Example for Configuring the 6to4 Tunnel (6to4 Network-6to4 Network)

To configure a 6to4 tunnel, configure the source IPv4 address of the tunnel on the routers at both ends of the tunnel. Hosts on different IPv6 networks can communicate through the 6to4 tunnel.

Networking Requirements

As shown in Figure 1, both FW_A and FW_B support the IPv6/IPv4 dual stack and connect to the IPv4 and IPv6 networks. FW_A and FW_B are 6to4 routers, and their connected IPv6 networks are 6to4 networks. A 6to4 tunnel is required between FW_A and FW_B to enable hosts on the two IPv6 networks to communicate.

Figure 1 Networking diagram of an IPv6 over IPv4 tunnel

Configuration Roadmap

The configuration roadmap is as follows:

Configure addresses for the interfaces that connect FW_A and FW_B to the IPv4 and the IPv6 networks and enable IPv6 packet forwarding. This is because FW_A and FW_B support the IPv4/IPv6 dual stack and both connect to the IPv4 and the IPv6 networks.
To establish a 6to4 tunnel, set a source address and an IPv6 address for the 6to4 tunnel on the 6to4 routers.

Because FW_A and FW_B are border devices of the 6to4 networks, the IPv6 address prefix of each interface connected to the IPv6 networks is 6to4 prefix. Similarly, the IPv6 address prefixes of connected PC1 and PC2 are 6to4 ones.
Configure routes.(This example uses static routes.)

Procedure

Configure FW_A.

Enable the IPv6 packet forwarding function.
```
<FW_A> system-view
[FW_A] ipv6
```

Configure addresses for interfaces and add the interfaces to security zones.

# Configure an IP address for GE0/0/2.

[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 2.1.1.1 24
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_A-zone-untrust] quit

# Configure an IPv6 address for GE0/0/1.

[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ipv6 enable
[FW_A-GigabitEthernet0/0/1] ipv6 address 2002:0201:0101:1::1 64
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/1
[FW_A-zone-trust] quit

Configure a 6to4 tunnel.

# Configure Tunnel0 of the 6to4 tunnel.

[FW_A] interface Tunnel 0
[FW_A-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[FW_A-Tunnel0] source GigabitEthernet 0/0/2
[FW_A-Tunnel0] ipv6 enable
[FW_A-Tunnel0] ipv6 address 2002:0201:0101::1 64
[FW_A-Tunnel0] quit

# Assign Tunnel0 to the Untrust zone.

[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface tunnel 0
[FW_A-zone-untrust] quit

Configure a security policy.

[FW_A] security-policy
[FW_A-policy-security] rule name policy1
[FW_A-policy-security-policy1] source-zone trust untrust
[FW_A-policy-security-policy1] destination-zone trust untrust
[FW_A-policy-security-policy1] action permit
[FW_A-policy-security-policy1] quit
[FW_A-policy-security] rule name policy2
[FW_A-policy-security-policy2] source-zone local untrust
[FW_A-policy-security-policy2] destination-zone local untrust
[FW_A-policy-security-policy2] action permit

Configure a route from FW_A to the 6to4 network connected to FW_B.

[FW_A] ipv6 route-static 2002:: 16 tunnel 0
[FW_A] ip route-static 0.0.0.0 2.1.1.2

Configure FW_B.

Enable the IPv6 packet forwarding function.
```
<FW_B> system-view
[FW_B] ipv6
```

Configure addresses for interfaces and add the interfaces to security zones.

# Configure an IP address for GE0/0/2.

[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 2.1.2.1 24
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_B-zone-untrust] quit

# Configure an IPv6 address for GE0/0/1.

[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ipv6 enable
[FW_B-GigabitEthernet0/0/1] ipv6 address 2002:0201:0201:1::1 64
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/1
[FW_B-zone-trust] quit

Configure a 6to4 tunnel.

# Configure Tunnel0 of the 6to4 tunnel.

[FW_B] interface Tunnel 0
[FW_B-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[FW_B-Tunnel0] source GigabitEthernet 0/0/2
[FW_B-Tunnel0] ipv6 enable
[FW_B-Tunnel0] ipv6 address 2002:0201:0201::1 64
[FW_B-Tunnel0] quit

# Assign Tunnel0 to the Untrust zone.

[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface tunnel 0
[FW_B-zone-untrust] quit

Configure a security policy.

[FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-policy1] source-zone trust untrust
[FW_B-policy-security-policy1] destination-zone trust untrust
[FW_B-policy-security-policy1] action permit
[FW_B-policy-security-policy1] quit
[FW_B-policy-security] rule name policy2
[FW_B-policy-security-policy2] source-zone local untrust
[FW_B-policy-security-policy2] destination-zone local untrust
[FW_B-policy-security-policy2] action permit

Configure a route from FW_B to the 6to4 network connected to FW_A.

[FW_B] ipv6 route-static 2002:: 16 tunnel 0
[FW_B] ip route-static 0.0.0.0 2.1.2.2

Configure PC1.
Based on the 6to4 prefix, set the address to 2002:0201:0101:1::2/64 for PC1. This address is on the same network segment as that of GigabitEthernet0/0/1 on FW_A. (The method for setting IPv6 addresses is determined by the operating system of PC1.)
Configure PC2.
Based on the 6to4 prefix, set the address to 2002:0201:0201:1::2/64 for PC2. This address is on the same network segment as that of GigabitEthernet0/0/1 on FW_B. (The method for setting IPv6 addresses is determined by the operating system of PC1.)

Verification

After you complete the preceding configurations, run the display interface tunnel command in any view to check the status and configuration of Tunnel0. The command output on FW_A is as follows:

[FW_A] display interface Tunnel 0                                                
Tunnel0 current state : UP                                                      
Line protocol current state : up                                              
Description:Huawei, Tunnel0 Interface                           
Route Port,The Maximum Transmit Unit is 1500                                    
Internet protocol processing : disabled                                         
Encapsulation is TUNNEL, loopback not set                                       
Tunnel source 2.1.1.1 (GigabitEthernet 0/0/2), destination auto               
Tunnel protocol/transport IPv6 over IPv4(6to4)

# FW_A can ping the 6to4 address of GigabitEthernet0/0/1 on FW_B.

[FW_A] ping ipv6 2002:0201:0201:1::1
  PING 2002:201:201:1::1 : 56  data bytes, press CTRL_C to break
    Reply from 2002:201:201:1::1
    bytes=56 Sequence=1 hop limit=255  time = 8 ms
    Reply from 2002:201:201:1::1
    bytes=56 Sequence=2 hop limit=255  time = 25 ms
    Reply from 2002:201:201:1::1
    bytes=56 Sequence=3 hop limit=255  time = 4 ms
    Reply from 2002:201:201:1::1
    bytes=56 Sequence=4 hop limit=255  time = 5 ms
    Reply from 2002:201:201:1::1
    bytes=56 Sequence=5 hop limit=255  time = 5 ms

  --- 2002:0201:201:1::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/9/25 ms

PC1 can ping PC2.

Configuration Scripts

Configuration script of FW_A:

#
 sysname FW_A
#
ipv6
#
interface GigabitEthernet0/0/2
 ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2002:0201:0101:1::1 64 
#
interface Tunnel 0    
 tunnel-protocol ipv6-ipv4 6to4
 ipv6 enable    
 source GigabitEthernet0/0/2        
 ipv6 address 2002:0201:0101::1 64 
#                                                                               
firewall zone trust                                                             
 add interface GigabitEthernet0/0/1
#                                                                               
firewall zone untrust                                                             
 add interface GigabitEthernet0/0/2
 add interface tunnel0
#
 ipv6 route-static 2002:: 16 Tunnel 0
 ip route-static 0.0.0.0 2.1.1.2
#                                                                               
security-policy                                                                 
 rule name policy1                                               
  source-zone trust                                                             
  source-zone untrust                                                             
  destination-zone trust                                                             
  destination-zone untrust                                                             
  action permit
 rule name policy2                                               
  source-zone local                                                             
  source-zone untrust                                                             
  destination-zone local                                                             
  destination-zone untrust                                                             
  action permit
#
return

Configuration script of FW_B:

#
 sysname FW_B
#
ipv6
#
interface GigabitEthernet0/0/2
 ip address 2.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2002:0201:0201:1::1 64
#                                                                               
interface Tunnel 0    
 tunnel-protocol ipv6-ipv4 6to4
 ipv6 enable    
 source GigabitEthernet0/0/2        
 ipv6 address 2002:0201:0201::1 64 
#                                                                               
firewall zone trust                                                             
 add interface GigabitEthernet0/0/1
#                                                                               
firewall zone untrust                                                             
 add interface GigabitEthernet0/0/2
 add interface tunnel0
#  
 ipv6 route-static 2002:: 16 Tunnel 0
 ip route-static 0.0.0.0 2.1.2.2
#                                                                               
security-policy                                                                 
 rule name policy1                                               
  source-zone trust                                                             
  source-zone untrust                                                             
  destination-zone trust                                                             
  destination-zone untrust                                                             
  action permit
 rule name policy2                                               
  source-zone local                                                             
  source-zone untrust                                                             
  destination-zone local                                                             
  destination-zone untrust                                                             
  action permit
#
return