Archlinux as dual-stack (IPv4/v6) gateway/router

Hello everyone,
I've installed Arch on my PC a few days ago and it works perfectly. The PC is a gaming PC (Asus P8P67 Deluxe, Intel Core i3 2100, 14 GB RAM, 2x Nvidia GTX580); however, for specific reasons (I don't have anything else besides IBM PCs with 600MHz CPUs) I need to use it as a server and a router/gateway for my network (an Archlinux laptop and some Apple products). Here's my current network setup:
PPPoE modem is connected to lan0 (ethernet interface) which is configured as 192.168.1.2, gateway 192.168.1.1 (it's the modem's address).
My provider (OVH in France) gives me a /64 IPv6 subnet.
The ppp0 interface is created once lan0 is up (I'm using POST_UP="pon myprovider" in the netcfg script, and I've already added +ipv6 in /etc/ppp/options to enable IPv6 on the ppp). It automatically gets an IPv4 address and an IPv6 one from my provider. Here's the ifconfig ppp0 output (I know it's deprecated but I'm so used to it...):
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1452
inet 109.190.20.173 netmask 255.255.255.255 destination 178.32.37.16
inet6 2001:41d0:70:1301:1c1e:882b:1e8b:efd7 prefixlen 64 scopeid 0x0<global>
inet6 fe80::1c1e:882b:1e8b:efd7 prefixlen 10 scopeid 0x20<link>
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 6080 bytes 3571799 (3.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4173 bytes 870323 (849.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Here's my IPv4 routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 ppp0
172.16.1.0 * 255.255.255.0 U 0 0 0 lan1
rbx-1-rdb.fr.eu * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 lan0
lan1 is my local wired interface which connects to a 1000Mb/s switch; on it there is a Debian machine (the 600MHz one) which acts as an access point (on it the wired interface is bridged with the wireless one, but all the DHCP/DNS stuff is done on my main computer and I don't think there's anything to do on the access point machine) and my other Archlinux laptop. Forwarding is enabled for both IPv4 and v6 in /etc/sysctl.conf and iptables (not ip6tables) is configured correctly; everything works as I would like on the IPv4 side (DHCP/DNS/internet access works for all computers on the network). Here's my ifconfig lan1:
lan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9152
inet 172.16.1.1 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::f66d:4ff:fee3:2c96 prefixlen 64 scopeid 0x20<link>
ether f4:6d:04:e3:2c:96 txqueuelen 1000 (Ethernet)
RX packets 5060 bytes 701035 (684.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10181 bytes 7102665 (6.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf5100000-f5120000
Here's my IPv6 routing table (I have experience with computers and networks in general but this is total nonsense to me):
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001:41d0:70:1301::/64 :: UA 256 0 0 ppp0
fe80::/64 :: !n 256 0 0 lo
fe80::/64 :: U 256 0 0 lan0
fe80::/64 :: U 256 0 0 lan1
fe80::/64 :: U 256 0 0 ppp0
fe80::/10 :: U 1 0 0 ppp0
fe80::/10 :: U 256 0 0 ppp0
::/0 fe80::230:88ff:fe04:63d4 UGDAe 1024 1 0 ppp0
::/0 :: !n -1 1 312 lo
::1/128 :: Un 0 1 2 lo
2001:41d0:70:1301::/128 :: Un 0 1 0 lo
2001:41d0:70:1301:1c1e:882b:1e8b:efd7/128 :: Un 0 2 102 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::1c1e:882b:1e8b:efd7/128 :: Un 0 1 0 lo
fe80::f66d:4ff:fee3:2010/128 :: Un 0 1 0 lo
fe80::f66d:4ff:fee3:2c96/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 lan0
ff00::/8 :: U 256 0 0 lan1
ff00::/8 :: U 256 0 0 ppp0
::/0 :: !n -1 1 312 lo
Now with that configuration I can ping6 ipv6.google.com and get a reply:
PING ipv6.google.com(wb-in-x69.1e100.net) 56 data bytes
64 bytes from wb-in-x69.1e100.net: icmp_seq=1 ttl=56 time=49.1 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=2 ttl=56 time=48.5 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=3 ttl=56 time=48.3 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=4 ttl=56 time=50.3 ms
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 48.399/49.116/50.393/0.834 ms
But what next? I need to redistribute that IPv6 to all my network. Currently I have isc-dhcp-server (dhcpd) that gives IPv4 addresses on lan1, and I also have bind, which acts like a DNS resolver/cacher for my local network. I've heard about radvd, which is like a dhcpd but for IPv6; however, I think there's other stuff to do on the IPv6 routing table (which I don't understand) before hosts on the network can access the Internet through IPv6... So here's a summary: ppp0 gets an IPv6 address, I can ping6 from this computer, and that's it...
Sorry for the long post but we're not on IRC so I don't think the usage of Pastebin is required. Thanks for reading and have a nice day.

Awe, way cool radvd "router advertisement daemon"
Ya, that is what you needed for IPv6 to work. Ya, see, the IPv6 protocol takes care of addressing for you. No need for DHCP nor NAT/PAT because your ISP gives you more IPs than you could ever need. In fact, you can fit every IPv4 address possible into the range of addresses your ISP gives you!
One other VERY cool thing with IPv6 is "Anycast, One-to-nearest". Really just endless super cool stuff with IPv6.
If I remember correctly, like all OSes prefer to use IPv6 if available.
Okay, so for DNS, well I think you do need DHCP to hand that out... (I'm probably wrong about that), anyway, I'd simply configure your DNS host by host... but I have a faint memory of some cool way that can work itself out too... in any case:
Google DNS
/etc/resolv.conf
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
nameserver 8.8.8.8
nameserver 8.8.4.4
You know though. For security's sake, you may want to configure your LAN with a Private IPv6 network and subnet. All you would need to do is give the interfaces on the router an address starting with FD. Then you can use something like arno-iptables-firewall to NAT the address range.
This is how IPv6 network and subnet addressing works:
http://www.simpledns.com/private-ipv6.aspx
| 8 bits |  40 bits   |  16 bits  |          64 bits           |
+--------+------------+-----------+----------------------------+
| Prefix | Global ID  | Subnet ID |        Interface ID        |
+--------+------------+-----------+----------------------------+
That "Interface ID" is created by the Host automatically. It simply takes the MAC address of the interface and puts an "FE" in the middle to make it 64 bits long.
A Host learns about the network half of the address by picking up the "Router Advertisement messages".
So if the interface on the LAN side of the router has a Private IP address (it starts with "FD"), that is the network the router will put in the Router Advertisement, and the Hosts will pick up that Network 64 bits and add on their Interface ID 64 bits. Then bam, you got yourself an IPv6 address in a "Unique Local" IPv6 address range.
EDIT:
Awe, Okay, I just re-read my CCNA book. Okay so ya, a Host or Router using stateless autoconfiguration can learn both the IPv6 address prefix and its default router IP address using NDP RS/RA messages. However, you do need at least a stateless DHCPv6 server to hand out the DNS server's IP.
Last edited by hunterthomson (2012-11-06 09:35:54)
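The interface-ID derivation and the Prefix / Global ID / Subnet ID layout described in the reply above, worked through in Python as an added example that is not part of the thread. It follows the modified EUI-64 rule of RFC 4291 (insert ff:fe between the two halves of the MAC and flip the universal/local bit), checks the result against the lan1 and lan0 addresses quoted in the first post, and shows that such an address exposes the hardware address of the host. The fd12:3456:789a:1::/64 prefix and all function names are constructed for the illustration.

```python
"""Added example: SLAAC modified EUI-64 addressing and the unique-local field layout."""
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface ID


def mac_to_interface_id(mac: str) -> int:
    """Build the 64-bit modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    eui[0] ^= 0x02                                           # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 learned from a Router Advertisement with the host's interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC an EUI-64 style address reveals, or None if there is no ff:fe marker."""
    iid = bytearray((int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None  # e.g. a PPP-negotiated or privacy (RFC 4941) interface ID
    iid[0] ^= 0x02   # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def describe(address: str) -> dict:
    """Classify an address and split a unique-local one into the fields of the diagram."""
    addr = ipaddress.IPv6Address(address)
    value = int(addr)
    info = {"address": str(addr), "embedded_mac": embedded_mac(address)}
    if addr in ipaddress.IPv6Network("fc00::/7"):
        info.update(
            scope="unique-local",
            locally_assigned=bool((value >> 120) & 1),  # L bit set -> the "fd" form
            global_id=(value >> 80) & ((1 << 40) - 1),  # 40-bit Global ID
            subnet_id=(value >> 64) & 0xFFFF,           # 16-bit Subnet ID
        )
    elif addr in ipaddress.IPv6Network("fe80::/10"):
        info["scope"] = "link-local"
    elif addr in ipaddress.IPv6Network("2000::/3"):
        info["scope"] = "global-unicast"
    else:
        info["scope"] = "other"
    return info


# Values quoted in the first post.
LAN1_MAC = "f4:6d:04:e3:2c:96"
LAN1_LINK_LOCAL = "fe80::f66d:4ff:fee3:2c96"
LAN0_LINK_LOCAL = "fe80::f66d:4ff:fee3:2010"
PPP0_GLOBAL = "2001:41d0:70:1301:1c1e:882b:1e8b:efd7"
# Constructed unique-local /64 for the LAN side (not from the thread).
ULA_PREFIX = "fd12:3456:789a:1::/64"

if __name__ == "__main__":
    print("lan1 link-local rebuilt from MAC:", slaac_address("fe80::/64", LAN1_MAC))
    lan_host = slaac_address(ULA_PREFIX, LAN1_MAC)
    for sample in (LAN1_LINK_LOCAL, LAN0_LINK_LOCAL, PPP0_GLOBAL, str(lan_host)):
        print(describe(sample))
```

Any host that autoconfigures this way carries the same interface ID under every prefix it is given, which is the reason privacy extensions (RFC 4941) exist for globally routed prefixes.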

Similar Messages

  • PIX515e dual-stack ipv4 & ipv6 over PPPoE

    Hi Everyone,
    In short: I am trying to get ipv4 and ipv6 over PPPoE running on my PIX515e.
    Here's a bit more info about my setup and the scenario:
    My internet provider (residential) has offered me a dual-stack service on my ADSL.
    I get a STATIC ipv4 address, but a DYNAMIC ipv6 address. Additionally I get a STATIC ipv6 /56 prefix for my lan "if my router supports prefix delegation".
    My PIX is the 515e and its running PIX 7.2(4) with ASDM 5.2.
    Getting the ipv4 side of it working isn't an issue - I've configured the pppoe side of it with my username and password, and configured my outside interface (Ethernet 0) with the ipv4 address.
    But I cannot figure out how to get a dynamic ipv6 address on the outside (Ethernet 0) interface.
    At this stage all I care about is getting a dynamic ipv6 address on Ethernet 0. I don't care about the "lan" prefix or Prefix Delegation part of it because I figure I'll just NAT my lan ipv6 addresses out to the internet using the dynamic ipv6 address on the outside interface.
    I've read a lot of articles and looked at a lot of examples but none quite explain what I'm trying to do.
    I have enabled ipv6 on the outside interface - ipv6 enable
    and I've looked at ipv6 address and I've found the autoconfigure option but that doesn't appear to fetch the ipv6 address from my internet provider.
    I guess I'm expecting to see something like ipv6 address dhcp or ipv6 address pppoe
    So my question is: does anyone know how I can get dual-stack working on my outside interface with dynamically assigned ipv6 from pppoe?
    Or do I need to update the PIX software on my device? If so, can anyone suggest which version?
    Any help is greatly appreciated.

    I wanted to provide an update on this topic.  It turns out the traffic class that I was testing with was overlapping another class's match statement, which had a much lower bandwidth percentage.
    After making the corrections, it seems the IPv4 and IPv6 work very well together in the queues.  And now that you can run fair-queueing per class, I'm actually impressed with how well it is working.
    Now if only I could classify traffic based on the number of packets/bytes seen in netflow.... then I could shape some really nice QoS policies!

  • Problem running apache dual stack IPv4 and IPv6

    Hello!
    I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)
    I set up the IPv6 address and set up the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6, but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah), click continue and the certificate is loaded again - I end up in an infinite loop of certificate questions.
    The part of the firewall config looks like this:
    20515 allow tcp from any to any 443
    20516 allow tcp from any to any 8443
    20517 allow tcp from any to any 1640
    I looked into apache config:
    /etc/apache2/sites/virtual_host_global.conf has these entries:
    Listen  *:443
    NameVirtualHost *:443
    Listen  *:80
    NameVirtualHost *:80
    I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:
    ## Default Virtual Host Configuration
    <VirtualHost *:443>
            ServerAdmin [email protected]
            DocumentRoot "/Library/Server/Web/Data/Sites/Default"
            DirectoryIndex index.html index.php /wiki/ default.html
            CustomLog "/var/log/apache2/access_log" combinedvhost
            ErrorLog "/var/log/apache2/error_log"
            <IfModule mod_ssl.c>
                    SSLEngine On
                    SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
                    SSLProxyEngine On
                    SSLProtocol -ALL +SSLv3 +TLSv1
                    SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.pem"
                    SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pem"
                    SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain.pem"
                    SSLProxyProtocol -ALL +SSLv3 +TLSv1
            </IfModule>
            <Directory "/Library/Server/Web/Data/Sites/Default">
                    Options All +MultiViews -ExecCGI -Indexes
                    AllowOverride None
                    <IfModule mod_dav.c>
                            DAV Off
                    </IfModule>
            </Directory>
    </VirtualHost>
    I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a little scared to upgrade to Mountain Lion server because this server runs mail and calendar services for my company.
    I tried to set up the "Listen" entry with dedicated IP addresses, one for IPv4 and one for IPv6, but this only leads to the same problem - IPv4 works, IPv6 ends in an infinite loop.
    I found somewhere that I had to duplicate virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?
    Every hint is welcome, bye
    Christoph
    P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.
    Message was edited by: Christoph Ewering1

    Hello!
    Did some more testing and found that FireFox works with the loopback-address.
    https://[::1]/
    So, the address above works with FireFox after accepting the certificate - Safari loops in the dialog accepting the certificate.
    Then I tried the link-local-address but it looks like apache does not listen to that address at all.
    Then I tried the global-address and got to:
    Safari looping in the certificate dialog
    FireFox brings an alert „sec_err_bad_database"
    BTW these tests were made on the server that runs the apache. So no firewall between the browser and the server.
    No one using Mac OS X server in a dual stack environment?
    Bye,
    eweri

  • Dual-stacked DCs

    I thought I would re-post this here for an answer:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/7882a70f-598e-4606-938e-7b0ddac27fbe/dhcp-dns-ipv6-dual-stack?forum=winserverNIS#eb4944e4-fca7-4dac-af70-c10fbbed68cd
    The question in short is: has anyone done a dual-stack ipv4 + ipv6 configuration on a domain controller?

    Hi,
    Thanks for your post.
    It's recommended to keep IPv6 enabled on DC.
    Please refer to this similar thread:
    Disabling IPv6 on 2008R2 Domain Controllers... Best Practice?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/18001bd9-e79f-4f80-973c-3ef0f0b3d2ff/disabling-ipv6-on-2008r2-domain-controllers-best-practice?forum=winservergen
    Regards.
    Vivian Wang

  • 6VPE and Dual Stack Core?

    Hi,
    I've been following this discussion on an MPLS migration to IPv6.
    https://supportforums.cisco.com/thread/2181573
    I have the following customer requirements:
    - Dual stack IPv4/IPv6 across the entire network including the core.
    - Run 6VPE between the PE routers
    Is it true to say that this is not a supported configuration? 6VPE only runs on a native IPv4 core?
    Thanks
    Sean

    6VPE is a tunneling technology to allow you to run IPv4 and IPv6 over an IPv4-only core and provide dual-stack at the customer edge.  The customer is blissfully unaware that there is anything other than dual-stack - or better described as IPv4 and IPv6 capabilities - at their demarcation.
    If you configure your entire core with dual-stack, there isn't really a need for 6VPE.  What you will need is a solution for LDPv6 or what is sometimes referred to as MPLSv6 (http://blogs.cisco.com/tag/ldpv6/).
    cheers.

  • Dual stack support

    Dears,
    three questions:
    1) Does the 7206VXR support dual stack IPv4 and IPv6?
    2) Does the 7606 with sup720-B support dual stack IPv4 and IPv6?
    3) Does the 6513 with FW and IPD module support dual stack?
    4) Does the GSR 12410 support dual stack?
    Thank you in advance

    Ahmed,
    FWSM support for IPv6 is not dependent on mode of operation; to process IPv6 in a stateful way we need to handle traffic in CPU (note that ASA SM should not have this limitation).
    Regarding IDSM, I found a quote internally (from Oct 2009, but should be still relevant).
    The IDSM-2, AIM-IPS, and NME-IPS are not supported for IPv6 monitoring.
    No roadmap yet for this support as far as I am aware.
    HTH,
    Marcin

  • Dual-Stack LNS - ppp negotiation fails if no ipv6 prefix assigned by Radius

    Hello,
    We have an LNS (asr1k), dual-stack CPE and Radius server.
    Everything works fine if both an ipv4 and an ipv6 prefix are assigned to the CPE by Radius.
    If we set Radius server not to assign v6 prefix, we expect to build up an ipv4-only session over ppp.
    This is not what happens. PPP negotiation fails with the following debug lines:
    IPv6 DHCP_AAA: No authorization data from SSS
    Vi2.2364 PPP DISC: Non-PPP hang up
    some config parts of LNS:
    no ipv6 source-route
    ipv6 unicast-routing
    ipv6 dhcp binding track ppp
    ipv6 dhcp pool IPv6_DHCP_POOL
    ipv6 dhcp pool POOL_DHCP_PD
    ipv6 multicast-routing
    ipv6 multicast rpf use-bgp
    interface Virtual-Template99
     mtu 1460
     ip unnumbered Loopback0
     ip tcp adjust-mss 1420
     no logging event link-status
     ipv6 enable
     no ipv6 nd prefix framed-ipv6-prefix
     no ipv6 nd ra suppress
     ipv6 dhcp server POOL_DHCP_PD allow-hint
     peer default ip address pool adslpool_1 adslpool_2
     ppp max-configure 3
     ppp authentication pap AAA_AUTHEN_PPP_noc3x
     ppp authorization AAA_AUTHOR_NET_noc3x
     ppp accounting AAA_ACCT_NET_noc3x
     ppp ipcp address required
     ppp ipcp address accept
     ppp ipcp no-renegotiation send-termreq
     ppp link reorders
     ppp timeout retry 5
     ppp timeout ncp 30
     ppp timeout authentication 30
    end
    Can anyone help?
    Regards,
    Antal

    Have opened a case with Cisco. The solution for me is to put
    no ipv6 dhcp ppp terminate
    into the global config.
    Hope that helps anyone who has the same problem.

  • Dual stack multi-home BGP

    I have a design I'm working on which will require, among other things, dual stack across MPLS. Configuring CE routers for dual stack seems very straightforward; however, I'm having trouble finding documentation describing the BGP config for multihoming and load sharing with 2 routers and 2 service providers. I've configured this quite a few times with HSRP and BGP for IPv4, similar to this example:
    http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5
    Am I looking at this wrong or are these scenarios just not widely published yet?
    Any help is greatly appreciated!
    thanks,
    Josh

    Hi Josh,
    You will have to understand the MBGP address families. One of the basic rules of MBGP is that when I'm advertising a route from a specific address family, the next hop has to be from the same address family. So, you will have to make sure the next hop is from the same address family. A couple of examples for you:
    1. IPv6 NLRI in IPv4
    router bgp 201
    bgp router-id 192.168.30.1
    neighbor 150.1.1.2 remote-as 301
    address-family ipv6
    neighbor 150.1.1.2 activate
    neighbor 150.1.1.2 route-map SETNH out
    network 2192:10::/48
    route-map SETNH permit 10
    set ipv6 next-hop 2150:1:1::3
    2. IPv4 NLRI in IPv6
    router bgp 201
    bgp router-id 192.168.30.1
    neighbor 2150:1:1::2 remote-as 301
    address-family ipv4
    neighbor 2150:1:1::2 activate
    neighbor 2150:1:1::2 route-map SETNH out
    network 192.10.0.0
    route-map SETNH permit 10
    set ip next-hop 150.1.1.3
    I also came across this document which should help you: http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_25_SECT_11.html
    Regards,
    Salman

  • [ASR1K] ISG Dual Stack configuration

    Hello
    Is it possible to configure l3-connected ISG dual stack on ASR1000?

    Hi,
    According to document http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-ipv6.html, it is possible:
    Restrictions for ISG IPv6 Support
    Layer 2 connected interfaces are not supported. Only Layer 3 routed in-band IPv6 sessions are supported.
    Session Coexistence on ISG Interfaces
    The following session combinations can exist on the same ISG interface in Cisco IOS XE Release 3.5S and later releases:
    Native IPv6 and native IPv4 sessions
    Regards

  • DMVPN on Dual Stack Hub Site

    Hi,
    I have a Dual Stacked DMVPN Hub site. VPN for either IPv4 or IPv6 is working properly, but not both at the same time.
    If the IPv4 Peers connect first, then the IPv6 Peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP Phase1 is built correctly.
    A "show crypto ipsec sa" on the Hub shows only SAs for the kind of Peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form a security association with the Hub shows a security association, but with no proposals and rising send error counters:
    Spoke (IPv4) SA
    interface: Tunnel1
        Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 23255, #recv errors 0
         local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
         plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
    I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
    Interface Configuration
    interface GigabitEthernet0
    description ** Outside **
    ip address 1.1.1.1 255.255.255.0
    duplex auto
    speed auto
    ipv6 address 2001:1:1:1::1/64
    Crypto Configuration
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 14
    crypto isakmp key cisco address 0.0.0.0 no-xauth
    crypto isakmp key cisco address ipv6 ::/0 no-xauth
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
    mode tunnel
    crypto ipsec profile My-Profile-v4
    description ** IPsec Profile fuer IPv4 Peers **
    set transform-set My-Set
    set pfs group2
    crypto ipsec profile My-Profile-v6
    description ** IPsec Profile fuer IPv6 Peers **
    set transform-set My-Set
    set pfs group2
    Tunnel Configuration
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.10.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    shutdown
    keepalive 10 3
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    interface Tunnel2
    description ** DMVPN Intranet IPv6 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.12.1 255.255.255.0
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    keepalive 10 3
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    Regards,
    Thomas

    Hello Marcin,
    it is working now :-)
    First I was running a dual stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The ipsec profiles are "shared", because besides the two shown tunnels I have one more IPv4 and IPv6 Tunnel for Extranet use. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router.
    I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
    Here are my final configurations:
    Crypto
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 14
    crypto isakmp key cisco address 0.0.0.0         no-xauth
    crypto isakmp key cisco address ipv6 ::/0 no-xauth
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
    mode tunnel
    crypto ipsec profile My-Profile-v4
    description ** IPsec Profile fuer IPv4 Peers **
    set transform-set My-Set
    set pfs group2
    crypto ipsec profile My-Profile-v6
    description ** IPsec Profile fuer IPv6 Peers **
    set transform-set My-Set
    set pfs group2
    Tunnel Hub Dual Stacked
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.10.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    interface Tunnel2
    description ** DMVPN Intranet IPv6 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.12.1 255.255.255.0
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    end
    Tunnel Spoke IPv4
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    ip vrf forwarding VPN
    ip address 10.0.10.2 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip pim sparse-mode
    ip nhrp map 10.0.10.1 1.1.1.1
    ip nhrp map multicast 1.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp nhs 10.0.10.1
    ip nhrp shortcut
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    end
    Tunnel Spoke IPv6
    interface Tunnel1
    description ** DMVPN Intranet IPv6 **
    ip vrf forwarding VPN
    ip address 10.0.12.2 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip pim sparse-mode
    ip nhrp map 10.0.12.1 2001:1:1:1::1
    ip nhrp map multicast 2001:1:1:1::1
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp nhs 10.0.12.1
    ip nhrp shortcut
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    end
    Thanks again
    Thomas

  • Dual stack on tunnel interface

    Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends; however, when I try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
    R1
    interface Tunnel0
     description Tunnel to R2
     ip address 172.30.1.237 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address FE80::172:30:1:1 link-local
     ipv6 address 2001:1::172:30:1:1/126
     keepalive 5 4
     tunnel source GigabitEthernet0/1
     tunnel mode ipsec ipv4
     tunnel destination 1.2.3.4
     tunnel protection ipsec profile protect-gre
    R2
    interface Tunnel0
     description Tunnel to R1
     ip address 172.30.1.238 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address 2001:1::172:30:1:2/126
     ipv6 address FE80::172:30:1:2 link-local
     keepalive 5 4
     tunnel source FastEthernet0/1
     tunnel destination 1.2.3.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile protect-gre
    The only solution I can clearly see is running a separate tunnel, which I would like to avoid. Any assistance is greatly appreciated!

    Hello,
    In my System Preferences the IPv6 settings are set to "automatic", and my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IPv4. Even the same page may load via IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard; under Tiger the behaviour was much more stable.
    Gerard

  • Dual-stack approach

    Hi guys,
    In a dual stack network, how can we decide whether IPv4 or IPv6 address is used in a simulator software? How to test this?
    Thank you in advance.

    The preference for either v4 or v6 is embedded in the applications.
    Just do a google search on: ipv4 ipv6 preference.
    If your network uses dns, you could somewhat steer this by only providing a response for one protocol or the other.
    The best option would be to configure the application appropriately, if possible.
    If you have no options to configure this, you can test the default behavior by using a packet tracer or ultimately configure the machine on which such an application runs to use only one protocol.
    regards,
    Leo

  • Dual stack BGP Configuration guide for enterprise CPE

    Hi,
    I couldn't find the config guide for BGP in an IPv4 & IPv6 dual stack environment for CPE on the Cisco website. Hope someone can share the URL.
    Thanks

    The following URL shows how to configure Multi-protocol BGP - http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book.html.
    hth,
    -jim

  • Dual-Stack CTS configuration

    Hi All,
    My question is :
    Once we have configured the ABAP-Stack of a dual-stack system into the transport domain through CTS, can we now move the JAVA-based objects as well, or do we need to do something else also?
    If so, what is that?
    Regards

    Hi Chilbul,
    Your question is pretty vague. As per it, we don't know if you have actually carried out all the steps of CTS+ configuration prior to including the abap stack in transport routes or not.
    If you have already completed CTS+ configuration and this was the last step you did, then your java developers should be able to include their objects in a transport request.
    However, if you haven't done the CTS+ configuration yet, then please do that. For reference, these are some documents that should help you:
    CTS+ config for dual stack systems -->
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10456aac-44f7-2a10-1fbe-8b7bcd7bcd58?quicklink=index&overridelayout=true
    Other helpful guides:
    /people/dolores.correa/blog/2009/06/05/cts-configuration-in-solution-manager-70-ehp1
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e0249083-c0ab-2a10-78b8-b7a7854b1070
    Regards,
    Shitij

  • IPv6 dual stack Host Problem

    Hello...
    I have configured a dual stack VLAN on a Cisco 6500 switch and assigned an ipv6 address on my LAPTOP and connected it to the VLAN, but my laptop is not identifying the ipv6 address and the gateway is also not pinging from the laptop. The rest of the configuration on the switch is ok. Can anyone suggest what may be the issue?

    Dear Sunny,
    thank you for your answer.
    I've already tried this method. Unfortunately it didn't help, because the upgrade tool is not searching for those packages in other directories.
    In the meantime I found out a possible reason of the problem. It seems the usage type of the JAVA is not correct. In configtool I saw it is DW. The list of the problematic components contains all of the XSS components and one other.
    I will try the following workaround:
    - Undeploy all 'wrong' components before the upgrade
    - Remove the components from the stack xml
    - Deploy the missing components
    BR,
    Veronika
