<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">6to4 Tunnels<br>
</h1>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
provide any IPv6 security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
network to another IPv6 network over an IPv4 infrastructure.</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to set up 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt=""> </p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
be able to communicate with the systems in the 2002:488:999::/64
network. This is accomplished through use of the /etc/shorewall/tunnels
file and the "ip" utility for network interface and routing
configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy, /etc/shorewall/interfaces and
/etc/shorewall/zones files are not used. There is no need to declare a
zone to represent the remote IPv6 network. The remote network is not
visible on IPv4 interfaces or to iptables. All that is visible at the
IPv4 level is an IPv4 stream that contains IPv6 traffic. Separate IPv6
interfaces and ip6tables rules need to be defined to handle this
traffic.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that the
IPv6 encapsulation protocol (41) will be accepted to/from the remote
gateway.</p>
<p>Use the following commands to set up system A:</p>
<blockquote>
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
>ip link set dev tun6to4 up<br>
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And use the following commands to set up system B:</p>
<blockquote>
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
>ip link set dev tun6to4 up<br>
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</p>
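<p>The tunnels entry only admits protocol 41 on the IPv4 side, and
Shorewall does not filter the IPv6 traffic carried inside the tunnel.
The script below is an added example, not part of the original Shorewall
documentation: it prints a minimal ip6tables policy for system A. The LAN
interface name eth1, the rule layout and the use of the conntrack match
are assumptions.</p>

```shell
#!/bin/sh
# Added example: print (do not apply) an ip6tables policy for system A.
# Assumed, not from the page: LAN_IF name, rule layout, conntrack match.

TUN_IF=tun6to4                 # tunnel device created with "ip tunnel add"
LAN_IF=eth1                    # assumed interface facing the local subnet
LOCAL_NET=2002:100:333::/64    # subnet behind system A
REMOTE_NET=2002:488:999::/64   # subnet behind system B
TUN_PEER=3ffe:8280:0:2001::2   # system B's address on the tunnel

# Emit one ip6tables command per line so the policy can be reviewed first.
tunnel_policy() {
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
ip6tables -A INPUT -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $TUN_IF -s $TUN_PEER -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -i $TUN_IF -j DROP
EOF
}

# Forwarding is default-deny; only the two /64 prefixes may cross the tunnel,
# and each direction is pinned to its expected source prefix (anti-spoofing).
# The firewall itself accepts only replies and pings from the tunnel peer.
tunnel_policy
```

<p>Review the printed rules, then pipe them to <code>sh -e</code> as root
on system A. System B uses the same rules with the two prefixes swapped
and 3ffe:8280:0:2001::1 as the tunnel peer.</p>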
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep and Eric de Thouars.</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>