Example for Configuring the 6to4 Tunnel (6to4 Network-IPv6 Network)

This section provides an example of configuring a 6to4 tunnel so that hosts on a 6to4 network and hosts on an IPv6 network can communicate. A 6to4 relay router is configured in the same way as a 6to4 router. However, for hosts on the 6to4 network to communicate with hosts on the IPv6 network, you must also configure static routes to the IPv6 network on the 6to4 router.

Networking Requirements

As shown in Figure 1, both FW_A and FW_B support the IPv6/IPv4 dual stack and connect to the IPv4 and IPv6 networks. FW_A is a 6to4 router, and its connected IPv6 network is a 6to4 network. FW_B is a 6to4 relay router, and its connected IPv6 network is a native IPv6 network. A 6to4 tunnel is required between FW_A and FW_B to enable hosts on the two IPv6 networks to communicate.

Figure 1 Networking diagram of IPv6 over IPv4 relay

Configuration Roadmap

The configuration roadmap is as follows:

  1. Because FW_A and FW_B support the IPv4/IPv6 dual stack and both connect to the IPv4 and IPv6 networks, configure addresses for the interfaces that connect them to those networks and enable IPv6 packet forwarding.
  2. To establish a 6to4 tunnel, set a source address and an IPv6 address for the 6to4 tunnel on the 6to4 router.

    Because FW_A and FW_B are border devices of the 6to4 networks, the IPv6 address prefix of each interface connected to the IPv6 networks is a 6to4 prefix. The IPv6 address prefix of PC1 is a 6to4 prefix. PC2 is on a native IPv6 network.

  3. Configure routes. (This example uses static routes.)

Procedure

  • Configure FW_A.
    1. Enable the IPv6 packet forwarding function.

      <FW_A> system-view
      [FW_A] ipv6

    2. Configure addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/2.

      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip address 2.1.1.1 24
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-untrust] quit

      # Configure an IPv6 address for GE0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipv6 enable
      [FW_A-GigabitEthernet0/0/1] ipv6 address 2002:0201:0101:1::1 64
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-trust] quit

    3. Configure a 6to4 tunnel.

      # Configure Tunnel0 of the 6to4 tunnel.

      [FW_A] interface Tunnel 0
      [FW_A-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
      [FW_A-Tunnel0] source GigabitEthernet 0/0/2
      [FW_A-Tunnel0] ipv6 enable
      [FW_A-Tunnel0] ipv6 address 2002:0201:0101::1 64
      [FW_A-Tunnel0] quit

      # Assign Tunnel0 to the Untrust zone.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface tunnel 0
      [FW_A-zone-untrust] quit

    4. Configure a security policy.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-policy1] source-zone trust untrust
      [FW_A-policy-security-policy1] destination-zone trust untrust
      [FW_A-policy-security-policy1] action permit
      [FW_A-policy-security-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-policy2] source-zone local untrust
      [FW_A-policy-security-policy2] destination-zone local untrust
      [FW_A-policy-security-policy2] action permit

    5. Configure IPv6 routes.

      # Configure a static route from FW_A to the IPv6 network connected to FW_B and set the next-hop address to the IPv6 address of the tunnel interface on FW_B.

      [FW_A] ipv6 route-static 2001:: 64 tunnel 0 2002:0201:0201::1
      [FW_A] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2

  • Configure FW_B.
    1. Enable the IPv6 packet forwarding function.

      <FW_B> system-view
      [FW_B] ipv6

    2. Configure addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/2.

      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 2.1.2.1 24
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-untrust] quit

      # Configure an IPv6 address for GE0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipv6 enable
      [FW_B-GigabitEthernet0/0/1] ipv6 address 2001::1 64
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-trust] quit

    3. Configure a 6to4 tunnel.

      # Configure Tunnel0 of the 6to4 tunnel.

      [FW_B] interface Tunnel 0
      [FW_B-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
      [FW_B-Tunnel0] source GigabitEthernet 0/0/2
      [FW_B-Tunnel0] ipv6 enable
      [FW_B-Tunnel0] ipv6 address 2002:0201:0201::1 64
      [FW_B-Tunnel0] quit

      # Assign Tunnel0 to the Untrust zone.

      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface tunnel 0
      [FW_B-zone-untrust] quit

    4. Configure an interzone security policy.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-policy1] source-zone trust untrust
      [FW_B-policy-security-policy1] destination-zone trust untrust
      [FW_B-policy-security-policy1] action permit
      [FW_B-policy-security-policy1] quit
      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-policy2] source-zone local untrust
      [FW_B-policy-security-policy2] destination-zone local untrust
      [FW_B-policy-security-policy2] action permit

    5. Configure a route from FW_B to the 6to4 network connected to FW_A.

      [FW_B] ipv6 route-static 2002:: 16 tunnel 0
      [FW_B] ip route-static 0.0.0.0 0.0.0.0 2.1.2.2

  • Configure PC1.

    Based on the 6to4 prefix, set the address to 2002:0201:0101:1::2/64 for PC1. This address is on the same network segment as that of GigabitEthernet0/0/1 on FW_A. (The method for setting IPv6 addresses is determined by the operating system of PC1.)

  • Configure PC2.

    Set the address of PC2 to 2001::2/64. This address is on the same network segment as that of GigabitEthernet0/0/1 on FW_B. (The method for setting IPv6 addresses is determined by the operating system of PC2.)
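
An offline consistency check for the addressing used in this procedure, added here as an example and not part of the Huawei documentation. It derives each firewall's 6to4 /48 prefix from its IPv4 tunnel source (RFC 3056) and recovers the IPv4 tunnel endpoint that a 6to4 address implies; the function names and the TYPO entry are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # well-known 6to4 prefix (RFC 3056)

def sixtofour_prefix(v4):
    """Return the 2002:V4ADDR::/48 prefix that belongs to a 6to4 router."""
    base = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((base, 48))

def embedded_endpoint(v6):
    """IPv4 tunnel endpoint implied by a 6to4 address; None for native IPv6."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def check(tunnel_source, addresses):
    """Return (name, address, implied endpoint) for each address that is
    outside the /48 derived from the tunnel source."""
    prefix = sixtofour_prefix(tunnel_source)
    return [(name, a, str(embedded_endpoint(a)))
            for name, a in addresses.items()
            if ipaddress.IPv6Address(a) not in prefix]

# Values taken from this example's configuration.
FW_A = ("2.1.1.1", {"GE0/0/1": "2002:0201:0101:1::1",
                    "PC1": "2002:0201:0101:1::2"})
FW_B = ("2.1.2.1", {"Tunnel0": "2002:0201:0201::1"})
# Constructed typo, not from the page: one wrong octet in the embedded IPv4.
TYPO = ("2.1.1.1", {"Tunnel0": "2002:0201:0301::1"})

if __name__ == "__main__":
    for label, (src, addrs) in (("FW_A", FW_A), ("FW_B", FW_B), ("typo", TYPO)):
        print(label, sixtofour_prefix(src), check(src, addrs) or "consistent")
    # FW_A's static route uses a 6to4 next hop; the tunnel endpoint comes from it.
    print("next hop 2002:0201:0201::1 ->", embedded_endpoint("2002:0201:0201::1"))
    # PC2 is native IPv6, so no IPv4 endpoint can be derived from its address.
    print("2001::2 ->", embedded_endpoint("2001::2"))
```

An address that fails the check would have its return traffic tunneled to the IPv4 address shown in the third field instead of to the firewall's tunnel source.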

Verification

After you complete the preceding configurations, run the display interface tunnel command in any view to check the status and configuration of Tunnel0. The command output on FW_A is as follows:

[FW_A] display interface Tunnel 0                                                
Tunnel0 current state : UP                                                      
Line protocol current state : up                                              
Description: Tunnel0 Interface                           
Route Port,The Maximum Transmit Unit is 1500                                    
Internet protocol processing : disabled                                         
Encapsulation is TUNNEL, loopback not set                                       
Tunnel source 2.1.1.1 (GigabitEthernet0/0/0), destination auto               
Tunnel protocol/transport IPv6 over IPv4(6to4)                                  

# Ping the IPv6 address of GigabitEthernet0/0/1 on FW_B from FW_A.

[FW_A] ping ipv6 2001::1
  PING 2001::1 : 56  data bytes, press CTRL_C to break
    Reply from 2001::1
    bytes=56 Sequence=1 hop limit=255  time = 8 ms
    Reply from 2001::1
    bytes=56 Sequence=2 hop limit=255  time = 25 ms
    Reply from 2001::1
    bytes=56 Sequence=3 hop limit=255  time = 4 ms
    Reply from 2001::1
    bytes=56 Sequence=4 hop limit=255  time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=5 hop limit=255  time = 5 ms

  --- 2001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/9/25 ms

PC1 can ping PC2.

Configuration Scripts

  • Configuration script of FW_A

    #
    sysname FW_A
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 2.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 2002:0201:0101:1::1/64
    #
    interface tunnel 0
     ipv6 enable
     ipv6 address 2002:0201:0101::1/64
     tunnel-protocol ipv6-ipv4 6to4
     source GigabitEthernet0/0/2
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel0
    #
     ipv6 route-static 2002:: 16 Tunnel 0
     ipv6 route-static 2001:: 64 2002:0201:0201::1
     ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return

  • Configuration script of FW_B

    #
    sysname FW_B
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 2.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 2001::1/64
    #
    interface tunnel 0
     ipv6 enable
     ipv6 address 2002:0201:0201::1/64
     tunnel-protocol ipv6-ipv4 6to4
     source GigabitEthernet0/0/2
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel0
    #
     ipv6 route-static 2002:: 16 Tunnel 0
     ip route-static 0.0.0.0 0.0.0.0 2.1.2.2
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.