Example for Configuring an IPv6 over IPv4 GRE Tunnel

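To configure an IPv6 over IPv4 GRE tunnel, configure source and destination IPv4 addresses for the tunnel on the devices at both ends of the tunnel. GRE enhances tunnel security through its optional checksum and key fields, both of which this example enables; GRE itself does not encrypt the tunneled traffic.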

Networking Requirements

As shown in Figure 1, FW_A and FW_B support the IPv6/IPv4 dual stack, and each connects to an IPv6 network and to the IPv4 network. To enhance security, an IPv6 over IPv4 GRE tunnel needs to be established between FW_A and FW_B, so that hosts on the two IPv6 networks can communicate.

Figure 1 Networking diagram of an IPv6 over IPv4 GRE tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure addresses for the interfaces that connect FW_A and FW_B to the IPv4 and IPv6 networks, and enable IPv6 packet forwarding. This is required because FW_A and FW_B are dual-stack devices and each connects to both the IPv4 network and an IPv6 network.
  2. To establish an IPv6 over IPv4 GRE tunnel, set an encapsulation type, a source address or interface, a destination address, and an IPv6 address for the tunnel on FW_A and FW_B.
  3. Configure routes. (This example uses static routes.)

Procedure

  • Configure FW_A.
    1. Enable the IPv6 packet forwarding function.

      <FW_A> system-view
      [FW_A] ipv6

    2. Set addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/2.

      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 1.1.1.1 255.255.255.0
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-untrust] quit

      # Configure an IPv6 address for GE0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipv6 enable
      [FW_A-GigabitEthernet0/0/1] ipv6 address 3002::1 64
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-trust] quit

    3. Configure an IPv6 over IPv4 GRE tunnel.

      # Configure Tunnel1 of the IPv6 over IPv4 GRE tunnel.

      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] tunnel-protocol gre
      [FW_A-Tunnel1] source GigabitEthernet 0/0/2
      [FW_A-Tunnel1] destination 1.1.2.1
      [FW_A-Tunnel1] gre checksum
      [FW_A-Tunnel1] gre key 1
      [FW_A-Tunnel1] ipv6 enable
      [FW_A-Tunnel1] ipv6 address 3001::1 64
      [FW_A-Tunnel1] quit

      # Assign Tunnel1 to the Untrust zone.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface tunnel 1
      [FW_A-zone-untrust] quit

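    4. Configure a security policy. policy1 permits traffic between the Trust and Untrust zones (the IPv6 traffic that enters and leaves the tunnel), and policy2 permits traffic between the Local and Untrust zones (the GRE packets that the firewall itself sends and receives). Neither rule restricts addresses or services.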

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-policy1] source-zone trust untrust
      [FW_A-policy-security-policy1] destination-zone trust untrust
      [FW_A-policy-security-policy1] action permit
      [FW_A-policy-security-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-policy2] source-zone local untrust
      [FW_A-policy-security-policy2] destination-zone local untrust
      [FW_A-policy-security-policy2] action permit

    5. Configure routes.

      # Configure an IPv6 route from FW_A to the IPv6 network connected to FW_B.

      [FW_A] ipv6 route-static 3003:: 64 tunnel 1

  • Configure FW_B.
    1. Enable the IPv6 packet forwarding function.

      <FW_B> system-view
      [FW_B] ipv6

    2. Configure addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/2.

      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 1.1.2.1 255.255.255.0
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-untrust] quit

      # Configure an IPv6 address for GE0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipv6 enable
      [FW_B-GigabitEthernet0/0/1] ipv6 address 3003::1/64
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-trust] quit

    3. Configure an IPv6 over IPv4 GRE tunnel.

      # Configure Tunnel1 of the IPv6 over IPv4 GRE tunnel.

      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] tunnel-protocol gre
      [FW_B-Tunnel1] source GigabitEthernet 0/0/2
      [FW_B-Tunnel1] destination 1.1.1.1
      [FW_B-Tunnel1] gre checksum
      [FW_B-Tunnel1] gre key 1
      [FW_B-Tunnel1] ipv6 enable
      [FW_B-Tunnel1] ipv6 address 3001::2 64
      [FW_B-Tunnel1] quit

      # Assign Tunnel1 to the Untrust zone.

      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface tunnel 1
      [FW_B-zone-untrust] quit

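    4. Configure a security policy. The rules mirror those on FW_A: policy1 permits traffic between the Trust and Untrust zones, and policy2 permits traffic between the Local and Untrust zones.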

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-policy1] source-zone trust untrust
      [FW_B-policy-security-policy1] destination-zone trust untrust
      [FW_B-policy-security-policy1] action permit
      [FW_B-policy-security-policy1] quit
      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-policy2] source-zone local untrust
      [FW_B-policy-security-policy2] destination-zone local untrust
      [FW_B-policy-security-policy2] action permit

    5. Configure routes.

      # Configure an IPv6 route from FW_B to the IPv6 network connected to FW_A.

      [FW_B] ipv6 route-static 3002:: 64 tunnel 1

  • Configure PC1 and PC2.

    You must configure an address and a gateway for each PC. The methods for configuring addresses and routes for PCs vary according to the operating systems of the PCs.

Verification

After you complete the preceding configurations, run the display interface tunnel command in any view to check the status and configuration of Tunnel1. The command output on FW_A is as follows:

[FW_A]display interface Tunnel 1 
Tunnel1 current state : UP                                                      
Line protocol current state : DOWN                                              
Description:Huawei,  Tunnel1 Interface    
Route Port,The Maximum Transmit Unit is 1500                                    
Internet protocol processing : disabled                                         
Encapsulation is TUNNEL, loopback not set                                       
Tunnel source 192.168.50.2 (GigabitEthernet0/0/2), destination 1.1.2.1         
Tunnel protocol/transport GRE/IP, key 1                                         
keepalive disabled                                                              
Checksumming of packets enabled                                                 
    5 minutes input rate 0 bits/sec, 0 packets/sec                              
    5 minutes output rate 0 bits/sec, 0 packets/sec                             
    0 seconds input rate 0 bits/sec, 0 packets/sec                              
    0 seconds output rate 0 bits/sec, 0 packets/sec                             
    0 packets input,  0 bytes                                                   
    0 input error                                                               
    0 packets output,  0 bytes                                                  
    0 output error                                                              
    Input:                                                                      
      Unicast: 0 packets, Multicast: 0 packets                                  
    Output:                                                                     
      Unicast: 0 packets, Multicast: 0 packets                                  

# Ping the IPv6 address of Tunnel1 on FW_A from FW_B. FW_B can receive reply packets from FW_A.

[FW_B] ping ipv6 3001::1
  PING 3001::1 : 56  data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=255  time = 28 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=255  time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=255  time = 26 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=255  time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=255  time = 27 ms
    Reply from 3001::1
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

# PC1 can ping PC2.

C:\> ping6 3003::2
from 3002::2 with 32 bytes of data:
Reply from 3003::2: time<1ms
Reply from 3003::2: time<1ms
Reply from 3003::2: time<1ms
Reply from 3003::2: time<1ms
Ping statistics for 3003::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Scripts

  • Configuration script of FW_A:

    #
     sysname FW_A
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 3002::1 64 
    #
    interface Tunnel 1    
     tunnel-protocol gre
     ipv6 enable    
     source GigabitEthernet0/0/2        
     destination 1.1.2.1
     gre checksum
     gre key 1
     ipv6 address 3001::1 64 
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #
     ipv6 route-static 3003:: 64 Tunnel 1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return

  • Configuration script of FW_B:

    #
     sysname FW_B
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 1.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 3003::1 64
    #                                                                               
    interface Tunnel 1    
     tunnel-protocol gre
     ipv6 enable    
     source GigabitEthernet0/0/2        
     destination 1.1.1.1
     gre checksum
     gre key 1
     ipv6 address 3001::2 64 
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #  
    ipv6 route-static 3002:: 64 Tunnel 1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.