Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: bardack on January 28, 2011, 04:52:19 AM

Title: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 04:52:19 AM
Hi all,

I am trying to get the IPv6 tunnel working but I am facing problems ...

I have a Cisco router 1801W, with the following commands entered:


configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f14:131a::2/64
tunnel source Dialer0
tunnel destination 216.66.84.46
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end


Those commands are coming from tunnelbroker.net, I just replaced my IPv4 address with Dialer0.
I have a Win7 station connected via WiFi to the Internet, with the 1801W Router.

As asked on the tunnelbroker.net website, I clicked on the link to check if I'm IPv6, but always receive a message saying that I'm not.

What am I missing?

Thanks for your help.

Title: Re: IPv6 with Cisco 1801W Router
Post by: broquea on January 28, 2011, 08:19:47 AM
did you add: ipv6 unicast-routing ?
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 08:26:25 AM
Hi,

well yes.
My IPv6 is pingable from outside, this means that the Tunnel is working correctly, but on my Cisco router.
My client (laptop) is not working as IPv6 ...
I probably miss something important ... but what ...
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 08:31:49 AM
show the rest of the config.  how are you assigning the IPv6 on your LAN?  is the ipv6 enable on the LAN as well??
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 08:40:55 AM
To be honest I am planning to learn IPv6 from http://ipv6.he.net/certification/
The step I have to do is just: create the tunnel ... which is not very detailed if you plan to learn :)

Following, my 1801W configuration:

Current configuration : 6183 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1801W-GARAGE
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2884345684
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2884345684
revocation-check none
rsakeypair TP-self-signed-2884345684
!
!
crypto pki certificate chain TP-self-signed-2884345684
certificate self-signed 01
     *********
        quit
!
dot11 ssid HOME_FLO
   authentication open
   authentication key-management wpa
   guest-mode
   infrastructure-ssid
   wpa-psk ascii 7 *********
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.199
ip dhcp excluded-address 192.168.5.254
!
ip dhcp pool LOCAL
   import all
   network 192.168.5.0 255.255.255.0
   domain-name Flo-Lan
   default-router 192.168.5.254
   dns-server 192.168.5.254
!
!
ip domain name bardack.be
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method DynDNS
HTTP
  add http://*********@members.dyndns.org/nic/update?system=dyndns&hostname=*********&myip=
interval maximum 0 6 0 0
interval minimum 0 6 0 0
!
!
ipv6 unicast-routing
multilink bundle-name authenticated
!
!
username bardack privilege 15 secret 5 *********
!
!
archive
log config
  hidekeys
!
!
ip ssh version 2
bridge irb
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F14:131A::2/64
ipv6 enable
tunnel source Dialer0
tunnel destination 216.66.84.46
tunnel mode ipv6ip
!
interface FastEthernet0
no ip address
ip virtual-reassembly
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
shutdown
speed 100
!
interface FastEthernet2
shutdown
duplex full
speed 100
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface Dot11Radio0
no ip address
ip virtual-reassembly
!
encryption mode ciphers tkip
!
ssid HOME_FLO
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
ip ddns update hostname *********
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname *********
ppp chap password 7 *********
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp address accept
!
interface BVI1
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router ospf 1
log-adjacency-changes
network 192.168.5.0 0.0.0.255 area 0.0.3.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp 192.168.5.108 9 interface Dialer0 9
ip nat inside source static tcp 192.168.5.108 9000 interface Dialer0 9000
ip nat inside source static tcp 192.168.5.108 3483 interface Dialer0 3483
ip nat inside source static udp 192.168.5.108 3483 interface Dialer0 3483
ip nat inside source static tcp 192.168.5.108 22 interface Dialer0 22
ip nat inside source static tcp 192.168.5.108 80 interface Dialer0 80
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
arp 192.168.5.108 001d.60d4.54ae ARPA
!
!
ipv6 route ::/0 Tunnel0
!
!
!
!
control-plane
!
bridge 1 route ip
banner motd ^C
*******************************************
DO NOT LOG ON
*******************************************
^C
!
line con 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous
login local
transport input ssh
!
end

What I apparently miss is the IPv4 + v6 stacks working together ...

At the moment I do have DHCP server enabled on my router, but providing IPv4 ...
This thus makes sense that I am not able to access IPv6 sites using my laptop since it has an IPv4 address ...

I do not understand ...
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 08:44:19 AM
I do not plan to have DHCP under IPv6.
I do have a Linux server which has a static IPv4: 192.168.5.108.

The idea is to have that one with an IPv6.

I also have a laptop running Win7 (WIFI + DHCP IPv4). It would be great to have IPv6 on it also.

If somebody can give me some pointers, it would be great.

Thanks in advance;
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 08:54:48 AM
hello,

so quickly looking at your config, you are using wireless?  in any case, your BVI1 interface does not have an IPv6 address, therefore it is not doing anything for your client.

change this to;

interface BVI1
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ipv6 enable
ipv6 address 2001:4709:xxxx::1/64
!

I don't know what IPv6 address space was assigned to you by HE, but you need to add an IPv6 address to that interface in order for your 1801 to start sending RAs and basically enable you to have IPv6 forwarded across those interfaces.

Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 09:03:06 AM
http://dinco.bardack.be/uploads/detailsIPv6.JPG
Then if I follow you correctly, I must provide the 2001:470:1f15:131a:: IPv6 address in the BVI1 interface?

To answer, yes I am using Wireless.

Anyway thanks for your time.
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 09:07:47 AM
I cannot do that :(

1801W-GARAGE(config-if)#ipv6 address 2001:470:1f14:131a::2/64
%BVI1: Error: 2001:470:1F14:131A::/64 is overlapping with 2001:470:1F14:131A::/64 on Tunnel0
1801W-GARAGE(config-if)#ipv6 address 2001:470:1f14:131a::1/64
%BVI1: Error: 2001:470:1F14:131A::/64 is overlapping with 2001:470:1F14:131A::/64 on Tunnel0
Title: Re: IPv6 with Cisco 1801W Router
Post by: broquea on January 28, 2011, 09:14:55 AM
you shouldn't be trying to use 1f14 space, use 1f15 like we provide details for as your routed subnet.

in fact, just do this:

conf t
int bvi1
ipv6 add 2001:470:1f15:131a::1/64
end
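
Added example (not part of any post in this thread): a small Python check that reproduces the overlap test behind the `%BVI1: Error ... is overlapping` message above, and shows why the routed 1f15 prefix is accepted on BVI1 while any address in the tunnel's 1f14 /64 is not. The config excerpt is constructed from the configuration posted earlier, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in this thread.
CONFIG = """\
interface Tunnel0
 ipv6 address 2001:470:1F14:131A::2/64
 tunnel mode ipv6ip
!
interface BVI1
 ip address 192.168.5.254 255.255.255.0
!
"""


def ipv6_networks(config):
    """Map each interface name to the IPv6 networks configured on it."""
    nets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            nets.setdefault(current, [])
            continue
        m = re.match(r"\s+ipv6 address (\S+/\d+)", line)
        if m and current:
            # ip_interface keeps the host bits; .network is the on-link prefix.
            nets[current].append(ipaddress.ip_interface(m.group(1)).network)
    return nets


def conflicts(config, candidate):
    """Return the interfaces whose prefix overlaps the candidate address/len."""
    cand = ipaddress.ip_interface(candidate).network
    return [name for name, prefixes in ipv6_networks(config).items()
            if any(cand.overlaps(p) for p in prefixes)]


if __name__ == "__main__":
    for addr in ("2001:470:1f14:131a::1/64", "2001:470:1f15:131a::1/64"):
        print(addr, "->", conflicts(CONFIG, addr) or "no overlap")
```
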
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 10:13:24 AM
OK I start to understand :)

I configured my router with ipv6 add 2001:470:1f15:131a::1/64   for my BVI1 interface.

I configured my server with:
iface eth0 inet6 static
        address 2001:470:1f15:131a::2
        netmask 64
        gateway 2001:470:1f15:131a::1

From outside, I am able to ping:
- 2001:470:1f14:131a::2/64  (1801W - client tunnel ipv6)
- 2001:470:1f15:131a::1       (1801W - local address)

But I am not able to ping: 2001:470:1f15:131a::2

From my server, I am not able to ping 2001:470:1f15:131a::1 . But I am able to ping myself: 2001:470:1f15:131a::2.

Almost done :-) but still one detail apparently.

Thx for your help;
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 10:43:22 AM
you put "ipv6 enable" on the bvi interface?  that's strange, you should at least be able to ping the 2001:470:1f15:131a::1 if you truly have 2001:470:1f15:131a::2 as an IP on your server.

if you put an IPv4 address on this server, can you ping the IPv4 IP of the BVI1?
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 10:45:08 AM
I can ping your BVI1 IP from my workstation, so you either have a cabling or other issue;

C:\Users\cconn>ping 2001:470:1f15:131a::1

Pinging 2001:470:1f15:131a::1 with 32 bytes of data:
Reply from 2001:470:1f15:131a::1: time=137ms
Reply from 2001:470:1f15:131a::1: time=123ms
Reply from 2001:470:1f15:131a::1: time=124ms
Reply from 2001:470:1f15:131a::1: time=125ms
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 10:50:54 AM
From my server:

bardack@dinco:~$ ping6 2001:470:1f15:131a::2
PING 2001:470:1f15:131a::2(2001:470:1f15:131a::2) 56 data bytes
64 bytes from 2001:470:1f15:131a::2: icmp_seq=1 ttl=64 time=0.016 ms
^C
--- 2001:470:1f15:131a::2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.016/0.016/0.016/0.000 ms
bardack@dinco:~$ ping6 2001:470:1f15:131a::1
PING 2001:470:1f15:131a::1(2001:470:1f15:131a::1) 56 data bytes
^C
--- 2001:470:1f15:131a::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

bardack@dinco:~$ ping 192.168.5.254
PING 192.168.5.254 (192.168.5.254) 56(84) bytes of data.
64 bytes from 192.168.5.254: icmp_seq=1 ttl=255 time=0.711 ms
^C
--- 192.168.5.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.711/0.711/0.711/0.000 ms


I am able to ping myself: 2001:470:1f15:131a::2
I am not able to ping the router: 2001:470:1f15:131a::1
I am able to ping the router: 192.168.5.254

There is nothing wrong from my point of view, except that ipv6 does not work ...
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 11:04:24 AM
More details:

My laptop (on WIN7, using Wifi) has now the IPv6: 2001:470:1f15:131a::3

from the laptop:
- ping 2001:470:1f15:131a::2          -> WORKS   - This is the server
- ping 2001:470:1f15:131a::1          -> FAIL        - Cisco Router

From the server:
- ping 2001:470:1f15:131a::3           -> WORKS  - This is the laptop
- ping 2001:470:1f15:131a::1           -> FAIL       - This is the Router


There is a real problem when trying to connect the router ... But on IPv4 it works correctly.
Can it be related to my Cisco switch?

From my point of view not, because laptop -> router does not pass the switch (wifi, directly to router).

If somebody has an idea, it is almost done :)

Thx :)
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 11:09:27 AM
The funny thing is that from outside it is the opposite:

outside -> router (::1)  -> OK
outside -> server (::2)  -> NOT OK
outside -> laptop (::3)  -> NOT OK

This is very strange, but probably a small detail apparently ...
Title: Re: IPv6 with Cisco 1801W Router
Post by: antillie on January 28, 2011, 11:09:33 AM
What is the running config of the router? You don't have any IPv6 ACLs on it do you?
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 11:15:53 AM
Please check the first page, complete config of my 1801W is there.

I suspect the problem is coming from the router but where ... ?

Thx :)
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 11:32:11 AM
hopefully my google-fu is working;

from http://www.gossamer-threads.com/lists/cisco/nsp/52397


I think you need "ipv6 enable" on your FastEthernet0 interface.  Is this where you are plugging in the server???


also, what is your IOS version?  I remember reading that IPv6 over BVI interfaces was iffy/non-functional.  But in your case the BVI seems to be working....so I suspect that is not the issue.
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 11:45:45 AM
Well I already tested to "ipv6 enable" on Fa0 and also on BVI1, but nothing worked.

My Router is on version: Version 12.4(15)T4

My server is connected to Cisco 2900 switch, and my switch is then connected to the Router
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 01:14:54 PM
I kept 'ipv6 enable' activated on Fa0 + BVI1.
I cannot use that command for my Dot11Radio0 ... strange.

It doesn't look like an ACL or something ... this is just weird ... :(
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 01:21:35 PM
what port is your 2900 switch connecting to?  Fe0?

run a tcpdump/wireshark and see if you are getting RAs from the 1801.
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 01:32:01 PM
Server is connected on Fa0/1
Layer 2 switch, then no power on any Fa0/* interfaces.

I'll run wireshark and check what's going wrong ...
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 01:48:26 PM
# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6

ping from laptop (::3) to router (::1) :


IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
    0x0000:  0023 14c1 1440
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
    0x0000:  0023 14c1 1440
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
    0x0000:  0023 14c1 1440
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
    0x0000:  0023 14c1 1440


It seems that nobody is answering that, from inside.
From outside, the ping works on 2001:470:1f15:131a::1 ... which means that from outside it answers ...

Rahhh so weird :(:(:(
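
Added example (not part of any post in this thread): a Python helper that reads `tcpdump -vv` text like the capture above and lists neighbor-solicitation targets that never sent a neighbor advertisement, which is the symptom seen for the router's ::1 address. The sample capture is constructed: its first lines mirror the solicitations posted above, and the answered exchange for ::2 is invented for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed capture in `tcpdump -vv` text format.
SAMPLE = """\
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::1
  source link-address option (1), length 8 (1): 00:23:14:c1:14:40
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::3 > ff02::1:ff00:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:470:1f15:131a::2
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:131a::2 > 2001:470:1f15:131a::3: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001:470:1f15:131a::2, Flags [solicited, override]
"""

NS = re.compile(r"neighbor solicitation, .*who has ([0-9A-Fa-f:]+)")
NA = re.compile(r"neighbor advertisement, .*tgt is ([0-9A-Fa-f:]+)")


def _norm(addr):
    """Canonical text form, so differently written addresses compare equal."""
    return str(ipaddress.ip_address(addr))


def unanswered(capture):
    """Return {target: solicitation count} for targets that never advertised."""
    asked, answered = Counter(), set()
    for line in capture.splitlines():
        m = NS.search(line)
        if m:
            asked[_norm(m.group(1))] += 1
            continue
        m = NA.search(line)
        if m:
            answered.add(_norm(m.group(1)))
    return {t: n for t, n in asked.items() if t not in answered}


if __name__ == "__main__":
    for target, count in unanswered(SAMPLE).items():
        print(f"{target}: {count} solicitation(s), no advertisement seen")
```
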
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 01:58:57 PM
I enabled debug:

# debug ipv6 packet detail
# terminal monitor

on my Cisco router ...

I issued the same ping again (from laptop/server -> router) ... no debug written ...

Title: Re: IPv6 with Cisco 1801W Router
Post by: pbrutsch on January 28, 2011, 03:43:16 PM
bardack,

The version of IOS you are running does not support IPv6 on BVI interfaces.

You will need to run IOS 15.1T, not IOS 12.4(15)T.

Upgrading IOS may also require a DRAM upgrade.
Title: Re: IPv6 with Cisco 1801W Router
Post by: cconn on January 28, 2011, 05:26:21 PM
yeah I thought I had read that somewhere....

welcome to the new world of cisco licensing of IOS15  ::)

according to this tho, you could try and move your IP processing from the BVI to the Fe interface;

http://www.gossamer-threads.com/lists/cisco/nsp/52397

leaving your IPv4 stuff on the BVI and IPv6 on an interface that is in the bridge group...worth a try, I have no BVI routers to test on.

Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 28, 2011, 11:35:08 PM
Arghhhhh :(:(:(

At least, many thanks for the final answer.
I cannot move ipv6 to Fa interface because the only layer3 Fa I have on my router is Fa0 ...

Well ... What other solution do I have? ... :(

Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 29, 2011, 12:15:17 AM
I tested with my Cisco router 837 (no wifi but I use a LinkSys as AP) and it works perfectly :)

from laptop/server, I am able to ping the other client and the router :):):)
It finally works locally.

From outside, I am able to ping the inside address of the router (1F15 ::1) but not the addresses of the clients ...
Almost done :)

Thx for your help anyway
Title: Re: IPv6 with Cisco 1801W Router
Post by: bardack on January 29, 2011, 12:21:49 AM
laptop->outside : works
server -> outside: works

outside -> laptop : not working
outside -> server: works

:):):)
Title: Re: IPv6 with Cisco 1801W Router
Post by: VECTARE on April 22, 2011, 04:52:33 PM
I am having a similar issue.   Did you get an answer on the fix with the Cisco IOS? 

When I do show IPV6 neighbor,  I see my device I want to ping.   However, when I ping it, I cannot from the router, or from the network. 

Let me know,
Title: Re: IPv6 with Cisco 1801W Router
Post by: eegilbert on April 24, 2011, 11:08:21 PM
Quote from: broquea on January 28, 2011, 08:19:47 AM
did you add: ipv6 unicast-routing ?

Best. Advice. Ever. Thank you!

-E