<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>6to4 and 6in4 Tunnels</title>

    <authorgroup>
      <author>
        <firstname>Eric</firstname>

        <surname>de Thouars</surname>
      </author>

      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2003-2004</year>

      <year>2008</year>

      <year>2009</year>

      <year>2012</year>

      <holder>Eric de Thouars and Tom Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
  to another IPv6 network over an IPv4 infrastructure. It can also allow you
  to experiment with IPv6 even if your ISP doesn't provide IPv6
  connectivity.</para>

  <para>More information on Linux and IPv6 can be found in the <ulink
  url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
  Details on how to setup a 6to4 tunnels are described in the section <ulink
  url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
  of 6to4 tunnels</ulink>.</para>

  <section id="FeetWet">
    <title>Getting your Feet Wet with IPv6, by Tom Eastep</title>

    <para>6to4 tunnels provide a good way to introduce yourself to IPv6.
    <ulink url="IPv6Support.html">Shorewall6</ulink> was developed on a
    network whose only IPv6 connectivity was an 6to4 Tunnel; that network is
    described in the remainder of this section. What is shown here requires
    Shorewall6 4.2.4 or later.</para>

    <section>
      <title>Configuring IPv6 using my script</title>

      <para>I have created an init <ulink
      url="/pub/shorewall/contrib/IPv6/ipv6">script</ulink> to make the job of
      configuring your firewall for IPv6 easier.</para>

      <para>The script is installed in /etc/init.d and configures ipv6,
      including a 6to4 tunnel, at boot time. Note that the script is included
      in the Shorewall6 distribution but is not installed in /etc/init.d by
      default. The RPMs from shorewall.net, install the file in the package
      documentation directory.</para>

      <para>The script works on OpenSuSE 11.0 and may need modification for
      other distributions. On OpenSuSE, the script is installed by copying it
      to <filename>/etc/init.d/</filename> then running the command 'chkconfig
      --add ipv6'.</para>

      <para>At the top of the script, you will see several variables:</para>

      <itemizedlist>
        <listitem>
          <para>SIT - The name of the tunnel device. Usually 'sit1'</para>
        </listitem>

        <listitem>
          <para>INTERFACES - local interfaces that you want to configure for
          IPv6</para>
        </listitem>

        <listitem>
          <para>ADDRESS4 - A static IPv4 address on your firewall that you
          want to use for the tunnel.</para>
        </listitem>

        <listitem>
          <para>SLA - The identity of the first local sub-network that you
          want to assign to the interfaces listed in INTERFACES. Normally one
          (0001).</para>
        </listitem>

        <listitem>
          <para>GATEWAY - The default IPv6 gateway. For 6to4, this is
          ::192.88.99.1.</para>
        </listitem>
      </itemizedlist>

      <para>Here is the file from my firewall:</para>

      <blockquote>
        <para><programlisting>SIT="sit1"
ADDRESS4=206.124.146.180
INTERFACES="eth2 eth4"
SLA=1
GATEWAY=::192.88.99.1</programlisting></para>
      </blockquote>

      <para>eth2 is the interface to my local network (both wired and
      wireless). eth4 goes to my DMZ which holds a single server. Here is a
      diagram of the IPv4 network:</para>

      <graphic align="center" fileref="images/Network2009.png" />

      <para>Here is the configuration after IPv6 is configured; the part in
      bold font is configured by the /etc/init.d/ipv6 script.</para>

      <blockquote>
        <para><programlisting>gateway:~ # ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
1: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
       valid_lft forever preferred_lft forever
2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:1::1/64 scope global 
       valid_lft forever preferred_lft forever</emphasis>
    inet6 fe80::202:e3ff:fe08:55fa/64 scope link 
       valid_lft forever preferred_lft forever
3: eth4: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:2::1/64 scope global 
       valid_lft forever preferred_lft forever</emphasis>
    inet6 fe80::2a0:ccff:fed2:353a/64 scope link 
       valid_lft forever preferred_lft forever
4: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
<emphasis role="bold">    inet6 ::206.124.146.180/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 2002:ce7c:92b4::1/128 scope global 
       valid_lft forever preferred_lft forever</emphasis>
gateway:~ # ip -6 route ls
<emphasis role="bold">::/96 via :: dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
<emphasis role="bold">2002:ce7c:92b4::1 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
2002:ce7c:92b4:1::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
2002:ce7c:92b4:2::/64 dev eth4  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth1  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth4  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
<emphasis role="bold">default via ::192.88.99.1 dev sit1  metric 1  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
gateway:~ # </programlisting></para>
      </blockquote>

      <para>You will notice that sit1, eth2 and eth4 each have an IPv6 address
      beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
      significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
      ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
      the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
      case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
      interface in INTERFACES, a subnet of 2<superscript>64</superscript>
      addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.</para>

      <para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
      the firewall to allow hosts conntected to eth2 and eth4 to automatically
      perform their own IPv6 configuration. Here is my
      <filename>/etc/radvd.conf</filename> file:</para>

      <blockquote>
        <para><programlisting>interface eth2 { 
        AdvSendAdvert on;
        MinRtrAdvInterval 3; 
        MaxRtrAdvInterval 10;
        prefix 2002:ce7c:92b4:1::/64 {
                AdvOnLink on; 
                AdvAutonomous on; 
                AdvRouterAddr off; 
        };

        RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
                AdvRDNSSOpen on;
                AdvRDNSSPreference 2;
        };                              
};

interface eth4 { 
        AdvSendAdvert on;
        MinRtrAdvInterval 3; 
        MaxRtrAdvInterval 10;
        prefix 2002:ce7c:92b4:2::/64 {
                AdvOnLink on; 
                AdvAutonomous on; 
                AdvRouterAddr off; 
        };

        RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
                AdvRDNSSOpen on;
                AdvRDNSSPreference 2;
        };                              
};</programlisting></para>
      </blockquote>

      <note>
        <para>radvd terminates immediately if IPv6 forwarding is not enabled.
        So it is a good idea to include this in<filename>
        /etc/sysctl.conf</filename>:</para>

        <programlisting>net.ipv6.conf.all.forwarding = 1</programlisting>

        <para>That way, if radvd starts before Shorewall6, it will continue to
        run.</para>

        <para>An alternative is to modify
        <filename>/etc/init.d/radvd</filename> so that radvd starts after
        Shorewall6:</para>

        <programlisting># Should-Start: shorewall6</programlisting>
      </note>

      <para>Here is the automatic IPv6 configuration on my server attached to
      eth4:</para>

      <blockquote>
        <para><programlisting>webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic 
       valid_lft 2591995sec preferred_lft 604795sec</emphasis>
    inet6 fe80::2a0:ccff:fedb:31c4/64 scope link 
       valid_lft forever preferred_lft forever
webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 route ls
<emphasis role="bold">2002:ce7c:92b4:2::/64 dev eth2  proto kernel  metric 256  expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth2  metric 256  expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0  metric 256  expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::2a0:ccff:fed2:353a dev eth2  proto kernel  metric 1024  expires 29sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
webadmin@lists:~/ftpsite/contrib/IPv6&gt; </programlisting></para>
      </blockquote>

      <para>You will note that the public IPv6 address of eth2
      (2002:ce7c:92b4:2:2a0:ccff:fedb:31c4) was formed by concatenating the
      prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) and the lower 64
      bits of the link level address of eth2 (2a0:ccff:fedb:31c4). You will
      also notice that the address 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 appears
      in the RDNSS clauses in radvd.conf; that causes my server to be
      automatically configured as a DNS server.</para>

      <para>The default route is described using the link level address of
      eth2 on the firewall (fe80::2a0:ccff:fed2:353a).</para>

      <para>On my laptop, ursa:</para>

      <blockquote>
        <para><programlisting>ursa:~ # ip -6 addr ls dev eth0
3: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">   inet6 2002:ce7c:92b4:1:21a:24ff:fecb:2bcc/64 scope global dynamic 
       valid_lft 2591996sec preferred_lft 604796sec</emphasis>
    inet6 fe80::21a:73ff:fedb:8c35/64 scope link 
       valid_lft forever preferred_lft forever
ursa:~ # ip -6 route ls dev eth0
<emphasis role="bold">2002:ce7c:92b4:1::/64  proto kernel  metric 256  expires 2592160sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64  metric 256  expires 21314573sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::202:e3ff:fe08:55fa  proto kernel  metric 1024  expires 28sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
ursa:~ #</programlisting></para>
      </blockquote>

      <para>Here is the resulting simple IPv6 Network:</para>

      <graphic align="center" fileref="images/Network2009b.png" />
    </section>

    <section>
      <title>Configuring IPv6 the Debian Way</title>

      <para>In May 2009, I rebuilt the above firewall using Debian GNU/Linux
      and decided to configure IPv6 using the
      <filename>/etc/network/interfaces</filename> file.</para>

      <para>When I installed Debian Lenny on the system, the network
      interfaces were reunmbered as follows:</para>

      <table frame="void">
        <title>Interface Renaming</title>

        <tgroup cols="2">
          <tbody>
            <row>
              <entry><emphasis role="bold">Old
              Configuration</emphasis></entry>

              <entry><emphasis role="bold">New
              Configuration</emphasis></entry>
            </row>

            <row>
              <entry>eth0 (Avvanta Interface)</entry>

              <entry>eth3</entry>
            </row>

            <row>
              <entry>eth3 (Comcast Interface)</entry>

              <entry>eth0</entry>
            </row>

            <row>
              <entry>eth2 (Local Interface)</entry>

              <entry>eth1</entry>
            </row>

            <row>
              <entry>eth4 (DMZ Interface)</entry>

              <entry>eth2</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <para>So the IPv4 network was transformed to this:</para>

      <graphic align="center" fileref="images/Network2009a.png" />

      <para>To implement the same IPv6 network as described above, I used this
      /etc/shorewall/interfaces file:</para>

      <blockquote>
        <para><programlisting>auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
        hwaddress ether 00:11:85:89:da:9b

auto eth1
iface eth1 inet static
        address 172.20.1.254
        netmask 255.255.255.0
        network 172.20.1.0
        broadcast 172.20.1.255

<emphasis role="bold">iface eth1 inet6 static
        address 2002:ce7c:92b4:1::1
        netmask 64 </emphasis>

auto eth2
iface eth2 inet static
        address 206.124.146.176
        netmask 255.255.255.255
        up ip route add 206.124.146.177/32 dev eth2

<emphasis role="bold">iface eth2 inet6 static
        address 2002:ce7c:92b4:2::1
        netmask 64
</emphasis>
auto eth3 eth3:0 eth3:1 eth3:2
iface eth3 inet static
        address 206.124.146.176
        netmask 255.255.255.0
        network 206.124.146.0
        broadcast 206.124.146.255

iface eth3:0 inet static
        address 206.124.146.178
        netmask 255.255.255.0
        broadcast 206.124.146.255

iface eth3:1 inet static
        address 206.124.146.179
        netmask 255.255.255.0
        broadcast 206.124.146.255

iface eth3:2 inet static
        address 206.124.146.180
        netmask 255.255.255.0
        broadcast 206.124.146.255

<emphasis role="bold">auto sit1
iface sit1 inet6 v4tunnel
      address 2002:ce7c:92b4::1
      netmask 64
      endpoint 192.88.99.1
      local 206.124.146.180
      gateway ::192.88.99.1
      ttl 64
      post-up echo 1 &gt; /proc/sys/net/ipv6/conf/all/forwarding</emphasis></programlisting></para>
      </blockquote>

      <para>That file produces the following IPv6 network.</para>

      <graphic align="center" fileref="images/Network2008c.png" />
    </section>

    <section>
      <title>Configuring Shorewall</title>

      <para>We need to add an entry in /etc/shorewall/tunnels and restart
      Shorewall:</para>

      <blockquote>
        <para><programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
6to4                    net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting></para>
      </blockquote>
    </section>

    <section>
      <title>Configuring Shorewall6</title>

      <para><emphasis role="bold">STOP</emphasis> -- If you have followed the
      instructions above, you should have a completely functional IPv6
      network. Try:</para>

      <programlisting><emphasis role="bold">ping6 www.kame.net
ping6 ipv6.chat.eu.freenode.net</emphasis>
</programlisting>

      <para>If neither of those work from your firewall and from any local
      IPv6 systems that you have behind your firewall, do not go any further
      until one of them does work. If you ask for help from the Shorewall
      team, the first question we will ask is 'With Shorewall6 cleared, can
      you ping6 kame or freenode?'.</para>

      <para>The Shorewall6 configuration on my firewall is a very basic
      three-interface one.</para>

      <para>Key entry in
      <filename>/etc/shorewall6/shorewall6.conf</filename>:</para>

      <blockquote>
        <para><programlisting>IP_FORWARDING=On</programlisting></para>
      </blockquote>

      <para><filename>/etc/shorewall6/zones</filename>:</para>

      <blockquote>
        <para><programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv6
loc	ipv6
dmz	ipv6
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
      </blockquote>

      <para><filename>/etc/shorewall6/interfaces</filename>:</para>

      <blockquote>
        <para><programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     sit1            detect          tcpflags,forward=1,nosmurfs
loc     eth0            detect          tcpflags,forward=1
dmz     eth2            detect          tcpflags,forward=1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting></para>
      </blockquote>

      <para><filename>/etc/shorewall6/policy</filename>:</para>

      <blockquote>
        <para><programlisting>#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
net        all     DROP      info
loc        net     ACCEPT
dmz        net     ACCEPT
all        all     REJECT    info</programlisting></para>
      </blockquote>

      <para><filename>/etc/shorewall6/rules</filename>:</para>

      <blockquote>
        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)      $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH(ACCEPT)      loc             $FW
#
#       Allow Ping everywhere
#
Ping(ACCEPT)     all             all

#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting></para>
      </blockquote>
    </section>
  </section>

  <section id="SixInFour">
    <title>6in4 Tunnel</title>

    <para>6in4 is very similar to 6to4:</para>

    <itemizedlist>
      <listitem>
        <para>Both Tunnel IPv6 traffic over IPv4 using Protocol 41</para>
      </listitem>

      <listitem>
        <para>Both allow you access to the IPv6 network even though your ISP
        doesn't offer native IPv6 connectivity.</para>
      </listitem>
    </itemizedlist>

    <para>The differences are:</para>

    <itemizedlist>
      <listitem>
        <para>6in4 gives you a /64 prefix outside of the 2002::0/16
        network</para>
      </listitem>

      <listitem>
        <para>You have a dedicated fixed endpoint for the tunnel rather than
        the nebulous anycast endpoint 192.88.99.1. This is:</para>

        <itemizedlist>
          <listitem>
            <para>Much more reliable</para>
          </listitem>

          <listitem>
            <para>Much easier to troubleshoot (there is ONE host and one
            company to call on the other end of the tunnel rather than an
            indefinite cloud with noone in charge)</para>
          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>

    <para>I converted to a 6in4 Tunnel from <ulink
    url="http://tunnelbroker.net/">Hurricane Electric</ulink> in April of
    2010. Converting from the 6to4 tunnel configuration above to a 6in4 tunnel
    from HE took less than an hour.</para>

    <para>When I signed up for a tunnel with HE, I received these
    assignments:</para>

    <blockquote>
      <para>Server IPv4 address: 216.218.226.238</para>

      <para>Server IPv6 address: 2001:470:a:227::1/64</para>

      <para>Client IPv4 address: 206.124.146.180 (Same as the 6to4
      tunnel)</para>

      <para>Client IPv6 address: 2001:470:a:227::2/64</para>
    </blockquote>

    <para>I also took advantage of their offer for a /48 prefix routed via
    2001:470:a:227::2. The prefix I was assigned is</para>

    <blockquote>
      <para>2001:470:e857::/48</para>
    </blockquote>

    <para>Here are the key changes:</para>

    <para><filename>/etc/network/interfaces:</filename></para>

    <programlisting>iface eth1 inet6 static
        address <emphasis role="bold">2001:470:e857:1::1</emphasis>
        netmask 64 

auto eth2
...
iface eth2 inet6 static
      address 2<emphasis role="bold">001:470:e857:2::1</emphasis>
      netmask 64

auto sit1
iface sit1 inet6 v4tunnel
      address <emphasis role="bold">2001:470:a:227::2</emphasis>
      netmask 64
      endpoint <emphasis role="bold">216.218.226.238 </emphasis>
      local 206.124.146.180
      gateway <emphasis role="bold">2001:470:a:227::1</emphasis>
      ttl 64
      post-up echo 1 &gt; /proc/sys/net/ipv6/conf/all/forwarding

</programlisting>

    <para><filename>/etc/radvd.conf (I'm currently not using RDNSS so I've
    simply commented out the existing entries)</filename>:</para>

    <programlisting>interface eth1 { 
        AdvSendAdvert on;
        MinRtrAdvInterval 60; 
        MaxRtrAdvInterval 600;
        AdvDefaultLifetime 9000;
        prefix <emphasis role="bold">2001:470:e857:1</emphasis>::/64 {
                AdvOnLink on; 
                AdvAutonomous on; 
                AdvRouterAddr off; 
        };
        
        route ::/0 {
                AdvRouteLifetime infinity;
        };
        
<emphasis role="bold">#       RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
#                AdvRDNSSOpen on;
#                AdvRDNSSPreference 2;
#        };</emphasis>
};

interface eth2 { 
        AdvSendAdvert on;
        MinRtrAdvInterval 60; 
        MaxRtrAdvInterval 600;
        prefix <emphasis role="bold">2001:470:e857:2</emphasis>::/64 {
                AdvOnLink on; 
                AdvAutonomous on; 
                AdvRouterAddr off; 
        };

<emphasis role="bold">#       RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
#              AdvRDNSSOpen on;
#               AdvRDNSSPreference 2;
#        };         </emphasis>  
};
</programlisting>
  </section>

  <section id="Tunnel6to4">
    <title>Connecting two IPv6 Networks, by Eric de Thouars</title>

    <para>Suppose that we have the following situation:</para>

    <graphic fileref="images/TwoIPv6Nets1.png" />

    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
    accomplished through use of the
    <filename>/etc/shorewall/tunnels</filename> file and the <quote>ip</quote>
    utility for network interface and routing configuration.</para>

    <para>Unlike GRE and IPIP tunneling, the
    <filename>/etc/shorewall/policy</filename>,
    <filename>/etc/shorewall/interfaces</filename> and
    <filename>/etc/shorewall/zones</filename> files are not used. There is no
    need to declare a zone to represent the remote IPv6 network. This remote
    network is not visible on IPv4 interfaces and to iptables. All that is
    visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
    Separate IPv6 interfaces and ip6tables rules need to be defined to handle
    this traffic.</para>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
    the following:</para>

    <programlisting>#TYPE     ZONE     GATEWAY        GATEWAY ZONE
6to4      net      134.28.54.2</programlisting>

    <para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
    firewall so that the IPv6 encapsulation protocol (41) will be accepted
    to/from the remote gateway.</para>

    <para>Use the following commands to setup system A:</para>

    <programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
&gt;<command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>

    <para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
    B we have:</para>

    <programlisting>#TYPE     ZONE     GATEWAY        GATEWAY ZONE
6to4      net      206.191.148.9</programlisting>

    <para>And use the following commands to setup system B:</para>

    <programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
&gt;<command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>

    <para>On both systems, restart Shorewall and issue the configuration
    commands as listed above. The systems in both IPv6 subnetworks can now
    talk to each other using IPv6.</para>
  </section>
</article>