doc:uci:aiccu

Differences

doc:uci:aiccu [2012/12/28 16:54]
morganfw
doc:uci:aiccu [2016/01/12 14:08] (current)
oskar [Netifd integration since Barrier Breaker RC1] - info about AYIYA mode only
Line 1: Line 1:
 +====== AICCU (Automatic IPv6 Connectivity Client Utility) configuration ======
 +
 +** Prerequesite **
 +
 +Signup for an SIXXS account and an SIXXS Handle ​
 +
 +See for further details on http://​www.sixxs.net/​signup/​create/​
 +
 +===== Netifd integration since Barrier Breaker RC1 =====
 +
 +The AICCU client is now integrated with [[doc/​techref/​netifd]]. ​
 +To use it, install the package aiccu and set up wan6 as follows:
 +
 +| ''​
 +config interface '​wan6'​
 +        option '​proto' ​   '​aiccu'​
 +        option '​username'​ '​HANDLE-SIXXS/​TID'​
 +        option '​password'​ '​Password'​ #Use per-tunnel TIC password instead your account password
 +        option '​ip6prefix'​ '​2001:​db8:​aabb::/​48'​ #Delegated subnet
 +        option '​ip6addr'​ '​2001:​db8:​aaaa:​aaa::​2/​64'​ #Optional
 +        option '​verbose'​ '​true'​
 +''​ |
 +
 +<WRAP center round important 60%>
 +The AICCU utility is not meant to operate in headless mode. Do not use it if you have some other option. Only AYIYA tunnel type has been tested. For static or heartbeat tunnels, use native [[[doc:​uci:​network#​protocol_6in4_ipv6-in-ipv4_tunnel|6in4 tunnel]] instead, perhaps with the he.net Tunnel Broker.
 +</​WRAP>​
 +
 +
 +<WRAP center round alert 60%>
 +Do not restart the network interface with AICCU too often. TIC system [[https://​www.sixxs.net/​faq/​aiccu/?​faq=tic|detect excessive connection attempts and block your IP address]] if you try to connect more than 5 times per hour.
 +
 +</​WRAP>​
 +
 +
 +----
 +
 +{{page>​meta:​infobox:​historic&​noheader&​nofooter&​noeditbtn}}
 +
 +===== Manual setup before Barrier Breaker RC1 =====
 +
 +Check if your router is IPV6 ready. ​
 +
 +| ''​opkg list kmod-ipv6
 +opkg list kmod-ip6tables
 +opkg list ip6tables
 +opkg list aiccu
 +opkg list radvd ''​ |
 +
 +Save as test.txt and execute sh test.txt ​
 +
 +| ''​root@OpenWrt:​~#​ sh test.txt
 +kmod-ipv6 - 3.0.12-1
 +kmod-ip6tables - 3.0.12-1
 +ip6tables - 1.4.10-4
 +aiccu - 20070115-9
 +radvd - 1.8.3-2''​ | 
 +
 +or something similar. If a package is missing install and update accordingly.  ​
 +
 +----
 +
 +
 +:!: [[https://​dev.openwrt.org/​changeset/​32666|Changeset 32666]] removed any OpenWrt changes to AICCU, so the information above does no longer apply. Still check if required packages are installed.
 +
 +This change affects the OpenWrt Attitude Adjustment (12.09) release. In order to maintain a working AICCU setup, it is necessary to start and configure AICCU manually. You can choose one of following two configuration methods, depending on how you are going to use AICCU.
 +
 +A. If you need on-demand AICCU connection, you can create an AICCU config file in ''/​etc/​aiccu.conf''​
 +| ''​username USER-SIXXS
 +password password123
 +server tic.sixxs.net
 +protocol tic
 +ipv6_interface sixxs
 +tunnel_id T99999
 +requiretls false
 +defaultroute true
 +behindnat true
 +makebeats true
 +daemonize true
 +pidfile /​var/​run/​aiccu.pid''​ |
 +
 +Note: with method A, you have to start aiccu manually by excuting command ''​aiccu start''​. ​
 +
 +B. It allows more convenient way to manipulate AICCU service. With this method, you can start/stop enable/​disable the service via luci web interface. It needs two steps.
 +
 +First, create aiccu configuration file at ''/​etc/​config/​aiccu'':​
 +| ''​config aiccu
 + option username ​ '​XXXX-SIXXS'​
 + option password ​ '​yourpassword'​
 + option protocol ​ '​tic'​
 + option server '​tic.sixxs.net'​
 + option interface '​sixxs0'​
 + option tunnel_id '​T123XX6'​
 + option requiretls '​0'​
 + option defaultroute ​    '​1'​
 + option nat '​1'​
 + option heartbeat '​1'​ ''​ |
 +
 +Second, create the following script in ''/​etc/​init.d/​aiccu'':​
 +
 +| ''#​!/​bin/​sh /​etc/​rc.common
 +# Copyright (C) 2006-2011 OpenWrt.org
 +START=98
 +
 +add_config_bool() {
 +        local section="​$1"​
 +        local option="​$2"​
 +        local value="​$3"​
 +        local default="​$4"​
 +        local _val
 +
 +        config_get_bool _val "​$section"​ "​$option"​ "​$default"​
 +        [ "​$_val"​ -gt 0 ] && _val="​true"​ || _val="​false"​
 +        append args "$3 $_val" "​\n"​
 +}
 +
 +add_config() {
 +        local section="​$1"​
 +        local option="​$2"​
 +        local value="​$3"​
 +        local _val
 +
 +        config_get _val "​$section"​ "​$option"​
 +        [ -n "​$_val"​ ] && append args "$3 $_val" "​\n"​
 +}
 +
 +start_instance() {
 +        local cfg="​$1"​
 +        CFGFILE="/​var/​etc/​aiccu-${cfg}.conf"​
 +        PIDFILE="/​var/​run/​aiccu-${cfg}.pid"​
 +        args=""​
 +
 +        add_config "​$cfg"​ username username
 +        add_config "​$cfg"​ password password
 +        add_config "​$cfg"​ server server
 +        add_config "​$cfg"​ protocol protocol
 +        add_config "​$cfg"​ interface ipv6_interface
 +        add_config "​$cfg"​ tunnel_id tunnel_id
 +        add_config_bool "​$cfg"​ requiretls requiretls 0
 +        add_config_bool "​$cfg"​ defaultroute defaultroute 1
 +        add_config_bool "​$cfg"​ nat behindnat 1
 +        add_config_bool "​$cfg"​ heartbeat makebeats 1
 +        append args "​daemonize true" "​\n"​
 +        append args "​pidfile $PIDFILE"​ "​\n"​
 +
 +        mkdir -p /var/run /var/etc
 +        echo -e "​$args"​ > "​$CFGFILE"​
 +
 +        config_get_bool enabled "​$cfg"​ enabled '​1'​
 +        [ "​$enabled"​ -gt 0 ] && aiccu start "​$CFGFILE"​ &
 +}
 +
 +stop_instance() {
 +        local cfg="​$1"​
 +        aiccu stop "/​var/​etc/​aiccu-${cfg}.conf"​
 +}
 +
 +restart_instance() {
 +        local cfg="​$1"​
 +        config_get_bool restart "​$cfg"​ restart 0
 +        [ "​$restart"​ -eq 1 ] && stop_instance "​$cfg"​
 +        start_instance "​$cfg"​
 +}
 +
 +start() {
 +        config_load aiccu
 +        config_foreach start_instance aiccu
 +}
 +
 +stop() {
 +        config_load aiccu
 +        config_foreach stop_instance aiccu
 +}
 +
 +restart() {
 +        config_load aiccu
 +        config_foreach restart_instance aiccu
 +}''​ |
 +
 +then ''​chmod 755 /​etc/​init.d/​aiccu''​ to assign the appropriate permission.
 +
 +Now you can use command ''/​etc/​init.d/​aiccu [start|stop|restart]''​ to enable, disable or restart AICCU.
 +
 +For further support regarding AICCU, see the [[http://​www.sixxs.net/​tools/​aiccu/​|SixXS website]].
 +----
 +
 +The //aiccu// package is configured through ''/​etc/​config/​aiccu''​.
 +===== Sections =====
 +
 +There is only a section of type ''​aiccu''​ defined which may only appear once.
 +
 +==== AICCU ====
 +
 +Below is a listing of defined options in the ''​aiccu''​ section.
 +
 +^ Name ^ Type ^ Required ^ Default ^ Description ^
 +| ''​username'' ​ | string | yes | //(none)// | Username to authenticate with the tunnel broker |
 +| ''​password'' ​ | string | yes | //(none)// | Password to authenticate with the tunnel broker |
 +| ''​protocol'' ​ | string | yes | ''​tic''​ | Authentication protocol, can be one of ''​tic'',​ ''​tsp''​ or ''​l2tp''​ |
 +| ''​server'' ​   | ipaddr | no | //(none)// | Server to use | 
 +| ''​interface''​ | string | no | ''​aiccu''​ | Name of the created tunnel interface |
 +| ''​tunnel_id''​ | integer | no | //(none)// | Tunnel ID to use if there are multiple tunnels registered with the broker |
 +| ''​requiretls''​ | boolean | no | ''​0''​ | Force the client to abort if the server does not support TLS |
 +| ''​defaultroute''​ | boolean | no | ''​1''​ | Whether to install an IPv6 default route over the established tunnel |
 +| ''​nat''​ | boolean | no | ''​1''​ | Notify if behind NAT |
 +| ''​heartbeat''​ | boolean | no | ''​1''​ | To enable ''​AYIYA''​ set heartbeat to 1, in case of an heartbeat tunnel 0 |
 +
 +
 +
 +===== Tunnels =====
 +
 +==== AYIYA ====
 +
 +Example of an AYIYA tunnel configuration with the SixXS tunnel broker.
 +
 +| ''​config '​aiccu'​
 +        option '​username' ​ '​test'​
 +        option '​password' ​ '​test'​
 +        option '​tunnelid' ​ '​1234'​
 +        option '​protocol' ​ '​tic'​
 +        option '​server' ​   '​tic.sixxs.net'​
 +        option '​interface'​ '​sixxs0'''​ |
 +
 +In case you are behind a NAT firewall consult the SixX FAQ and check how to enable proto 41. 
 +
 +==== Heartbeat ====
 +
 +Example of an SIXXS 6in4-heartbeat tunnel.
 +
 +We will configure /​etc/​config/​aiccu,​ modify /​etc/​config/​network and /​etc/​config/​firewall. This is tested for firewall2 using the related trunks for DIR-600 B1/B2 and RT-N16. And finally on ALIX Board using ../​backfire/​10.03.1-rc5/​x86_generic/​.  ​
 +
 +You have to request an heartbeat tunnel from SIXXS before. Check and review their documentation.
 +
 +**Prior to any change in your running configuration,​ create backups using your prefered back method.**
 + 
 +
 +Change ''/​etc/​config/​aiccu''​ using your SIXXS username and Tunnel ID. 
 +
 +| ''​config aiccu
 +       ​option username ​        '​ABCD-SIXXS/​T1234'​
 +       ​option password ​        '​yourpwasswort'​
 +       ​option protocol ​        '​tic'​
 +       ​option server ​          '​tic.sixxs.net'​
 +       ​option interface ​       **'​sixxs0'​**
 +       ​option tunnel_id ​       '​T1234'​
 +       ​option requiretls ​      '​0'​
 +       ​option defaultroute ​    '​1'​
 +       ​option nat              '​1'​
 +       ​option heartbeat ​       '​1'''​ |
 +
 +==== Static 6in4 ====
 +
 +tbd
 +
 +===== Interface and LAN configuration =====
 +
 +Configure an ipv6 IP to your lan interface and create a wan6 interface in ''​[[doc:​uci:​network|/​etc/​config/​network]]''​.  ​
 +
 +| ''​config '​interface'​ '​lan'​
 +        option '​type'​ '​bridge'​
 +        option '​ifname'​ '​eth0.0'​
 +        option '​proto'​ '​static'​
 +        option '​ipaddr'​ '​192.168.1.1'​
 +        option '​netmask'​ '​255.255.255.0'​
 +        option '​ip6addr'​ **'​2001:​XXXX:​YYYY:​ZZZZ::​1/​64'​**
 +
 +config '​interface'​ '​wan6'​
 +        option '​proto'​ '​static'​
 +        option '​ifname'​ **'​sixxs0'​**
 +        option '​auto'​ '​1'​
 +        option '​ip6addr'​ **'​2001:​YOUR:​END:​POINT::​2/​64'​**
 +        option '​ip6gw'​ **'​2001:​YOUR:​END:​POINT::​1'​**
 +        option '​send_rs'​ '​0'''​ |
 +
 +Replace **'​2001:​XXXX:​YYYY:​ZZZZ::​1/​64'​** with a routed /64 assigned to your tunnel by SixXS (1 provided by default on most SixXS tunnel PoPs as of Feb. 2012, additional /48s can be requested if needed after enough time passed/​credits earned).
 +
 +Replace **'​2001:​YOUR:​END:​POINT::​2/​64'​** with your SixXS Tunnel individual **endpoint** address.
 +
 +Replace **'​2001:​YOUR:​END:​POINT::​1'​** with your SixXS Tunnel individual **gateway** address. ​
 +
 +===== Firewall =====
 +
 +Add an additional **zone** ​ ''​wan6''​ for IPv6 in 
 +''​[[doc:​uci:​firewall|/​etc/​config/​firewall]]'':​
 +
 +| ''​config '​zone'​
 +        option '​name' ​   '​wan6'​
 +        option '​network'​ '​wan6'​
 +        option '​family' ​ '​ipv6'​
 +        option '​input' ​  '​REJECT'​
 +        option '​output' ​ '​ACCEPT'​
 +        option '​forward'​ '​REJECT' ​
 +        option '​conntrack'​ '​1'''​|
 +
 +Add a corresponding **forwarding** rule for ipv6 in ''​[[doc:​uci:​firewall|/​etc/​config/​firewall]]'':​
 +
 +| ''​config '​forwarding'​
 +        option '​dest'​ '​wan6'​
 +        option '​src'​ '​lan'​
 +        option '​family'​ '​ipv6'''​ |
 +
 +If necessary configure your individual ipv6 rules in ''​[[doc:​uci:​firewall|/​etc/​config/​firewall]]'':​
 +
 +
 +| ''​config '​rule'​
 +        option '​name'​ '​RHO'​
 +        option '​family'​ '​ipv6'​
 +        option '​target'​ '​DROP'​
 +        option '​extra'​ '-m rt //​-//​-rt-type 0'
 +        option '​proto'​ '​all'​
 +        option '​src'​ '​wan6'​
 +
 +config '​rule'​
 +        option '​name'​ '​RHO2'​
 +        option '​family'​ '​ipv6'​
 +        option '​target'​ '​DROP'​
 +        option '​extra'​ '-m rt //​-//​-rt-type 0'
 +        option '​proto'​ '​all'​
 +        option '​src'​ '​wan6'​
 +        option '​dest'​ '​lan' ​
 +
 +config '​rule'​
 +        option '​target'​ '​ACCEPT'​
 +        option '​output'​ '​ACCEPT'​
 +        option '​forward'​ '​REJECT'​
 +        option '​name'​ '​Allow-Ping ipv6'
 +        option '​family'​ '​ipv6'​
 +        option '​proto'​ '​icmp'​
 +        option '​src'​ '​wan6'​
 +        option '​limit'​ '​1000/​sec'​
 +        list '​icmp_type'​ '​echo-request'​
 +        list '​icmp_type'​ '​destination-unreachable'​
 +        list '​icmp_type'​ '​packet-too-big'​
 +        list '​icmp_type'​ '​time-exceeded'​
 +        list '​icmp_type'​ '​bad-header'​
 +        list '​icmp_type'​ '​unknown-header-type'​
 +        list '​icmp_type'​ '​router-solicitation'​
 +        list '​icmp_type'​ '​neighbour-solicitation'​
 +        list '​icmp_type'​ '​echo-reply'''​ |
 +
 +===== radvd =====
 +
 +Populate your LAN with you local IPv6 ip range. ​
 +
 +Therfore adopt ''​[[doc:​uci:​radvd|/​etc/​config/​radvd]]''​ using your ipv6 subnet prefix:
 +
 +| ''​config '​interface'​
 +        option '​interface'​ '​lan'​
 +        option '​AdvSendAdvert'​ '​1'​
 +        option '​AdvManagedFlag'​ '​0'​
 +        option '​AdvOtherConfigFlag'​ '​0'​
 +        option '​AdvLinkMTU'​ '​1480'​
 +        option '​ignore'​ '​0'​
 + 
 +config '​prefix'​
 +        option '​interface'​ '​lan'​
 +        option '​AdvOnLink'​ '​1'​
 +        option '​AdvAutonomous'​ '​1'​
 +        option '​AdvRouterAddr'​ '​0'​
 +        list '​prefix'​ '​2001:​XXXX:​YYYY:​ZZZZ::/​64'​
 +        option '​ignore'​ '​0'​
 +
 +........''​ |
 +
 +
 +===== Final Check =====
 +
 +Prior to a reboot restart the network and  firewall ​
 +
 +| ''/​etc/​init.d/​network restart
 +/​etc/​init.d/​firewall restart''​ | 
 +
 +The zone **wan6** should appear as shown below.
 +
 +| ''​root@OpenWrt:​~#​ logread | grep firewall
 +Feb 23 09:32:06 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
 +Feb 23 09:32:06 OpenWrt user.info firewall: adding wan (eth0) to zone wan
 +Feb 23 09:32:10 OpenWrt user.info firewall: **adding wan6 (sixxs0) to zone wan6**''​ |
 +
 +Do a manual restart of aiccu and radvd.  ​
 +
 +| ''/​etc/​init.d/​aiccu start
 +/​etc/​init.d/​radvd start''​ | 
 +
 +Inspect your logfile and check if you can ping ipv6 sites. ​
 +
 +| ''​root@OpenWrt:​~#​ ping6 ipv6.google.com
 +PING ipv6.google.com (2a00:​1450:​4001:​c01::​93):​ 56 data bytes
 +64 bytes from 2a00:​1450:​4001:​c01::​93:​ seq=0 ttl=57 time=24.144 ms
 +64 bytes from 2a00:​1450:​4001:​c01::​93:​ seq=1 ttl=57 time=23.581 ms
 +64 bytes from 2a00:​1450:​4001:​c01::​93:​ seq=2 ttl=57 time=22.934 ms''​|
 +
 +Do a test from a client in your LAN ipv6 enabled). ​
 +
 +| ''​C:​\Dokumente und Einstellungen\Bilbo_Beutlin>​ping6 six.heise.de
 +
 +six.heise.de [2a02:​2e0:​3fe:​100::​6] wird angepingt
 +von 2001:​yyyy:​xxxx:​0:​abcd:​dead:​beef:​1234 mit 32 Bytes Daten:
 +
 +Antwort von 2a02:​2e0:​3fe:​100::​6:​ Bytes=32 Zeit=10ms
 +Antwort von 2a02:​2e0:​3fe:​100::​6:​ Bytes=32 Zeit=13ms
 +Antwort von 2a02:​2e0:​3fe:​100::​6:​ Bytes=32 Zeit=8ms
 +Antwort von 2a02:​2e0:​3fe:​100::​6:​ Bytes=32 Zeit=8ms
 +
 +Ping-Statistik für 2a02:​2e0:​3fe:​100::​6
 +    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
 +Ungefähre Zeitangaben in Millisekunden:​
 +    Minimum = 8ms, Maximum = 13ms, Mittelwert = 9ms''​|
 +
 +If everything works fine enable aiccu and radvd 
 +
 +| ''/​etc/​init.d/​aiccu enable
 +/​etc/​init.d/​radvd enable''​ |
 +
 +and reboot your router. ​
 +
 +===== hotplug script for 12.09.01 and later =====
 +In recent versions of openwrt, aiccu does not include an init script anymore. I've created an hotplug skript to run aiccu when my ipv4 wan interface comes up, and stops it when the wan interface goes down. Config is stored in /​etc/​aiccu.conf. Just copy that file to /​etc/​hotplug.d/​iface/​50-aiccu
 +
 +
 +| ''#​!/​bin/​sh
 +
 +if [ "​$ACTION"​ = "​ifdown"​ ]; then
 + if [ "​$INTERFACE"​ = "​wan"​ ]; then
 +
 + # stop aiccu
 + /​usr/​sbin/​aiccu stop
 +
 + fi
 +fi
 +
 +if [ "​$ACTION"​ = "​ifup"​ ]; then
 + if [ "​$INTERFACE"​ = "​wan"​ ]; then
 +
 + # start aiccu again
 + /​usr/​sbin/​aiccu start
 +
 + fi
 +fi
 +''​ |