I noticed an addition in the web form that sets up a secondary zone for a TSIG key.  As HE hasn’t yet announced it, I assume it’s under test.  However, my question is:

Will there be a way to add this for existing zones without having to delete and re-add them?

Thank you.

OK.  It could also be on the server end.

To determine which, run a packet sniffer on the server side, watching for traffic involving the clients IPv6 address.  Then ping an internet host from the client.  Doing this on both interfaces on the server allows you to determine just how far the packets get. 

If you can't get anything on the interface to the client, the problem is routing on the client.  If you get the packets in one direction on one interface and not the other, the problem is server routing (or firewalling).  If you get packets in both directions on both interfaces, the problem is probably on the client (and might be firewall).  If you get packets only in the outbound direction, the problem is further upstream, and if that's your exterior border, might be an announcement issue.

sounds like a problem with the routing table on the CLIENT side.  It needs to know to route internet IPv6 traffic to your server.

HE needs to approve the BGP tunnel after a vetting process. Sorry your other ticket didn't get responded to yet.

Sorry I don't understand the procedure: to ping the peer I should have approved the BGP tunnel?
is that why I cannot ping the peer?

I have received this confirmation on February 25th:

Your message ("Problem: I cannot ping peer for tunnel broker") has been assigned the tracking ID [HE#4045337].
One of our engineers will reply to your email within 24 hours.

Please include the string '[HE#4045337]' in the subject of any future email about
this case.  You may do that by simply replying to this message.

Please be aware that our system currently rejects binary attachments.  If you
are submitting a traceroute or ping output please generate it in text and
followup to this email.

Thank You.
Hurricane Electric Support
http://www.he.net/faq
http://www.he.net/info

Thanks for answering,

BGP tunnels are manually approved. They are not configured until approved.
Your ticket to request one was opened 44 hours ago by our system.
No replies from you to that ticket.
If you are emailing our ticket system, you should be getting back an autoresponder for any new ticket you created.
If not, your emails aren't making it to our system.

Have tried using another Tunnel Broker and it works like a charm. However, I need BGP(6).

I've also sent an email to he.net but no one replied.

Can anybody help?

I don't see anything glaring with your config, but I don't have enough experience building a tunnel on a Cisco router to say for sure.  My only other suggestion is to check your MTU.  Hopefully someone else sees what I missed.

!
!
ipv6 unicast-routing
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:10:B2::2/64
 ipv6 enable
 ipv6 mtu 1480
 tunnel source 200.87.162.225
 tunnel mode ipv6ip
 tunnel destination 216.66.70.2
!
interface GigabitEthernet0/0/0
 description WAN
 ip address 200.87.162.225 255.255.255.248 secondary
 ip address 191.184.27.78 255.255.255.252
 ip nat outside
 negotiation auto
!
!

ipv6 route ::/0 Tunnel0
!


The ISP says it is not filtering any protocol

I have ping(ed) from HE looking glass and I get packets matched by a test access-list

FASTA-ASR#show access-lists 100
Extended IP access list 100
    10 permit 41 any any log (252 matches)

The easiest way is to ask them, although they will probably be confused

You could also do a packet capture, but that takes more work.  Can you post your config with the addresses visible?  If you don’t want to, send it in a message instead