This page contains archived information that is only kept for research purposes. The contents are most likely outdated. |
Prerequisite
Sign up for a SixXS account and a SixXS handle.
For further details, see http://www.sixxs.net/signup/create/
Check if your router is IPv6 ready.
opkg list kmod-ipv6
opkg list kmod-ip6tables
opkg list ip6tables
opkg list aiccu
opkg list radvd |
Save these commands as test.txt and run sh test.txt:
root@OpenWrt:~# sh test.txt
kmod-ipv6 - 3.0.12-1
kmod-ip6tables - 3.0.12-1
ip6tables - 1.4.10-4
aiccu - 20070115-9
radvd - 1.8.3-2 |
or something similar. If a package is missing, install and update accordingly.
Changeset 32666 removed any OpenWrt changes to AICCU, so the information above no longer applies. Still, check that the required packages are installed.
This change affects the OpenWrt Attitude Adjustment (12.09) release. In order to maintain a working AICCU setup, it is necessary to start and configure AICCU manually. You can choose one of the following two configuration methods, depending on how you are going to use AICCU.
A. If you need an on-demand AICCU connection, you can create an AICCU config file at /etc/aiccu.conf:
username USER-SIXXS
password password123
server tic.sixxs.net
protocol tic
ipv6_interface sixxs
tunnel_id T99999
requiretls false
defaultroute true
behindnat true
makebeats true
daemonize true
pidfile /var/run/aiccu.pid |
Note: with method A, you have to start aiccu manually by executing the command aiccu start.
B. This method is a more convenient way to manage the AICCU service: you can start, stop, enable or disable the service via the LuCI web interface. It takes two steps.
First, create the aiccu configuration file at /etc/config/aiccu:
config aiccu
option username 'XXXX-SIXXS'
option password 'yourpassword'
option protocol 'tic'
option server 'tic.sixxs.net'
option interface 'sixxs0'
option tunnel_id 'T123XX6'
option requiretls '0'
option defaultroute '1'
option nat '1'
option heartbeat '1' |
Second, create the following script in /etc/init.d/aiccu:
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=98

# Append "<aiccu key> true|false" to $args from a boolean UCI option.
# $1 = section, $2 = UCI option, $3 = aiccu.conf key, $4 = default
add_config_bool() {
    local section="$1"
    local option="$2"
    local value="$3"
    local default="$4"
    local _val
    config_get_bool _val "$section" "$option" "$default"
    [ "$_val" -gt 0 ] && _val="true" || _val="false"
    append args "$3 $_val" "\n"
}

# Append "<aiccu key> <value>" to $args if the UCI option is set.
# $1 = section, $2 = UCI option, $3 = aiccu.conf key
add_config() {
    local section="$1"
    local option="$2"
    local value="$3"
    local _val
    config_get _val "$section" "$option"
    [ -n "$_val" ] && append args "$3 $_val" "\n"
}

# Generate /var/etc/aiccu-<section>.conf from the UCI section and start aiccu.
start_instance() {
    local cfg="$1"
    CFGFILE="/var/etc/aiccu-${cfg}.conf"
    PIDFILE="/var/run/aiccu-${cfg}.pid"
    args=""
    add_config "$cfg" username username
    add_config "$cfg" password password
    add_config "$cfg" server server
    add_config "$cfg" protocol protocol
    add_config "$cfg" interface ipv6_interface
    add_config "$cfg" tunnel_id tunnel_id
    add_config_bool "$cfg" requiretls requiretls 0
    add_config_bool "$cfg" defaultroute defaultroute 1
    add_config_bool "$cfg" nat behindnat 1
    add_config_bool "$cfg" heartbeat makebeats 1
    append args "daemonize true" "\n"
    append args "pidfile $PIDFILE" "\n"
    mkdir -p /var/run /var/etc
    echo -e "$args" > "$CFGFILE"
    config_get_bool enabled "$cfg" enabled '1'
    [ "$enabled" -gt 0 ] && aiccu start "$CFGFILE" &
}

stop_instance() {
    local cfg="$1"
    aiccu stop "/var/etc/aiccu-${cfg}.conf"
}

# Stop the instance first only if the section sets option restart to 1.
restart_instance() {
    local cfg="$1"
    config_get_bool restart "$cfg" restart 0
    [ "$restart" -eq 1 ] && stop_instance "$cfg"
    start_instance "$cfg"
}

start() {
    config_load aiccu
    config_foreach start_instance aiccu
}

stop() {
    config_load aiccu
    config_foreach stop_instance aiccu
}

restart() {
    config_load aiccu
    config_foreach restart_instance aiccu
} |
Then run chmod 755 /etc/init.d/aiccu to set the appropriate permissions.
Now you can use the command /etc/init.d/aiccu [start|stop|restart] to start, stop or restart AICCU.
For further support regarding AICCU, see the SixXS website.
The aiccu package is configured through /etc/config/aiccu.
Only one section type, aiccu, is defined, and it may appear only once.
Below is a listing of the options defined in the aiccu section.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| username | string | yes | (none) | Username to authenticate with the tunnel broker |
| password | string | yes | (none) | Password to authenticate with the tunnel broker |
| protocol | string | yes | tic | Authentication protocol, can be one of tic, tsp or l2tp |
| server | ipaddr | no | (none) | Server to use |
| interface | string | no | aiccu | Name of the created tunnel interface |
| tunnel_id | integer | no | (none) | Tunnel ID to use if there are multiple tunnels registered with the broker |
| requiretls | boolean | no | 0 | Force the client to abort if the server does not support TLS |
| defaultroute | boolean | no | 1 | Whether to install an IPv6 default route over the established tunnel |
| nat | boolean | no | 1 | Notify if behind NAT |
| heartbeat | boolean | no | 1 | Set to 1 to enable AYIYA; set to 0 for a heartbeat tunnel |
Example of an AYIYA tunnel configuration with the SixXS tunnel broker.
config 'aiccu'
option 'username' 'test'
option 'password' 'test'
option 'tunnel_id' '1234'
option 'protocol' 'tic'
option 'server' 'tic.sixxs.net'
option 'interface' 'sixxs0' |
If you are behind a NAT firewall, consult the SixXS FAQ and check how to enable protocol 41.
Example of a SixXS 6in4-heartbeat tunnel.
We will configure /etc/config/aiccu and modify /etc/config/network and /etc/config/firewall. This was tested with firewall2 using the related trunks for the DIR-600 B1/B2 and RT-N16, and finally on an ALIX board using ../backfire/10.03.1-rc5/x86_generic/.
You have to request a heartbeat tunnel from SixXS beforehand. Check and review their documentation.
Before making any change to your running configuration, create backups using your preferred backup method.
Change /etc/config/aiccu using your SixXS username and tunnel ID.
config aiccu
option username 'ABCD-SIXXS/T1234'
option password 'yourpwasswort'
option protocol 'tic'
option server 'tic.sixxs.net'
option interface 'sixxs0'
option tunnel_id 'T1234'
option requiretls '0'
option defaultroute '1'
option nat '1'
option heartbeat '1' |
tbd
Configure an IPv6 address on your lan interface and create a wan6 interface in /etc/config/network.
config 'interface' 'lan'
option 'type' 'bridge'
option 'ifname' 'eth0.0'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'ip6addr' '2001:XXXX:YYYY:ZZZZ::1/64'
config 'interface' 'wan6'
option 'proto' 'static'
option 'ifname' 'sixxs0'
option 'auto' '1'
option 'ip6addr' '2001:YOUR:END:POINT::2/64'
option 'ip6gw' '2001:YOUR:END:POINT::1/64'
option 'send_rs' '0' |
Replace '2001:XXXX:YYYY:ZZZZ::1/64' with a routed /64 assigned to your tunnel by SixXS (1 provided by default on most SixXS tunnel PoPs as of Feb. 2012, additional /48s can be requested if needed after enough time passed/credits earned).
Replace '2001:YOUR:END:POINT::2/64' with your SixXS Tunnel individual endpoint address.
Replace '2001:YOUR:END:POINT::1/64' with your SixXS Tunnel individual gateway address.
Add an additional zone wan6 for IPv6 in /etc/config/firewall:
config 'zone'
option 'name' 'wan6'
option 'network' 'wan6'
option 'family' 'ipv6'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'conntrack' '1' |
Add a corresponding forwarding rule for ipv6 in /etc/config/firewall:
config 'forwarding'
option 'dest' 'wan6'
option 'src' 'lan'
option 'family' 'ipv6' |
If necessary configure your individual ipv6 rules in /etc/config/firewall:
config 'rule'
option 'name' 'RHO'
option 'family' 'ipv6'
option 'target' 'DROP'
option 'extra' '-m rt --rt-type 0'
option 'proto' 'all'
option 'src' 'wan6'
config 'rule'
option 'name' 'RHO2'
option 'family' 'ipv6'
option 'target' 'DROP'
option 'extra' '-m rt --rt-type 0'
option 'proto' 'all'
option 'src' 'wan6'
option 'dest' 'lan'
config 'rule'
option 'target' 'ACCEPT'
option 'name' 'Allow-Ping ipv6'
option 'family' 'ipv6'
option 'proto' 'icmp'
option 'src' 'wan6'
option 'limit' '1000/sec'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
list 'icmp_type' 'router-solicitation'
list 'icmp_type' 'neighbour-solicitation'
list 'icmp_type' 'echo-reply' |
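Because LAN hosts receive globally routable addresses over the tunnel, the wan6 zone, the one-way forwarding and the routing-header rule above are what keep unsolicited traffic out. The following check is an added example, not part of the original wiki page; the function name audit_wan6, its finding messages and the weakened sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a UCI firewall config for the wan6 tunnel zone.
# Prints one finding per line; prints nothing when all checks pass.
audit_wan6() {
    tr -d "'\"" < "$1" | awk '
    function deny(v) { return v == "REJECT" || v == "DROP" }
    function flush() {
        if (type == "zone" && o["name"] == "wan6") {
            seen = 1
            if (!deny(o["input"]))
                print "zone wan6: input is " (o["input"] ? o["input"] : "unset")
            if (!deny(o["forward"]))
                print "zone wan6: forward is " (o["forward"] ? o["forward"] : "unset")
        }
        # A forwarding that starts at wan6 lets the tunnel open connections inward.
        if (type == "forwarding" && o["src"] == "wan6")
            print "forwarding: wan6 -> " o["dest"] " admits unsolicited traffic"
        # Look for a rule that drops routing header type 0 arriving from wan6.
        if (type == "rule" && o["src"] == "wan6" && o["target"] == "DROP" && o["extra"] ~ /--rt-type 0/)
            rh0 = 1
        split("", o)
    }
    $1 == "config" { flush(); type = $2; next }
    $1 == "option" { key = $2; $1 = $2 = ""; sub(/^ +/, ""); o[key] = $0 }
    END {
        flush()
        if (!seen) print "zone wan6: not defined"
        if (!rh0)  print "rule: no RH0 drop for src wan6"
    }'
}

# Constructed sample: a weakened variant of the configuration on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config 'zone'
        option 'name' 'wan6'
        option 'network' 'wan6'
        option 'family' 'ipv6'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'forwarding'
        option 'src' 'wan6'
        option 'dest' 'lan'
EOF
audit_wan6 "$sample"
```

On the router, run audit_wan6 /etc/config/firewall after editing; the configuration shown on this page produces no findings.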
Advertise your local IPv6 range to your LAN.
To do so, adapt /etc/config/radvd using your IPv6 subnet prefix:
config 'interface'
option 'interface' 'lan'
option 'AdvSendAdvert' '1'
option 'AdvManagedFlag' '0'
option 'AdvOtherConfigFlag' '0'
option 'AdvLinkMTU' '1480'
option 'ignore' '0'
config 'prefix'
option 'interface' 'lan'
option 'AdvOnLink' '1'
option 'AdvAutonomous' '1'
option 'AdvRouterAddr' '0'
list 'prefix' '2001:XXXX:YYYY:ZZZZ::/64'
option 'ignore' '0'
…….. |
Before rebooting, restart the network and firewall:
/etc/init.d/network restart
/etc/init.d/firewall restart |
The zone wan6 should appear as shown below.
root@OpenWrt:~# logread | grep firewall
Feb 23 09:32:06 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Feb 23 09:32:06 OpenWrt user.info firewall: adding wan (eth0) to zone wan
Feb 23 09:32:10 OpenWrt user.info firewall: adding wan6 (sixxs0) to zone wan6 |
Do a manual restart of aiccu and radvd.
/etc/init.d/aiccu start
/etc/init.d/radvd start |
Inspect your log file and check if you can ping IPv6 sites.
root@OpenWrt:~# ping6 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:c01::93): 56 data bytes
64 bytes from 2a00:1450:4001:c01::93: seq=0 ttl=57 time=24.144 ms
64 bytes from 2a00:1450:4001:c01::93: seq=1 ttl=57 time=23.581 ms
64 bytes from 2a00:1450:4001:c01::93: seq=2 ttl=57 time=22.934 ms |
Do a test from an IPv6-enabled client in your LAN.
C:\Dokumente und Einstellungen\Bilbo_Beutlin>ping6 six.heise.de
six.heise.de [2a02:2e0:3fe:100::6] wird angepingt
von 2001:yyyy:xxxx:0:abcd:dead:beef:1234 mit 32 Bytes Daten:
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=10ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=13ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms
Ping-Statistik für 2a02:2e0:3fe:100::6
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ungefähre Zeitangaben in Millisekunden:
Minimum = 8ms, Maximum = 13ms, Mittelwert = 9ms |
If everything works fine, enable aiccu and radvd
/etc/init.d/aiccu enable
/etc/init.d/radvd enable |
and reboot your router.
doc/uci/aiccu.txt · Last modified: 2013/03/31 19:47 by climate