I've recently set up a tunnel for a Juniper SSG5 to HE. The tunnel and routing for the /64 assignment works fine and I can access IPv6 sites. :) The problem I am having now is the /48 assignment routing. :(
Per my routing table I have the appropriate routes: (I use the first /64 in the subnet but this should have no effect.)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IPv6 Dest-Routes for <untrust-vr> (5 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface
Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 1 ::/0 tun.6
2001:470:1f06:fdf::1 S 20 1 Root
* 8 2001:470:8c43::/64 n/a trust-vr S 20 0 Root
* 3 2001:470:1f06:fdf::/64 tun.6
:: C 0 0 Root
* 7 2001:470:1f07:fdf::/64 n/a dmz-vr S 20 0 Root
* 4 2001:470:1f06:fdf::2/128 tun.6
:: H 0 0 Root
IPv6 Dest-Routes for <trust-vr> (3 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface
Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 4 ::/0 n/a untrust-vr S 20 0 Root
* 6 2001:470:8c43:0:217:cbff:fe8b:d44c/128 bgroup1
:: H 0 0 Root
* 5 2001:470:8c43::/64 bgroup1
:: C 0 0 Root
IPv6 Dest-Routes for <dmz-vr> (3 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface
Gateway P Pref Mtr
--------------------------------------------------------------------------------------
* 1 ::/0 n/a untrust-vr S 20 0
* 7 2001:470:1f07:fdf:217:cbff:fe8b:d44b/128 bgroup0
:: H 0 0
* 6 2001:470:1f07:fdf::/64 bgroup0
:: C 0 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The address assignment is correct for both the Trust and DMZ segments and I see the traffic being properly handled but there is no response. The only successful response is to the gateway address.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2011-02-02 13:17:01 0:00:22 2001:470:8c43:0:10ac:8b2c:aafe:8f6049443 2a01:48:1:0:2e0:81ff:fe05:4658 80 HTTP 7411 bgroup1
Close - AGE OUT 6 2001:470:8c43:0:10ac:8b2c:aafe:8f6049443 2a01:48:1:0:2e0:81ff:fe05:4658 80 41 tunnel.6
2011-02-02 13:13:12 0:01:02 2001:470:8c43:0:10ac:8b2c:aafe:8f60 12 2001:4860:b007::63 1 ICMPV6 8035 bgroup1
Close - AGE OUT 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 12 2001:4860:b007::63 1 41 tunnel.6
2011-02-02 13:13:06 0:01:01 2001:470:8c43:0:10ac:8b2c:aafe:8f60 11 2001:4860:b007::63 1 ICMPV6 7420 bgroup1
Close - AGE OUT 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 11 2001:4860:b007::63 1 41 tunnel.6
2011-02-02 13:41:10 0:00:03 2001:470:8c43:0:10ac:8b2c:aafe:8f60 23 2001:470:1f06:fdf::1 1 ICMPV6 7905 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 23 2001:470:1f06:fdf::1 1 41 tunnel.6
2011-02-02 13:41:10 0:00:04 2001:470:8c43:0:10ac:8b2c:aafe:8f60 22 2001:470:1f06:fdf::1 1 ICMPV6 7713 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 22 2001:470:1f06:fdf::1 1 41 tunnel.6
2011-02-02 13:41:08 0:00:03 2001:470:8c43:0:10ac:8b2c:aafe:8f60 21 2001:470:1f06:fdf::1 1 ICMPV6 8002 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 21 2001:470:1f06:fdf::1 1 41 tunnel.6
2011-02-02 13:41:08 0:00:04 2001:470:8c43:0:10ac:8b2c:aafe:8f60 20 2001:470:1f06:fdf::1 1 ICMPV6 7409 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 20 2001:470:1f06:fdf::1 1 41 tunnel.6
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This leads me to believe the /48, although allocated, is not being routed back to me globally. Can anyone confirm if the /48s should be globally routed?
Static route is in place, however what IPs are actually configured and in use?
2001:470:1f07:fdf::/64 works fine
2001:470:8c43::/64 I can only ping the HE gateway 2001:470:1f06:fdf::1, everything else times out.
I've not tried the whole /48 assignment for my internal network and 2001:470:8c43::/64 should be the same as 2001:470:8c43:0::/64... :-\
After the response, I continued to review the forums and my configuration. Without any changes the tunnel is now up and working. I have valid, separate IPv6 networks defined for both segments. Perhaps there is a lag on the routing for /48 segments?
Per the question:
2001:470:8c43::/64 should be the same as 2001:470:8c43:0::/64
I'll consider the latter correct but redundant.
As you say, it's the same network...as is 2001:0470:8c43:0:0::/64
rgds
lukec
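
Added example, not part of any post in this thread: a Python check that the three prefix spellings quoted above parse to one network, plus a tally of session close reasons per destination for sources inside the /48. The log records are copied from the first post; the field positions assumed by the regular expressions (source, id, destination, id, service) are read off those lines and are an assumption about the flattened layout.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Prefix spellings quoted in the thread.
SPELLINGS = ["2001:470:8c43::/64", "2001:470:8c43:0::/64",
             "2001:0470:8c43:0:0::/64"]
ROUTED_48 = ipaddress.ip_network("2001:470:8c43::/48")

# Four two-line session records copied from the first post.
LOG = """\
2011-02-02 13:13:12 0:01:02 2001:470:8c43:0:10ac:8b2c:aafe:8f60 12 2001:4860:b007::63 1 ICMPV6 8035 bgroup1
Close - AGE OUT 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 12 2001:4860:b007::63 1 41 tunnel.6
2011-02-02 13:13:06 0:01:01 2001:470:8c43:0:10ac:8b2c:aafe:8f60 11 2001:4860:b007::63 1 ICMPV6 7420 bgroup1
Close - AGE OUT 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 11 2001:4860:b007::63 1 41 tunnel.6
2011-02-02 13:41:10 0:00:03 2001:470:8c43:0:10ac:8b2c:aafe:8f60 23 2001:470:1f06:fdf::1 1 ICMPV6 7905 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 23 2001:470:1f06:fdf::1 1 41 tunnel.6
2011-02-02 13:41:10 0:00:04 2001:470:8c43:0:10ac:8b2c:aafe:8f60 22 2001:470:1f06:fdf::1 1 ICMPV6 7713 bgroup1
Close - RESP 58 2001:470:8c43:0:10ac:8b2c:aafe:8f60 22 2001:470:1f06:fdf::1 1 41 tunnel.6
"""

# Assumed layout: date time duration src id dst id service ...
OPEN_RE = re.compile(r"^\d{4}-\d\d-\d\d \S+ \S+ (\S+) \d+ (\S+) \d+ (\S+)")
CLOSE_RE = re.compile(r"^Close - ([A-Z ]+?) \d+ ")

def distinct_networks(spellings):
    """Parse each spelling and return the set of distinct networks."""
    return {ipaddress.ip_network(s) for s in spellings}

def close_reasons(log, within=ROUTED_48):
    """Map destination -> {close reason: count} for sources inside `within`."""
    result = defaultdict(Counter)
    pending = None  # destination of the record whose close line is next
    for line in log.splitlines():
        m = OPEN_RE.match(line)
        if m:
            src, dst, _service = m.groups()
            pending = dst if ipaddress.ip_address(src) in within else None
            continue
        m = CLOSE_RE.match(line)
        if m and pending is not None:
            result[pending][m.group(1)] += 1
            pending = None
    return {dst: dict(counts) for dst, counts in result.items()}

if __name__ == "__main__":
    print(distinct_networks(SPELLINGS))
    for dst, reasons in close_reasons(LOG).items():
        print(dst, reasons)
```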