System Administration Guide: IP Services

Configuring Tunnels for IPv6 Support

IPv6 networks are often isolated entities within the larger IPv4 world. Nodes on your IPv6 network might need to communicate with nodes on isolated IPv6 networks, either within your enterprise or remotely. Typically, you configure a tunnel between IPv6 routers, although IPv6 hosts can also function as tunnel endpoints. For tunnel planning information, refer to Planning for Tunnels in the Network Topology.

You can set up automatically or manually configured tunnels for the IPv6 network. The Solaris IPv6 implementation supports the following types of tunnel encapsulation:

  • IPv6 over IPv4 tunnels

  • IPv6 over IPv6 tunnels

  • IPv4 over IPv6 tunnels

  • 6to4 tunnels

For conceptual descriptions of tunnels, see IPv6 Tunnels.

How to Manually Configure IPv6 Over IPv4 Tunnels

This procedure describes how to set up a tunnel from an IPv6 node to a remote IPv6 node over an IPv4 network.

  1. Log in to the local tunnel endpoint as Primary Administrator or as superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create the /etc/hostname6.ip.tunn file.

    The final n represents the tunnel number, beginning at zero for the first tunnel. Then, add entries by following these substeps:

    1. Add the tunnel source address and the tunnel destination address.
      tsrc IPv4-source-address tdst IPv4-destination-address up
    2. (Optional) Add a logical interface for the source IPv6 address and the destination IPv6 addresses.
      addif IPv6-source-address  IPv6-destination-address 

      Omit this substep if you want the address autoconfigured for this interface. You do not need to configure link-local addresses for your tunnel.

  3. Reboot the system.
  4. Repeat this task on the opposite endpoint of the tunnel.

Example 7-7 Entry in the /etc/hostname6.ip.tun File for a Manual, IPv6 Over IPv4 Tunnel

This sample /etc/hostname6.ip.tun file shows a tunnel for which global source addresses and global destination addresses are manually configured.

tsrc 192.168.8.20 tdst 192.168.7.19 up
addif 2001:db8:3c4d:8::fe12:528 2001:db8:3c4d:7:a00:20ff:fe12:1234

How to Manually Configure IPv6 Over IPv6 Tunnels

This procedure describes how to set up a tunnel from an IPv6 node to a remote IPv6 node over an IPv6 network.

  1. Log in to the local tunnel endpoint as Primary Administrator or as superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create the /etc/hostname6.ip6.tunn file.

    Use the values 0, 1, 2, and so on, for n. Then, add entries by following these substeps.

    1. Add the tunnel source address and the tunnel destination address.
      tsrc IPv6-source-address tdst IPv6-destination-address
      IPv6-packet-source-address IPv6-packet-destination-address up
    2. (Optional) Add a logical interface for the source IPv6 address and destination IPv6 address.
      addif IPv6-source-address  IPv6-destination-address up

      Omit this step if you want the address autoconfigured for this interface. You do not need to configure link-local addresses for your tunnel.

  3. Reboot the system.
  4. Repeat this procedure at the opposite endpoint of the tunnel.

Example 7-8 Entry in the /etc/hostname6.ip6.tun File for an IPv6 Over IPv6 Tunnel

This example shows the entry for an IPv6 over IPv6 tunnel.

tsrc 2001:db8:3c4d:22:20ff:0:fe72:668c tdst 2001:db8:3c4d:103:a00:20ff:fe9b:a1c3
fe80::4 fe80::61 up

How to Configure IPv4 Over IPv6 Tunnels

This procedure explains how to configure a tunnel between two IPv4 hosts over an IPv6 network. You would use this procedure if your corporate network is heterogeneous, with IPv6 subnets that separate IPv4 subnets.

  1. Log in to the local IPv4 tunnel endpoint as Primary Administrator or as superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create the /etc/hostname.ip6.tunn file.

    Use the values 0, 1, 2, and so on, for n. Then, add entries by following these steps:

    1. Add the tunnel source address and the tunnel destination address.
      tsrc IPv6-source-address tdst IPv6-destination-address
    2. (Optional) Add a logical interface for the source IPv6 address and destination IPv6 address.
      addif IPv6-source-address  IPv6-destination-address up
  3. Reboot the local host.
  4. Repeat this procedure at the opposite endpoint of the tunnel.

Example 7-9 Entry in the /etc/hostname.ip6.tun File for an IPv4 Over IPv6 Tunnel

This example shows the entry for an IPv4 over IPv6 tunnel.

tsrc 2001:db8:3c4d:114:a00:20ff:fe72:668c tdst 2001:db8:3c4d:103:a00:20ff:fe9b:a1c3
10.0.0.4 10.0.0.61 up
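
A lint for the three manual tunnel procedures above, added here as an example and not part of the guide: it checks that the tsrc and tdst endpoints match the address family implied by the file name (ip.tun runs over IPv4, ip6.tun over IPv6) and that the inner addresses match the hostname or hostname6 prefix. The function names lint_tunnel and family are hypothetical, and an address family is judged only by the shape of the token.

```shell
#!/bin/sh
# Added example (not from the guide): lint a manual tunnel file read on stdin.
# Needs a POSIX shell. Usage: lint_tunnel FILENAME < FILE (prints "ok" or "error: ..." lines)

family() {                       # v6 if the token has ':', v4 if dotted quad shaped
    case $1 in
        *:*)     echo v6 ;;
        *.*.*.*) echo v4 ;;
        *)       echo none ;;
    esac
}

lint_tunnel() {
    name=${1##*/} errs=0 src= dst= want=
    case $name in                # hostname6.* carries IPv6, hostname.* carries IPv4
        hostname6.*) inner=v6 ;;
        hostname.*)  inner=v4 ;;
        *) echo "error: $name is not a hostname file"; return 0 ;;
    esac
    case $name in                # ip.tunN runs over IPv4, ip6.tunN runs over IPv6
        *.ip.tun[0-9]*)  outer=v4 ;;
        *.ip6.tun[0-9]*) outer=v6 ;;
        *) echo "error: $name is not a manual tunnel file"; return 0 ;;
    esac
    for tok in $(cat); do
        case $want in
            src) src=$tok want=; continue ;;
            dst) dst=$tok want=; continue ;;
        esac
        case $tok in
            tsrc) want=src ;;
            tdst) want=dst ;;
            *)  f=$(family "$tok")   # keywords such as up and addif classify as none
                [ "$f" = none ] || [ "$f" = "$inner" ] ||
                    { echo "error: inner address $tok is not $inner"; errs=1; } ;;
        esac
    done
    for end in "tsrc $src" "tdst $dst"; do
        set -- $end
        if [ $# -lt 2 ]; then echo "error: $1 address is missing"; errs=1
        elif [ "$(family "$2")" != "$outer" ]; then
            echo "error: $1 $2 is not $outer"; errs=1
        fi
    done
    [ "$errs" -ne 0 ] || echo ok
}

# Constructed check using the first line of Example 7-7
printf 'tsrc 192.168.8.20 tdst 192.168.7.19 up\n' | lint_tunnel /etc/hostname6.ip.tun0
```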

How to Configure a 6to4 Tunnel

If your IPv6 network needs to communicate with a remote IPv6 network, consider using automatic, 6to4 tunnels. The process of configuring a 6to4 tunnel includes configuring the boundary router as a 6to4 router. The 6to4 router functions as the endpoint of a 6to4 tunnel between your network and an endpoint router at a remote IPv6 network.

Before You Begin

Before you configure 6to4 routing on an IPv6 network, you must have done the following:

  • Configured IPv6 on all appropriate nodes at the prospective 6to4 site, as described in Modifying an IPv6 Interface Configuration for Hosts and Servers.

  • Selected at least one router with a connection to an IPv4 network to become the 6to4 router.

  • Configured a globally unique IPv4 address for the prospective 6to4 router's interface to the IPv4 network. The IPv4 address must be static.


    Note - Do not use a dynamically allocated IPv4 address, as described in Chapter 12, About Solaris DHCP (Overview). Global dynamically allocated addresses might change over time, which can adversely affect your IPv6 addressing plan.


  1. Log in to the prospective 6to4 router as Primary Administrator or as superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Configure a 6to4 pseudo-interface on the router by creating the /etc/hostname6.ip.6to4tun0 file.
    • If you plan to use the recommended convention of subnet ID=0 and host ID=1, use the short format for /etc/hostname6.ip.6to4tun0:

      tsrc IPv4-address up
    • If you plan to use other conventions for the subnet ID and host ID, use the long format for /etc/hostname6.ip.6to4tun0:

      tsrc IPv4-address 2002:IPv4-address:subnet-ID:interface-ID:/64 up

    The required parameters for /etc/hostname6.ip.6to4tun0 follow:

    tsrc

    Indicates that this interface is used as a tunnel source.

    IPv4-address

    Specifies, in dotted-decimal format, the IPv4 address that is configured on the physical interface to become the 6to4 pseudo-interface.

    The remaining parameters are optional. However, if you specify one optional parameter, you must specify all optional parameters.

    2002

    Specifies the 6to4 prefix.

    IPv4-address

    Specifies, in hexadecimal notation, the IPv4 address of the pseudo-interface.

    subnet-ID

    Specifies, in hexadecimal notation, a subnet ID other than 0.

    interface-ID

    Specifies an interface ID other than 1.

    /64

    Indicates that the 6to4 prefix has a length of 64 bits.

    up

    Configures the 6to4 interface as “up.”


    Note - Two IPv6 tunnels on your network cannot have the same source address and the same destination address. Packets are dropped as a result. This type of event can happen if a 6to4 router also performs tunneling through the atun command. For information about atun, refer to the tun(7M) man page.


  3. (Optional) Create additional 6to4 pseudo-interfaces on the router.

    Each prospective 6to4 pseudo-interface must have an already configured, globally unique IPv4 address.

  4. Reboot the 6to4 router.
  5. Verify the status of the interface.
    # ifconfig ip.6to4tun0 inet6
            

    If the interface is correctly configured, you receive output that is similar to the following:

    ip.6to4tun0: flags=2200041<UP,RUNNING,NONUD,IPv6> mtu 1480 index 11
            inet tunnel src 111.222.33.44 
            tunnel hop limit 60 
            inet6 2002:6fde:212c:10:/64 
  6. Edit the /etc/inet/ndpd.conf file to advertise 6to4 routing.

    For detailed information, refer to the ndpd.conf(4) man page.

    1. Specify the subnet to receive the advertisement in the first line.

      Create an if entry with the following format:

      if subnet-interface AdvSendAdvertisements 1

      For example, to advertise 6to4 routing to the subnet that is connected to interface hme0, replace subnet-interface with hme0.

      if hme0 AdvSendAdvertisements 1
    2. Add the 6to4 prefix as the second line of the advertisement.

      Create a prefix entry with the following format:

      prefix 2002:IPv4-address:subnet-ID::/64 subnet-interface
  7. Reboot the router.

    Alternatively, you can issue a sighup to the /etc/inet/in.ndpd daemon to begin sending router advertisements. The IPv6 nodes on each subnet to receive the 6to4 prefix now autoconfigure with new 6to4-derived addresses.

  8. Add the new 6to4-derived addresses of the nodes to the name service that is used at the 6to4 site.

    For instructions, go to Configuring Name Service Support for IPv6.

Example 7-10 6to4 Router Configuration (Short Form)

The following is an example of the short form of /etc/hostname6.ip.6to4tun0:

# cat /etc/hostname6.ip.6to4tun0
tsrc 111.222.33.44 up

Example 7-11 6to4 Router Configuration (Long Form)

Here is an example of the long form of /etc/hostname6.ip.6to4tun0:

# cat /etc/hostname6.ip.6to4tun0
tsrc 111.222.33.44 2002:6fde:212c:20:1/64 up

Example 7-12 ifconfig Output Showing 6to4 Pseudo-Interface

The following sample shows output of the ifconfig command for a 6to4 pseudo-interface:

# ifconfig ip.6to4tun0 inet6
ip.6to4tun0: flags=2200041<UP,RUNNING,NONUD,IPv6> mtu 1480 index 11
        inet tunnel src 192.168.87.188
        tunnel hop limit 60 
        inet6 2002:c0a8:57bc::1/64 

Example 7-13 6to4 Advertisements in /etc/inet/ndpd.conf

The following sample /etc/inet/ndpd.conf file advertises 6to4 routing on two subnets:

if qfe0 AdvSendAdvertisements 1
prefix  2002:c0a8:57bc:10::/64 qfe0 

if qfe1 AdvSendAdvertisements 1
prefix  2002:c0a8:57bc:2::/64 qfe1
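
The hexadecimal form of the IPv4 address used in the long format and in the ndpd.conf prefix can be derived rather than typed by hand. The following added example (not part of the guide; the function names are hypothetical) converts a dotted-decimal address to its 6to4 prefix, flags RFC 1918 private addresses because they do not meet the globally unique requirement, and prints the two advertisement lines for one subnet.

```shell
#!/bin/sh
# Added example (not from the guide): derive 6to4 values from an IPv4 address.
# Needs a POSIX shell with $(( )) arithmetic.

# Print the 6to4 site prefix 2002:AABB:CCDD for a dotted-decimal IPv4 address.
# Prints nothing and returns 1 when the argument is not a valid dotted quad.
sixto4_prefix() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;      # leading zero or more than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%x:%x\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# Succeeds when the address is RFC 1918 private space, which is not globally unique.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print the two ndpd.conf lines that advertise the 6to4 prefix on one subnet.
# Arguments: IPv4 address, hexadecimal subnet ID, subnet interface.
ndpd_stanza() {
    case $2 in
        ''|*[!0-9a-fA-F]*|?????*) return 1 ;;   # subnet ID is 1 to 4 hex digits
    esac
    pfx=$(sixto4_prefix "$1") || return 1
    printf 'if %s AdvSendAdvertisements 1\nprefix %s:%s::/64 %s\n' "$3" "$pfx" "$2" "$3"
}

# Reproduce the first stanza of Example 7-13 from its tunnel source address
ndpd_stanza 192.168.87.188 10 qfe0
```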

More Information
Configuring Multiple Routers at the 6to4 Site

For a multiple router site, the routers behind the 6to4 router might require further configuration to support 6to4. If your site uses RIP, you must configure on each non-6to4 router the static routes to the 6to4 router. If you use a commercial routing protocol, you do not need to create static routes to the 6to4 router.

How to Configure a 6to4 Tunnel to a 6to4 Relay Router


Caution - Because of major security issues, by default, 6to4 relay router support is disabled in the Solaris OS. See Security Issues When Tunneling to a 6to4 Relay Router.


Before You Begin

Before you enable a tunnel to a 6to4 relay router, you must have completed the following tasks:

  • Configured a 6to4 router at your site, as explained in How to Configure a 6to4 Tunnel

  • Reviewed the security issues that are involved in tunneling to a 6to4 relay router

  1. Log in to the 6to4 router as Primary Administrator or as superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Enable a tunnel to the 6to4 relay router by using either of the following formats:
    • Enable a tunnel to an anycast 6to4 relay router.

      # /usr/sbin/6to4relay -e

      The -e option sets up a tunnel between the 6to4 router and an anycast 6to4 relay router. Anycast 6to4 relay routers have the well-known IPv4 address 192.88.99.1. The anycast relay router that is physically nearest to your site becomes the endpoint for the 6to4 tunnel. This relay router then handles packet forwarding between your 6to4 site and a native IPv6 site.

      For detailed information about anycast 6to4 relay routers, refer to RFC 3068, "An Anycast Prefix for 6to4 Relay Routers".

    • Enable a tunnel to a specific 6to4 relay router.

      # /usr/sbin/6to4relay -e -a relay-router-address

      The -a option indicates that a specific router address is to follow. Replace relay-router-address with the IPv4 address of the specific 6to4 relay router with which you want to enable a tunnel.

    The tunnel to the 6to4 relay router remains active until you remove the 6to4 tunnel pseudo-interface.

  3. Delete the tunnel to the 6to4 relay router, when the tunnel is no longer needed:
    # /usr/sbin/6to4relay -d
  4. (Optional) Make the tunnel to the 6to4 relay router persistent across reboots.

    Your site might have a compelling reason to have the tunnel to the 6to4 relay router reinstated each time the 6to4 router reboots. To support this scenario, you must do the following:

    1. Edit the /etc/default/inetinit file.

      The line that you need to modify is at the end of the file.

    2. Change the “NO” value in the line ACCEPT6TO4RELAY=NO to “YES.”
    3. (Optional) Create a tunnel to a specific 6to4 relay router that persists across reboots.

      For the parameter RELAY6TO4ADDR, change the address 192.88.99.1 to the IPv4 address of the 6to4 relay router that you want to use.

Example 7-14 Getting Status Information About 6to4 Relay Router Support

You can use the /usr/sbin/6to4relay command to find out whether support for 6to4 relay routers is enabled. The next example shows the output when support for 6to4 relay routers is disabled, as is the default in the Solaris OS:

# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is disabled.

When support for 6to4 relay routers is enabled, you receive the following output:

# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is enabled.
IPv4 destination address of Relay Router=192.88.99.1
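
Because relay router support is disabled by default for security reasons, it is worth checking both the persisted setting and the live state on each 6to4 router. The following added example (not part of the guide; function names are hypothetical) parses /etc/default/inetinit and the 6to4relay output shown above, and assumes the values in inetinit may be wrapped in double quotes.

```shell
#!/bin/sh
# Added example (not from the guide): report 6to4 relay support, persisted and live.
# On a router: relay_findings "$(persisted_relay </etc/default/inetinit)" \
#                             "$(/usr/sbin/6to4relay | live_relay)"

# Read /etc/default/inetinit on stdin; print "disabled" or "enabled ADDR".
persisted_relay() {
    accept=NO addr=192.88.99.1        # defaults named in the procedure
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in                 # commented-out lines do not match
            ACCEPT6TO4RELAY=*) accept=$(printf '%s' "${line#*=}" | tr -d '"') ;;
            RELAY6TO4ADDR=*)   addr=$(printf '%s' "${line#*=}" | tr -d '"') ;;
        esac
    done
    if [ "$accept" = YES ]; then echo "enabled $addr"; else echo disabled; fi
}

# Read the output of /usr/sbin/6to4relay on stdin; print "disabled" or "enabled ADDR".
live_relay() {
    state=unknown addr=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"support is disabled."*) state=disabled ;;
            *"support is enabled."*)  state=enabled ;;
            *"Relay Router="*)        addr=${line#*"Relay Router="} ;;
        esac
    done
    if [ "$state" = enabled ]; then echo "enabled $addr"; else echo "$state"; fi
}

# Report every state other than disabled, and any drift between the two views.
relay_findings() {   # $1 = persisted_relay result, $2 = live_relay result
    [ "$1" = disabled ] || echo "FINDING: relay tunnel is reinstated at reboot ($1)"
    [ "$2" = disabled ] || echo "FINDING: relay tunnel state now ($2)"
    [ "$1" = "$2" ] || echo "NOTE: persisted and live state differ"
    return 0
}

# Constructed sample inputs (not taken from a real system)
p=$(printf 'ACCEPT6TO4RELAY=YES\nRELAY6TO4ADDR="192.88.99.1"\n' | persisted_relay)
l=$(printf '6to4relay: 6to4 Relay Router communication support is disabled.\n' | live_relay)
relay_findings "$p" "$l"
```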