Suggestions on what is wrong with my Tunnel config ?

RonaldNutterLab · February 01, 2012, 06:38:39 PM

I had a separate internet connection installed and have a Cisco 1811 configured at my tunnel broker. My 1811 is connected directly to the cable modem.
I can ping the outside world. Tunnel wont establish.
Here is my config. Any suggestions on what I may have missed ?
!
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F10:102::1/64
ipv6 enable
tunnel source 192.168.1.100
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface FastEthernet0
description LAN
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:470:1F11:102::1/64
ipv6 enable
!
interface FastEthernet1
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ipv6 route ::/0 Tunnel0
!

I did a debug tunnel on the router and see this -

Feb 2 02:35:28.208: FIBtunnel: Tu0: stacking IPV6 :: to Default:209.51.181.2
Feb 2 02:35:28.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb 2 02:35:28.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Feb 2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb 2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.208: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb 2 02:35:29.208: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.821: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:29.821: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:29.821: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:29.821: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:30.209: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=84)
Feb 2 02:35:30.209: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:35:30.321: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=96)
Feb 2 02:35:30.321: Tunnel0 count tx, adding 20 encap bytes
Feb 2 02:37:24.550: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:24.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:25.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:25.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:26.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:26.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:27.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:27.794: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:28.494: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:28.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:29.498: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:29.798: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:31.502: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:31.802: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:35.502: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:35.802: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:43.518: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:43.818: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:59.530: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:37:59.834: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:38:31.558: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0
Feb 2 02:38:31.862: Tunnel0: IPv6/IP adjacency fixup, 192.168.1.100->209.51.181.2, tos set to 0x0

When I tried to ping the IPv6 DNS server at HE.net, here is what I see -

IPv6_Tunnel#ping ipv6 2001:470:20::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:20::2, timeout is 2 seconds:

Feb 2 02:40:14.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb 2 02:40:14.184: Tunnel0 count tx, adding 20 encap bytes.
Feb 2 02:40:16.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb 2 02:40:16.184: Tunnel0 count tx, adding 20 encap bytes.
Feb 2 02:40:18.184: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb 2 02:40:18.184: Tunnel0 count tx, adding 20 encap bytes.
Feb 2 02:40:20.185: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb 2 02:40:20.185: Tunnel0 count tx, adding 20 encap bytes.
Feb 2 02:40:22.185: Tunnel0: IPv6/IP encapsulated 192.168.1.100->209.51.181.2 (linktype=79, len=120)
Feb 2 02:40:22.185: Tunnel0 count tx, adding 20 encap bytes.
Success rate is 0 percent (0/5)

I can ping the the 209.51.181.2 endpoint so I know the path is good. Cant ping anything via IPv6.
Please bear with me as I am learning IPv6, so it is something simple that I have missed.

Thanks for assistance on this,
Ron

broquea · February 01, 2012, 06:53:03 PM

Try changing tunnel source fro rfc1918 to your WAN interface, either the ip or see if you can specify the interface.

RonaldNutterLab · February 01, 2012, 07:10:54 PM

Here is what the config looks like now -

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F10:102::1/64
ipv6 enable
tunnel source FastEthernet1
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface FastEthernet0
description LAN
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:470:1F11:102::1/64
ipv6 enable
!
interface FastEthernet1
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

Here is what I see when I try to ping the he.net dns server -

IPv6_Tunnel#ping ipv6 2001:470:20::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:20::2, timeout is 2 seconds:

Feb 1 21:08:20: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 21:08:20: Tunnel0 count tx, adding 20 encap bytes.
Feb 1 21:08:22: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 21:08:22: Tunnel0 count tx, adding 20 encap bytes.
Feb 1 21:08:24: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 21:08:24: Tunnel0 count tx, adding 20 encap bytes.
Feb 1 21:08:26: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 21:08:26: Tunnel0 count tx, adding 20 encap bytes.
Feb 1 21:08:28: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 21:08:28: Tunnel0 count tx, adding 20 encap bytes.
Success rate is 0 percent (0/5)

cholzhauer · February 01, 2012, 07:33:14 PM

Shouldn't the ipv6 address on your outside interface be ::2 not ::1?

RonaldNutterLab · February 02, 2012, 10:36:16 AM

Yes, you are right. That was an oversight on my part, again. Got the tunnel up late last night. Now to start finding content available only on IPv6.

Thanks to both of you for your help !!

Ron

nickbeee · February 02, 2012, 03:29:57 PM

You may want to consider adding some firewall rules (ipv6 access list, ipv6 traffic filter) and vty access lists to that basic configuration depending what features your IOS supports.

nickbeee · February 02, 2012, 03:40:55 PM

Quote from: nickbeee on February 02, 2012, 03:29:57 PM
You may want to consider adding some firewall rules (ipv6 access list, ipv6 traffic filter) and vty access lists to that basic configuration depending what features your IOS supports.

For example

Code Select


!         
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
!
ipv6 access-list IPV6_OUTSIDE
 permit icmp any any
! 
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:DB8:1F00:1D0G::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6_OUTSIDE in
 ipv6 inspect V6-INSPECT out
 tunnel source FastEthernet1
 tunnel destination 209.51.181.2
 tunnel mode ipv6ip
!

Will block everything apart from ICMP from the IPv6 internet and allow your return traffic back in.

News:

Suggestions on what is wrong with my Tunnel config ?

RonaldNutterLab

broquea

RonaldNutterLab

cholzhauer

RonaldNutterLab

nickbeee

nickbeee