Hello guys,
I'm trying to get an IPv6 connection for a LAN by creating a tunnel with HE (because European ISPs are so laaazy getting IPv6 on their WAN).
Here's the thing: my internet connection is behind an ASA connected to my DMZ and my LAN. Using a router between the internet connection and the ASA couldn't be done, so I created a Linux server on my DMZ to act as an IPv6 gateway with the tunnel output.
The IPv6 connection between my server and the IPv6 net is up, I can ping in IPv6 DMZ <-> LAN, plus the default route is configured on the server.
I'm using the /48 given to me for the links in DMZ and in LAN (I created two /64 subnets).
My problem: where is the problem? x')
We need a bunch more information. Let's see the commands you used to set up the tunnel and the config of the ASA. Please don't block out IP addresses.
Ok
Here are the commands for my tunnel on the server (FreeBSD). I pasted the ones given by HE (replacing my external IP with the internal one with NAT).
ifconfig gif0 create
ifconfig gif0 tunnel 192.168.50.8 216.66.84.42
ifconfig gif0 inet6 2001:470:1f12:34::2 2001:470:1f12:34::1 prefixlen 128
route -n add -inet6 default 2001:470:1f12:34::2
ifconfig gif0 up
Here are the interfaces on the server.
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:50:56:b1:00:2e
inet6 fe80::250:56ff:feb1:2e%em0 prefixlen 64 scopeid 0x1
inet6 2001:470:cab4:50::8 prefixlen 64
inet 192.168.50.8 netmask 0xffffff00 broadcast 192.168.50.255
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 192.168.50.8 --> 216.66.84.42
inet6 fe80::250:56ff:feb1:2e%gif0 prefixlen 64 scopeid 0x4
inet6 2001:470:1f12:34::2 --> 2001:470:1f12:34::1 prefixlen 128
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
options=1<ACCEPT_REV_ETHIP_VER>
For the ASA I'm using ASDM and I prefer not to paste the whole conf. I added access list rules for protocol 41 and icmp/icmp6.
On the DMZ interface: 2001:470:cab4:50::1/64
On the inside interface: 2001:470:cab4:3::1/64
RAs are disabled everywhere.
I added a default route pointing to the server in the DMZ for IPv6 addresses.
Some ping tests from the tunnel:
srvtunnelv6# ping6 2001:4178:2:1269::2
PING6(56=40+8+8 bytes) 2001:470:1f12:34::2 --> 2001:4178:2:1269::2
16 bytes from 2001:4178:2:1269::2, icmp_seq=0 hlim=58 time=54.833 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=1 hlim=58 time=127.263 ms
^C
--- 2001:4178:2:1269::2 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 54.833/91.048/127.263/36.215 ms
srvtunnelv6# ping6 2001:470:cab4:3::666
PING6(56=40+8+8 bytes) 2001:470:cab4:50::8 --> 2001:470:cab4:3::666
16 bytes from 2001:470:cab4:3::666, icmp_seq=0 hlim=63 time=1.258 ms
16 bytes from 2001:470:cab4:3::666, icmp_seq=1 hlim=63 time=0.925 ms
^C
--- 2001:470:cab4:3::666 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.925/1.091/1.258/0.167 ms
And the routing table of the server:
srvtunnelv6# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.50.1 UGS 1 2511 em0
localhost link#3 UH 0 96 lo0
192.168.50.0 link#1 U 0 0 em0
srvtunnelv6 link#1 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
default 2001:470:1f12:34:: UGS gif0
localhost localhost UH lo0
2001:470:1f12:34:: 2001:470:1f12:34:: UH gif0
2001:470:cab4:3:: 2001:470:cab4:50:: UGS em0
2001:470:cab4:50:: link#1 U em0
2001:470:cab4:50:: link#1 UHS lo0
fe80::%em0 link#1 U em0
fe80::250:56ff:feb link#1 UHS lo0
fe80::%lo0 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
fe80::%gif0 link#4 U gif0
fe80::250:56ff:feb link#4 UHS lo0
ff01:1:: fe80::250:56ff:feb U em0
ff01:3:: localhost U lo0
ff01:4:: fe80::250:56ff:feb U gif0
ff02::%em0 fe80::250:56ff:feb U em0
ff02::%lo0 localhost U lo0
ff02::%gif0 fe80::250:56ff:feb U gif0
Here's what I use in /etc/rc.conf on FreeBSD... substitute your values accordingly
gifconfig_gif1="12.199.185.10 209.51.181.2"
ipv6_defaultrouter="-interface gif1"
ipv6_enable="YES"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
ipv6_network_interfaces="nfe0 gif1 lo0"
It looks like your tunnel is up
[carl@ipv6router ~]$ ping6 2001:4178:2:1269::2
PING6(56=40+8+8 bytes) 2001:470:1f10:2aa::2 --> 2001:4178:2:1269::2
16 bytes from 2001:4178:2:1269::2, icmp_seq=0 hlim=56 time=152.984 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=1 hlim=56 time=176.335 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=2 hlim=56 time=244.726 ms
^C
--- 2001:4178:2:1269::2 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 152.984/191.348/244.726/38.929 ms
You need to add a routing rule for your /48 on your FreeBSD server. Route the entire /48 to your eth0 interface
defaultrouter="192.168.50.1"
gateway_enable="YES"
hostname="srvtunnelv6.ipv6imlovinit.org"
ifconfig_em0="inet 192.168.50.8 netmask 255.255.255.0"
gif_interfaces="gif0"
gifconfig_gif0="192.168.50.8 216.66.84.42 up"
ipv6_enable="YES"
ipv6_defaultrouter="-interface gif0"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif0="2001:470:1f12:34::2 2001:470:1f12:34::1 prefixlen 128"
ipv6_network_interfaces="em0 gif0 lo0"
ipv6_ifconfig_em0="2001:470:cab4:50::8 prefixlen 64"
Here is the rc.conf, thanks to your advice and some modifications.
Still, the route to my /48 via the interface on the ASA (not eth0) is here, but I can't ping external IPv6 addresses from my LAN.
I was asking myself if it's a good idea to have only one "physical" interface.
Edit: The problem is elsewhere, I think the IPv6 default route to get through the ASA is wrong.
Edit 2: Yeah, that was the route on the ASA. Thanks anyway for the rc.conf, cholzhauer.
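
The fault in this thread was a route on the firewall, not the tunnel. As an added example (not code from any poster here), this sketch follows a destination hop by hop through per-device IPv6 routing tables using longest-prefix match, with the addresses posted above. The ASA DMZ address as the server's next hop for the LAN /64, the `he` pseudo-device behind gif0, and the wrong next hop `2001:470:cab4:50::9` are assumptions constructed for illustration.

```python
import ipaddress

# Addresses are the ones posted in the thread. Assumptions: the ASA's DMZ
# address is the server's next hop for the LAN /64 (the gateway column is
# truncated in the netstat output), and "he" stands for everything past gif0.
SERVER, ASA_DMZ = "2001:470:cab4:50::8", "2001:470:cab4:50::1"
OWNER = {SERVER: "server", ASA_DMZ: "asa", "gif0": "he"}
BAD_NEXT_HOP = "2001:470:cab4:50::9"  # constructed: an address no router owns

def tables(asa_default):
    """Routing tables as (prefix, next hop); next hop None means on-link."""
    return {
        "asa": [("2001:470:cab4:3::/64", None),
                ("2001:470:cab4:50::/64", None),
                ("::/0", asa_default)],
        "server": [("2001:470:cab4:50::/64", None),
                   ("2001:470:cab4:3::/64", ASA_DMZ),
                   ("::/0", "gif0")],
    }

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def trace(routes, start, dst, max_hops=8):
    """Follow dst hop by hop; returns (devices visited, verdict)."""
    path, dev = [start], start
    for _ in range(max_hops):
        if dev == "he":
            return path, "handed to the HE tunnel"
        hit = lookup(routes[dev], dst)
        if hit is None:
            return path, f"no route on {dev}"
        net, next_hop = hit
        if next_hop is None:
            return path, f"on-link from {dev} via {net}"
        if next_hop not in OWNER:
            return path, f"{dev} forwards to {next_hop}, which no router owns"
        dev = OWNER[next_hop]
        path.append(dev)
    return path, "routing loop"

if __name__ == "__main__":
    dst = "2001:4178:2:1269::2"  # the ping6 target used in the thread
    for label, nh in (("broken", BAD_NEXT_HOP), ("fixed", SERVER)):
        print(label, trace(tables(nh), "asa", dst))
    print("return", trace(tables(SERVER), "server", "2001:470:cab4:3::666"))
```

Tracing the reply direction as well (server toward the LAN /64) matters because a tunnel gateway that can ping out, as the server here could, says nothing about whether the firewall forwards LAN traffic to it.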