Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: RonaldNutterLab on February 01, 2012, 06:38:39 PM

Title: Suggestions on what is wrong with my Tunnel config ?
Post by: RonaldNutterLab on February 01, 2012, 06:38:39 PM
I had a separate internet connection installed and have a Cisco 1811 configured at my tunnel broker.  My 1811 is connected directly to the cable modem.
I can ping the outside world.  Tunnel won't establish.
Here is my config.  Any suggestions on what I may have missed ?
!
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F10:102::1/64
ipv6 enable
tunnel source 192.168.1.100
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface FastEthernet0
description LAN
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:470:1F11:102::1/64
ipv6 enable
!
interface FastEthernet1
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ipv6 route ::/0 Tunnel0
!


I did a debug tunnel on the router and see this -

Feb  2 02:35:28.208: FIBtunnel: Tu0: stacking IPV6 :: to Default:209.51.181.2
Feb  2 02:35:28.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb  2 02:35:28.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Feb  2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb  2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb  2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.821: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:29.821: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:29.821: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:29.821: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:30.209: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb  2 02:35:30.209: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:35:30.321: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb  2 02:35:30.321: Tunnel0 count tx, adding 20 encap bytes
Feb  2 02:37:24.550: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:24.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:25.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:25.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:26.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:26.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:27.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:27.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:28.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:28.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:29.498: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:29.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:31.502: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:31.802: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:35.502: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:35.802: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:43.518: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:43.818: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:59.530: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:37:59.834: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:38:31.558: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb  2 02:38:31.862: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0

When I tried to ping the IPv6 DNS server at HE.net, here is what I see -

IPv6_Tunnel#ping ipv6 2001:470:20::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:20::2, timeout is 2 seconds:

Feb  2 02:40:14.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb  2 02:40:14.184: Tunnel0 count tx, adding 20 encap bytes.
Feb  2 02:40:16.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb  2 02:40:16.184: Tunnel0 count tx, adding 20 encap bytes.
Feb  2 02:40:18.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb  2 02:40:18.184: Tunnel0 count tx, adding 20 encap bytes.
Feb  2 02:40:20.185: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb  2 02:40:20.185: Tunnel0 count tx, adding 20 encap bytes.
Feb  2 02:40:22.185: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb  2 02:40:22.185: Tunnel0 count tx, adding 20 encap bytes.
Success rate is 0 percent (0/5)

I can ping the 209.51.181.2 endpoint so I know the path is good.  Can't ping anything via IPv6.
Please bear with me as I am learning IPv6, so it is something simple that I have missed.

Thanks for assistance on this,
Ron
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: broquea on February 01, 2012, 06:53:03 PM
Try changing tunnel source from RFC 1918 to your WAN interface, either the IP or see if you can specify the interface.
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: RonaldNutterLab on February 01, 2012, 07:10:54 PM
Here is what the config looks like now -

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F10:102::1/64
ipv6 enable
tunnel source FastEthernet1
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface FastEthernet0
description LAN
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:470:1F11:102::1/64
ipv6 enable
!
interface FastEthernet1
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

Here is what I see when I try to ping the he.net dns server -

IPv6_Tunnel#ping ipv6 2001:470:20::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:20::2, timeout is 2 seconds:

Feb  1 21:08:20: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb  1 21:08:20: Tunnel0 count tx, adding 20 encap bytes.
Feb  1 21:08:22: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb  1 21:08:22: Tunnel0 count tx, adding 20 encap bytes.
Feb  1 21:08:24: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb  1 21:08:24: Tunnel0 count tx, adding 20 encap bytes.
Feb  1 21:08:26: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb  1 21:08:26: Tunnel0 count tx, adding 20 encap bytes.
Feb  1 21:08:28: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb  1 21:08:28: Tunnel0 count tx, adding 20 encap bytes.
Success rate is 0 percent (0/5)
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: cholzhauer on February 01, 2012, 07:33:14 PM
Shouldn't the ipv6 address on your outside interface be ::2 not ::1?
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: RonaldNutterLab on February 02, 2012, 10:36:16 AM
Yes, you are right.  That was an oversight on my part, again.  Got the tunnel up late last night.  Now to start finding content available only on IPv6.

Thanks to both of you for your help !!

Ron
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: nickbeee on February 02, 2012, 03:29:57 PM
You may want to consider adding some firewall rules (ipv6 access list, ipv6 traffic filter) and vty access lists to that basic configuration depending what features your IOS supports.
Title: Re: Suggestions on what is wrong with my Tunnel config ?
Post by: nickbeee on February 02, 2012, 03:40:55 PM
Quote from: nickbeee on February 02, 2012, 03:29:57 PM
You may want to consider adding some firewall rules (ipv6 access list, ipv6 traffic filter) and vty access lists to that basic configuration depending what features your IOS supports.

For example

!         
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
!
ipv6 access-list IPV6_OUTSIDE
permit icmp any any
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:DB8:1F00:1D0G::2/64
ipv6 enable
ipv6 traffic-filter IPV6_OUTSIDE in
ipv6 inspect V6-INSPECT out
tunnel source FastEthernet1
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!


Will block everything apart from ICMP from the IPv6 internet and allow your return traffic back in.
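
Added example, not part of any post in this thread: a small Python check that reads an IOS configuration and flags, for each "tunnel mode ipv6ip" interface, the three points raised above (an RFC 1918 tunnel source, the ::1 tunnel address that the thread identified as the wrong end, and no inbound ipv6 traffic-filter). The function names and finding labels are hypothetical, and the sample stanza is constructed from the first post.

```python
import ipaddress
import re

# Constructed sample: the Tunnel0 stanza as first posted in this thread.
SAMPLE = """\
interface Tunnel0
 no ip address
 ipv6 address 2001:470:1F10:102::1/64
 ipv6 enable
 tunnel source 192.168.1.100
 tunnel destination 209.51.181.2
 tunnel mode ipv6ip
!
"""

def interface_blocks(config):
    """Map each interface name to its sub-commands (ends at '!' or next interface)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line == "!":
            current = None
        elif line and current is not None:
            current.append(line)
    return blocks

def audit_tunnels(config):
    """Return (interface, finding) pairs for every 6in4 tunnel interface."""
    findings = []
    for name, cmds in interface_blocks(config).items():
        if "tunnel mode ipv6ip" not in cmds:
            continue
        for cmd in cmds:
            src = re.match(r"tunnel source (\S+)$", cmd)
            v6 = re.match(r"ipv6 address (\S+/\d+)$", cmd)
            try:
                if src and ipaddress.ip_address(src.group(1)).is_private:
                    findings.append((name, "private-tunnel-source"))
            except ValueError:
                pass  # source given as an interface name, e.g. FastEthernet1
            try:
                # Assumption taken from the thread: the client end is ::2, so ::1 is flagged.
                if v6 and int(ipaddress.IPv6Interface(v6.group(1)).ip) & (2**64 - 1) == 1:
                    findings.append((name, "server-side-address"))
            except ValueError:
                findings.append((name, "invalid-ipv6-address"))
        if not any(re.match(r"ipv6 traffic-filter \S+ in$", c) for c in cmds):
            findings.append((name, "no-inbound-ipv6-filter"))
    return findings
```

Calling audit_tunnels(SAMPLE) reports all three findings for Tunnel0; a stanza with an address that does not parse as IPv6 is reported as invalid-ipv6-address instead of being silently skipped.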