![\"IMG_8103\"](\"\/wp-content\/uploads\/2008\/11\/img-8103.jpg\" "\\"IMG_8103\\"")
<\/a> <\/p>\nMain configuration steps<\/p>\n
- \n
- register with a tunnel broker, set up heartbeat and set up the IPv6 over IPv4 tunnel <\/li>\n
- keep the tunnel alive <\/li>\n
- request a IPv6 subnet and make it available via the tunnel <\/li>\n
- configure Windows clients <\/li>\n
- configure Linux clients <\/li>\n
- deal with DNS resolution for IPv6 hosts <\/li>\n<\/ul>\n
<\/p>\n
<\/h3>\n
Get registered with a tunnel broker<\/h3>\n
Because not a lot of ISP\u2019s offer native IPv6 routing towards the internet, we\u2019ll use a tunnel broker service, which will allow us to tunnel IPv6 packets over IPv4 packets. You can find more information about IPv6 tunnel brokers on wikipedia<\/a>.<\/p>\n
In my example, I have registered for a tunnel with SixXS (www.sixxs.net<\/a>). Once your request for a tunnel has been approved, you can set up the tunnel.<\/p>\n
We need this tunnel so we can route IPv6 traffic between your clients and other IPv6 hosts on the internet, and vice versa. Without the tunnel, your options are limited, especially if you want to host servers\/services on the IPv6 network etc.<\/p>\n
Most (if not all) tunnel brokers offer software that can be installed on an individual client (AICCU client software), allowing you to set up the tunnel towards the broker and route your IPv6 subnet with that client. But I wanted to make it more generic and use my SSG5 Juniper firewall to host the tunnel, so I can route my entire IPv6 subnet (see later) through the tunnel without using an AICCU client for routing.<\/p>\n
That doesn\u2019t mean that you don\u2019t need an AICCU client. In fact, my ISP uses dynamic\/DHCP assigned IP addresses, so I cannot register for a static tunnel. I will need to use some sort of heartbeat protocol to keep the tunnel up and re-establish the tunnel when my internet IP changes.<\/p>\n
In my setup, I am using an AICCU client, but only for heartbeat. We\u2019ll come to that in a minute.<\/p>\n
After registering your tunnel (in my case with sixxs.net), you will get the tunnel information, usually containing at least the following items : SixXS IPv6, Your IPv6, SixXS IPv4 and Tunnel Type. As indicated above, because I don\u2019t have a static IP, I needed to register a heartbeat tunnel.<\/p>\n
The \u201cSixXS IPv6\u201d address indicates the IPv6 pop IP address inside the tunnel. The \u201cYour IPv6\u201d address indicates your IPv6 address in the tunnel. These addresses are only used to set up the tunnel. You cannot use these addresses for hosts behind the tunnel. You\u2019ll have to register a subnet with your tunnel broker in order to get an entire subnet of usable and routable IPv6 addresses that are routed via your tunnel.<\/p>\n
The SixXS IPv4 address will be the target address of your tunnel. So the tunnel will be set up between your own public IP address (provided by your own ISP) and this IPv4 address (at SixXS)<\/p>\n
Let\u2019s assume the following parameters :<\/p>\n
\nSixXS IPv6 : 2001:6f8:001:001::1\/64\nYour IPv6 : 2001:6f8:001:001::2\/64\nSixXS IPv4 : 212.100.184.146\nTunnel Type : Dynamic (heartbeat)<\/pre>\n<\/div>\n
<\/p>\n
Set up the heartbeat<\/h3>\n
Before doing anything else, I have set up the AICCU client on a Windows host. The Juniper screenOS does not support the heartbeat protocol, so I will be used an aiccu client to keep the tunnel alive. <\/p>\n
First, download the aiccu client. The client I\u2019m using is aiccu-2006-07-23-windows-gui.exe<\/p>\n
Launch the client, fill out your tunnel information (username, password, etc) and see if you can connect. Make sure to set \u201cBehind NAT\u201d if you are behind NAT, and to enable \u201cAuto Enable\u201d<\/p>\n
![\"image\"](\"\/wp-content\/uploads\/2008\/11\/image-thumb5.png\" "\\"image\\"")
<\/a> <\/p>\nNext, register the application as a service (aiccu-2006-07-23-windows-gui.exe \/i) or use some other script to ensure that, when this host is up, the tunnel is up as well.<\/p>\n
Note : you can do the same thing on a linux host as well. You\u2019ll have to create a .conf file, specify the same parameters, and see if it connects.<\/p>\n
If the tunnel aiccu client is running, you should see that your tunnel state is set to Heartbeat and the Last Alive timestamp gets updated (for SixXS users : look on their website)<\/p>\n
![\"image\"](\"\/wp-content\/uploads\/2008\/11\/image-thumb6.png\" "\\"image\\"")
<\/a> <\/p>\n<\/p>\n
Register a IPv6 subnet<\/h3>\n
Before we can set up the tunnel on ScreenOS and use it to route traffic, we need to register our own IPv6 subnet, so we can use addresses from this subnet for our local hosts.<\/p>\n
When you have registered your tunnel (and when the tunnel is approved) you will get something like this :<\/p>\n
\n-------\n PoP Name : bebru01 (de.easynet [AS4589])\n Subnet IPv6 : 2001:6f8:1430::\/48\n Routed to : 2001:6f8:001:001::2\/64\n Your IPv4 : heartbeat\n-------<\/pre>\n<\/div>\n
As you can see, this subnet (in my case 2001:6f8:1430::\/48) will be routed towards my end of the tunnel (2001:6f8:001:001::2\/64). <\/p>\n
<\/p>\n
<\/p>\n
Create the tunnel on Juniper ScreenOS<\/h3>\n
We have already set up the tunnel using the aiccu client, but we\u2019ll only use that aiccu client for the heartbeat, not for routing. The idea is to use the Juniper ssg firewall to provide the routing towards the tunnel (and to route incoming requests from external IPv6 hosts back to your own subnet). The windows host that is running the aiccu client is just part of my private IPv4 network and that will not change. <\/p>\n
You\u2019ll need 3 interfaces to set this up : 1 public interface (the interface that has the ISP assigned public IP address), 1 private interface (either an interface that is already used for your LAN, or a new dedicated interface if you want to separate IPv4 and IPv6 traffic), and one tunnel interface (a virtual interface that will be used for setting up the tunnel towards the tunnel broker and the route IPv6 traffic into.<\/p>\n
Let\u2019s assume that eth0\/0 is the public interface, eth0\/4 is a dedicated private interface, and tunnel.1 is the tunnel interface.<\/p>\n
Since I\u2019m going to use eth0\/4 as a dedicated interface for IPv6, I\u2019m also going to create a separate zone for this. After all, any IPv6 host from your subnet behind this interface can reachable over the internet. There is no NAT involved, only routing. So if you want to keep things secured, I would strongly recommend created a dedicated interface and setting up a new zone.<\/p>\n
In my setup, the zone that holds my public interface is called \u201cPublic\u201d. (= \u201cUntrust'\u201d zone in most default setups\u201d). We will need to bind the tunnel interface to this zone. The eth0\/4 will act as default gateway for the hosts in my own IPv6 subnet, so we\u2019ll need to set an IPv6 address from this subnet to this interface. In theory, you can use the entire \/48 network, but that would be overkill. A \/64 subnet would be more than big enough, so we\u2019ll subnet the\/48 network into \/64 networks first, and use IPv6 addresses from one of the subnets for now. I\u2019ll use 2001:6f8:1430::1\/64 as IPv6 address for the private eth0\/4 interface. By the way, you can find an excellent subnet calculator at http:\/\/www.subnetonline.com\/pages\/subnet-calculators\/ipv6-subnet-calculator.php<\/a><\/p>\n
\n
Before you can use IPv6, you\u2019ll need to enable IPv6 first, and reboot the firewall<\/p>\n\nset envar ipv6=yes<\/pre>\n<\/div>\n
You\u2019ll notice, after the reboot, that the \u201cANY\u201d policy elements are now gone. \u201cANY\u201d is now replaced with \u201cANY-IPv4\u201d, and a new \u201cANY-IPv6\u201d was added.<\/p>\n
After the reboot, set up the zones and interfaces<\/p>\n
\n#create a new zone\nset zone name PublicIPv6\n#assign eth0\/4 to the new zone\nset interface eth0\/4 zone PublicIPv6\n#set interface mode \nset interface eth0\/4 ipv6 mode "router"\n# set the IPv6 address of this interface to a IPv6 IP address in the subnet that was assigned to you (not the tunnel, use subnet Ip)\nset interface eth0\/4 ipv6 ip 2001:6f8:1430::1\/64\nset interface eth0\/4 ipv6 enable\nset interface eth0\/4 mode route<\/p>
set interface ethernet0\/4 ipv6 nd nud
set interface ethernet0\/4 ipv6 nd dad-count 0<\/p>\n\n#create a tunnel interface\nset interface tunnel.1 zone Public\n#bind tunnel interface to the public interface\nset interface tunnel.1 ip unnumbered interface ethernet0\/0\nset interface "tunnel.1" ipv6 mode "host"\nset interface "tunnel.1" ipv6 enable\nset interface tunnel.1 tunnel encap ip6in4 manual\n#connect the tunnel to your IPv6 tunnel broker pop IP address\nset interface tunnel.1 tunnel local-if ethernet0\/0 dst-ip 212.100.184.146\nset interface tunnel.1 mtu 1480\nset interface tunnel.1 ipv6 nd nud\nset interface tunnel.1 ipv6 nd dad-count 0\n\n#set up the public interface\nset interface eth0\/0 ipv6 mode "host"\n#assign Your IPv6 address to this interface\nset interface eth0\/0 ipv6 ip 2001:6f8:001:001::2\/64\nset interface eth0\/0 ipv6 enable\nset interface ethernet0\/0 ipv6 nd nud<\/p><\/pre>\n<\/div>\n
Note : SixXS will attempt to ping your public interface in order to verify that it can still access your end of the tunnel. This means that you will need to allow incoming ping on your public interface. Add the IPv4 address of the broker to the list of manager-ip and enable ping on eth0\/0 :<\/p>\n
\nset admin manager-ip 212.100.184.146 255.255.255.255\nset interface ethernet0\/0 ip manageable\nset interface ethernet0\/0 manage ping<\/pre>\n<\/div>\n
The interfaces and tunnel are now ready. If you look at the tunnel.1 interface state, it should say \u201clink up\u201d<\/p>\n
\nssg5-1-><\/span> get int tunnel.1\nInterface tunnel.1:\n description tunnel.1\n number 20, if_info 1768, if_index 1, mode route\n link up\n ipv6 is enable\/operable, host mode.\n ipv6 operating mtu 1480, learned mtu 0\n ipv6 Interface-ID: 000000004e157114\n ipv6 fe80::4e15:7114\/64, link local, PREFIX\n ipv6 ff02::1:ff15:7114, solicited-node scope\n vsys Root, zone Public, vr trust-vr\n admin mtu 1480, operating mtu 1480, default mtu 1500\n *ip 0.0.0.0\/0 unnumbered, source interface ethernet0\/0\n *manage ip 0.0.0.0\n pmtu-v4 disabled, pmtu-v6 enabled(1480), \n ping disabled, telnet disabled, SSH disabled, SNMP disabled\n web disabled, ident-reset disabled, SSL disabled\n\n OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled\n PIM: not configured IGMP not configured\n NHRP disabled\n bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]\n configured ingress mbw 0kbps, current bw 0kbps\n total allocated gbw 0kbps\ntunnel: local ethernet0\/0, remote 212.100.184.146\n encap: IP6IN4_MANUAL (2)\n keep-alive: off, interval 10(using default), threshold 3(using default)\n status: last send 0, last recv 0\nNumber of SW session: 8024, hw sess err cnt 0<\/pre>\n<\/div>\n<\/p>\n
Route traffic towards the tunnel<\/h3>\n
Now you need to route your IPv6 traffic towards the tunnel. This will ensure your IPv6 hosts can use eth0\/4 as default gateway, and that IPv6 traffic is sent into the tunnel.<\/p>\n
We need 2 commands to do this : One for \u2018all traffic\u2019, and one specific host route, needed to reach the SixXS IPv6 IP address (the other end of the tunnel) :<\/p>\n
\nset route ::\/0 interface tunnel.1 gateway :: preference 20\nset route 2001:6f8:001:001::1\/128 interface tunnel.1 gateway :: preference 20<\/pre>\n<\/div>\n
On the firewall, you should now be able to ping the SixXS IPv6 address :<\/p>\n
\nping 2001:6f8:001:001::1\nType escape sequence to abort\n\nSending 5, 100-byte ICMP Echos to 2001:6f8:001:001::1, timeout is 1 seconds \n!!!!!\nSuccess Rate is 100 percent (5\/5), round-trip time min\/avg\/max=18\/30\/73 ms<\/pre>\n<\/div>\n
<\/p>\n
Set up Windows clients behind the Juniper firewall : static IP<\/h3>\n
Both Windows 2008 and Vista seem to more or less support IPv6 out of the box, so I\u2019ll use these Operating Systems in this post as example. You can set up IPv6 on XP and 2003 as well, but you\u2019ll need to enable IPv6 first and use netsh CLI commands to set up the IP addresses.<\/p>\n
On 2008\/Vista, you can edit the IPv6 settings by editing the properties of the network connection, enabling IPv6 and editing the IP settings. <\/p>\n
The hosts that need to be able to be IPv6 enabled and need to be able to route to the IPv6 internet via the tunnel, need to be connected to eth0\/4. They will use the IPv6 address as default gateway. So if you want to set static IPv6 2001:6f8:1430::3 (\/64) to a Windows 2008 host, this is what you would have to do :<\/p>\n
![\"image\"](\"\/wp-content\/uploads\/2008\/11\/image-thumb7.png\" "\\"image\\"")
<\/a> <\/p>\n![\"image\"](\"\/wp-content\/uploads\/2008\/11\/image-thumb8.png\" "\\"image\\"")
<\/a> <\/p>\nDon\u2019t worry about DNS yet. Save the settings and see if you can access other IPv6 hosts, and that other IPv6 hosts can reach you.<\/p>\n
You will need to create a new IPv6 policy. So if you want to allow ping from your subnet towards the internet, and to allow hosts on the internet to connect to you, this is what you need to to :<\/p>\n
eth0\/4 is in zone PublicIPv6, and the tunnel interface is in the Public zone (or \u201cUntrust\u201d in a default setup), so we need a policy between those 2 zones :<\/p>\n
\n#allow outbound traffic\nset policy from PublicIPv6 to Public any any ping permit\n#allow incoming traffic\nset policy from Public to PublicIPv6 any any ping permit<\/pre>\n<\/div>\n
From your windows host, try to ping the SixXS IPv6 tunnel IP address. This will ensure your tunnel works and IPv6 routing works as well :<\/p>\n
\nC:\\><\/span>ping -6 2001:6f8:001:001::1\n\nPinging 2001:6f8:001:001::1 from 2001:6f8:1430::3 with 32 bytes of data:\nReply from 2001:6f8:001:001::1: time=27ms\nReply from 2001:6f8:001:001::1: time=19ms\nReply from 2001:6f8:001:001::1: time=18ms\nReply from 2001:6f8:001:001::1: time=18ms\n\nPing statistics for 2001:6f8:001:001::1:\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\nApproximate round trip times in milli-seconds:\n Minimum = 18ms, Maximum = 27ms, Average = 20ms<\/pre>\n<\/div>\nSee if hosts on the internet can ping you. On a regular IPv4 host, navigate to http:\/\/www.subnetonline.com\/pages\/ipv6-network-tools\/online-ipv6-ping.php<\/a>, enter the public IPv6 address of your Windows host (2001:6f8:1430::3) and hit the \u201cPing IPv6\u201d button<\/p>\n
You should get 4 replies :<\/p>\n