6to4 Tunnels

Eric de Thouars

Tom Eastep

Copyright © 2003-2004 Eric de Thoars and Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-01-05

Table of Contents

Connecting two IPv6 Networks

Warning

The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security measures.

6to4 tunneling with Shorewall can be used to connect your IPv6 network to another IPv6 network over an IPv4 infrastructure.

More information on Linux and IPv6 can be found in the Linux IPv6 HOWTO. Details on how to setup a 6to4 tunnels are described in the section Setup of 6to4 tunnels.

Connecting two IPv6 Networks

Suppose that we have the following situation:

We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is accomplished through use of the /etc/shorewall/tunnels file and the “ip” utility for network interface and routing configuration.

Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There is no need to declare a zone to represent the remote IPv6 network. This remote network is not visible on IPv4 interfaces and to iptables. All that is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules need to be defined to handle this traffic.

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE     ZONE     GATEWAY        GATEWAY ZONE
6to4      net      134.28.54.2

This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6 encapsulation protocol (41) will be accepted to/from the remote gateway.

Use the following commands to setup system A:

>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2
>ip link set dev tun6to4 up
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2

Similarly, in /etc/shorewall/tunnels on system B we have:

#TYPE     ZONE     GATEWAY        GATEWAY ZONE
6to4      net      206.191.148.9

And use the following commands to setup system B:

>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9
>ip link set dev tun6to4 up
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1

On both systems, restart Shorewall and issue the configuration commands as listed above. The systems in both IPv6 subnetworks can now talk to each other using IPv6.