Ipv6 tunnel

Started by cholzhauer, December 16, 2009, 01:28:15 PM


cholzhauer

I would like to create a tunnel between two locations over IPv6 using FreeBSD.  I would like to do it like so:


freebsd router w/ Public IP > ASA > freebsd router w/ private IP


So the tunnel would be something  12.12.12.12 > 10.10.10.10

It seems like that wouldn't work properly though.

Can I get away with doing public ip to private IP or would I be better off assigning a public IP and doing static nat?

jimb

Not sure exactly what you're trying to do...

Are you saying you want to create a tunnel for IPv4 traffic over an IPv6 native network?  If so, this is possible.  You could do it with something like GRE or IPSEC ESP, etc.  The fact that one is public and one is private doesn't matter, since it's all privately routed.  This presumes GRE supports IPv6 tunnel endpoint on BSD.  I know Cisco supports GRE over IPv6, but not sure about BSD, or Linux (I poked around a bit on Linux and it looks like its GRE implementation only runs over IPv4).  Linux also supports "mode ipip6" tunneling, which can tunnel IPv4 over IPv6, using the ip6_tunnel kernel driver.  Things like vtun can also work for this.  I'm just not sure what BSD supports as far as native IPv6 tunneling.

If you're just talking a 6in4 tunnel, this is doable too, but you'll have to set up a static NAT on the ASA directing proto 41 traffic to the public IP to your 6in4 router (well, you could also rely on the connection table on the ASA, but you'd have to set up some sort of keepalive IPv6 ping to keep the connection alive, just as you would w/ a tunnel to HE w/o using a static NAT).  Then you just set up the tunnel as you would with HE, with opposite IPv6s on each end of the tunnel (just take a /64 of one of your /48s), and routes added on each end for the respective IPv6 networks located on each end.  You could also use GRE to do the same thing.

Also, what about terminating the tunnel on the ASA?

cholzhauer

I'll try and explain better.

I currently have an IPv4 MPLS that connects the two sites; the second site pulls Internet traffic through my location; however, that is changing today...they will be getting a 20mbps Internet connection and will be using the MPLS to connect to our servers.  I would like to set up an IPv6 connection between the two of them, so I assume that means I will need a tunnel between the two.  Although the more I think about it, I think I would be smart to also request a new /64 for that location as well (so Internet bound IPv6 traffic can leave at 20mbps instead of 400kbps).

My current IPv6 router is outside the firewall, so any traffic intended from it to the second location would be sent over the MPLS.

ASAs do not support tunnels.

jimb

Quote from: cholzhauer on December 17, 2009, 05:26:11 AM
> I'll try and explain better.
>
> I currently have an IPv4 MPLS that connects the two sites; the second site pulls Internet traffic through my location; however, that is changing today...they will be getting a 20mbps Internet connection and will be using the MPLS to connect to our servers.  I would like to set up an IPv6 connection between the two of them, so I assume that means I will need a tunnel between the two.  Although the more I think about it, I think I would be smart to also request a new /64 for that location as well (so Internet bound IPv6 traffic can leave at 20mbps instead of 400kbps).
>
> My current IPv6 router is outside the firewall, so any traffic intended from it to the second location would be sent over the MPLS.
>
> ASAs do not support tunnels.

It'd probably be a good idea to just get a second tunnel and /64 or /48 for the second site so you can use its new inet connection to connect to the IPv6 internet.

But there's nothing stopping you from routing any IPv6 networks you wish between the two sites via the MPLS connection for site to site traffic.  It would make sense if the MPLS connection is faster than both sites' internet connections.  Also, it'd be a bit more privacy for your inter-site IPv6 traffic.

You can simply set up a 6in4 tunnel through the MPLS connection and route your IPv6 networks across that.

Or, if your MPLS routers support IPv6, couldn't you set IPv6 addresses on your MPLS interfaces and route it that way?

cholzhauer

I'm sure the MPLS routers support it, but the problem is, they're AT&T managed and AT&T doesn't do IPv6, although they are using it for their U-verse TV.

The MPLS is the same speed as the internet connection of the first location and slower than the Internet connection of the second location.
cholzhauer

Just to update, I did figure this out.

I ended up doing a static nat translation to my California server which gave that location IPv6 access, then used my ASA to control access and perform routing between all the networks.