Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: HE.NET Tunnel Issues On Cisco 2851 (Protocol 41 NOT Blocked (Inbound at least))  (Read 12255 times)

zodiack

  • Newbie
  • *
  • Posts: 3


Hello and good day to all of you!

I'm at the end of my rope with this and I'm turning to you, the community collective for help!

The Problem:
-------------


The Tunnel0 interface comes up/up and I can see Protocol 41 traffic (via a logging access-list) hitting my router (from the Internet) but it looks like my return (outbound) traffic is failing because I can't successfully IPv6 ping myself from the outside world (with no filters/access-lists applied).

NOTE: All IPv4 connectivity is working 100% with no issues; I can ping the TB server and it/they can ping me.

The Topology:
--------------


Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

LAN <----> Gi0/1 [CISCO 2851] Gi0/0 <-------> Motorola SB5100 Modem <-------------> Internet

The Cisco Configuration:
-----------------------


ipv6 unicast-routing
ipv6 cef
ipv6 route ::/0 Tunnel0


core-r1#sh ip int bri | inc Tunnel
Tunnel0                    unassigned      YES unset  up                    up

core-r1#

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address <tunnel-routed-64-block>::2/64
 ipv6 enable
 tunnel source <my.external.ipv4.address>
 tunnel mode ipv6ip
 tunnel destination 209.51.161.14
end

interface GigabitEthernet0/0
 description WAN Gateway
 ip address dhcp
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
end


core-r1#sh ip access 100
Extended IP access list 100
    10 permit 41 any any log
    20 permit ip any any

core-r1#

The Results:
------------


When I try to ping my <tunnel-routed-64-block>::2/64 from the HE.NET Looking Glass, I see five (5) "Timed Out" ping attempts on the web interface.

HOWEVER... if I do:

core-r1#sh ip access 100 | inc permit 41
     10 permit 41 any any log (5 matches)
core-r1#


I see the 5 ping probes from the HE.NET Looking Glass reach my router!

But when I do:

core-r1#ping <tunnel-routed-64-block>::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <tunnel-routed-64-block>::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

core-r1#

Here's the IPv6 Routing Table:

S   ::/0 [1/0]
     via Tunnel0, directly connected
C   <tunnel-routed-64-block>::/64 [0/0]
     via Tunnel0, directly connected
L   <tunnel-routed-64-block>::2/128 [0/0]
     via Tunnel0, receive


The Conclusion:
---------------


Am I crazy? 
Is Protocol 41 allowed INBOUND from my ISP (Rogers) but then blocked OUTBOUND?
Am I overlooking something in my configuration?

Many thanks would be showered upon the scholar who can figure this one out!

Thanks in advance,

  - zodi


SomeJoe7777

  • Newbie
  • *
  • Posts: 13

I have a virtually identical configuration on a Cisco 2811 and I'm not running into any issues.  However, I am running 15.0, not 15.1.

Instead of

tunnel source <external.IPv4.address>

try

tunnel source g0/0


zodiack

  • Newbie
  • *
  • Posts: 3

Hey SomeJoe7777,

Thanks for the reply!

I've tried to re-configure the tunnel using the interface as the tunnel source instead of the ip address but it exhibits the same behavior:

core-r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
core-r1(config)#int tun0
core-r1(config-if)#shut
core-r1(config-if)#no tunnel source
core-r1(config-if)#tunnel source gi0/0
core-r1(config-if)#no shut
core-r1(config-if)#
^Z
core-r1#

core-r1#clear ip access-l counters

<ping tun0 IPv6 address from lg.he.net>

core-r1#sh ip access 100 | inc permit 41
    280 permit 41 any any log (5 matches)

core-r1#

If I turn on "debug ipv6 icmp" and take a look at my logs, I have 5 entries identical to this:

Dec 17 20:36:15.539 EST: ICMPv6: Received echo request, Src=2001:470:0:1EF::2, Dst=2001:470:X:X::2
Dec 17 20:36:15.539 EST: ICMPv6: Sent echo reply, Src=2001:470:X:X::2, Dst=2001:470:0:1EF::2


I've tried it wide open with no access-list and still no luck.  It's almost like an asynchronous routing issue: traffic from outside/HE.NET gets to me, but traffic from me never gets to the outside/HE.NET.  The default IPv6 route is there; my router knows to send it out (in IPv4) via the tunnel destination.

I've talked to my ISP and they swear up and down that they don't filter anything (like protocol 41) anywhere in their network.

I'm not sure what else to do at this point, perhaps a new ISP for a month for "testing purposes" ;)

Thanks again,

Cheers,

  - zodi

« Last Edit: December 17, 2011, 05:38:30 PM by zodiack »
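One way to settle the "is it the router or the ISP" question this post raises is to capture on the WAN side of Gi0/0 and count protocol 41 packets per direction: if `debug ipv6 icmp` shows "Sent echo reply" but no client-to-server protocol 41 packets leave the port, the drop is on the router; if they do leave and HE still sees nothing, the drop is upstream. The following is an added example, not code from the thread or from Hurricane Electric. It decodes IPv4 / protocol 41 / IPv6 / ICMPv6 by hand from raw packet bytes, builds a constructed capture, and reports inbound-only versus bidirectional. The server IPv4 209.51.161.14 and its tunnel address 2001:470:0:1EF::2 come from the thread; the client addresses 198.51.100.7 and 2001:db8:0:1::2 are stand-ins.

```python
"""Sort IP-protocol-41 (6in4) packets from a WAN-side capture by direction.

Added example for this thread, not code from the original post or from HE.
Input is raw IPv4 packets as bytes (Ethernet header already stripped, as a
pcap reader would hand them over). Client-side addresses are constructed.
"""
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41          # RFC 4213 "6in4"
IPPROTO_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128
ICMPV6_ECHO_REPLY = 129
SERVER_V4, CLIENT_V4 = "209.51.161.14", "198.51.100.7"      # client IPv4 is a stand-in
SERVER_V6, CLIENT_V6 = "2001:470:0:1ef::2", "2001:db8:0:1::2"  # client IPv6 is a stand-in

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used for both IPv4 and ICMPv6."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmpv6_pseudo(src6, dst6, length: int) -> bytes:
    """IPv6 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header."""
    return src6.packed + dst6.packed + struct.pack("!I3xB", length, IPPROTO_ICMPV6)

def build_6in4_echo(src4, dst4, src6, dst6, icmp_type, ident=1, seq=1, payload=b"hurricane"):
    """Constructed sample packet: IPv4(proto 41) / IPv6 / ICMPv6 echo, checksums filled in."""
    src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
    src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = checksum(icmpv6_pseudo(src6, dst6, len(icmp)) + icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64) + src6.packed + dst6.packed + icmp
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6), 0x1234, 0x4000, 64,
                      PROTO_IPV6_ENCAP, 0, src4.packed, dst4.packed)
    ip4 = ip4[:10] + struct.pack("!H", checksum(ip4)) + ip4[12:]   # IPv4 header checksum
    return ip4 + ip6

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:total]

def parse_ipv6(pkt: bytes):
    """Return (next header, src, dst, payload) from a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    return nh, ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), pkt[40:40 + plen]

def icmpv6_checksum_ok(src6, dst6, icmp: bytes) -> bool:
    """With a correct checksum in place, the sum over pseudo-header + message folds to 0."""
    return checksum(icmpv6_pseudo(src6, dst6, len(icmp)) + icmp) == 0

def classify(packets, client_v4=CLIENT_V4, server_v4=SERVER_V4):
    """Bucket proto-41 packets as inbound (server->client) or outbound (client->server)."""
    client_v4, server_v4 = ipaddress.IPv4Address(client_v4), ipaddress.IPv4Address(server_v4)
    seen = {"inbound": [], "outbound": [], "other": 0, "bad_checksum": 0}
    for pkt in packets:
        proto, src, dst, inner = parse_ipv4(pkt)
        if proto != PROTO_IPV6_ENCAP:
            seen["other"] += 1
            continue
        nh, src6, dst6, body = parse_ipv6(inner)
        kind = body[0] if nh == IPPROTO_ICMPV6 and body else None   # ICMPv6 type, if any
        if kind is not None and not icmpv6_checksum_ok(src6, dst6, body):
            seen["bad_checksum"] += 1
        if (src, dst) == (server_v4, client_v4):
            seen["inbound"].append((str(src6), str(dst6), kind))
        elif (src, dst) == (client_v4, server_v4):
            seen["outbound"].append((str(src6), str(dst6), kind))
        else:
            seen["other"] += 1
    return seen

def diagnose(seen) -> str:
    n_in, n_out = len(seen["inbound"]), len(seen["outbound"])
    if n_in and not n_out:
        return "inbound-only"   # nothing left the WAN port: look at the router before the ISP
    if n_out and not n_in:
        return "outbound-only"  # our packets leave; the far side or the return path drops them
    return "bidirectional" if n_in else "no-proto-41"

def sample_capture(with_replies: bool) -> list:
    """Constructed capture: 5 echo requests from HE, optionally the 5 echo replies."""
    pkts = [build_6in4_echo(SERVER_V4, CLIENT_V4, SERVER_V6, CLIENT_V6, ICMPV6_ECHO_REQUEST, seq=i)
            for i in range(5)]
    if with_replies:
        pkts += [build_6in4_echo(CLIENT_V4, SERVER_V4, CLIENT_V6, SERVER_V6, ICMPV6_ECHO_REPLY, seq=i)
                 for i in range(5)]
    return pkts
```

To run it against a real capture, feed the IPv4 packets from a pcap of Gi0/0 (Ethernet headers stripped) to classify() with your own client address. In the situation described above, an "inbound-only" result alongside "ICMPv6: Sent echo reply" in the debug output still points at the router rather than the ISP: the IPv6 stack counted the reply, but it never appeared encapsulated on the wire.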

rwg

  • Newbie
  • *
  • Posts: 12

core-r1#ping <tunnel-routed-64-block>::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <tunnel-routed-64-block>::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Are you sure that you're using the correct address on the Tunnel0 interface?  Put another way, if you do a reverse lookup on the IPv6 address you're assigning to the Tunnel0 interface, do you get a hostname back that looks like "username-N-pt.tunnel.tservN.cityN.ipv6.he.net"?

If you're using the "routed /64" that appears on your tunnel details page, that's not gonna fly.  Use the "client IPv6 address" instead.

SomeJoe7777

  • Newbie
  • *
  • Posts: 13

Indeed, rwg is correct.  HE.Net gives you two /64 blocks: one is used as the point-to-point address for the tunnel itself (referred to on the tunnel details page as the "Server IPv6 Address" and the "Client IPv6 Address").  The other is your block to be used on your LAN (referred to on the tunnel details page as the "Routed /64").

The correct configuration is:

interface Tunnel1001
 description My Tunnel (Hurricane Electric)
 no ip address
 ip virtual-reassembly max-reassemblies 64
 ipv6 address 2001:470:xxxx:xxxx::2/64              (This is the "Client IPv6 Address")
 ipv6 enable
 ipv6 virtual-reassembly
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination xxx.xxx.xxx.xxx                 (This is the "Server IPv4 Address")

interface GigabitEthernet0/0
 description My WAN
 ip address xxx.xxx.xxx.xxx                         (This is the "Client IPv4 Address")

interface GigabitEthernet0/1
 description My LAN
 ip address xxx.xxx.xxx.xxx                         (This is your internal IPv4 address for your LAN)
 ipv6 address 2001:470:xxxx:xxxx::1/64              (This is the "Routed /64 Address", host :1)

ipv6 route ::/0 Tunnel1001                          (Send all IPv6 traffic through the tunnel)

Note that I've left out some configuration items, like NAT for IPv4, access lists, CBAC/Firewall, and IPS.
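An added check, not from this thread, that catches the mix-up rwg and SomeJoe7777 describe before anyone touches the router: compare the Tunnel interface address, tunnel destination and IPv6 default route in an IOS config against the values from the tunnel details page. The details values and the two sample configs are constructed (documentation prefixes 2001:db8::/32 and 203.0.113.0/24 stand in for the real Server/Client IPv6, Routed /64 and Server IPv4 values); the "wrong" config puts the Routed /64 on Tunnel0 the way the opening post did.

```python
"""Check an IOS 6in4 tunnel config against the tunnelbroker.net details page.

Added example, not from the thread. TUNNEL_DETAILS and the sample configs are
constructed; 2001:db8::/32 and 203.0.113.0/24 stand in for the real values.
"""
import ipaddress
import re

TUNNEL_DETAILS = {
    "server_ipv4": "203.0.113.1",        # "Server IPv4 Address": the tunnel destination
    "server_ipv6": "2001:db8:0:100::1",  # "Server IPv6 Address": point-to-point, HE side
    "client_ipv6": "2001:db8:0:100::2",  # "Client IPv6 Address": goes on the Tunnel interface
    "routed_64": "2001:db8:1:100::/64",  # "Routed /64": goes on the LAN, never on the tunnel
}

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented lines]} for every 'interface X' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None   # '!', 'end' or any global command closes the block
    return blocks

def global_lines(config: str) -> list:
    return [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(" ")]

def lint_tunnel(config: str, details: dict = TUNNEL_DETAILS) -> list:
    """Return a list of findings; an empty list means the config matches the details page."""
    findings = []
    tunnels = {n: b for n, b in parse_interfaces(config).items() if n.lower().startswith("tunnel")}
    if not tunnels:
        return ["no Tunnel interface configured"]
    routed = ipaddress.IPv6Network(details["routed_64"])
    client = ipaddress.IPv6Address(details["client_ipv6"])
    for name, body in tunnels.items():
        addrs = [l.split()[2] for l in body if l.startswith("ipv6 address ")]
        if not addrs:
            findings.append(f"{name}: no ipv6 address")
        for a in addrs:
            try:
                ip = ipaddress.IPv6Interface(a).ip
            except ValueError:
                continue         # e.g. 'ipv6 address autoconfig'
            if ip in routed:
                findings.append(f"{name}: {a} is in the Routed /64; use the Client IPv6 Address {client}/64")
            elif ip != client:
                findings.append(f"{name}: {a} is not the Client IPv6 Address {client}/64")
        if "tunnel mode ipv6ip" not in body:
            findings.append(f"{name}: missing 'tunnel mode ipv6ip'")
        dest = [l.split()[2] for l in body if l.startswith("tunnel destination ")]
        if dest != [details["server_ipv4"]]:
            findings.append(f"{name}: tunnel destination {dest or 'missing'} != Server IPv4 Address {details['server_ipv4']}")
        if not any(l.startswith("tunnel source ") for l in body):
            findings.append(f"{name}: no tunnel source (WAN interface or its IPv4 address)")
    glob = global_lines(config)
    if "ipv6 unicast-routing" not in glob:
        findings.append("global: 'ipv6 unicast-routing' missing; the router will not forward IPv6")
    defaults = [l for l in glob if l.startswith("ipv6 route ::/0 ")]
    if not defaults:
        findings.append("global: no IPv6 default route")
    else:
        nexthops = {l.split()[3] for l in defaults}
        if not nexthops & (set(tunnels) | {details["server_ipv6"]}):
            findings.append(f"global: default route next hop {nexthops} is neither the tunnel nor {details['server_ipv6']}")
    return findings

CONFIG_TEMPLATE = """\
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address {tunnel_addr}
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination 203.0.113.1
!
interface GigabitEthernet0/1
 description LAN (the Routed /64 belongs here)
 ipv6 address 2001:db8:1:100::1/64
!
ipv6 route ::/0 Tunnel0
"""
WRONG_CONFIG = CONFIG_TEMPLATE.format(tunnel_addr="2001:db8:1:100::2/64")  # Routed /64 on the tunnel
RIGHT_CONFIG = CONFIG_TEMPLATE.format(tunnel_addr="2001:db8:0:100::2/64")  # Client IPv6 Address
```

lint_tunnel(WRONG_CONFIG) returns the single Routed /64 finding and lint_tunnel(RIGHT_CONFIG) returns nothing; a default route pointing at the Server IPv6 Address instead of the Tunnel interface, as antillie does further down, is accepted as well.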

zodiack

  • Newbie
  • *
  • Posts: 3


Hey guys, thanks for the replies and Happy New Year!

I've confirmed that the "Client IPv6 Address" is what I'm using on my Tunnel0 interface and I'm pinging the "Server IPv6 Address". 

I didn't bother setting up the Routed /64 on my LAN until I could get the tunnel point-to-point up! :)

core-r1#clear logging
Clear logging buffer [confirm]y


core-r1#debug ipv6 icmp
  ICMP Packet debugging is on


core-r1#ping ipv6 2001:470:X:X::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:X:X::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

core-r1#

Jan  1 14:19:16.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:18.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:20.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:22.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:24.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1


core-r1#sh run int tun0
Building configuration...

Current configuration : 231 bytes
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:X:X::2/64                                (Client IPv6 Address)
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination 209.51.161.14                                (Server IPv4 Address)
end


core-r1#

<relevant config>

ipv6 unicast-routing
ipv6 cef

interface GigabitEthernet0/0
 description WAN Gateway
 ip address dhcp                                                       (Client IPv4 Address)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable

ipv6 route ::/0 Tunnel0



Thanks guys!

Cheers,

  - zodi


nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.


My working config uses the IPv4 address of the interface rather than the interface name (shouldn't make any difference). I'm using an RFC1918 address as it's behind a NAT (which passes protocol 41).

This is on a 1711 router with 12.4 advipservices IOS.

!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:DB8:1F00:2F00::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6_OUTSIDE_F0 in
 ipv6 inspect V6-INSPECT out
 tunnel source 192.0.2.1
 tunnel destination 216.66.80.26
 tunnel mode ipv6ip
end
It looks like a protocol 41 issue.
> I've talked to my ISP and they swear up and down that they don't filter anything (like protocol 41) anywhere in their network.
No, ISPs never filter or traffic shape - unless you can prove otherwise  :-\
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.

antillie

  • Full Member
  • ***
  • Posts: 104

The working config on my 3745 running 12.4(25d) Adv. Enterprise is pretty much the same as yours:

ipv6 unicast-routing
no ipv6 source-route
ipv6 cef

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F0E:6CA::2/64
 ipv6 enable
 ipv6 traffic-filter Block-IPv6-SSH in
 no ipv6 redirects
 ipv6 verify unicast reverse-path
 tunnel source 70.114.48.211
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address 2001:470:B98A:1::/64 eui-64
 ipv6 mtu 1480
 ipv6 nd prefix 2001:470:B98A:1::/64
!
interface FastEthernet0/1
 ip address dhcp
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_alpha
 
ip nat inside source list 2000 interface FastEthernet0/1 overload

access-list 2000 deny ip 192.168.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 deny ip 192.168.200.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 deny ip 10.1.1.0 0.0.0.3 192.168.250.0 0.0.0.255
access-list 2000 deny ip 172.30.1.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 permit ip any any

ipv6 route ::/0 2001:470:1F0E:6CA::1
ipv6 route 2001:470:B98A::/48 FastEthernet0/0 FE80::21F:9EFF:FE45:2422
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0

ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any

I did notice that I am using the actual IPv6 address of HE's side of the tunnel as my next hop in my default route. Which shouldn't really matter but who knows.