CLI: Example for Configuring an IPv4 over IPv6 Tunnel

To configure an IPv4 over IPv6 tunnel, configure source and destination IPv6 addresses for the tunnel on the devices at both ends of the tunnel. Hosts on different IPv4 networks can communicate through the IPv4 over IPv6 tunnel.

Networking Requirements

As shown in Figure 1, FW_A and FW_B support the IPv6/IPv4 dual stack and both connect to the IPv4 and the IPv6 networks. FW_A is routable to FW_B on the IPv6 network. An IPv4 over IPv6 tunnel is required between FW_A and FW_B to enable hosts on two IPv4 networks to communicate.

Figure 1 Networking diagram for configuring an IPv4 over IPv6 tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure addresses for the interfaces that connect FW_A and FW_B to the IPv4 and IPv6 networks, and enable IPv6 packet forwarding. This is required because FW_A and FW_B are IPv4/IPv6 dual-stack devices and each connects to both the IPv4 and the IPv6 network.
  2. To establish an IPv4 over IPv6 tunnel, set an encapsulation type, a source IPv6 address or source interface, and a destination IPv6 address for the tunnel and set an IPv4 address for the tunnel interface on FW_A and FW_B.
  3. Configure routes. (This example uses static routes.)

Procedure

  • Configure FW_A.
    1. Enable the IPv6 packet forwarding function.

      <FW_A> system-view
      [FW_A] ipv6

    2. Configure addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 10.1.2.1 255.255.255.0
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-trust] quit

      # Configure an IPv6 address for GE0/0/2.

      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ipv6 enable
      [FW_A-GigabitEthernet0/0/2] ipv6 address 2001::1 64
      [FW_A-GigabitEthernet0/0/2] undo shutdown
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-untrust] quit

    3. Configure an IPv4 over IPv6 tunnel.

      # Configure Tunnel1 of the IPv4 over IPv6 tunnel.

      [FW_A] interface Tunnel 1
      [FW_A-Tunnel1] tunnel-protocol ipv4-ipv6
      [FW_A-Tunnel1] source 2001::1
      [FW_A-Tunnel1] destination 2001::2
      [FW_A-Tunnel1] ip address 10.1.1.1 255.255.255.0
      [FW_A-Tunnel1] quit

      # Assign Tunnel1 to the Untrust zone.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface tunnel 1
      [FW_A-zone-untrust] quit

    4. Configure a security policy.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-policy1] source-zone trust untrust
      [FW_A-policy-security-policy1] destination-zone trust untrust
      [FW_A-policy-security-policy1] action permit
      [FW_A-policy-security-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-policy2] source-zone local untrust
      [FW_A-policy-security-policy2] destination-zone local untrust
      [FW_A-policy-security-policy2] action permit

    5. Configure a route to the IPv4 network connected to FW_B.

      [FW_A] ip route-static 10.1.3.0 255.255.255.0 tunnel 1

  • Configure FW_B.
    1. Enable the IPv6 packet forwarding function.

      <FW_B> system-view
      [FW_B] ipv6

    2. Configure addresses for interfaces and add the interfaces to security zones.

      # Configure an IP address for GE0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 10.1.3.1 255.255.255.0
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-trust] quit

      # Configure an IPv6 address for GE0/0/2.

      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ipv6 enable
      [FW_B-GigabitEthernet0/0/2] ipv6 address 2001::2 64
      [FW_B-GigabitEthernet0/0/2] undo shutdown
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-untrust] quit

    3. Configure an IPv4 over IPv6 tunnel.

      # Configure Tunnel1 of the IPv4 over IPv6 tunnel.

      [FW_B] interface Tunnel 1
      [FW_B-Tunnel1] tunnel-protocol ipv4-ipv6
      [FW_B-Tunnel1] source 2001::2
      [FW_B-Tunnel1] destination 2001::1
      [FW_B-Tunnel1] ip address 10.1.1.2 255.255.255.0
      [FW_B-Tunnel1] quit

      # Assign Tunnel1 to the Untrust zone.

      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface tunnel 1
      [FW_B-zone-untrust] quit

    4. Configure a security policy.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-policy1] source-zone trust untrust
      [FW_B-policy-security-policy1] destination-zone trust untrust
      [FW_B-policy-security-policy1] action permit
      [FW_B-policy-security-policy1] quit
      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-policy2] source-zone local untrust
      [FW_B-policy-security-policy2] destination-zone local untrust
      [FW_B-policy-security-policy2] action permit

    5. Configure a route to the IPv4 network connected to FW_A.

      [FW_B] ip route-static 10.1.2.0 255.255.255.0 tunnel 1

  • Configure PC1 and PC2.

    You must configure an address and a gateway for each PC. The methods for configuring addresses and routes for PCs vary according to the operating systems of the PCs.

Verification

After you complete the preceding configurations, view the tunnel interface on FW_A and FW_B. The protocol status of each tunnel interface is UP.

[FW_B] display interface tunnel 1
Tunnel1 current state : UP                                    
Line protocol current state : UP                                                
Last line protocol up time : 2012-11-17 10:53:58 UTC+08:00                      
Description: Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1452                                    
Internet Address is 10.1.1.1/24                                                 
Encapsulation is TUNNEL1, loopback not set                                      
Tunnel Source 2001::2 (GigabitEthernet0/0/2)                                                
Tunnel Destination 2001::1                                                      
Encapsulation limit 1                                                           
Tunnel Traffic class not set                                                    
Tunnel Flow label not set                                                       
Tunnel Hop limit 64    

Ping PC2 from PC1.

C:\Documents and Settings\Administrator>ping 10.1.3.2

Pinging 10.1.3.2 with 32 bytes of data:

Reply from 10.1.3.2: bytes=32 time=1ms TTL=128
Reply from 10.1.3.2: bytes=32 time=39ms TTL=128
Reply from 10.1.3.2: bytes=32 time=1ms TTL=128
Reply from 10.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 10.1.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 39ms, Average = 10ms

If the ping operation succeeds, the IPv4 over IPv6 tunnel configuration is correct.

Configuration Scripts

  • Configuration script of FW_A

    #
     sysname FW_A
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ipv6 enable
     ipv6 address 2001::1 64 
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.2.1 255.255.255.0 
    #
    interface Tunnel 1    
     tunnel-protocol ipv4-ipv6
     source 2001::1        
     destination 2001::2
     ip address 10.1.1.1 255.255.255.0 
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #
     ip route-static 10.1.3.0 255.255.255.0 tunnel 1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return

  • Configuration script of FW_B

    #
     sysname FW_B
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ipv6 enable
     ipv6 address 2001::2 64
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.3.1 255.255.255.0
    #                                                                               
    interface Tunnel 1    
     tunnel-protocol ipv4-ipv6
     source 2001::2        
     destination 2001::1
     ip address 10.1.1.2 255.255.255.0 
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #  
    ip route-static 10.1.2.0 255.255.255.0 tunnel 1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return
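
Both scripts above permit traffic on zones alone, and Tunnel1 shares the Untrust zone with the IPv6-facing GigabitEthernet0/0/2, so a reviewer may want to list such rules before the configuration goes into production. The following Python code is an added example, not part of the original page or of Huawei's tooling; it parses a security-policy stanza and reports permit rules that have no address or service match. The rule name lan_to_lan and the set of narrowing keywords (source-address, destination-address, service) are assumptions made for illustration.

```python
# Added example, not Huawei code. SCRIPT is constructed: FW_A's security-policy
# stanza from this page plus one hypothetical narrowed rule (lan_to_lan).
SCRIPT = """\
security-policy
 rule name policy1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
 rule name policy2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name lan_to_lan
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 24
  destination-address 10.1.3.0 24
  action permit
"""
NARROWING = {"source-address", "destination-address", "service"}  # assumed keywords

def parse_rules(script):
    """Return {rule name: [token lists]} for the security-policy stanza."""
    rules, current, in_policy = {}, None, False
    for tokens in (line.split() for line in script.splitlines()):
        if not tokens or tokens[0] == "#":      # '#' or a blank line ends a stanza
            in_policy, current = False, None
        elif tokens == ["security-policy"]:
            in_policy = True
        elif in_policy and tokens[:2] == ["rule", "name"]:
            current = rules.setdefault(tokens[2], [])
        elif current is not None:
            current.append(tokens)
    return rules

def zone_only_permits(script):
    """Map each permit rule with no address or service match to its zones."""
    return {
        name: sorted({z for t in lines if t[0].endswith("-zone") for z in t[1:]})
        for name, lines in parse_rules(script).items()
        if ["action", "permit"] in lines and not NARROWING & {t[0] for t in lines}
    }

if __name__ == "__main__":
    print(zone_only_permits(SCRIPT))
```

Run against the page's stanza, it reports policy1 and policy2 and leaves the narrowed rule out.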
Copyright © Huawei Technologies Co., Ltd.