Connecting IPv6 Remote Office to Headquarters via IPv6 over IPv4 -- Encapsulation, NOT Encryption
This posting has two purposes.
- ASK HOW TO ENCRYPT IPv6 traffic, OR HOW TO ROUTE 6over4 traffic via the existing IPV4 VPN Tunnel?
- Supplement the IPv6 over IPv4 tunnel documentation. This posting includes the routing and rule changes. For example, using the IP of the other end of the tunnel in the route statement. The posting also makes clear that the 6over4 tunnel is plain text. (I hope that this posting helps others. I spent quite a bit of time to understand the 6over4 tunnel.)
The goal is to connect multiple dual-state (IPv4 and IPv6) offices to Headquarters via SonicWalls and IPv4 VPN Connections. The example below shows a working 6over4 tunnel, without encryption.
How do I pass IPv6 traffic via an encrypted connection?
The text, below, describes the full technique to connect one remote office to HQ. It includes the steps for a manual IPv6 over IPv4 tunnel. The company uses Hub and Spoke, so all internet traffic routes via the HQ Sonicwall. The office uses a TZ300. HQ uses a NSA3650.
- Establish a standard IPv4 VPN between the office and HQ. Route all traffic to the HQ SonicWall.
- Configure IPv6 addressing and DHCP in the office SonicWall.
- Establish a Manual IPv6 over IPv4 tunnel in each of the two SonicWalls.
- Add routing statements to each SonicWall. The routing gateway is the IPv6 address of the tunnel at the remote SonicWall. For example, the HQ is ::1, Office is ::2. The route statement in the Office SonicWall uses ::1 as the relay.
- Update Rules in each SonicWall to allow IPv6 traffic.
- NOTE: Traffic over the manual tunnel is in the WAN space, not the VPN space.
- The tunnel is up.
- IPv4 to IPv4 traffic rides the encrypted VPN tunnel
- IPv6 to IPv6 traffic rides an encapsulated tunnel between the SonicWalls. HOWEVER, the traffic is encapsulated, not encrypted.
- MTU Size -- Set the MTU size of the IPv6 Office networks to 1280. This is done in the IPv4 interface. The small MTU is necessary to allow the encapsulated packet, including the added IPv4 headers, to be less than 1500 bytes.
Establish normal IPv4 to IPv4 VPN tunnel between the SonicWalls.
Use fixed external IPs on the SonicWalls. Define two vlans for the office for user and VOIP subnets.
Establish Manual IPv6 over IPv4 tunnel
- The following image shows the manual tunnel in the remote office SonicWall. Notice the tunnel is a /126. The corresponding address in HQ SonicWall is aaaa:bbbb:cccc:2020::1. The Remote IPv4 address is the public IP of the HQ firewall. The Remote IPv6 Network is "::/0". So, all IPv6 traffic will route via the tunnel.
- The HQ Manual tunnel. The IPv6 address is aaaa.bbbb.cccc.2020::1/126. The IPv4 address is the public interface of the Office SonicWall. Also, the IPv6 value is a single network or and address group. Since the Office has user and VOIP LANs, the HQ entry is a Address Group.
- The 6over4 tunnel can be tested by pinging the tunnel IPv6 address defined in the other SonicWall. (System Diagnostics page).
Add Routing Statements to SonicWalls so Traffic Routes Via Tunnel
- The following route statement drives all IPv6 traffic via the 6over4 tunnel to the HQ SonicWall. The destination entry is "::/0", the default route, so all traffic routes to HQ.
- The HQ routing statement is similar, but the Destination specifies the address group that contains the Office subnets, LAN and VOIP.
Update Rules in Each SonicWall to Pass Traffic -- Note From/To WAN Zone
- In the Office SonicWall, allow LAN traffic to the 6over4 manual tunnel. There is 's no filtering by service or destination. The Manual 6over4 tunnel will carry traffic to IPv6 in HQ and to the Internet via HQ's SonicWall.
- In the HQ SonicWall, allow traffic from the remote office to the internal network. The NOGv6 entry is the address group of the Office IPv6 subnets. The "HQ /48" network is the IPv6 /48 that is assigned to the company. Notice that the From Zone is WAN.
Traffic is Encapsulated, Not Encrypted
Snoop the X1 traffic between the two SonicWalls, or span port the WAN interface of the Office SonicWall. In a test environment, I accessed the web page of an HP printer via the IPv6 address. One snooped packed included text for font-_family:Aria. So the traffic is plain text. I also spanned port in the switch and confirmed the plain text traffic with wireshark.
How Do I Pass the 6over4 tunnel over the existing IPv4 VPN Tunnel?
If the encapsulated 6over4 traffic ran through the existing IPv4 VPN tunnel, remote office connectivity would be done!