• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Can't ping ipv6 HE server

Started by ftmksix, August 20, 2009, 02:09:02 AM

Previous topic - Next topic

ftmksix

Hello guys!

Need some help here,

I already gain a range of IPv6 given by HE as below,


   Server IPv4 address:    216.66.80.30
   Server IPv6 address:    2001:470:1f0a:6b0::1/64
   Client IPv4 address:    112.137.168.177
   Client IPv6 address:    2001:470:1f0a:6b0::2/64

I'm using Cisco 2821 router running behind NAT. My public IP is 112.137.168.177 natting to private IP 10.73.39.250.

This my router's configuration

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f0a:6b0::2/64
tunnel source 112.137.168.177
tunnel destination 216.66.80.30
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0


The problem is I can't ping IPv6 HE server but succeed if ping using IPv4...


<script type="text/javascript" language="javascript" src="http://ipv6.he.net/certification/badge.js"></script>
<script type="text/javascript">/*
<![CDATA[*/
var user = "ftmksix";
display_swf(user);
//]]></script>

jrowens

I know I can't ping your IPv4 address from here.  Did you enable ping response for just the server mentioned in the directions?  Or maybe just at that time?  If not, then I don't think the tunnel will actually be set up for you yet, until it is pingable.

If it's not that, well, I got nuthin' yet.

snarked

In your side's configuration, should you be using your public IP there, or your private network IP and let NAT translate it to the public IP.  I suspect that you may be pinging successfully but not hearing the replies as when they come back, your router has no NAT table lookup to associate the answer with.

jimb

Quote from: ftmksix on August 20, 2009, 02:09:02 AM
Hello guys!

Need some help here,

I already gain a range of IPv6 given by HE as below,


   Server IPv4 address:    216.66.80.30
   Server IPv6 address:    2001:470:1f0a:6b0::1/64
   Client IPv4 address:    112.137.168.177
   Client IPv6 address:    2001:470:1f0a:6b0::2/64

I'm using Cisco 2821 router running behind NAT. My public IP is 112.137.168.177 natting to private IP 10.73.39.250.

This my router's configuration

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f0a:6b0::2/64
tunnel source 112.137.168.177
tunnel destination 216.66.80.30
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0


The problem is I can't ping IPv6 HE server but succeed if ping using IPv4...
There's your problem right there.  If your router is behind a NAT, you must use the NATTED IP address as the tunnel source.  You must also set up your NAT device to translate all incoming IPv4 protocol 41 traffic destined to your public IP address to the private (NATTED) IP, and vica-versa.

So change "tunnel source 112.137.168.177" to "tunnel source 10.73.39.250", and configure a protocol forward on your NAT device.

ftmksix

Thanks guys.. I'll try it soon.. hopefully it will works.

Then, i wonder how to configure protocol forward on CISCO IOS?
<script type="text/javascript" language="javascript" src="http://ipv6.he.net/certification/badge.js"></script>
<script type="text/javascript">/*
<![CDATA[*/
var user = "ftmksix";
display_swf(user);
//]]></script>

jimb

#5
It's just a NAT.  You'd set it up as you would a normal static NAT, but you'd set up the ACL or "ip nat" statement to match ip proto 41 instead of some TCP or UDP port.

EDIT: You know, I thought about this a bit more and I'm not quite sure if one can do this under IOS.  

What most people want to do is use a single outside IP address to do pretty much everything.  They want to use it for their normal internet access stuff, PAT for their inside servers, and forward IP proto 41 traffic to some host on the inside.  Under iptables and other firewalls, this is easy.  But I'm not quite sure how it's done under IOS.  

I don't think "ip nat inside source static" will take a protocol number.  I think it will only NAT the entire IP, or do a tcp or udp port.  So with this IOS method you could do it if you dedicate an entire IPv4 address to one inside IP.  But if you do that, you might as well just hang an interface off of your IPv6 tunnel router onto your outside net.

You may be able to do it with a dynamic NAT with the "reversible" keyword, or with a NAT which references a route map or something like that.  I've done all sorts of crazy NAT stuff under IOS, but I'm not sure I've ever forwarded an IP protocol before.  I vaguely remember doing a forward of GRE (ip proto 47) under IOS, but I can't remember what I did.  But I could be misremembering (like maybe it was a PIX or something).  Maybe using dynamic NAT entry w/ "reversible" keyword, route map, etc.

Is it possible to terminate the tunnel on the edge router?  It'd make it way easier.

Another possibility is to simply not set up a static NAT at try it.  I believe IOS will set up a dynamic NAT for the proto 41 traffic between your inside host and the HE TS.  Only problem with this is, if the traffic stops flowing, the NAT will time out and it'll drop inbound tunnel traffic until your inside host starts sending traffic again.  You can verify by doing the "show ip nat translations" command.

maestroevolution

You should be able to NAT behind a public IP in IOS, with only the following restriction:  only one device can send protocol 41 traffic out.  A semi-smart device may allow it to unique endpoints, but if there's only one device, it will definitely work.

Joel

jimb

Yeh it should work behind a standard "overload" NAT for a single device.  But the connection table entry would eventually expire if you don't keep traffic flowing.

And of course, as I said, you could dedicate an entire IPv4 to an inside box for this purpose, and it'd work (e.g. static nat for the whole IP).  I'm just not sure if you can specifically forward transport protocol 41 to a given internal IP with IOS NAT, as you can with things like iptables.

maestroevolution

Quote from: jimb on September 11, 2009, 12:33:16 PM
Yeh it should work behind a standard "overload" NAT for a single device.  But the connection table entry would eventually expire if you don't keep traffic flowing.

And of course, as I said, you could dedicate an entire IPv4 to an inside box for this purpose, and it'd work (e.g. static nat for the whole IP).  I'm just not sure if you can specifically forward transport protocol 41 to a given internal IP with IOS NAT, as you can with things like iptables.

Agreed, with your emphasis on should.

Given the restriction that only one host could do it at a time anyway, I'd probably use a static NAT (a VIP in ScreenOS) instead of an overload anyway.  This would let inbound traffic keep the traffic alive.
Of course, if you have a 5gt/SSG5 at home, you'd probably terminate the tunnel on it, and playing with all the fun stateful IPv6 firewalling in ScreenOS, making the whole topic above moot anyway.

Joel


jimb

Ah I was using Cisco speak for a typical many-to-one NAT situation (overload).  I'm also still not sure if IOS NAT can do a "protocol forward" like Linux iptables, screenos, etc.  It does fine with UDP and TCP ports, but I didn't see an immediate way to set up a static NAT to just 'forward all IP proto 41 to this internal IP' (without dedicating an entire IP of course).

Of course if you're using ScreenOS it changes everything.  I actually have an old NS-5gt laying around collecting dust.  Which version of ScreenOS does IPv6 and 6in4?  I wish Juniper didn't require a contract which costs more than the old 5gt is worth in order to DL OS updates for it.   ::)

maestroevolution

Quote from: jimb on September 15, 2009, 12:01:21 PM
Ah I was using Cisco speak for a typical many-to-one NAT situation (overload).  I'm also still not sure if IOS NAT can do a "protocol forward" like Linux iptables, screenos, etc.  It does fine with UDP and TCP ports, but I didn't see an immediate way to set up a static NAT to just 'forward all IP proto 41 to this internal IP' (without dedicating an entire IP of course).

Of course if you're using ScreenOS it changes everything.  I actually have an old NS-5gt laying around collecting dust.  Which version of ScreenOS does IPv6 and 6in4?  I wish Juniper didn't require a contract which costs more than the old 5gt is worth in order to DL OS updates for it.   ::)

I'm running the latest: 6.2R something.  I believe IPv6 support has been there for a while: 5.2, maybe, at government request.  It's not enabled by default, though, but the procedure to enable it is in the docs (something like 'set envar ipv6 enable' ).

Assuming you're in the IT industry, one of the semi-official jobs of the SE is to encourage interest in the product, and can generally assist with support of 'evaluation / demo' gear.  By support, I mean 'latest ScreenOS' for a product that's end of sale anyway.  (5gt was end of saled last December, I think.  Still supported for a few years, though).

Joel


jimb

#11
Yeh unfortunately I don't have any, or have any clients with any Juniper network stuff in production ATM (so no SE relationship at present).  It'd be nice if they put EOLed product images up for free, since they're EOL anyway.  Hrm.  I'll check the site again maybe.  :P

Otherwise, maybe I could find the latest image "elsewhere" <cough>. :P