Saturday, February 16, 2008

HOWTO: ipv6-ipv6 tunnel and ip4-ipv6 tunnel in linux

I had an requirement to setup an ipv6-ipv6 tunnel and ipv4-ipv6 tunnel and i found that there were very few howto's that were worth it. So i decided to write this blog to get people started with ipv6 tunneling.



Figure 1


-What is a IPv6 Tunnel?
A tunnel is a virtual device used to encapsulate any type of packet into a network aware packet type. That is, i can send any ipv4 type of packets over an ipv6 network. For more information click here.

-Types of IPv6 Tunnels:
-ipv6 - ipv6 Tunnel (ipv6 over ipv6 tunnel)
-ipv4 - ipv6 Tunnel (ipv4 over ipv6 tunnel)

-
Requirements:
- Any distro with kernel version 2.6.22 or above.
Note : The ipv4 over ipv6 feature was introduced only in 2.6.22 kernel. Older kernels wont work.
- iproute2 package. Most distro's package the "ip" command. It is to be noted that at the time of writing this blog, most distro's with ip command didnt support ipv4 over ipv6. If thats is the case please download the latest packages from here. For the developers, download from the git repo here.

-Steps to create a ipv6-ipv6 tunnel:
1) Configure Host A of Private Network A :
The configurations:
eth0: ipv6 address : 3001:470:1f00:fff::189
The node "Host A" must be having an ipv6 address. Even an linklocal address is ok.
Add the ip address to the interface if it is not configured already.
#ip -6 addr add 3001:470:1f00:ffff::189 dev eth0
#ip -6 route add 3001::/4 dev eth0
Add the default route to reach the router.
#ip -6 route add default via 3001:470:1f00:ffff::190 dev eth0

2) Configure Host B of Private Network B :
The configurations:
eth0: ipv6 address : 5001:470:1f00:fff::189
The node "Host A" must be having an ipv6 address. Even an linklocal address is ok.
Add the ip address to the interface if it is not configured already.
#ip -6 addr add 5001:470:1f00:ffff::189 dev eth0
#ip -6 route add 5001::/4 dev eth0
Add the default route to reach the router.
#ip -6 route add default via 5001:470:1f00:ffff::190 dev eth0


3) Configure Router A : (I Assume that your router is a linux box with 2 interfaces)
The configurations:
eth0 : ipv6: 3001:470:1f00:ffff::190
eth1 : ipv6: 2001:470:1f00:ffff::190
mytun : ipv6 : 4001:470:1f00:ffff::190

The router "Router A" must be having two physical interfaces with a ipv6 address each as shown above .
Add the ip address to the interface eth0 if it is not configured already.
#ip -6 addr add 3001:470:1f00:ffff::190 dev eth0
Add the ip address to the interface eth1 if it is not configured already.
#ip -6 addr add 2001:470:1f00:ffff::190 dev eth1
Add the route for each interface.
#ip -6 route add 3001::/4 dev eth0
#ip -6 route add 2001::/4 dev eth1
Now to setup the tunnel, we need to make sure we have the right module installed.
A simple modprobe will get you going.
#modprobe ip6_tunnel
Incase the above command results in error then check if it is statically compiled. If it is, then your output for "ifconfig -a" must be as shown below.

Figure 2

If you can see 'ip6tnl0' as one of the interfaces then you are good to go. Else you need to enable that module and compile the kernel.

Now, its time to create the tunnel. We assume that eth0 of this router is connected to private network A and eth1 is connected to "IPv6 network". So we create a tunnel associated with eth1.
#ip -6 tunnel add mytun mode ip6ip6 remote 2001:470:1f00:ffff::189 local 2001:470:1f00:ffff::190 dev eth1
Bring up the link of the interface
#ip link set dev mytun up
Assign an address to our virtual tunnel device.
#ip -6 addr add 4001:470:1f00:ffff::190 dev mytun
The most important step is to redirect all the traffic to our tunnel.
#ip -6 route add 5001::/4 dev mytun
Since we are using a normal linux system as router we have to enable forwarding.
#echo “1” > /proc/sys/net/ipv6/conf/all/forwarding

4) Configure Router B : (I Assume that your router is a linux box with 2 interfaces)
The configurations:
eth0 : ipv6: 5001:470:1f00:ffff::190
eth1 : ipv6: 2001:470:1f00:ffff::189
mytun : ipv6 : 6001:470:1f00:ffff::190

The router "Router B" must be having two physical interfaces with a ipv6 address each as
shown above .
Add the ip address to the interface eth0 if it is not configured already.
#ip -6 addr add 5001:470:1f00:ffff::190 dev eth0
Add the ip address to the interface eth1 if it is not configured already.
#ip -6 addr add 2001:470:1f00:ffff::189 dev eth1
Add the route for each interface.
#ip -6 route add 5001::/4 dev eth0
#ip -6 route add 2001::/4 dev eth1
Now to setup the tunnel, we need to make sure we have the right module installed.
A simple modprobe will get you going.
#modprobe ip6_tunnel
Incase the above command results in error then check if it is statically compiled. If it is, then your output for "ifconfig -a" must be as shown in
figure 2.

Now, its time to create the tunnel. We assume that eth0 of this router is connected to private network B and eth1 is connected to "IPv6 network". So we create a tunnel associated with eth1.
#ip -6 tunnel add mytun mode ip6ip6 remote 2001:470:1f00:ffff::190 local 2001:470:1f00:ffff::189 dev eth1
Bring up the link of the interface
#ip link set dev mytun up
Assign an address to our virtual tunnel device.
#ip -6 addr add 6001:470:1f00:ffff::190 dev mytun
The most important step is to redirect all the traffic to our tunnel.
#ip -6 route add 3001::/4 dev mytun
Since we are using a normal linux system as router we have to enable forwarding.
#echo “1” > /proc/sys/net/ipv6/conf/all/forwarding

5) Make sure the Firewalls are appropriately configured on the routers and hosts to allow tunneling. If you are in doubt, disable firewall and try.
6)Now you can ping6 across Node A and Node B via the tunnel.

-Steps to create a ipv4-ipv6 tunnel:
These types of tunnels are typically used in scenarios where we have two private ipv4 network and we wish to access then as same LAN network over an ipv6 internet. Although ipv6 has not yet established its self as the preferred protocol for the internet, its only matter of time. As of now we can find use in offices that have a mixture of ipv6 and ipv4 networks. If two ipv4 networks needed to be combined via an ipv6 backbone we can use this type of tunneling.

1) Configure Host A of Private Network A :
The configurations:
eth0: ipv4 address : 172.16.15.2
The node "Host A" must be having an ipv4 address.
Add the ip address to the interface if it is not configured already.
#ip addr add 172.16.15.2 dev eth0
Add default route showing the gateway as "Router A".

#ip route add default via 172.16.15.1 dev eth0

2) Configure Host A of Private Network B :
The configurations:
eth0: ipv4 address : 192.168.1.2
The node "Host B" must be having an ipv4 address.
Add the ip address to the interface if it is not configured already.
#ip addr add 192.168.1.2 dev eth0
Add default route showing the gateway as "Router A".

#ip route add default via 192.168.1.1 dev eth0

3) Configure Router A : (I Assume that your router is a linux box with 2 interfaces)
The configurations:
eth0 : ipv4:172.16.15.1
eth1 : ipv6: 2001:470:1f00:ffff::189
mytun : ipv6 : 4001:470:1f00:ffff::189

The router "Router A" must be having two physical interfaces with a ipv6 address and a ipv4 as shown above .
Add the ip address to the interface eth0 if it is not configured already.
#ip addr add 172.16.15.1 dev eth0
Add the ip address to the interface eth1 if it is not configured already.
#ip -6 addr add 2001:470:1f00:ffff::189 dev eth1
Add the route for interface eth1.
#ip -6 route add 2001::/4 dev eth1
Now to setup the tunnel, we need to make sure we have the right module installed.
A simple modprobe will get you going.
#modprobe ip6_tunnel
Incase the above command results in error then check if it is statically compiled. If it is, then
your output for "ifconfig -a" must be as shown in figure 2.

Now, its time to create the tunnel. We assume that eth0 of this router is connected to private network B and eth1 is connected to "IPv6 network". So we create a tunnel associated with eth1.
#ip -6 tunnel add mytun mode ipip6 remote 2001:470:1f00:ffff::190 local 2001:470:1f00:ffff::189 dev eth1
Bring up the link of the interface
#ip link set dev mytun up
Assign an address to our virtual tunnel device.
#ip -6 addr add 4001:470:1f00:ffff::189 dev mytun
The most important step is to redirect all the traffic to our tunnel.
#ip route add 192.168.1.0/24 dev mytun
Since we are using a normal linux system as router we have to enable forwarding.
#echo “1” > /proc/sys/net/ipv6/conf/all/forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward

4) Configure Router B : (I Assume that your router is a linux box with 2 interfaces)
The configurations:
eth0 : ipv4:192.168.1.1
eth1 : ipv6: 2001:470:1f00:ffff::190
mytun : ipv6 : 4001:470:1f00:ffff::190

The router "Router B" must be having two physical interfaces with a ipv6 address and a ipv4 as shown above .
Add the ip address to the interface eth0 if it is not configured already.
#ip addr add 192.168.1.1 dev eth0
Add the ip address to the interface eth1 if it is not configured already.
#ip -6 addr add 2001:470:1f00:ffff::190 dev eth1
Add the route for interface eth1.
#ip -6 route add 2001::/4 dev eth1
Now to setup the tunnel, we need to make sure we have the right module installed.
A simple modprobe will get you going.
#modprobe ip6_tunnel
Incase the above command results in error then check if it is statically compiled. If it is, then your output for "ifconfig -a" must be as shown in
figure 2.

Now, its time to create the tunnel. We assume that eth0 of this router is connected to private network B and eth1 is connected to "IPv6 network". So we create a tunnel associated with eth1.
#ip -6 tunnel add mytun mode ipip6 remote 2001:470:1f00:ffff::189 local 2001:470:1f00:ffff::190 dev eth1
Bring up the link of the interface
#ip link set dev mytun up
Assign an address to our virtual tunnel device.
#ip -6 addr add 4001:470:1f00:ffff::190 dev mytun
The most important step is to redirect all the traffic to our tunnel.
#ip route add 172.16.15.0/24 dev mytun
Since we are using a normal linux system as router we have to enable forwarding.
#echo “1” > /proc/sys/net/ipv6/conf/all/forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward

5) Make sure the Firewalls are appropriately configured on the routers and hosts to allow tunneling. If you are in doubt, disable firewall and try.
6)Now you can ping6 across Node A and Node B via the tunnel.

With these two methods we can successfully connect ipv4 networks to ipv6.

1 comment:

iTi said...

I read your post carefully, but although I use a linux 2.6.22.1 kernel the modes ip6ip6 and ipip6 are not recognize by the 'ip' command (I also tested these comands on a Linux 2.6.24). The only recognize modes are 'ipip, sit and gre'.
I have the iproute2 package and the options concerning IPv6 tunnels are compiled in the kernel.
Do you have a suggestion for me ?