firewall:

config 'rule'
    option 'name' 'RHO'
    option 'family' 'ipv6'
    option 'target' 'DROP'
    option 'extra' '-m rt --rt-type 0'
    option 'proto' 'all'
    option 'src' 'wan6'

config 'rule'
    option 'name' 'RHO2'
    option 'family' 'ipv6'
    option 'target' 'DROP'
    option 'extra' '-m rt --rt-type 0'
    option 'proto' 'all'
    option 'src' 'wan6'
    option 'dest' 'lan'

config 'rule'
    option 'target' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'name' 'Allow-Ping ipv6'
    option 'family' 'ipv6'
    option 'proto' 'icmp'
    option 'src' 'wan6'
    option 'limit' '1000/sec'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    list 'icmp_type' 'router-solicitation'
    list 'icmp_type' 'neighbour-solicitation'
    list 'icmp_type' 'echo-reply'

radvd

Populate your LAN with your local IPv6 address range.

To do so, adapt /etc/config/radvd using your IPv6 subnet prefix:

config 'interface'
    option 'interface' 'lan'
    option 'AdvSendAdvert' '1'
    option 'AdvManagedFlag' '0'
    option 'AdvOtherConfigFlag' '0'
    option 'AdvLinkMTU' '1480'
    option 'ignore' '0'

config 'prefix'
    option 'interface' 'lan'
    option 'AdvOnLink' '1'
    option 'AdvAutonomous' '1'
    option 'AdvRouterAddr' '0'
    list 'prefix' '2001:XXXX:YYYY:ZZZZ::/64'
    option 'ignore' '0'

……..

Final Check

Prior to a reboot, restart the network and firewall:

/etc/init.d/network restart
/etc/init.d/firewall restart

The zone wan6 should appear as shown below.

root@OpenWrt:~# logread | grep firewall
Feb 23 09:32:06 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Feb 23 09:32:06 OpenWrt user.info firewall: adding wan (eth0) to zone wan
Feb 23 09:32:10 OpenWrt user.info firewall: adding wan6 (sixxs0) to zone wan6

Do a manual restart of aiccu and radvd.

/etc/init.d/aiccu start
/etc/init.d/radvd start

Inspect your logfile and check if you can ping ipv6 sites.

root@OpenWrt:~# ping6 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:c01::93): 56 data bytes
64 bytes from 2a00:1450:4001:c01::93: seq=0 ttl=57 time=24.144 ms
64 bytes from 2a00:1450:4001:c01::93: seq=1 ttl=57 time=23.581 ms
64 bytes from 2a00:1450:4001:c01::93: seq=2 ttl=57 time=22.934 ms

Do a test from an IPv6-enabled client in your LAN.

C:\Dokumente und Einstellungen\Bilbo_Beutlin>ping6 six.heise.de

six.heise.de [2a02:2e0:3fe:100::6] wird angepingt von 2001:yyyy:xxxx:0:abcd:dead:beef:1234 mit 32 Bytes Daten:

Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=10ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=13ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms

Ping-Statistik für 2a02:2e0:3fe:100::6
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ungefähre Zeitangaben in Millisekunden:
    Minimum = 8ms, Maximum = 13ms, Mittelwert = 9ms

If everything works fine, enable aiccu and radvd:

/etc/init.d/aiccu enable
/etc/init.d/radvd enable

and reboot your router.

hotplug script for 12.09.01 and later

In recent versions of OpenWrt, aiccu does not include an init script anymore. I've created a hotplug script to run aiccu when my IPv4 wan interface comes up, and stop it when the wan interface goes down. Config is stored in /etc/aiccu.conf. Just copy that file to /etc/hotplug.d/iface/50-aiccu

#!/bin/sh

if [ "$ACTION" = "ifdown" ]; then
    if [ "$INTERFACE" = "wan" ]; then
        # stop aiccu
        /usr/sbin/aiccu stop
    fi
fi

if [ "$ACTION" = "ifup" ]; then
    if [ "$INTERFACE" = "wan" ]; then
        # start aiccu again
        /usr/sbin/aiccu start
    fi
fi
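The warning near the top of this page says the TIC system blocks an IP address after more than 5 connection attempts per hour, and a script that starts aiccu on every wan ifup can reach that on a flapping link. The guard below is an added example, not part of the original page or of aiccu; the state file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: allow at most AICCU_MAX aiccu starts per AICCU_WINDOW.
# The state file location and function names are assumptions.

AICCU_STATE="${AICCU_STATE:-/tmp/aiccu-starts.log}"  # one epoch time per line
AICCU_MAX=5         # attempts allowed per window (limit stated on this page)
AICCU_WINDOW=3600   # one hour, in seconds

# tic_attempt_allowed NOW: return 0 and record NOW if fewer than AICCU_MAX
# attempts lie within the last AICCU_WINDOW seconds; otherwise return 1.
tic_attempt_allowed() {
    now="$1"
    cutoff=$((now - AICCU_WINDOW))
    tmp="${AICCU_STATE}.$$"
    count=0
    : > "$tmp"
    if [ -f "$AICCU_STATE" ]; then
        while read -r ts; do
            case "$ts" in ''|*[!0-9]*) continue ;; esac  # skip corrupt lines
            if [ "$ts" -gt "$cutoff" ]; then             # keep recent entries
                echo "$ts" >> "$tmp"
                count=$((count + 1))
            fi
        done < "$AICCU_STATE"
    fi
    if [ "$count" -ge "$AICCU_MAX" ]; then
        mv "$tmp" "$AICCU_STATE"
        return 1
    fi
    echo "$now" >> "$tmp"
    mv "$tmp" "$AICCU_STATE"
    return 0
}

# guarded_aiccu_start: call this instead of "/usr/sbin/aiccu start".
guarded_aiccu_start() {
    if tic_attempt_allowed "$(date +%s)"; then
        /usr/sbin/aiccu start
    else
        logger -t aiccu "start skipped: $AICCU_MAX attempts within the last hour"
        return 1
    fi
}
```

The state file lives in /tmp, so the count resets on reboot; keep it on persistent storage if the router reboots often.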


doc/uci/aiccu.txt · Last modified: 2014/07/17 12:11 by oskar