IPv6 tunnelling
IPv6 Tunnelling is the act of tunnelling IPv6 packets from an IPv6 network through an IPv4 network to another IPv6 network. Unlike NAT, once the packet reaches its final destination, the true originating address of the sender will still be readable. The IPv6 packets are encapsulated within packets with IPv4 headers, which carry their IPv6 payload through the IPv4 network.
The key to IPv6 tunnelling is the ability of the two devices to be dual stack compatible in order to work with both IPv4 and IPv6 at the same time. In the process, the entry node of the tunnel portion of the path will create an encapsulating IPv4 header and transmit the encapsulated packet. The exit node at the end of the tunnel receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header, and processes the packet.
There are two types of tunnels in IPv6:
Automatic tunnels: Automatic tunnels are configured by using IPv4 address information embedded in an IPv6 address – the IPv6 address of the destination host includes information about which IPv4 address the packet should be tunnelled to.
Configured tunnels: Configured tunnels must be configured manually. These tunnels are used when using IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of the endpoints of the tunnel must be specified.
Tunnel configuration
There are a few ways in which the tunnelling can be performed depending on which segment of the path between the endpoints of the session the encapsulation takes place.
Host to Host: Dual Stack capable hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire path taken by the IPv6 packets.
Network Device to Host: Dual Stack capable network devices can tunnel IPv6 packets to their final destination IPv6 or IPv4 host. This tunnel spans only the last segment of the path taken by the IPv6 packets.
The node that does the encapsulation needs to maintain soft state information about each tunnel in order to process the IPv6 packets.
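As an added illustration of the encapsulation and exit-node processing described above (not part of the original page), the following Python builds a 6in4 packet: the entry node prepends an IPv4 header with protocol number 41, and the exit node verifies the outer header, checks that it came from the configured tunnel endpoint, strips it and treats the tunnel as a single IPv6 hop. The addresses and payload are constructed sample values; the header layouts follow RFC 791 and RFC 8200.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number that marks an encapsulated IPv6 packet (6in4 / SIT)

def build_ipv6_packet(src, dst, payload, hop_limit=64, next_header=59):
    """Minimal IPv6 packet: 40-byte fixed header plus payload (59 = No Next Header)."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def ipv4_checksum(hdr):
    """One's-complement sum of 16-bit words; returns 0 over a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def encapsulate(ipv6_pkt, tunnel_src, tunnel_dst, ttl=64):
    """Entry node: prepend an IPv4 header (protocol 41). The IPv6 header travels unchanged."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, ipaddress.IPv4Address(tunnel_src).packed,
                      ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + ipv6_pkt

def decapsulate(frame, configured_peer):
    """Exit node: validate the outer header, strip it, count the tunnel as one IPv6 hop."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPV6 or ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("not a valid 6in4 packet")
    # Configured tunnel: only the configured IPv4 endpoint may inject packets into it.
    if ipaddress.IPv4Address(src) != ipaddress.IPv4Address(configured_peer):
        raise ValueError("outer IPv4 source is not the configured tunnel endpoint")
    inner = bytearray(frame[ihl:total_len])
    if len(inner) < 40 or inner[0] >> 4 != 6 or inner[7] == 0:
        raise ValueError("inner packet is not a forwardable IPv6 packet")
    inner[7] -= 1  # hop limit (byte 7): the tunnel is modelled as a single IPv6 hop
    return bytes(inner)

def inner_addresses(ipv6_pkt):
    """The original IPv6 sender and receiver remain readable after decapsulation (unlike NAT)."""
    return (str(ipaddress.IPv6Address(ipv6_pkt[8:24])), str(ipaddress.IPv6Address(ipv6_pkt[24:40])))
```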
Use the following command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under config system interface. The command to do the reverse is config system ipv6-tunnel. These commands are not available in Transparent mode.
```
config system sit-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
end
```
Variable | Description | Default
---|---|---
edit <tunnel_name> | Enter a name for the IPv6 tunnel. | No default.
destination <tunnel_address> | The destination IPv4 address for this tunnel. | 0.0.0.0
interface <name> | The interface used to send and receive traffic for this tunnel. | No default.
ip6 <address_ipv6> | The IPv6 address for this tunnel. | No default.
source <address_ipv4> | The source IPv4 address for this tunnel. | 0.0.0.0
Tunnelling IPv6 through IPsec VPN
A variation on tunnelling IPv6 through IPv4 is to use an IPsec VPN tunnel between two FortiGate devices. FortiOS supports IPv6 over IPsec. In this sort of scenario, two networks using IPv6 behind FortiGate units are separated by the Internet, which uses IPv4. An IPsec VPN tunnel is created between the FortiGate units and a tunnel is created over the IPv4-based Internet, but the traffic in the tunnel is IPv6. This has the additional advantage of securing the traffic.
For configuration information, see IPv6 IPsec VPN.