A while back I did some experimentation with IPv6 on my Cisco 2611xm. I was using a tunnel provided by Hurricane Electric, which worked well, but I had no firewall and that made me a bit nervous. A little while after I got things set up, I procured a Cisco ASA5505 with a 50 client license via eBay. My hope was that I could use the ASA for the firewall and the router to terminate the tunnel. As it turns out, this would have required a second IP address, because the ASA is not able to pass Protocol 41 traffic.

Time Warner’s reluctance to issue me a second IP address meant that I’d have to find another solution. SixXS is another tunnel broker which makes use of a protocol called AYIYA. AYIYA is capable of traversing NAT, so it would work well in my situation. Unfortunately it’s not supported by Cisco, so the 2611 was of no use to me anymore.

After some failed experiments and lost money with open source firmware and Linksys routers, I decided that a full Linux install would be the best route to go. I built a machine out of spare parts that I had lying around and installed Ubuntu 9.10 on it. Once I got everything up and running, I installed the SixXS client (AICCU) and started working on getting the tunnel up and running.

I hit another snag when I found out that the point of presence (the tunnel broker’s endpoint) was down. I jumped to freenet6 in the interest of keeping things moving. They provide a tunnel via TSP, which also traverses NAT. Their nearest POP is all the way over in Montreal, which means big latencies for someone in LA, but I was able to establish a tunnel, which I was satisfied with for the moment. Here’s my config for their client (gw6c):

userid=
passwd=
#server=broker.freenet6.net
# Always use Montreal POP
server=montreal.freenet6.net
auth_method=any
prefixlen=64
template=linux
if_tunnel_v6v4=freenet6
if_tunnel_v6udpv4=freenet6
# Assign the v6 address to eth0
if_prefix=eth0
keepalive=yes
keepalive_interval=10
host_type=router

Once I’d established my connection and saw what my v6 IP was going to be, I used a v6 subnet calculator to find out what my /64 networks would be and noted them down. I then entered the v6 address into /etc/network/interfaces so that I could add static routes as the interface came up:

# v6 Interface
auto eth0
iface eth0 inet6 static
    #address 169.254.1.2
    #netmask 255.255.0.0
    address 2001::1
    netmask 64
    up ip -6 route add 2001:0:0:1::/64 via 2001::2 dev eth0

You may notice the link-local v4 address that's been commented out in the v6 stanza. It's there because gw6c can't do its magic unless the specified interface is up, so until I had my v6 address I used this link-local address to bring eth0 up. 2001::2, the next hop in the route above, is my ASA, which has had its address manually configured. 2001:0:0:1::/64 is the network that I'm using for my LAN. I've got 254 more networks that I can make use of if I ever find a reason (2001:0:0:2::/64…2001:0:0:ff::/64).

Configuring the ASA was fairly simple. There’s an outside and an inside interface that need to be configured, then the default route needs to be set:

interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:0:0:1::1/64
!
interface Vlan30
 no forward interface Vlan20
 nameif v6tunnel
 security-level 0
 no ip address
 ipv6 address 2001::2/64
!
ipv6 route v6tunnel ::/0 2001::1

As far as I can tell, there’s really no reason I need to use a second VLAN for the v6 tunnel, so I’m going to eventually try moving it to the outside VLAN, but for now it’s working well, and I don’t need a DMZ at the moment.
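The subnet-calculator step, and the matching of addresses between the Linux host's interfaces stanza and the ASA's Vlan30/Vlan10 configuration above, can be done with Python's standard ipaddress module. The following is an added example, not code from the original post or from any of the tools it describes. It generalizes the post's layout to any delegated prefix of /63 or shorter (the post's spare 2001:0:0:2::/64 to 2001:0:0:ff::/64 range implies a /56): it carves the prefix into /64s, uses the first for the Linux-to-ASA link and the second for the LAN, and derives the Linux static route and the ASA default route from the same two host addresses so the next hops cannot drift apart. The interface name eth0, the ASA interface name v6tunnel and the 2001:db8::/56 documentation prefix in the usage block are assumptions standing in for the author's sanitized 2001::/64.

```python
"""Added example (not from the original post): derive the /64 numbering plan
for a tunnel-broker prefix and the Linux/ASA config lines that must agree."""
import ipaddress
from itertools import islice


def plan_networks(delegated, link_index=0, lan_index=1, iface="eth0",
                  asa_outside_if="v6tunnel"):
    """Split `delegated` into /64s; the link_index-th /64 joins the Linux
    tunnel host to the ASA, the lan_index-th /64 sits behind the ASA.

    Returns a dict of addresses and the config lines built from them, so the
    Linux route's next hop and the ASA default route's next hop come from the
    same two host addresses rather than being typed twice.
    """
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > 64:
        raise ValueError(f"{prefix} is smaller than a /64; nothing to carve")
    if link_index == lan_index:
        raise ValueError("link and LAN networks must be different /64s")
    total = 2 ** (64 - prefix.prefixlen)          # number of /64s available
    if max(link_index, lan_index) >= total:
        raise ValueError(f"{prefix} holds only {total} /64 network(s)")
    needed = max(link_index, lan_index) + 1
    subnets = list(islice(prefix.subnets(new_prefix=64), needed))
    link, lan = subnets[link_index], subnets[lan_index]
    # Host numbering follows the post: ::1 on the Linux box and ::2 on the
    # ASA for the link network; ::1 on the ASA's inside VLAN for the LAN.
    linux_addr, asa_link_addr, asa_lan_addr = link[1], link[2], lan[1]
    return {
        "link_network": str(link),
        "lan_network": str(lan),
        "linux_address": f"{linux_addr}/64",
        "asa_link_address": f"{asa_link_addr}/64",
        "asa_lan_address": f"{asa_lan_addr}/64",
        "spare_64s": total - 2,
        "linux_route_cmd": f"ip -6 route add {lan} via {asa_link_addr} dev {iface}",
        "asa_default_route": f"ipv6 route {asa_outside_if} ::/0 {linux_addr}",
    }


def render_interfaces(plan, iface="eth0"):
    """/etc/network/interfaces stanza in the same shape the post uses."""
    address = plan["linux_address"].split("/")[0]
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet6 static",
        f"    address {address}",
        "    netmask 64",
        f"    up {plan['linux_route_cmd']}",
    ])


def render_asa(plan, inside="Vlan10", outside="Vlan30"):
    """The IPv6 lines of the ASA config that must match the Linux side."""
    return "\n".join([
        f"interface {inside}",
        f" ipv6 address {plan['asa_lan_address']}",
        f"interface {outside}",
        f" ipv6 address {plan['asa_link_address']}",
        plan["asa_default_route"],
    ])


if __name__ == "__main__":
    # Constructed documentation prefix; the post's real prefix is sanitized.
    plan = plan_networks("2001:db8::/56")
    print(render_interfaces(plan))
    print(render_asa(plan))
    print(f"spare /64s: {plan['spare_64s']}")
```

Feeding it the post's own 2001::/56 reproduces the address 2001::1, the route via 2001::2 to 2001:0:0:1::/64 and the ASA default route back to 2001::1 exactly as they appear above; a bare /64 delegation is rejected, since it cannot hold both a link network and a LAN network.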

Once I configured the ASA properly, it started sending router advertisements and all of the hosts on my LAN picked up v6 addresses from it. The problem I'm left with is how to do DNS server discovery. Unfortunately there doesn't seem to be a good answer here. Microsoft seems to be fond of the idea of using DHCPv6, Apple wants to use well-known anycast addresses, and I honestly have no idea what's going on in the Linux world.

  6 Responses to “Implementing IPv6 at home—part 2”

  1. [...and lost money with open source firmware and Linksys routers....]

    Oh yes, I hear ya, I've bricked 3 of them :(

    rock on
    macbroadcast.org

  2. Interesting article. At my company I'm currently using a SixXS tunnel from a Linux server. Due to a network redesign we've ordered an ASA5505 firewall, so I'm now wondering how to set up the IPv6 tunnel, while still using the ASA to firewall v4 and v6 traffic.

    Where is your tunnel endpoint located? In a DMZ? I would love to see a diagram or description of your network layout.

  3. @Martijn Heemels
    My ASA has 3 VLANs at present. Vlan10 is the inside network. Vlan20 is the IPv4 outside network and Vlan30 is the IPv6 outside network. The Linux server that is terminating the tunnel on my side has two interfaces. eth0 is the v6 interface, which is connected to a Vlan30 interface on the ASA. eth1 is the v4 interface, which is connected to the inside network.

    As far as I understand, the segregation of the v4 outside and v6 outside VLANs is unnecessary. I'll likely be moving the v6 address on the ASA to Vlan20.

  4. Using an ASA and a Cisco router together for dual stack IPv4/IPv6 connectivity via a tunnel to Hurricane Electric is actually quite easy. You just put the router in front of the ASA and terminate the tunnel there. Then let the ASA filter everything coming from the router bound for your network.

    I did this myself with a 2621xm and an ASA 5505. To avoid having to restate my configs I'll just link to another post I made about how to do this:

    http://www.tunnelbroker.net/forums/index.php?topic=356.0

    Basically you use some /64s from the /48 that Hurricane Electric gives you to create networks behind your router. In my case one network to link the ASA and the router and then two more behind the ASA. Since the ASA can't do dynamic routing protocols like OSPF in IPv6 you need to use static routes to point your /64 networks to the ASA on the router and to make the router the ASA's default IPv6 gateway. (OK, you could use auto config to make the router the ASA's gateway but I like to keep things uniform.)

  5. What would the v4 addressing/routing look like in this case?

  6. @Brian Shacklett
    Thanks for the info. With these tips, and a bit of trial and error, I managed to get it working too.

    Since ASA firmware 8.3 now supports forwarding proto-41, I'm terminating the tunnel on a Linux VM that is physically inside the firewall. The VM runs on our VMware ESXi infrastructure, and is connected by an IPv4 interface to our inside VLAN, and by an IPv6-only interface to the 'outside' VLAN on the ASA 5505. So, I've combined v4 and v6 like you suggested.

    SixXS routes my /32 subnet through the tunnel, and I route the entire /32 to the Cisco ASA. The ASA routes and advertises a separate /64 to each VLAN.

    It would have been a lot easier if the ASA just supported creating 6in4 tunnels but my VM & VLAN solution has allowed me to set all this up without any investment in hardware. Just some spare vSphere capacity and (a lot of) time. Of course the design is relatively complex, so documentation is a must. I’ll keep pushing my ISP for native IPv6. :-)

© 2012 Digital-Traffic.net