2

Some family members asked me to help configure WinSCP. They need to connect to multiple servers, some of which are dual stack and some of which are IPv6-only.

What we did so far is the following:

  • Install WinSCP from https://winscp.net/
  • Generated a keypair
  • Saved different combinations of hostname and username in the Login window.

This works great for connecting to dual stack hosts. But attempting to connect to any IPv6-only host results in the error message:

Host "hostname.example.net" does not exist.

But the hostname I am using is correct. For further investigation I have connected an Ubuntu 14.04 machine to the same LAN. And on the Ubuntu machine I type:

ssh hostname.example.net

The Ubuntu machine connects to the very same hostname without any problem.

I looked at the network configuration and on both machines I observe the same:

  • The wireless interface has an IPv4 address
  • The wireless interface has no IPv6 address
  • There is a Teredo interface which has successfully acquired a correct IPv6 address

The IPv6-only servers which we need to connect to are on a LAN with a dedicated Teredo relay, so a reliable connection should be possible, and indeed it works from the Ubuntu client.

What do we need to change in the configuration of Windows and/or WinSCP to successfully connect to an IPv6-only host?

(Teredo is not a requirement if there are better alternatives. It just happens to be the only IPv6 address configured on the Windows machine by default.)

kasperd
  • Can you at least `ping` the host via Teredo? _(Note that Microsoft is very close to shutting down their Teredo services, and many providers have already turned off their relays.)_ – u1686_grawity Nov 02 '16 at 18:34
  • @grawity `ping -6 hostname.example.net` on the Windows machine also claims `could not find host`. `ping -6 2600::` says `Request timed out.`. From the IPv6 address I can see that the Teredo server being used is `157.56.106.189`. If I configure the Ubuntu machine to use `157.56.106.189` as its Teredo server connectivity still works from the Ubuntu machine. So Ubuntu and Windows on same LAN using same Teredo server trying to ping the same IPv6 address works on Ubuntu and fails on Windows. – kasperd Nov 02 '16 at 18:44
  • @grawity If I knew how to switch Teredo server on Windows, I would try another Teredo server. Ultimately Teredo is not a requirement, it just happens to be the only protocol I know allowing a client behind an IPv4-only NAT to communicate with an IPv6-only server without tunneling through a third party. – kasperd Nov 02 '16 at 18:47
  • But... Teredo *does* tunnel through a third party... (The 'control' server is changeable through `netsh interface ipv6 teredo set …` assuming you can find a working server. I think Remlab still runs one. I think the actual data relays are chosen by the same server.) – u1686_grawity Nov 02 '16 at 18:51
  • @grawity Teredo only tunnels through a third party if you don't have your own relay. That's why I specifically mentioned that the IPv6-only servers are on a LAN with a dedicated Teredo relay. Thus in my case there is no tunnel through a third party. And the Remlab server still exists. That's the one Ubuntu uses by default. However the choice of Teredo server should not make a difference. It is not the Teredo server which chooses the relay. It is the native IPv6 host which chooses which Teredo relay to use. – kasperd Nov 02 '16 at 18:57
  • @grawity Accessing `test-ipv6.com` from the Windows machines does manage to show the IPv6 address assigned to the Teredo interface. And from looking at the individual test results I can see that using DNS fails but accessing IPv6 addresses without using DNS succeeds. So maybe that is a possible workaround. – kasperd Nov 02 '16 at 20:05

2 Answers

1

The problem was that Windows did not attempt any AAAA lookups, presumably because it is not considered worthwhile to perform AAAA lookups when the only IPv6 address is a Teredo address.

IPv6 connectivity is working as long as an explicit address is specified.

So I managed to get connectivity by replacing the name in the hostname field with the actual IPv6 address of the server. After doing that WinSCP was able to connect.

In my case the servers have static IPv6 addresses (at least for as long as they stay with the current provider). So having a static IPv6 address in the WinSCP saved logins is not a major problem.

kasperd
  • This solution worked when I initially configured it. However since then it has stopped working. I suspect Microsoft broke it by either pushing an update to Windows or changing the configuration of the Teredo servers being used by the client on Windows. – kasperd Nov 07 '18 at 10:54
1

As described in a Microsoft technical note (http://technet.microsoft.com/en-us/library/bb727035.aspx), a Windows Vista or Windows 7 client will not query the DNS for an IPv6 address (query a DNS name for a AAAA record) if the only local IPv6 interfaces are link-local and Teredo interfaces. In other words, while Teredo may be enabled on a large number of end systems that are connected to the Internet and located behind NATs, such systems will not invoke Teredo to access an IPv6-only URL in the normal course of events because they will not query the DNS for an IPv6 address to use.

Geoff Huston, Testing Teredo

However, it is apparently possible to alter this behaviour. In your favourite registry editor, navigate to the key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters` and add a DWORD value `AddrConfigControl` set to `0`.

Unfortunately, there does not appear to be any official documentation for this setting.

Bob
  • I may decide to give this a try at a later time. But for now I would rather not perform system-wide changes. In particular I am concerned about any application which would possibly prefer Teredo over IPv4 if I applied the change you suggest. If I could enable it for WinSCP only and leave it disabled for the rest of the system I would. It would be even better if I could configure it such that it only uses the AAAA record when the A query produces an answer indicating the domain exists but has no A record. – kasperd Nov 20 '16 at 20:10
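
The symptom both answers describe can be told apart from a genuinely missing name with a read-only check. The script below is an added example, not code from either answer; the variable and function names are illustrative, the host name is the question's placeholder, and it assumes .NET resolves names through the same Windows path as WinSCP.

```powershell
# Added example (not from the answers). Read-only: it changes nothing.
param([string]$HostName = 'hostname.example.net')   # placeholder from the question

$key = 'HKLM:\SYSTEM\CurrentControlSet\services\Dnscache\Parameters'

# Return the IPv6 literals found in a list of whitespace-separated tokens.
function Get-IPv6Token ([string[]]$Tokens) {
    foreach ($t in $Tokens) {
        $ip = $null
        if ([ipaddress]::TryParse($t, [ref]$ip) -and
            $ip.AddressFamily -eq 'InterNetworkV6') { $ip.ToString() }
    }
}

# 1. Ask the DNS server directly. nslookup sends its own query, so the
#    answer shows whether an AAAA record exists at all.
$out  = & nslookup.exe -type=AAAA $HostName 2>$null | Out-String
# Skip the "Server:/Address:" header; only text after "Name:" is the answer.
$tail = if ($out -match '(?s)Name:(.*)$') { $Matches[1] } else { '' }
$inDns = @(Get-IPv6Token ($tail -split '\s+'))

# 2. Ask the system resolver. Assumption: .NET resolves through the
#    same Windows name-resolution path as WinSCP.
try   { $sys = @([System.Net.Dns]::GetHostAddresses($HostName)) }
catch { $sys = @() }   # a "host does not exist" failure lands here
$viaResolver = @($sys | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } |
                 ForEach-Object { $_.ToString() })

# 3. Read the registry value named in the answer ($null when absent).
$ctl = (Get-ItemProperty -Path $key -Name AddrConfigControl `
        -ErrorAction SilentlyContinue).AddrConfigControl

if (-not $inDns)           { $verdict = 'No AAAA record in DNS: check the name' }
elseif (-not $viaResolver) { $verdict = 'AAAA exists but the resolver hides it' }
else                       { $verdict = 'AAAA is reachable through the resolver' }

[pscustomobject]@{
    Host              = $HostName
    AaaaInDns         = $inDns -join ', '
    AaaaViaResolver   = $viaResolver -join ', '
    AddrConfigControl = if ($null -eq $ctl) { '(not set)' } else { $ctl }
    Verdict           = $verdict
}
```

Running it before and after the registry change shows whether the verdict moves, and the first run records the prior state of `AddrConfigControl` before a system-wide setting is touched.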