
Figure 36: Tunnel Interface and Zone Example

A device addresses packets that pass between a host in an IPv6 island network and another IPv6 host over an IPv4 WAN backbone in the following manner:

1. Host A generates an IPv6 service request packet and addresses it to Host B. The packet goes from Zone A to Zone B.

2. Device A encapsulates the outgoing IPv6 packet inside an IPv4 packet and sends it out the tunnel interface into Zone B.

4. Device B generates a reply packet, encapsulates it, and forwards it to Device A.

5. Device A receives the encapsulated reply packet through the tunnel interface. Device A decapsulates the packet and forwards it to Host A.

In most cases, the necessary setup tasks are as follows:

1. Configure an interface for communication with the protected island IPv6 network.

• Bind the interface to a zone (typically the Trust zone).

• Configure the interface for IPv6, host mode.

• Assign the interface a global unicast prefix. (For information about global unicast addresses, see "Address Types" on page 4.)

2. Configure an interface for communication over the IPv4 WAN.

• Bind the interface to a zone (typically the Untrust zone).

• Assign the interface an IPv4 address and subnet mask.

• Create a tunnel interface (unnumbered) in the zone and bind it to the IPv4 interface.

3. Follow steps 1 and 2 to set up interfaces on the peer device.

4. Set up IPsec between the peer devices. For more information about IPsec, see Virtual Private Networks.

5. On each device, create address book entries that identify the IPv6 host, subnet, or network.

6. Set up routing entries that allow the hosts to access each other.

7. Set up security policies.

In the following example, you create an IPsec tunnel between IPv4 endpoints. IPv6 devices behind Device A transmit service requests to hosts behind Device B. Device A uses IPsec to encapsulate the service request packets inside IPv4 packets. Device B receives and decapsulates the packets. See Figure 36 on page 115.

The devices perform Phase 1 of the AutoKey IKE tunnel negotiation as follows:

• RSA authentication

• Diffie-Hellman Group 2

• AES128 encryption algorithm

• SHA hashing algorithm

For Phase 2 of the tunnel negotiation, the devices use the Standard proposal:

• Diffie-Hellman Group 2

• ESP (Encapsulating Security Payload) tunneling

• 3DES encryption algorithm

WebUI (Device A)

Interfaces

Network > Interfaces > Edit (for ethernet2)

Network > Interfaces > Edit (for ethernet2) > IPv6

Network > Interfaces > Edit (for ethernet3)

Tunnels

Network > Interfaces > New (Tunnel IF)

IKE

VPNs > Autokey Advanced > Gateway > New

VPN

VPNs > Autokey IKE > New

Routers

Network > Routing > Routing Table > New (trust-vr)

Addresses

Policy > Policy Elements > Addresses > List (Trust) > New

Policy > Policy Elements > Addresses > List (Untrust) > New

Policy

Policies > (From: Trust, To: Untrust) > New

CLI (Device A)

1. Interfaces

set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.1.1/24
set interface ethernet2 ipv6 mode host
set interface ethernet2 ipv6 enable
set interface ethernet2 ipv6 ip 27a6::1/64
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Tunnel

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.1 ipv6 mode host
set interface tunnel.1 ipv6 enable

3. IKE

set ike gateway IPSec_Servers ip 2.2.2.1 main outgoing-interface ethernet3 proposal rsa-g2-aes128-sha

4. VPN

set vpn Tunnel_Servers gateway IPSec_Servers no-replay tunnel sec-level standard
set vpn Tunnel_Servers bind interface tunnel.1

5. Routes

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3
set vrouter trust-vr route ::/0 interface tunnel.1

6. Addresses

set address trust L_Clients 27a6::210:ea1:71ff:fe36/64
set address untrust R_Servers 32f1::250:af:34ff:fe34/64

7. Policy

set policy from trust to untrust L_Clients R_Servers any permit

WebUI (Device B)

Interfaces

Network > Interfaces > Edit (for ethernet2)

Network > Interfaces > Edit (for ethernet2) > IPv6

Network > Interfaces > Edit (for ethernet3)

Tunnels

Network > Interfaces > New (Tunnel IF)

IKE

VPNs > Autokey Advanced > Gateway > New

VPN

VPNs > Autokey IKE > New

Routers

Network > Routing > Routing Table > New (trust-vr)

Network > Routing > Route Table > New (untrust-vr)

Addresses

Policy > Policy Elements > Addresses > List (Trust) > New

Policy > Policy Elements > Addresses > List (Untrust) > New

Policy

CLI (Device B)

1. Interfaces

set interface ethernet2 zone trust
set interface ethernet2 ip 10.2.2.1/24
set interface ethernet2 ipv6 mode host
set interface ethernet2 ipv6 enable
set interface ethernet2 ipv6 ip 310a::1/64
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.1/24

2. Tunnel

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.1 ipv6 mode host
set interface tunnel.1 ipv6 enable

3. IKE

set ike gateway IPSec_Clients ip 1.1.1.1 main outgoing-interface ethernet3 proposal rsa-g2-aes128-sha

4. VPN

set vpn Tunnel_Clients id 1 gateway IPSec_Clients no-replay tunnel sec-level standard
set vpn Tunnel_Clients id 2 bind interface tunnel.1

5. Routes

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3
set vrouter trust-vr route ::/0 interface tunnel.1

6. Addresses

set address trust L_Server 310a::33c:3efb:34ff:fe55/128
set address untrust R_Clients 27a6::210:ea1:71ff:fe36/64

7. Policy

set policy from untrust to trust R_Clients L_Server any tunnel vpn Tunnel_Clients
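As an added consistency check that is not part of the ScreenOS example above, the following Python script parses the Device A and Device B CLI commands and verifies that the two peers agree: each IKE gateway IP is an interface address on the other device, the Phase 1 proposals match, and every untrust address entry referenced by a policy contains a trust entry on the peer. Run over the addresses shown above, it reports that Device A's R_Servers prefix (32f1::/64) does not contain Device B's L_Server address, which lies in 310a::/64.

```python
import ipaddress

# Constructed sample: the ScreenOS commands from the two CLI sections above, one per line.
DEVICE_A = """\
set interface ethernet3 ip 1.1.1.1/24
set ike gateway IPSec_Servers ip 2.2.2.1 main outgoing-interface ethernet3 proposal rsa-g2-aes128-sha
set address trust L_Clients 27a6::210:ea1:71ff:fe36/64
set address untrust R_Servers 32f1::250:af:34ff:fe34/64
set policy from trust to untrust L_Clients R_Servers any permit
"""
DEVICE_B = """\
set interface ethernet3 ip 2.2.2.1/24
set ike gateway IPSec_Clients ip 1.1.1.1 main outgoing-interface ethernet3 proposal rsa-g2-aes128-sha
set address trust L_Server 310a::33c:3efb:34ff:fe55/128
set address untrust R_Clients 27a6::210:ea1:71ff:fe36/64
set policy from untrust to trust R_Clients L_Server any tunnel vpn Tunnel_Clients
"""

def parse(config):
    """Extract the fields a peer-consistency check needs from ScreenOS 'set' commands."""
    d = {"iface_ip": [], "gateway": {}, "addr": {}, "policy": []}
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["set", "interface"] and t[3:4] == ["ip"] and len(t) == 5:
            d["iface_ip"].append(str(ipaddress.ip_interface(t[4]).ip))
        elif t[:3] == ["set", "ike", "gateway"]:  # name -> (peer IP, Phase 1 proposal)
            d["gateway"][t[3]] = (t[t.index("ip") + 1], t[t.index("proposal") + 1])
        elif t[:2] == ["set", "address"]:  # name -> (zone, prefix the entry covers)
            d["addr"][t[3]] = (t[2], ipaddress.ip_network(t[4], strict=False))
        elif t[:2] == ["set", "policy"]:  # (source address name, destination address name)
            d["policy"].append((t[6], t[7]))
    return d

def check_peers(local, remote):
    """List mismatches between one device's config and its peer's (empty = consistent)."""
    problems = []
    for name, (peer_ip, proposal) in local["gateway"].items():
        # Phase 1: the peer must own the configured IP and offer the same proposal.
        if peer_ip not in remote["iface_ip"]:
            problems.append(f"gateway {name}: {peer_ip} is not an interface IP on the peer")
        for rname, (_, rprop) in remote["gateway"].items():
            if rprop != proposal:
                problems.append(f"gateway {name}/{rname}: Phase 1 proposal {proposal} != {rprop}")
    for addr_name in {n for pair in local["policy"] for n in pair}:
        # A remote-side (untrust) entry used here must contain a trust entry on the peer's side.
        zone, net = local["addr"][addr_name]
        if zone == "untrust" and not any(
                rzone == "trust" and rnet.version == net.version and rnet.subnet_of(net)
                for rzone, rnet in remote["addr"].values()):
            problems.append(f"address {addr_name} {net} contains no trust address on the peer")
    return problems
```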