If not, it's time to get started with tunneled IPv6, at least until you get native IPv6 from your internet provider. There are a lot of free IPv6 tunnel broker providers, but HE is one of the most mature and widely used.

Before you start, some fun facts! The tunnel below works both ways, and is totally unfiltered. Further, the tunnel is very fast, usually saturating ADSL internet connections. In other words: deploy your website over IPv6 today! If you are also using our stunning SPG/VSP mail appliance, start receiving e-mail over IPv6 as well.

Anyway, let's get started. If you have any problems, just make a comment or e-mail us at support@halon.se :) Cheers!
- Update your SX firewall to the smoking fresh 1.4.0.10
- Create a policy (Firewalling > Policies > New Policy) that allows ping on your WAN interface: ICMP (any → any) ↔ ether1
- Go to http://tunnelbroker.net/register.php and fill in all fields carefully, press "Register", and sign in using the password e-mailed to you
- Once logged in, go to http://tunnelbroker.net/ipv6_normal.php (Create Regular Tunnel), type your firewall's external IP address, select the closest tunnel endpoint location, and press "Submit"
- A green text saying "OK..." should be shown, otherwise check for any errors
- Go to http://tunnelbroker.net/main.php (Main Page) and click on your tunnel to bring up your network details
- In your firewall, create a manual key tunnel (Virtual Private Network > Manual IPSec > New Tunnel) and type the "Server IPv4 address" as "Remote Gateway", the "Client IPv4 address" as "Local Gateway", "Server IPv6 address" as "Remote Network" BUT change "/64" to "/128", "Client IPv6 address" as "Local Network" BUT again change "/64" to "/128"
- Still in the firewall, give the tunnel any name, go to the "Security" tab and press "Generate" on both buttons (encryption will not be used), go to the "Advanced" tab, select "Unencrypted" as "Tunnel Mode", type "1000" and "1001" as SPI values (these are not used anyway) and finally press "Add Tunnel"
- Set an IPv6 gateway (Network > Basic Setup) to the "Server IPv6 address" BUT without "/64" (the prefix) and press "Save"
- Add the "Client IPv6 address" as "IPv6 Network" on a LAN interface (for example ether2, by clicking it in the interface list) this time including "/64", and press "Save"
- Enable router advertisements (Network > Routing > IPv6 Router Advertisement) on the LAN interface from the previous step
- Create something like the following policies (Firewalling > Policies):
  - IPv6 Broker, GRE (tun1:rep → any), → ether1 (IPv4)
  - IPv6, any (any → any), tun1 → (IPv6)
  - LAN, any (any → any), ↔ ether2 (IPv6)
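
The field mapping from the manual-tunnel, gateway and LAN interface steps above, as an added example (not part of the original post or of Halon's software): a Python helper that takes the four values from the tunnel details page and returns what to type into each firewall field, including the "/64" to "/128" changes. The function name and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def firewall_fields(server_v4, client_v4, server_v6, client_v6):
    """Turn the four tunnel details into the values typed into the firewall."""
    remote_gw = ipaddress.IPv4Address(server_v4)
    local_gw = ipaddress.IPv4Address(client_v4)
    # The tunnel was registered with the firewall's external address,
    # so an RFC 1918 address here means the wrong value was copied.
    if any(local_gw in net for net in RFC1918):
        raise ValueError(f"{local_gw} is a private address, not the external one")

    server = ipaddress.IPv6Interface(server_v6)
    client = ipaddress.IPv6Interface(client_v6)
    for iface in (server, client):
        if iface.network.prefixlen != 64:
            raise ValueError(f"{iface} must be given with its /64 prefix")
    if server.network != client.network:
        raise ValueError("server and client IPv6 addresses are not in the same /64")
    if server.ip == client.ip:
        raise ValueError("server and client IPv6 addresses are identical")

    return {
        "Remote Gateway": str(remote_gw),       # Manual IPSec tunnel
        "Local Gateway": str(local_gw),         # Manual IPSec tunnel
        "Remote Network": f"{server.ip}/128",   # /64 changed to /128
        "Local Network": f"{client.ip}/128",    # /64 changed to /128
        "IPv6 gateway": str(server.ip),         # Basic Setup, no prefix
        "IPv6 Network": str(client),            # LAN interface, keeps /64
    }

if __name__ == "__main__":
    # Constructed sample values from documentation address ranges.
    fields = firewall_fields("192.0.2.1", "198.51.100.7",
                             "2001:db8:1f0a:12::1/64", "2001:db8:1f0a:12::2/64")
    for name, value in fields.items():
        print(f"{name:15} {value}")
```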
Try "Ping IPv6" (Management > Tools) to ipv6.google.com. If it doesn't work, run "firewall log" from the CLI to find any policy problems. When it works, you are running IPv6 :) I'll see you out there.
Over and (chill) out
IPv6 on your clients
Worth mentioning: the step where you activated Router Advertisement (rtadvd) is for your clients, so that they automatically obtain an IPv6 address in your /64 address space (similar to DHCP). Microsoft Vista and Windows 7 will probably obtain an address automatically, while Windows XP requires you to install the IPv6 network stack.
Start -> Run -> "cmd" -> run "ipv6 install" and wait a minute, then try it out with "ping6 ipv6.google.com".
Linux clients (Network Manager) need to set their IPv6 settings to "Automatically", deep down in the configuration.