I configured an HE.net IPv6 tunnel on my router, which has two WAN ports. The strange thing is that all clients can ping IPv6 hosts on the Internet, but my router itself cannot ping anyone.
Here is the configuration:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
ipv6 unicast-routing
ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.10.1 172.16.10.10
ip dhcp excluded-address 172.16.10.200 172.16.10.254
ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp excluded-address 172.16.20.200 172.16.20.254
!
ip dhcp pool A-Group
network 172.16.10.0 255.255.255.0
default-router 172.16.10.254
dns-server 172.16.10.254
!
ip dhcp pool B-Group
network 172.16.20.0 255.255.255.0
default-router 172.16.20.254
dns-server 172.16.20.254
!
!
ip domain name internal.xxxxxx.net
ip name-server 2001:4860:4860::8888
ip name-server 2001:470:20::2
ip name-server 8.8.8.8
ip ddns update method TunnelBroker
HTTP
add https://xxxx:xxxxxxxxx@ipv4.tunnelbroker.net/ipv4_end.php?tid=xxxxxx
interval maximum 0 1 0 0
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain tunnelbroker
certificate ca 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
license udi pid CISCO2901/K9 sn FGL170311S6
!
!
object-group network PRIVATE-NET
host xxx.xxx.xxx.xxx
!
username xxxxxx password 0 xxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
!
!
interface Tunnel0
no ip address
ipv6 address 2001:470:xxxx:xxxx::2/64
ipv6 enable
tunnel source Dialer2
tunnel mode ipv6ip
tunnel destination 72.52.104.74
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/1
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
mtu 1496
no ip address
ip nat inside
ip virtual-reassembly in
negotiation auto
!
interface GigabitEthernet0/1/0.10
encapsulation dot1Q 10
ip address 172.16.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:xxx:xxx:10::1/64
ipv6 enable
!
interface GigabitEthernet0/1/0.20
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:xxx:xxx:20::1/64
ipv6 enable
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxx
ppp pap sent-username xxxxxxxx password 0 xxxxxxx
ppp ipcp dns request
!
interface Dialer2
ip ddns update TunnelBroker
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
ppp chap hostname xxxxxx
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxx password 0 xxxxxx
ppp ipcp dns request
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map dia1-nat interface Dialer1 overload
ip nat inside source route-map dia2-nat interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 72.52.104.74 255.255.255.255 Dialer2
!
ip access-list extended PRIVATE-POOL
permit ip object-group PRIVATE-NET any
ip access-list extended WAN-POOL
permit ip any any
!
ipv6 route ::/0 Tunnel0
!
route-map dia2-nat permit 10
match ip address WAN-POOL
match interface Dialer2
!
route-map dia1-nat permit 10
match ip address PRIVATE-POOL
match interface Dialer1
!
!
!
!
!
control-plane
!
!
!
----omitted----
On the client side:
xxxx$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:470:8318:10:dc24:208e:6843:8932 --> 2404:6800:4008:c00::66
16 bytes from 2404:6800:4008:c00::66, icmp_seq=0 hlim=52 time=343.733 ms
16 bytes from 2404:6800:4008:c00::66, icmp_seq=1 hlim=52 time=343.917 ms
16 bytes from 2404:6800:4008:c00::66, icmp_seq=2 hlim=52 time=345.722 ms
^C
--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 343.733/344.457/345.722/0.897 ms
Router:
gateway#ping 2404:6800:4008:c00::66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2404:6800:4008:C00::66, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
gateway#
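An added sanity check, not taken from the question or from any answer, that parses an IOS config in the same layout as the one above and reports the structural prerequisites of an ipv6ip tunnel plus the weak type 4 enable secret. The tunnel /64 in the embedded sample is a constructed placeholder, and the script does not claim to explain the ping failure itself.

```python
import re

# Constructed excerpt of the router config from the question; the tunnel /64 is a placeholder.
SAMPLE_CONFIG = """\
enable secret 4 xxxxxxxxxxxxxxxx
ipv6 unicast-routing
interface Tunnel0
ipv6 address 2001:db8:ffff:1::2/64
tunnel source Dialer2
tunnel mode ipv6ip
tunnel destination 72.52.104.74
!
interface Dialer2
ip address negotiated
!
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 72.52.104.74 255.255.255.255 Dialer2
ipv6 route ::/0 Tunnel0
"""

def parse_ios(text):
    """Split an IOS config (indented or not) into global lines and per-interface blocks."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # a bare '!' terminates the current block
            cur = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif cur is not None:
            ifaces[cur].append(line)
        else:
            glob.append(line)
    return glob, ifaces

def check_6in4(text):
    """Return findings about ipv6ip tunnel prerequisites and enable-secret hygiene."""
    glob, ifaces = parse_ios(text)
    findings = []
    if "ipv6 unicast-routing" not in glob:
        findings.append("global: ipv6 unicast-routing missing, IPv6 is not forwarded")
    for name, lines in ifaces.items():
        if "tunnel mode ipv6ip" not in lines:
            continue
        src = next((l.split()[-1] for l in lines if l.startswith("tunnel source ")), None)
        dst = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        if src not in ifaces:
            findings.append(f"{name}: tunnel source {src} is not a configured interface")
        if not any(l.startswith("ipv6 address ") for l in lines):
            findings.append(f"{name}: no ipv6 address, router cannot source its own IPv6 traffic")
        # With two WAN dialers, the encapsulated packets must leave via the tunnel source;
        # otherwise they may exit the other WAN with an IPv4 source the broker does not accept.
        if dst and f"ip route {dst} 255.255.255.255 {src}" not in glob:
            findings.append(f"{name}: no host route pinning {dst} to {src}")
        if not any(re.fullmatch(rf"ipv6 route ::/0 {re.escape(name)}( \S+)?", l) for l in glob):
            findings.append(f"{name}: no IPv6 default route via this tunnel")
    if any(l.startswith("enable secret 4 ") for l in glob):
        findings.append("global: enable secret uses type 4 (unsalted single-round SHA-256); migrate to type 8 or 9")
    return findings
```

Run `check_6in4` over the full running-config to get the same findings for every ipv6ip tunnel it defines.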
Unrelated, but since you have a type 4 secret ... tools.cisco.com/security/center/content/CiscoSecurityResponse/…
—
cpt_fink