
I'm trying to configure a Debian Wheezy host to get an IPv6 address via ISATAP (using isatapd). This machine has two outgoing interfaces: eth0 and eth0.20 (virtual interface using VLAN 20):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:30:05:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.xxx.xxx.12/24 brd 10.xxx.xxx.255 scope global eth0
    inet 10.xxx.xxx.100/24 brd 10.xxx.xxx.255 scope global secondary eth0
3: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 00:30:05:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 129.187.xxx.xxx/28 brd 129.187.xxx.xxx scope global eth0.20
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
    link/sit 0.0.0.0 brd 0.0.0.0

10.xxx.xxx.12 is the network-unique IP for this host, 10.xxx.xxx.100 is a virtual IP bouncing between two hosts for load balancing. 129.187.xxx.xxx is also a virtual IP but (obviously) globally reachable using a tagged VLAN. There were no firewall rules in place during the testing.

I started isatapd using the following command, where the isatap domain points to an address within 10.0.0.0/8:

root@host:~# isatapd -l eth0.20 -n isa0 -v isatap.example.com
isatapd[25007]: Adding internal PDR 10.xxx.xxx.xxx
isatapd[25007]: isa0 created (local 129.187.xxx.xxx, pmtudisc)
isatapd[25007]: interface isa0 up
isatapd[25009]: Soliciting fe80::xxxx:xxxx:xxxx
isatapd[25009]: Soliciting fe80::xxxx:xxxx:xxxx
[...]

Yes, the host's IP is a global one and the ISATAP-Router's one is within a local network. I've already suspected this to be the problem, but both ping and traceroute work from my machine.

When looking at the traffic in Wireshark, I can see the following:

[Host] -> [ISATAP-Router]    ICMPv6 Router Solicitation
[ISATAP-Router] -> [Host]    ICMPv6 Router Advertisement
[Host] -> [ISATAP-Router]    ICMP Destination unreachable (Port unreachable)

Both the Router Solicitation and the Advertisement look fine. They have (at least as far as I can tell) the correct IPs set (both in the IPv4 header as well as within the encapsulated IPv6 headers and I receive the correct prefix in the Advertisement), but my host rejects the Advertisement immediately. Any ideas why this is happening?

St0rmi
  • Do you have to use ISATAP? It's generally only useful when you have an ancient network infrastructure that has no idea what to do with IPv6, and even in those cases there are better ways to set up tunnels. – Michael Hampton Jan 05 '16 at 22:59
  • Sadly, yes. I am not aware of any other way to use IPv6 in our environment. We have two IPv4 subnets (a /28 public and a /24 private) which we are allowed to use with no access to the routing. – St0rmi Jan 06 '16 at 12:03
