Archlinux as dual-stack (IPv4/v6) gateway/router
Hello everyone,
I've installed Arch on my PC a few days ago and it works perfectly. The PC is a gaming PC (Asus P8P67 Deluxe, Intel Core i3 2100, 14 GB RAM, 2x Nvidia GTX580); however, for specific reasons (I don't have anything else besides IBM PCs with 600 MHz CPUs) I need to use it as a server and a router/gateway for my network (an Archlinux laptop and some Apple products). Here's my current network setup:
PPPoE modem is connected to lan0 (ethernet interface) which is configured as 192.168.1.2, gateway 192.168.1.1 (it's the modem's address).
My provider (OVH in France) gives me a /64 IPv6 subnet.
The ppp0 interface is created once lan0 is up (I'm using POST_UP="pon myprovider" in the netcfg script, and I've already added +ipv6 in /etc/ppp/options to enable IPv6 on the ppp). It automatically gets an IPv4 address and an IPv6 one from my provider. Here's the ifconfig ppp0 (I know it's deprecated but I'm so used to it...):
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1452
inet 109.190.20.173 netmask 255.255.255.255 destination 178.32.37.16
inet6 2001:41d0:70:1301:1c1e:882b:1e8b:efd7 prefixlen 64 scopeid 0x0<global>
inet6 fe80::1c1e:882b:1e8b:efd7 prefixlen 10 scopeid 0x20<link>
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 6080 bytes 3571799 (3.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4173 bytes 870323 (849.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Here's my IPv4 routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 ppp0
172.16.1.0 * 255.255.255.0 U 0 0 0 lan1
rbx-1-rdb.fr.eu * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 lan0
lan1 is my local wired interface, which connects to a 1000 Mb/s switch. On it there is a Debian machine (the 600 MHz one) which acts as an access point (on it the wired interface is bridged with the wireless one, but all the DHCP/DNS stuff is done on my main computer and I don't think there's anything to do on the access point machine) and my other Archlinux laptop. Forwarding is enabled for both IPv4 and v6 in /etc/sysctl.conf and iptables (not ip6tables) is configured correctly. Everything works as I would like on the IPv4 side (DHCP/DNS/internet access works for all computers on the network). Here's my ifconfig lan1:
lan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9152
inet 172.16.1.1 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::f66d:4ff:fee3:2c96 prefixlen 64 scopeid 0x20<link>
ether f4:6d:04:e3:2c:96 txqueuelen 1000 (Ethernet)
RX packets 5060 bytes 701035 (684.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10181 bytes 7102665 (6.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf5100000-f5120000
Here's my IPv6 routing table (I have experience with computers and networks in general but this is total nonsense to me):
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001:41d0:70:1301::/64 :: UA 256 0 0 ppp0
fe80::/64 :: !n 256 0 0 lo
fe80::/64 :: U 256 0 0 lan0
fe80::/64 :: U 256 0 0 lan1
fe80::/64 :: U 256 0 0 ppp0
fe80::/10 :: U 1 0 0 ppp0
fe80::/10 :: U 256 0 0 ppp0
::/0 fe80::230:88ff:fe04:63d4 UGDAe 1024 1 0 ppp0
::/0 :: !n -1 1 312 lo
::1/128 :: Un 0 1 2 lo
2001:41d0:70:1301::/128 :: Un 0 1 0 lo
2001:41d0:70:1301:1c1e:882b:1e8b:efd7/128 :: Un 0 2 102 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::1c1e:882b:1e8b:efd7/128 :: Un 0 1 0 lo
fe80::f66d:4ff:fee3:2010/128 :: Un 0 1 0 lo
fe80::f66d:4ff:fee3:2c96/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 lan0
ff00::/8 :: U 256 0 0 lan1
ff00::/8 :: U 256 0 0 ppp0
::/0 :: !n -1 1 312 lo
Now with that configuration I can ping6 ipv6.google.com and get a reply:
PING ipv6.google.com(wb-in-x69.1e100.net) 56 data bytes
64 bytes from wb-in-x69.1e100.net: icmp_seq=1 ttl=56 time=49.1 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=2 ttl=56 time=48.5 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=3 ttl=56 time=48.3 ms
64 bytes from wb-in-x69.1e100.net: icmp_seq=4 ttl=56 time=50.3 ms
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 48.399/49.116/50.393/0.834 ms
But what next? I need to redistribute that IPv6 to my whole network. Currently I have isc-dhcp-server (dhcpd), which gives out IPv4 addresses on lan1; I also have bind, which acts as a DNS resolver/cache for my local network. I've heard about radvd, which is like a dhcpd but for IPv6; however, I think there's other stuff to do on the IPv6 routing table (which I don't understand) before hosts on the network can access the Internet through IPv6... So here's a summary: ppp0 gets an IPv6 address, I can ping6 from this computer, and that's it...
Sorry for the long post, but we're not on IRC so I don't think the usage of Pastebin is required. Thanks for reading and have a nice day.
Awe, way cool radvd "router advertisement daemon"
Ya, that is what you needed for IPv6 to work. Ya, see, the IPv6 protocol takes care of addressing for you. No need for DHCP nor NAT/PAT because your ISP gives you more IPs than you could ever need. In fact, you can fit every IPv4 address possible into the range of addresses your ISP gives you!
One other VERY cool thing with IPv6 is "Anycast, One-to-nearest". Really just endless super cool stuff with IPv6.
If I remember correctly, like all OSes prefer to use IPv6 if available.
Okay, so for DNS, well I think you do need DHCP to hand that out... (I'm probably wrong about that), anyway, I'd simply configure your DNS host by host... but I have a faint memory of some cool way that can work itself out too... in any case:
Google DNS
/etc/resolv.conf
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
nameserver 8.8.8.8
nameserver 8.8.4.4
You know though. For security's sake, you may want to configure your LAN with a private IPv6 network and subnet. All you would need to do is give the interfaces on the router an address starting with FD. Then you can use like arno-iptables-firewall to NAT the address range.
Like this is how IPv6 network and subnet addressing works:
http://www.simpledns.com/private-ipv6.aspx
| 8 bits |  40 bits   |  16 bits  |          64 bits           |
+--------+------------+-----------+----------------------------+
| Prefix | Global ID  | Subnet ID |        Interface ID        |
+--------+------------+-----------+----------------------------+
That "Interface ID" is created by the host automatically. It simply takes the MAC address of the interface and puts an "FE" in the middle to make it 64 bits long.
A host learns about the network half of the address by picking up the "Router Advertisement messages".
So if the interface on the LAN side of the router has a private IP address (it starts with "FD"), that is the network the router will put in the Router Advertisement, and the hosts will pick up that network 64 bits and add on their Interface ID 64 bits. Then bam, you've got yourself an IPv6 address in a "Unique Local" IPv6 address range.
EDIT:
Awe, okay, I just re-read my CCNA book. Okay, so ya, a host or router using stateless autoconfiguration can learn both the IPv6 address prefix and its default router IP address using NDP RS/RA messages. However, you do need at least a stateless DHCPv6 server to hand out the DNS server's IP.
Last edited by hunterthomson (2012-11-06 09:35:54)
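Added example, not part of the original thread: a Python sketch of the addressing discussed above, using the lan1 MAC address and the provider /64 quoted in the first post. It follows the standard modified EUI-64 rule (RFC 4291: insert ff:fe and flip the universal/local bit), which reproduces the fe80:: address shown in the ifconfig output, and it also maps an address back to its MAC, which is why such addresses identify a NIC in logs. Function names and the sample ULA Global ID are this example's own.

```python
"""SLAAC / ULA address arithmetic (added example, not from the thread)."""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface ID


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle and flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 plus its EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 style address.

    Returns None when the interface ID does not carry the ff:fe marker
    (for example privacy or otherwise non-MAC-derived interface IDs).
    """
    raw = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in mac)


def ula_subnet(global_id: bytes, subnet_id: int) -> ipaddress.IPv6Network:
    """Build fd + 40-bit Global ID + 16-bit Subnet ID as a /64 (RFC 4193)."""
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Subnet ID must fit in 16 bits")
    top = (0xFD << 56) | (int.from_bytes(global_id, "big") << 16) | subnet_id
    return ipaddress.IPv6Network((top << 64, 64))


def random_global_id() -> bytes:
    """RFC 4193 asks for a pseudo-random Global ID; draw 40 random bits."""
    return secrets.token_bytes(5)


if __name__ == "__main__":
    lan1_mac = "f4:6d:04:e3:2c:96"            # from the ifconfig lan1 output
    isp_prefix = "2001:41d0:70:1301::/64"     # from the IPv6 routing table
    print("link-local :", slaac_address("fe80::/64", lan1_mac))
    print("global     :", slaac_address(isp_prefix, lan1_mac))
    print("MAC back   :", mac_from_address("fe80::f66d:4ff:fee3:2c96"))
    # ppp0's interface ID has no ff:fe marker, so no MAC can be derived.
    print("ppp0 MAC   :",
          mac_from_address("2001:41d0:70:1301:1c1e:882b:1e8b:efd7"))
    sample_gid = bytes.fromhex("123456789a")  # constructed sample value
    print("ULA subnet :", ula_subnet(sample_gid, 1))
    print("random ULA :", ula_subnet(random_global_id(), 0))
```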
Similar Messages
-
PIX515e dual-stack ipv4 & ipv6 over PPPoE
Hi Everyone,
In short: I am trying to get ipv4 and ipv6 over PPPoE running on my PIX515e.
Here's a bit more info about my setup and the scenario:
My internet provider (residential) has offered me a dual-stack service on my ADSL.
I get a STATIC ipv4 address, but a DYNAMIC ipv6 address. Additionally I get a STATIC ipv6 /56 prefix for my lan "if my router supports prefix delegation".
My PIX is the 515e and its running PIX 7.2(4) with ASDM 5.2.
Getting the ipv4 side of it working isn't an issue - I've configured the pppoe side of it with my username and password, and configured my outside interface (Ethernet 0) with the ipv4 address.
But I cannot figure out how to get a dynamic ipv6 address on the outside (Ethernet 0) interface.
At this stage all I care about is getting a dynamic ipv6 address on Ethernet 0. I don't care about the "lan" prefix or Prefix Delegation part of it because I figure I'll just NAT my lan ipv6 addresses out to the internet using the dynamic ipv6 address on the outside interface.
I've read a lot of articles and looked at a lot of examples but none quite explain what I'm trying to do.
I have enabled ipv6 on the outside interface - ipv6 enable
and I've looked at ipv6 address and I've found the autoconfigure option but that doesn't appear to fetch the ipv6 address from my internet provider.
I guess I'm expecting to see something like ipv6 address dhcp or ipv6 address pppoe
So my question is: does anyone know how I can get dual-stack working on my outside interface with dynamically assigned ipv6 from pppoe?
Or do I need to update the PIX software on my device? If so, can anyone suggest which version?
Any help is greatly appreciated.
I wanted to provide an update on this topic. It turns out the traffic class that I was testing with was overlapping another class's match statement, which had a much lower bandwidth percentage.
After making the corrections, it seems the IPv4 and IPv6 work very well together in the queues. And now that you can run fair-queueing per class, I'm actually impressed with how well it is working.
Now if only I could classify traffic based on the number of packets/bytes seen in netflow.... then I could shape some really nice QoS policies! -
Problem running apache dual stack IPv4 and IPv6
Hello!
I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)
I set up the IPv6 address and set up the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6, but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah), click continue and the certificate is loaded again - I end up in an infinite loop of certificate questions.
The part of the firewall config looks like this:
20515 allow tcp from any to any 443
20516 allow tcp from any to any 8443
20517 allow tcp from any to any 1640
I looked into apache config:
/etc/apache2/sites/virtual_host_global.conf has these entries:
Listen *:443
NameVirtualHost *:443
Listen *:80
NameVirtualHost *:80
I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:
## Default Virtual Host Configuration
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot "/Library/Server/Web/Data/Sites/Default"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog "/var/log/apache2/access_log" combinedvhost
ErrorLog "/var/log/apache2/error_log"
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProxyEngine On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.pem"
SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pem"
SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain.pem"
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/Default">
Options All +MultiViews -ExecCGI -Indexes
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
</Directory>
</VirtualHost>
I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a little scared to upgrade to Mountain Lion server because this server runs mail and calendar services for my company.
I tried to set up the "Listen" entry with dedicated IP addresses, one for IPv4 and one for IPv6, but this only leads to the same problem - IPv4 works, IPv6 ends in an infinite loop.
I found somewhere that I had to duplicate the virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?
Every hint is welcome, bye
Christoph
P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.
Message was edited by: Christoph Ewering1
Hello!
Did some more testing and found that FireFox works with the loopback-address.
https://[::1]/
So, the address above works with FireFox after accepting the certificate - Safari loops in the dialog accepting the certificate.
Then I tried the link-local address but it looks like apache does not listen to that address at all.
Then I tried the global address and got to:
Safari looping in the certificate dialog
FireFox brings an alert "sec_err_bad_database"
BTW these tests were made on the server that runs the apache. So no firewall between the browser and the server.
No one using Mac OS X server in a dual stack environment?
Bye,
eweri -
I thought I would re-post this here for an answer:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/7882a70f-598e-4606-938e-7b0ddac27fbe/dhcp-dns-ipv6-dual-stack?forum=winserverNIS#eb4944e4-fca7-4dac-af70-c10fbbed68cd
The question in short is: has anyone done a dual-stack ipv4 + ipv6 configuration on a domain controller?
Hi,
Thanks for your post.
It's recommended to keep IPv6 enabled on DC.
Please refer to this similar thread:
Disabling IPv6 on 2008R2 Domain Controllers... Best Practice?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/18001bd9-e79f-4f80-973c-3ef0f0b3d2ff/disabling-ipv6-on-2008r2-domain-controllers-best-practice?forum=winservergen
Regards.
Vivian Wang -
6VPE and Dual Stack Core?
Hi,
I've been following this discussion on a MPLS migration to IPv6.
https://supportforums.cisco.com/thread/2181573
I have the following customer requirements:
- Dual stack IPv4/IPv6 across the entire network including the core.
- Run 6VPE between the PE routers
Is it true to say that this is not a supported configuration? 6VPE only runs on a native IPv4 core?
Thanks
Sean
6VPE is a tunneling technology to allow you to run IPv4 and IPv6 over an IPv4-only core and provide dual-stack at the customer edge. The customer is blissfully unaware that there is anything other than dual-stack - or better described as IPv4 and IPv6 capabilities - at their demarcation.
If you configure your entire core with dual-stack, there isn't really a need for 6VPE. What you will need is a solution for LDPv6 or what is sometimes referred to as MPLSv6 (http://blogs.cisco.com/tag/ldpv6/).
cheers. -
Dears,
three questions
1) Does the 7206VXR support dual stack IPv4 and IPv6?
2) Does the 7606 with sup720-B support dual stack IPv4 and IPv6?
3) Does the 6513 with FW and IPD module support dual stack?
4) Does the GSR 12410 support dual stack?
Thank you in advance
Ahmed,
FWSM support for IPv6 is not dependent on mode of operation; to process IPv6 in a stateful way we need to handle traffic in CPU (note that ASA SM should not have this limitation).
Regarding IDSM, I found a quote internally (from Oct 2009, but should be still relevant).
The IDSM-2, AIM-IPS, and NME-IPS are not supported for IPv6 monitoring.
No roadmap yet for this support as far as I am aware.
HTH,
Marcin -
Dual-Stack LNS - ppp negotiation fails if no ipv6 prefix assigned by Radius
Hello,
We have an LNS (asr1k), dual-stack CPE and Radius server.
Everything works fine if both ipv4 and ipv6 prefix is assigned to CPE by Radius
If we set Radius server not to assign v6 prefix, we expect to build up an ipv4-only session over ppp.
This is not what happens. PPP negotiation fails with the following debug lines:
IPv6 DHCP_AAA: No authorization data from SSS
Vi2.2364 PPP DISC: Non-PPP hang up
some config parts of LNS:
no ipv6 source-route
ipv6 unicast-routing
ipv6 dhcp binding track ppp
ipv6 dhcp pool IPv6_DHCP_POOL
ipv6 dhcp pool POOL_DHCP_PD
ipv6 multicast-routing
ipv6 multicast rpf use-bgp
interface Virtual-Template99
mtu 1460
ip unnumbered Loopback0
ip tcp adjust-mss 1420
no logging event link-status
ipv6 enable
no ipv6 nd prefix framed-ipv6-prefix
no ipv6 nd ra suppress
ipv6 dhcp server POOL_DHCP_PD allow-hint
peer default ip address pool adslpool_1 adslpool_2
ppp max-configure 3
ppp authentication pap AAA_AUTHEN_PPP_noc3x
ppp authorization AAA_AUTHOR_NET_noc3x
ppp accounting AAA_ACCT_NET_noc3x
ppp ipcp address required
ppp ipcp address accept
ppp ipcp no-renegotiation send-termreq
ppp link reorders
ppp timeout retry 5
ppp timeout ncp 30
ppp timeout authentication 30
end
Can anyone help?
Regards,
Antal
Have opened a case with Cisco. The solution for me is to put
no ipv6 dhcp ppp terminate
into the global config.
Hope that helps anyone who has the same problem. -
I have a design I'm working on which will require among other things dual stack across MPLS. Configuring CE routers for dual stack seems very straight forward, however I'm having trouble finding documentation describing the BGP config for multihoming and load sharing with 2 routers and 2 service providers. I've configured this quite a few times with HSRP and BGP for IPv4 similar to this example:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5
Am I looking at this wrong or are these scenarios just not widely published yet?
Any help is greatly appreciated!
thanks,
Josh
Hi Josh,
You will have to understand the MBGP address families. One of the basic rule of MBGP is that when I'm advertising a route from a specific address family, the next hop has to be from the same address family. So, you will have to make sure the next hop is from the same address family. Couple of examples for you:
1. IPv6 NLRI in IPv4
router bgp 201
bgp router-id 192.168.30.1
neighbor 150.1.1.2 remote-as 301
address-family ipv6
neighbor 150.1.1.2 activate
neighbor 150.1.1.2 route-map SETNH out
network 2192:10::/48
route-map SETNH permit 10
set ipv6 next-hop 2150:1:1::3
2. IPv4 NLRI in IPv6
router bgp 201
bgp router-id 192.168.30.1
neighbor 2150:1:1::2 remote-as 301
address-family ipv4
neighbor 2150:1:1::2 activate
neighbor 2150:1:1::2 route-map SETNH out
network 192.10.0.0
route-map SETNH permit 10
set ip next-hop 150.1.1.3
I also came across this document which should help you: http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_25_SECT_11.html
Regards,
Salman -
[ASR1K] ISG Dual Stack configuration
Hello
Is it possible to configure l3-connected ISG dual stack on ASR1000?
Hi,
According to document http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-ipv6.html, it is possible:
Restrictions for ISG IPv6 Support
Layer 2 connected interfaces are not supported. Only Layer 3 routed in-band IPv6 sessions are supported.
Session Coexistence on ISG Interfaces
The following session combinations can exist on the same ISG interface in Cisco IOS XE Release 3.5S and later releases:
Native IPv6 and native IPv4 sessions
Regards -
Hi,
I have a Dual Stacked DMVPN Hub site. VPN for either IPv4 or IPv6 is working properly, but not both at the same time.
If the IPv4 Peers connect first, then the IPv6 Peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP Phase 1 is built correctly.
A "show crypto ipsec sa" on the Hub shows only SAs for the kind of Peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form a security association with the Hub shows a security association, but with no proposals and rising send error counters:
Spoke (IPv4) SA
interface: Tunnel1
Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23255, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
Interface Configuration
interface GigabitEthernet0
description ** Outside **
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:1:1:1::1/64
Crypto Configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Configuration
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
shutdown
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
Regards,
Thomas
Hello Marcin,
it is working now :-)
First I was running a dual stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The ipsec profiles are "shared", because besides the two shown tunnels I have one more IPv4 and IPv6 Tunnel for Extranet use. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router.
I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
Here are my final configurations:
Crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Hub Dual Stacked
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Tunnel Spoke IPv4
interface Tunnel1
description ** DMVPN Intranet IPv4 **
ip vrf forwarding VPN
ip address 10.0.10.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 10.0.10.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
end
Tunnel Spoke IPv6
interface Tunnel1
description ** DMVPN Intranet IPv6 **
ip vrf forwarding VPN
ip address 10.0.12.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.12.1 2001:1:1:1::1
ip nhrp map multicast 2001:1:1:1::1
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 10.0.12.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Thanks again
Thomas -
Dual stack on tunnel interface
Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends; however, when I try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
R1
interface Tunnel0
description Tunnel to R2
ip address 172.30.1.237 255.255.255.252
ip mtu 1400
ip nat inside
ip virtual-reassembly
load-interval 30
ipv6 address FE80::172:30:1:1 link-local
ipv6 address 2001:1::172:30:1:1/126
keepalive 5 4
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel destination 1.2.3.4
tunnel protection ipsec profile protect-gre
R2
interface Tunnel0
description Tunnel to R1
ip address 172.30.1.238 255.255.255.252
ip mtu 1400
ip nat inside
ip virtual-reassembly
load-interval 30
ipv6 address 2001:1::172:30:1:2/126
ipv6 address FE80::172:30:1:2 link-local
keepalive 5 4
tunnel source FastEthernet0/1
tunnel destination 1.2.3.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile protect-gre
The only solution I can clearly see is running a separate tunnel, which I would like to avoid. Any assistance is greatly appreciated!
Hello,
In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
Gerard -
Hi guys,
In a dual stack network, how can we decide whether IPv4 or IPv6 address is used in a simulator software? How to test this?
Thank you in advance.
The preference for either v4 or v6 is embedded in the applications.
Just do a google search on: ipv4 ipv6 preference.
If your network uses dns, you could somewhat steer this by only providing a response for one protocol or the other.
The best option would be to configure the application appropriately, if possible.
If you have no options to configure this, you can test the default behavior by using a packet tracer or ultimately configure the machine on which such an application runs to use only one protocol.
regards,
Leo -
Dual stack BGP Configuration guide for enterprise CPE
Hi,
I couldn't find the config guide for BGP in a IPv4 & IPv6 dual stack environment for CPE in Cisco website. Hope someone can share the URL.
Thanks
The following URL shows how to configure Multi-protocol BGP - http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book.html.
hth,
-jim -
Hi All,
My question is :
Once we have configured the ABAP-Stack of a dual-stack system into the transport domain through CTS, so can we now move the JAVA-based objects as well or we need to do something else also.
If so, what is that?
Regards
Hi Chilbul,
Your question is pretty vague. As per it, we don't know if you have actually carried out all the steps of CTS+ configuration prior to including the abap stack in transport routes or not.
If you have already completed CTS+ configuration and this was the last step you did, then your java developers should be able to include their objects in a transport request.
However, if you haven't done the CTS+ configuration yet, then please do that. For reference, these are some documents that should help you:
CTS+ config for dual stack systems -->
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10456aac-44f7-2a10-1fbe-8b7bcd7bcd58?quicklink=index&overridelayout=true
Other helpful guides:
/people/dolores.correa/blog/2009/06/05/cts-configuration-in-solution-manager-70-ehp1
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e0249083-c0ab-2a10-78b8-b7a7854b1070
Regards,
Shitij -
Hello...
I have configured a dual stack VLAN on a Cisco 6500 switch and assigned an IPv6 address on my laptop and connected it to the VLAN, but my laptop is not identifying the IPv6 address and the gateway is also not pinging from the laptop. The rest of the configuration on the switch is OK. Can anyone suggest what may be the issue?
Dear Sunny,
thank you for your answer.
I've already tried this method. Unfortunately it didn't help, because the upgrade tool is not searching for those packages in other directories.
In the meantime I found out a possible reason of the problem. It seems the usage type of the JAVA is not correct. In configtool I saw it is DW. The list of the problematic components contains all of the XSS components and one other.
I will try the following workaround:
- Undeploy all 'wrong' components before the upgrade
- Remove the components from the stack xml
- Deploy the missing components
BR,
Veronika