
Tunneling IPv6 over an IPv4 network.

Posted: 17 Sep 2018, 10:17
by Anton
This How-to applies to:
  • Clavister Next Generation Firewall 12.x+
Table of contents:
  • Objectives with this article.
  • Topology.
  • Configuring the routes.
  • Configuring the IPsec tunnel.
Objectives with this article:
To configure an IPsec tunnel that runs over an IPv4 network and encapsulates IPv6 traffic, in a scenario where one site has dual-stack (IPv4/IPv6) connectivity from its Internet Service Provider and the other site is provided with IPv4 only.

Topology:
Topology diagram: Tunneling_IPv6_over_IPv4.png
PC1(IPv6) <--> FW1(192.168.122.10) <- IPsec -> (192.168.97.20)FW2 <--> (IPv6) PC2

Configuring the routes:
To start with, the routing tables on both sites look like this (I have not included the IPv6 routes on the WAN interface in FW1's routing table since they do not matter in this case).

Routing table FW1:

LAN dead:beef::/64
WAN 192.168.122.0/24
WAN all-nets 192.168.122.1

Routing table FW2:

LAN 192.168.1.0/24
WAN 192.168.97.0/24
WAN all-nets 192.168.97.1

Since cOS Core is not capable of NAT64, we must configure an internal IPv6 network on FW2 that PC2 can use to communicate with PC1. This network can be any prefix, since it is not routed out on the Internet but only internally between the two sites.

The routing table on FW2 will now look like this:

LAN 192.168.1.0/24
LAN beef:babe::/64
WAN 192.168.97.0/24
WAN all-nets 192.168.97.1

Configuring the IPsec tunnel:

The IPsec tunnel is configured just as in a normal IPv4 scenario; the only difference is that we use IPv6 networks as the local and remote networks. We still use IPv4 addresses as the remote endpoints on both sides of the tunnel.

In this scenario we will use the Simplified IPsec object to configure the tunnel, since we do not have to adjust any tunnel-specific settings. To add a "LAN to LAN VPN (Simplified)", go to Network -> Interfaces and VPN -> IPsec and click Add:
Screenshots: IPsec1_add_1.png, IPsec2_add_2.png
1. Enter a name for the tunnel.
2. Remote endpoint: FW2's public IPv4 address.
3. Local network: the local IPv6 network of FW1.
4. Remote network: the local IPv6 network of FW2.
5. "Add route statically" can be left enabled.
6. In this scenario we use Pre-shared Key as the Authentication Method.
7. Choose a valid PSK object.

Do the same on FW2, but use FW1's public IPv4 address as the remote endpoint, the local IPv6 network of FW2 as the local network and the local IPv6 network of FW1 as the remote network.

The routing tables should now look as follows on the two sites.

Routing table FW1:

LAN dead:beef::/64
Lan_to_Lan_IPv6 beef:babe::/64
WAN 192.168.122.0/24
WAN all-nets 192.168.122.1

Routing table FW2:

LAN 192.168.1.0/24
LAN beef:babe::/64
Lan_to_Lan_IPv6 dead:beef::/64
WAN 192.168.97.0/24
WAN all-nets 192.168.97.1
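As an added illustration (not Clavister's own code or CLI), here is a small Python model of FW1's routing table as shown in this post: it shows that without the tunnel route an IPv6 packet for beef:babe::/64 has nowhere to go, that with the route the inner IPv6 lookup lands on the IPsec interface while the outer IPv4 ESP packet to FW2's endpoint follows the all-nets route, and it checks that the two tunnel definitions mirror each other. The table entries and tunnel settings are transcribed from the post; the function names are assumptions.

```python
import ipaddress

# Constructed model of the FW1 routing tables shown in this post; added example, not cOS Core code.
# Entry: (interface, network, gateway or None). "all-nets" is written as 0.0.0.0/0 here.
TUNNEL = "Lan_to_Lan_IPv6"
FW1_BEFORE = [
    ("LAN", "dead:beef::/64", None),
    ("WAN", "192.168.122.0/24", None),
    ("WAN", "0.0.0.0/0", "192.168.122.1"),
]
# "Add route statically" on the tunnel inserts the remote IPv6 network on the IPsec interface.
FW1_AFTER = [(TUNNEL, "beef:babe::/64", None)] + FW1_BEFORE

# Tunnel settings from the post: IPv4 endpoints, IPv6 traffic selectors, mirrored on FW2.
FW1_TUNNEL = {"remote_endpoint": "192.168.97.20",
              "local_net": "dead:beef::/64", "remote_net": "beef:babe::/64"}
FW2_TUNNEL = {"remote_endpoint": "192.168.122.10",
              "local_net": "beef:babe::/64", "remote_net": "dead:beef::/64"}


def lookup(table, dst):
    """Longest-prefix match; returns (interface, gateway) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in table:
        net = ipaddress.ip_network(net)
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (iface, net, gw)
    return None if best is None else (best[0], best[2])


def forward(table, inner_dst, tunnel=FW1_TUNNEL):
    """Route an IPv6 packet from PC1: the inner lookup and, if it lands on the IPsec
    interface, the outer IPv4 lookup for the ESP packet to the remote endpoint."""
    inner = lookup(table, inner_dst)
    if inner is None:
        return {"inner": None, "outer": None}  # no IPv6 route at all: packet is dropped
    outer = lookup(table, tunnel["remote_endpoint"]) if inner[0] == TUNNEL else None
    return {"inner": inner, "outer": outer}


def tunnels_mirror(a, b):
    """Both sides must use IPv4 endpoints and swapped IPv6 local/remote networks."""
    v4 = all(ipaddress.ip_address(t["remote_endpoint"]).version == 4 for t in (a, b))
    v6 = all(ipaddress.ip_network(t[k]).version == 6
             for t in (a, b) for k in ("local_net", "remote_net"))
    return v4 and v6 and a["local_net"] == b["remote_net"] and a["remote_net"] == b["local_net"]
```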
Now we only need an IP Policy that allows traffic over the IPsec tunnel. Here is how the policy should look on the FW1 side:
Screenshot: IPsec3_policy_3.png