IPv6 tunnel in zones ?
I posted in the zone forum, so forgive the cross post, but I thought I'd try this question with some networking experts here.
Is it possible to have the type of configuration below in a zone? I have a system with several zones using shared-IP in IPv4, but I want to create a tunnel within each zone to an IPv6 network.
ifconfig ip.tun0 inet6 plumb
ifconfig ip.tun0 inet6 tsrc 10.1.1.1100 tdst 30.1.1.1 up
ifconfig ip.tun0 inet6 addif 2001:DB8:C003::2/64 2001:DB8:C003::1/64 up
What are my options to get IPv6 tunnels in zones?
Thanks,
Greg
Yes, you need to dedicate a NIC (or VLAN) to the zone. There's quite a bit of documentation explaining how to do this, as well as an example in the zonecfg man page. With OpenSolaris, you can create VNICs (virtual NICs) for this purpose.
Similar Messages
-
My Hurricane Electric Tunnel Broker IPv6 connection worked fine with 7.6.1, but after upgrading the firmware on my Time Capsule to 7.6.3 I get an error: "There was an error with the IPv6 tunnel endpoint. Wait for the service to be restored and try again. Contact your service provider if the problem persists." It worked before the upgrade. All settings verified. Now it doesn't work.
https://discussions.apple.com/thread/4787229?start=30&tstart=60
I cannot find the reference.. but the fix is clear.. return post haste to 7.6.1
And wait for the next upgrade installment.. frankly I am amazed this hasn't been pulled. If this is what Apple considers tested firmware updates.. we are all down the tubes. -
Static and dynamic multipoint ipv6 tunnel
Hi everybody.
How is everyone doing?
My book says "the dynamic forwarding logic requires more work per packet as compared to point-to-point tunnels, which is one of the main reasons multipoint tunnels are best used for less frequent traffic while point-to-point tunnels are best suited for more frequent traffic".
In the case of a multipoint IPv6 tunnel, the router has to derive the tunnel destination IP, which is encoded in the IPv6 address. What other work is performed on a packet when it comes to a multipoint IPv6 tunnel that is not performed in the case of a static IPv6-over-IP tunnel?
Thanks and have a great day
Hi Sarah,
Apart from "extracting" the embedded IPv4 address from the IPv6 address and placing it into a newly constructed IPv4 encapsulating header, I do not think there is any more significant work involved for multipoint tunnels. It is true that with static point-to-point tunnels, you can already have that header prepared beforehand in memory for all packets - you just use it again and again. With dynamic tunnels, you have first to derive the destination IPv4 address and then place it into a new IPv4 header but even this can be done in software so that the difference in the amount of work is negligible.
Best regards,
Peter -
EA3500 IPV6 tunnel resets to automatic--Youtube won't work
Hi
This problem description pops up quite often when searching the net but I've never seen a resolution.
I have to go back into settings and deactivate the IPv6 tunnel daily to keep access to YouTube. My provider does not support IPv6. Saving changes has no effect.
Is there a way to ensure that the IPv6 tunnel remains deactivated? I have firmware version 1.0.30 build 126544 2011-12-24. The firmware update function says I have the latest version.
Thanks for any hint
batiscan wrote:
Thanks for the tip.
Would that mean that I'd have to set up an account with the Cisco Connect Cloud? Isn't there another solution?
I believe upgrading to the Linksys Smart Wifi firmware would be the best thing you can do to resolve the issue.
How to manually upgrade the firmware of the Linksys Smart Wi-Fi Routers
Linksys Smart Wi-Fi Frequently Asked Questions
Benefits of using a Linksys Smart Wi-Fi Account? -
Allowing an IPv6 Tunnel Broker to passthrough ASA
I am in the process of setting up an IPv6 Tunnel Broker on a 1811 router I have in my home lab so I can start working with IPv6 and getting access to IPv6-only websites and/or content. I believe that I have the 1811 set up correctly but am having problems getting the Tunnel Broker traffic (which is IPv4 based) to pass through my ASA. I know that I need to allow protocol 41 to come through from the outside but can't seem to find a way to get it to go through.
I am using 8.2.5 firmware on my 5505. I would prefer not to have to upgrade to 8.3 or 8.4 because of the way the NAT rules and some other things change. My ISP only offers me a single IP address. I would prefer not to have to upgrade to business service to get multiple IP addresses. I have been looking for docs on how to do this but so far haven't found anything that points me in the right direction.
Ran a protocol capture and noticed this error in the ASDM log -
3 Jan 18 2012 19:16:20 209.51.181.2 regular translation creation failed for protocol 41 src Inside:192.168.1.100 dst Outside:209.51.181.2
In looking at the rules, it appears that I need an access rule to allow the protocol 41 traffic to go outbound.
Added these lines to the ASA config -
object-group protocol IPV6inIP
protocol-object 41
access-list inside_access_in line 2 extended permit object-group IPV6inIP any any
Still getting the above error after putting in the config lines just listed. Beginning to suspect that the 8.2.5 binary doesn't support protocol forwarding. I don't see the traffic leaving the ASA, so that would seem to indicate that 8.2.5 can't do protocol forwarding in the NAT rules.
Any suggestions/links appreciated,
Ron
Erik,
Thanks for your reply ...
I have upgraded the software on my ASA 5505 yesterday from 8.2 to 8.4, and I have to tell you ... I have never been so excited by an ASA upgrade ... anyway ... I tried to use a Cisco 3560G-PS-S as a tunnel endpoint on the inside of my network but apparently the software on this hardware does not support the command "tunnel mode ipv6ip", which makes it impossible to set up a tunnel ... I got the tunnel up but there is no way to ping the other side of the IPv6 tunnel ...
Anyway ... I discovered what NAT rules / object groups / access-lists I need in order to create the NAT rule ... but there is something else that I don't understand...
What IPv6 addresses have you configured on the inside/outside of your ASA?
And what IPv6 addresses have you configured on your internal hosts on the "inside" of your network?
I reckon that the "inside" hosts use your IPv6 endpoint device as a default gateway and that this tunnel endpoint uses the tunnel interface as a default gateway ... and that this device is also handing out the IPv6 addresses in your "inside" network, right?
And what IPv6 address do you have configured on the outside/inside of the ASA? is that the /64 you get from the tunnel provider (Hurricane Electric or Sixxs) and I guess this traffic is routed to the tunnel endpoint device as well?
So IPv6 firewalling is not possible?
Let me know if I have it correct ...
Thanks,
Iwan -
IPv6 Tunnel Input Wedged on 15.1(4)M4/M5
Hi,
I have a problem with an IPv6 tunnel (ipv6ip) on a Cisco 1841 running 15.1(4)M4 or 15.1(4)M5.
It appears that a bug was introduced into 15.1(4)M4 and it is related to IPv6 tunnels and IP SLA.
interface Tunnel64
description IPv6 Tunnel to x.x.x.x
ipv6 address 2001:XXXX:XXXX:XXXX::2/64
tunnel source ATM0/1/0.1
tunnel mode ipv6ip
tunnel destination x.x.x.x
After reloading the router, I can see the size of the input queue slowly increasing "Input queue: 30/75/0/0". It appears that specific packets are getting stuck in the input queue while still processing the majority of IPv6 packets. After a short period of time the input queue gets wedged "Input queue: 76/75/0/0" and it stops working for IPv6 unless I reload the router.
Tunnel64 is up, line protocol is up
Hardware is Tunnel
Description: IPv6 Tunnel to x.x.x.x
MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source x.x.x.x (ATM0/1/0.1), destination x.x.x.x
Tunnel Subblocks:
src-track:
Tunnel64 source tracking subblock associated with ATM0/1/0.1
Set of tunnels with source ATM0/1/0.1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPv6/IP
Tunnel TTL 255
Tunnel transport MTU 1480 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:15, output 00:00:15, output hang never
Last clearing of "show interface" counters never
Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
2253 packets input, 1691254 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1844 packets output, 730645 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
I also have an IP SLA probe on the router to verify if connectivity is working over the IPv6 tunnel:
ip sla 10
icmp-echo 2001:XXXX:XXXX:XXXX::1
ip sla schedule 10 life forever start-time now
It appears that IP SLA return packets are getting stuck in the input queue as the input queue increments every time I receive a response to my IP SLA probe (every 60 seconds). I have tried to change the values in the probe (packet size, tos, etc) without any luck. I am able to ping the same IPv6 address normally from the command line without seeing this behaviour.
Can I deduce that this is a potential buffer leak - I can't find anything on Bug Toolkit relating to this.
Has anyone come across this issue before and know any workarounds?
Thanks in advance,
Chris
I have got exactly the same issue... how did you solve it? (if you did) running M3?
Gateway#sh int tun 0 | i queue
Input queue: 76/75/100/0 (size/max/drops/flushes); Total output drops: 0
Output queue: 0/0 (size/max)
Gateway#sh buffers old
Public particle pools: -
Hey Guys,
I understand this implementation pretty well, I'm just having trouble understanding one important part. I understand that if you have R1<--->R2,
with IPv4 connectivity, and then R1 and R2 also each have an IPv6 network on the LAN side, your address will be 2002::/48, but the bits after
2002:xxxx:xxxx will be the IPv4 source address of the tunnel in hexadecimal. I know you need a route saying to get to 2001:DEAD:BEEF::1/64
go to tunnel0 (etc etc). It will know how to get there automatically by going to 2002:303:303:x.y (which I'm assuming is the IPv4 remote address in hex)
but how does it know to go to 2002:303:303: automatically........
I'm assuming that R1 has a physical IP going to R2 of 1.1.1.1 and R2 has a physical IP of 2.2.2.2 going to R1.
In the classic 6to4 scenario, you would be depending on the existence of two additional 3rd party relay routers. The relay routers would be anycasting 192.88.99.0/24 on the v4 side and 2002::/16 on the v6 side. Typically the sending client would only have v4 connectivity, not v6. Some operating systems build in 6to4 tunneling, and some endpoints might be dual-stack, so the number of relays could be reduced.
Sender:
1. client v6 encapsulated-->192.88.99.1 via next hop R1
2. R1 -> dual stack relay A (advertising 192.88.99.0/24) via v4
3. relay A -> v6 destination via R2
4. R2 -> destination server (v6)
On the reply path,
5a dual-stack server with embedded 6to4 encapsulates reply directly to client IPv4 address via R2
or
5b IPv6-only server sends native v6 reply to relay B at 2002::/16 via R2 using IPv6
6a R2 forwards v4 packet toward final destination
6b R2 forwards v6 packet toward dual stack relay B (advertising 2002::/16)
7a relay B is not involved if the server did its own 6to4 encapsulation
7b relay B encapsulates the v6 packet in a v4 envelope addressed to the decoded v4 address of the client
8 R1 receives a v4 encapsulated packet via either R2 or relay B, depending on step 5 choice
9 client decapsulates v6 reply from v4 envelope received from R1
Geoff Huston and others have described why automatic tunnels like Teredo and 6to4 are a bad idea, e.g.
http://www.potaroo.net/ispcol/2010-12/6to4fail.html
-- Jim Leinweber, WI State Lab of Hygiene -
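The address arithmetic behind both the multipoint-tunnel question earlier on this page and the 6to4 walk-through above, as an added example (not code from any post or from Cisco): derive the 2002::/48 prefix from an IPv4 endpoint, extract the embedded IPv4 address from a 6to4 destination, pick the outer IPv4 next hop, and build the protocol-41 encapsulating header. The endpoint addresses 1.1.1.1 and 2.2.2.2 are the ones the question assumes; the relay anycast address is the one Jim names.

```python
import ipaddress
import struct
from typing import Optional

# Added example (not code from any post above): the 6to4 address arithmetic the
# question asks about, and the per-packet work Peter describes for a multipoint
# tunnel: pull the IPv4 endpoint out of the IPv6 destination and build a fresh
# outer IPv4 header around the packet. The endpoint addresses 1.1.1.1 and
# 2.2.2.2 are the ones the question assumes.

PROTO_IPV6_IN_IPV4 = 41                                       # 6in4/6to4 protocol number
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 relay anycast


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private:
        raise ValueError(f"{ipv4} is private; a 6to4 prefix needs a public address")
    # 2002 (16 bits) | IPv4 address (32 bits) | 80 zero bits
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Extract the IPv4 tunnel endpoint encoded in a 6to4 address, else None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4_NET:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def outer_ipv4_destination(dst_ipv6: str) -> ipaddress.IPv4Address:
    """Pick the IPv4 next hop for a packet leaving the 6to4 tunnel interface.

    A 2002::/16 destination is sent straight to its embedded IPv4 address; any
    other destination goes to the nearest 6to4 relay (step 1 of the sender path).
    """
    peer = embedded_ipv4(dst_ipv6)
    return peer if peer is not None else SIXTO4_RELAY_ANYCAST


def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum (RFC 791); a header carrying a valid checksum sums to 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_ipv4: str, inner_ipv6_packet: bytes, ttl: int = 255) -> bytes:
    """Wrap an IPv6 packet in the outer IPv4 header a 6to4 endpoint would add."""
    if len(inner_ipv6_packet) < 40 or inner_ipv6_packet[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    dst_ipv4 = outer_ipv4_destination(str(ipaddress.IPv6Address(inner_ipv6_packet[24:40])))
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                          # version 4, IHL 5 (20 bytes)
        0,                             # DSCP/ECN
        20 + len(inner_ipv6_packet),   # total length
        0,                             # identification
        0x4000,                        # DF set so path MTU discovery works
        ttl,                           # matches the "Tunnel TTL 255" in the show output above
        PROTO_IPV6_IN_IPV4,
        0,                             # checksum placeholder
        ipaddress.IPv4Address(src_ipv4).packed,
        dst_ipv4.packed,
    )
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + inner_ipv6_packet


def make_ipv6_packet(src: str, dst: str, payload: bytes = b"", next_header: int = 59) -> bytes:
    """Minimal IPv6 packet (next header 59 = none) used as constructed test input."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)
```

With a static point-to-point tunnel the header built in encapsulate() is the one that can be prepared once and reused, which is the difference Peter describes.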
IPv6 Tunnel Input buffer leak on 15.1(4)M4/M5
Hello all, I have run into the exact same bug shown here:
https://supportforums.cisco.com/thread/2184076
I do not have a valid support contract for my device, but I believe this is a bug that should be reported. Is anyone able to assist in opening such a bug report?
We have a memory leak and that should be fixed
Regards
Andrea -
Cisco IOS Zone Based Firewall and IPv6
Hello,
I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
Which protocols must be allowed to and from the router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect ICMP-cmap
inspect
class type inspect IPSEC-cmap
pass
class type inspect Protocol41-cmap
pass log
class class-default
drop
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security IPv6tunnel
ipv6 address 2001:47:25:105B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination xxx.66.80.98
interface FastEthernet0
description WAN interface
ip address xxx.xxx.252.84 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
class type inspect IPv6-internet-class
inspect
class class-default
drop
class-map type inspect match-all IPv6-internet-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
ipv6 routing-header-enforcement loose
sessions maximum 10000
OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
class-map type inspect match-all cm-selftowan-he-out
match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
permit 41 any any
permit ip any host 64.62.200.2
permit ip any host 66.220.2.74
permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddenly noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble, whereas before it was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan
inspect
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of protocols).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too
//TrX -
RV220W 1.0.6.6 IPv6 Tunnelbroker tunnel is not working
With firmware 1.0.4.17 I have had our IPv6 tunnel working fine for a couple of years but it does not seem to work after upgrading to firmware 1.0.6.6
I have followed the instructions in 43132-Connecting_RV220W_to_an_IPv6_Tunnel_broker.pdf to no avail.
Has anybody been able to run an IPv6 6in4 tunnel with a firmware later than 1.0.4.17 and if yes, how ?
This is also a question to Cisco
I don't recall on which firmware version I set up the tunnel, but anyway I have fallen back to 1.0.4.17 with a factory reset.
It may be important to follow the instructions in https://supportforums.cisco.com/sites/default/files/legacy/2/3/1/43132-Connecting_RV220W_to_an_IPv6_Tunnel_broker.pdf in the proper sequence.
Pay attention to the two entries (different types) in the Advertisement Prefixes section.
In the Tunneling section your tunnel broker IP address will not show up in the IPv6 Tunnel Status Table. I have enabled and entered the Remote End Point IPv4 Address. -
Unexpected case IPv4 tunnel over IPv6 ?
hi,
I wonder if there is one use case one can think of that is not possible with Cisco IOS:
Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even an IPsec tunnel over an IPv6 network transporting IPv4 only does not work.
I tried several things in my lab but couldn't get it running.
I tried to search the net for my use case but I only find the other way round.
Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?
Ultimately, the same tunnel should be capable of transporting both. A dedicated tunnel for IPv4 and an IPv6 tunnel on the same routers would also be OK.
Svr A                                           Svr B
+----+   +----+   (            )   +----+   +----+
|    |---| R1 |---( IPv6 only  )---| R2 |---|    |
+----+   +----+   (  network   )   +----+   +----+
10.0.23.1/24                            10.0.42.1/24
Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client. The host on the left side is connected to an IPv6-only network. They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).
Is this possible?
IPv6-only HOST (Cisco VPN Client) --- R1 --- ( IPv6 network ) --- R2 --- Cisco ASA (has IPv6 interface on public side) ---- IPv4 network
MTU option of IPv6 router advertisement ignored
I recently turned up an IPv6 tunnel from Hurricane Electric (http://tunnelbroker.net/) to my home router, which is a Cisco 1921 ISR. The IPv6 tunnel works great, save for one small problem. That being that the MTU of the tunnel is 1480 and the MTU on my Mac is 1500. If I manually set the MTU on my Mac to 1480, everything works as expected. However, part of IPv6 autoconfig is setting the MTU for situations like this where there is a tunnel or the more common PPPoE, both of which require a lower MTU. The router is configured to set this option, and I can see it via tcpdump and radvdump:
[root@strongbad]# tcpdump -i en0 -n -XX icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:36:09.218626 IP6 fe80::ca9c:1dff:fed6:17a0 > ff02::1: ICMP6, router advertisement, length 64
0x0000: 3333 0000 0001 c89c 1dd6 17a0 86dd 6e00 33............n.
0x0010: 0000 0040 3aff fe80 0000 0000 0000 ca9c ...@:...........
0x0020: 1dff fed6 17a0 ff02 0000 0000 0000 0000 ................
0x0030: 0000 0000 0001 8600 1266 4000 0708 0000 .........f@.....
0x0040: 0000 0000 0000 0101 c89c 1dd6 17a0 0501 ................
0x0050: 0000 0000 05c8 0304 40c0 0027 8d00 0009 ........@..'....
0x0060: 3a80 0000 0000 2001 0470 e9ba 0001 0000 :........p......
0x0070: 0000 0000 0000 ......
[root@strongbad]# radvdump
# radvd configuration generated by radvdump 1.6
# based on Router Advertisement from fe80::ca9c:1dff:fed6:17a0
# received by interface en0
interface en0
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag off;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 1800;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvSourceLLAddress on;
AdvLinkMTU 1480;
prefix 2001:470:e9ba:1::/64
AdvValidLifetime 2592000;
AdvPreferredLifetime 604800;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
}; # End of interface definition
You can plainly see the MTU is at 1500, when it should be 1480:
[root@strongbad]# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:16:cb:ab:af:0d
inet6 fe80::216:cbff:feab:af0d%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.44 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:470:e9ba:1:216:cbff:feab:af0d prefixlen 64 autoconf
media: autoselect (1000baseT <full-duplex>)
status: active
[root@strongbad]# netstat -in
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link#1> 800471 0 800471 0 0
lo0 16384 ::1/128 ::1 800471 - 800471 - -
lo0 16384 fe80::1%lo0 fe80:1::1 800471 - 800471 - -
lo0 16384 127 127.0.0.1 800471 - 800471 - -
gif0* 1280 <Link#2> 0 0 0 0 0
stf0* 1280 <Link#3> 0 0 0 0 0
en0 1500 <Link#4> 00:16:cb:ab:af:0d 24352460 0 36285322 0 0
en0 1500 fe80::216:c fe80:4::216:cbff: 24352460 - 36285322 - -
en0 1500 192.168.1 192.168.1.44 24352460 - 36285322 - -
en0 1500 2001:470:e9 2001:470:e9ba:1:2 24352460 - 36285322 - -
fw0 2030 <Link#5> 00:1c:b3:ff:fe:9b:6d:d0 0 0 0 0 0
en1 1500 <Link#6> 00:1c:b3:b0:41:f0 0 0 0 0 0
vmnet 1500 <Link#7> 00:50:56:c0:00:01 0 0 0 0 0
vmnet 1500 172.16.130/24 172.16.130.1 0 - 0 - -
vmnet 1500 <Link#8> 00:50:56:c0:00:08 0 0 0 0 0
vmnet 1500 172.16.123/24 172.16.123.1 0 - 0 - -
On my Mac in System Preferences > Network > Ethernet > Advanced > Ethernet the "Configure" value is set to "Automatically". I discovered a manual sysctl setting that looked promising, but had no noticeable effect:
[root@strongbad]# sysctl -w net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.accept_rtadv: 0 -> 1
I'm running the latest version of Snow Leopard (10.6.7) on my Mac, and there doesn't appear to be any updates for it. Just for fun, here's the kernel banner:
[root@strongbad]# uname -a
Darwin strongbad.local 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386
Any ideas on how to get my Mac to honor the MTU in IPv6 router advertisements and set the MTU automatically?
Thanks in advance,
-Lex
I was wrong. The MTU in IPv6 router advertisements is not ignored by my Mac. In fact, it works great. A few things threw me off here:
1. The IPv6 MTU is not reflected in ifconfig and netstat output if it's different than IPv4.
2. The MTU size was wrong. The IPv6 MTU also has to account for ADSL PPPoE overhead the same as any other protocol. PPPoE adds 8 bytes of overhead per packet. That means with the 6in4 tunneling overhead of 20 bytes, the true MTU for an IPv6 packet over a 6in4 tunnel over PPPoE is 1472.
3. The firewall was correctly configured to pass ICMPv6, so PMTUD was working. However, this created the illusion that some destinations were working and some were not. I wrongly assumed that mucking with the MTU to and from 1480 was making a difference. In reality, it was PMTUD doing its thing, albeit slowly and on a strict destination by destination basis.
In sum, setting the MTU on the router interface closest to my Mac to 1472 made it all work beautifully. I had to wait for a few router advertisements to pass by, but my Mac did end up doing the right thing.
One last thing worth noting. On a Cisco router, setting the "ipv6 mtu" to something non-default will be reflected in the IPv6 route advertisements it sends out.
Hope this helps,
-Lex -
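A decoder for the router advertisement Lex captured with tcpdump -XX above, added here as an example (not code from the post or from Cisco): it verifies the ICMPv6 checksum, enforces the RFC 4861 hop-limit-255 check, walks the ND options, and recovers the same AdvLinkMTU 1480 and 2001:470:e9ba:1::/64 prefix that radvdump printed, then applies the 6in4 and PPPoE overheads from Lex's follow-up to get 1480 and 1472. The frame bytes are the capture's hex columns retyped as constructed input.

```python
import ipaddress
import struct

# Added example, not code from the post: decode the router advertisement tcpdump
# captured above, pull out the MTU option (type 5) and prefix information
# option (type 3) that radvdump rendered, and work out the IPv6 MTU that is
# left once 6in4 and PPPoE overhead are subtracted.

ETH_HDR_LEN, IPV6_HDR_LEN = 14, 40
IPPROTO_ICMPV6, ICMPV6_ROUTER_ADVERT = 58, 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
SIXIN4_OVERHEAD = 20   # outer IPv4 header of a protocol-41 tunnel
PPPOE_OVERHEAD = 8     # PPPoE header (6) + PPP protocol field (2)
IPV6_MIN_MTU = 1280

# The tcpdump -XX hex columns from the capture above (constructed test input).
RA_FRAME = bytes.fromhex(" ".join([
    "3333 0000 0001 c89c 1dd6 17a0 86dd 6e00",
    "0000 0040 3aff fe80 0000 0000 0000 ca9c",
    "1dff fed6 17a0 ff02 0000 0000 0000 0000",
    "0000 0000 0001 8600 1266 4000 0708 0000",
    "0000 0000 0000 0101 c89c 1dd6 17a0 0501",
    "0000 0000 05c8 0304 40c0 0027 8d00 0009",
    "3a80 0000 0000 2001 0470 e9ba 0001 0000",
    "0000 0000 0000",
]))


def icmpv6_checksum_ok(src: bytes, dst: bytes, icmp: bytes) -> bool:
    """Verify the ICMPv6 checksum over the IPv6 pseudo-header plus message."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_router_advertisement(frame: bytes) -> dict:
    """Parse an Ethernet/IPv6/ICMPv6 Router Advertisement and its ND options."""
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD:
        raise ValueError("not an IPv6 frame")
    ip6 = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV6_HDR_LEN]
    payload_len, next_header, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_header != IPPROTO_ICMPV6:
        raise ValueError("not ICMPv6 (extension headers are not handled here)")
    if hop_limit != 255:   # RFC 4861: an RA that crossed a router is discarded
        raise ValueError("hop limit is not 255")
    src, dst = ip6[8:24], ip6[24:40]
    icmp = frame[ETH_HDR_LEN + IPV6_HDR_LEN:][:payload_len]
    if len(icmp) != payload_len or payload_len < 16:
        raise ValueError("truncated ICMPv6 payload")
    icmp_type, code, _, cur_hop_limit, flags, router_lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if icmp_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    reachable_time, retrans_timer = struct.unpack("!II", icmp[8:16])
    ra = {
        "router": str(ipaddress.IPv6Address(src)),
        "checksum_ok": icmpv6_checksum_ok(src, dst, icmp),
        "cur_hop_limit": cur_hop_limit, "router_lifetime": router_lifetime,
        "managed": bool(flags & 0x80),   # M flag: addresses via DHCPv6
        "other": bool(flags & 0x40),     # O flag: other config via DHCPv6
        "reachable_time": reachable_time, "retrans_timer": retrans_timer,
        "source_lladdr": None, "mtu": None, "prefixes": [],
    }
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:   # RFC 4861: a zero-length option means discard the packet
            raise ValueError("zero-length ND option")
        opt = icmp[off:off + opt_len * 8]
        if len(opt) != opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_SOURCE_LLADDR:
            ra["source_lladdr"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif opt_type == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            net = ipaddress.IPv6Network((int.from_bytes(opt[16:32], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid_lifetime": valid, "preferred_lifetime": preferred})
        off += opt_len * 8   # unknown option types are skipped, as RFC 4861 requires
    return ra


def ipv6_mtu_through(link_mtu: int, *overheads: int) -> int:
    """Largest IPv6 packet that fits once each encapsulation adds its header."""
    mtu = link_mtu - sum(overheads)
    if mtu < IPV6_MIN_MTU:
        raise ValueError(f"{mtu} is below the IPv6 minimum link MTU of {IPV6_MIN_MTU}")
    return mtu
```

The hop-limit and checksum checks are what a host applies before trusting an RA, which matters because an RA with a forged MTU or prefix from an on-link peer is accepted just as readily as the router's own.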
Problem: IPv6 w/ PPPoE on Cisco 2901
Folks: I have this Cisco 2901 configured with PPPoE and IPv6 and connect it through a CO (DSLAM) to an Actiontec xDSL router. PPPoE connections are on FE0/0/0, through virtual template.
The Actiontec router gets NA and PD addresses successfully and a LAN PC connected to the Actiontec router can surf the IPv6 Internet with no problem. However, the Cisco 2901 can't reach the Actiontec router by its NA or TA public IPv6 address. A 'stupid' workaround is to manually add a route via the virtual access. It is stupid cuz each new connection will bring up a different virtual access.
I guess this is a bug on 2901, but want to confirm with you guys first. Now the whole config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname AEI_SV_Cisco_2091
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no aaa new-model
ipv6 unicast-routing
ipv6 dhcp pool HE
prefix-delegation pool HE-48
address prefix 2001:470:1F05:7A::/64
ipv6 cef
ip dhcp pool default
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
ip dhcp pool dslam1
network 10.11.11.0 255.255.255.0
default-router 10.11.11.1
dns-server 10.11.11.1
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
multilink bundle-name authenticated
vpdn enable
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3962993046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3962993046
revocation-check none
rsakeypair TP-self-signed-3962993046
crypto pki certificate chain TP-self-signed-3962993046
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FCZ15489123
username admin privilege 15 secret 5 $1$.CdN$d0DXERD9PqUtu6XPilTv/.
username chap password 0 chap
bba-group pppoe global
virtual-template 1
sessions max limit 256
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F04:7A::2/64
ipv6 enable
tunnel source 173.13.177.215
tunnel mode ipv6ip
tunnel destination 72.52.104.74
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly in
shutdown
duplex auto
speed auto
ipv6 enable
ipv6 dhcp server HE1
interface GigabitEthernet0/1
ip address 173.13.177.215 255.255.255.240
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 10.11.11.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address 2001:470:1F05:7A::1/64
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server HE
pppoe enable group global
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet0/0/0
ip nat inside
ip nat enable
ip virtual-reassembly in
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 dhcp server HE
peer default ip address dhcp-pool dslam1
peer default ipv6 pool HE
ppp authentication chap
no routing dynamic
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 173.13.177.222
access-list 1 permit any
ipv6 route ::/0 Tunnel0
ipv6 local pool test 2001:470:7007::/48 64
ipv6 local pool HE-48 2001:470:8008::/48 64
control-plane
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport preferred none
transport input all
transport output all
line vty 5 15
privilege level 15
login local
transport preferred none
transport input all
transport output all
scheduler allocate 20000 1000
end
See, both IPv4 and IPv6 are using the virtual template to get PPPoE to work. Everything's working fairly well on IPv4. I can ping from the Cisco to the 10.11.11.x address on the Actiontec router. But with IPv6, I can't ping the 2001:470:1f05:7a:: address on the Actiontec router. The correct route through the virtual-access is not installed, or the F0/0/0 interface doesn't pass the IPv6 traffic to the corresponding virtual-access interface:
AEI_SV_Cisco_2091#sh ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via Tunnel0, directly connected
C   2001:470:1F04:7A::/64 [0/0]
     via Tunnel0, directly connected
L   2001:470:1F04:7A::2/128 [0/0]
     via Tunnel0, receive
C   2001:470:1F05:7A::/64 [0/0]
     via FastEthernet0/0/0, directly connected   (this sounds correct, but I'm not able to reach the client from this interface)
L   2001:470:1F05:7A::1/128 [0/0]
     via FastEthernet0/0/0, receive
S   2001:470:8008::/64 [1/0]
     via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
L   FF00::/8 [0/0]
     via Null0, receive
Can someone help? Thanks!
Henry

Hi,
The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity I could see packets matching the outbound ACL which were created from a host on that subnet.
Carsten
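To make Henry's symptom concrete, here is an added example (not code from the thread or from Cisco) that parses the 'sh ipv6 route' table he posted and runs a longest-prefix lookup over it, the same decision the router makes per packet. The route text is copied from his output; the parser and lookup are new, use only the Python standard library, and the address 2001:470:1F05:7A::5 is a constructed stand-in for the Actiontec's NA address (the post only names the /64). The lookup shows that any address in 2001:470:1F05:7A::/64 other than the router's own resolves to the connected entry on FastEthernet0/0/0 (so the router will try Neighbor Discovery on the physical Ethernet), while only the delegated 2001:470:8008::/64 points at Virtual-Access2.2 through a link-local next hop, which matches what he observes.

```python
"""Longest-prefix lookup over a pasted IOS 'show ipv6 route' table.

Added example, not part of the original thread. The table text is copied
from the 'sh ipv6 route' output posted above; the parser and lookup logic
are new and use only the Python standard library.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the router output in the post above (the poster's inline
# remark on the FastEthernet0/0/0 line removed so it parses cleanly).
SHOW_IPV6_ROUTE = """\
S   ::/0 [1/0]
     via Tunnel0, directly connected
C   2001:470:1F04:7A::/64 [0/0]
     via Tunnel0, directly connected
L   2001:470:1F04:7A::2/128 [0/0]
     via Tunnel0, receive
C   2001:470:1F05:7A::/64 [0/0]
     via FastEthernet0/0/0, directly connected
L   2001:470:1F05:7A::1/128 [0/0]
     via FastEthernet0/0/0, receive
S   2001:470:8008::/64 [1/0]
     via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
L   FF00::/8 [0/0]
     via Null0, receive
"""


@dataclass
class Route:
    code: str                                  # C, L, S ... as printed by IOS
    prefix: ipaddress.IPv6Network
    distance: int                              # administrative distance
    metric: int
    next_hop: Optional[ipaddress.IPv6Address]  # None when connected/receive
    interface: str


_ENTRY = re.compile(r"^([A-Z][A-Z0-9]{0,2})\s+(\S+)\s+\[(\d+)/(\d+)\]\s*$")
_VIA = re.compile(r"^\s+via\s+(.+?)\s*$")


def parse_routes(text: str) -> List[Route]:
    """Turn the two-line-per-entry IOS listing into Route objects."""
    routes: List[Route] = []
    pending = None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            code, prefix, ad, metric = m.groups()
            pending = (code, ipaddress.IPv6Network(prefix), int(ad), int(metric))
            continue
        m = _VIA.match(line)
        if m and pending is not None:
            parts = [p.strip() for p in m.group(1).split(",")]
            next_hop: Optional[ipaddress.IPv6Address] = None
            interface = parts[0]
            try:
                # "via <link-local next hop>, <interface>"
                next_hop = ipaddress.IPv6Address(parts[0])
                interface = parts[1]
            except ValueError:
                # "via <interface>, directly connected" or "..., receive"
                pass
            code, prefix, ad, metric = pending
            routes.append(Route(code, prefix, ad, metric, next_hop, interface))
            pending = None
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by administrative distance, then metric."""
    addr = ipaddress.IPv6Address(destination)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance, r.metric))


def describe(routes: List[Route], destination: str) -> str:
    """One-line summary of how the router would forward to `destination`."""
    r = lookup(routes, destination)
    if r is None:
        return f"{destination}: no route"
    if r.code == "L":
        return f"{destination}: local, delivered to the router itself ({r.interface})"
    if r.next_hop is None:
        return (f"{destination}: on-link via {r.interface}, resolved with "
                f"Neighbor Discovery on that interface")
    return f"{destination}: via next hop {r.next_hop} on {r.interface}"


if __name__ == "__main__":
    table = parse_routes(SHOW_IPV6_ROUTE)
    # 2001:470:1F05:7A::5 is a constructed stand-in for the Actiontec's NA
    # address. It hits the connected entry on FastEthernet0/0/0, not the
    # Virtual-Access entry, which is the symptom described in the post.
    for dest in ("2001:470:1F05:7A::1", "2001:470:1F05:7A::5",
                 "2001:470:8008::1", "2001:4860:4860::8888"):
        print(describe(table, dest))
```

Run it and compare the line for 2001:470:1F05:7A::5 (on-link via FastEthernet0/0/0) with the one for 2001:470:8008::1 (next hop FE80::21F6:88C4:497E:6F9C on Virtual-Access2.2): the PD prefix has a per-session route, the NA prefix does not, so the manual route Henry mentions is the only thing that would steer those packets to the virtual-access interface. Pasting a different 'show ipv6 route' listing into SHOW_IPV6_ROUTE lets you check the same thing on another box.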
Hi All,
I had a working IPv6 tunnel with my Airport Express to tunnelbroker.net using the 7.6.1 firmware. After updating to 7.6.3, I have tried many things to get it to work and the only one that works is downgrading from 7.6.3 back to 7.6.1. After seeing this new technical note, it appears that the root of my issue is that I can not get the "IPv6 Delegated Prefix" field to stick - it is always empty after the reboot to apply the settings.
Any ideas?
Thanks,
CraigN

I'm in the same boat with a 3rd Gen AEBS. The only thing I haven't tried is a complete reset and reconfiguration from nothing, which I may wind up doing this afternoon just to rule it out. The best irony of all of this is that tunnelbroker.net is under my responsibility, and I can't validate the new settings paradigm. At least getting back to 7.6.1 is easy enough and everything works fine there.
IPv6 Delegated Prefix doesn't get saved when using the format from their example, then a 6to4 address shows up as the local address on the main Internet page, and no RAs are received once the AEBS comes back from a reload. Something's a little off on this release.
How can I use IPv6 in Firefox 3.6.13?
I have a functioning IPv6 tunneling connection via Sixxs. Using Opera 11.00, IPv6 works as advertised (several sites show the expected connection information), but running Firefox 3.6.13 at the same time, same system, all connections are via IPv4. I have tried changing the only IPv6-related setting (network.dns.disableIPv6) but I get the same behavior when set True or False.
I have searched the forum, and I do see a few other people who seem to have similar problems. In one case, Firefox on OpenSuse does not work, while Firefox running in a VM under Windows XP does. Clearly I am missing something somewhere.
On my first submission attempt, I got this warning about Troubleshooting Information:
Ensure this value has at most 30,000 characters (it has 54,133).
I removed some info, apparently I use too many printers(?)

Install Firefox Portable 3.6.20 to your hard drive for that website.
http://portableapps.com/apps/internet/firefox_portable/localization#legacy36
It won't affect your current Firefox installation, which you should update to Firefox 6.0 - you are missing a bunch of important security fixes by being two versions behind the latest. 3.6.20 does have all those fixes.