Subject: Re: Cisco IPv6 - NetBSD -- Problem found but not solved.
To: Lista de NetBSD Users <list10@sepc.edu.mx>
From: Robert Elz <kre@munnari.OZ.AU>
List: netbsd-users
Date: 11/23/2001 17:19:11
    Date:        Thu, 22 Nov 2001 11:23:23 -0600 (CST)
    From:        Lista de NetBSD Users <list10@sepc.edu.mx>
    Message-ID:  <Pine.NEB.4.33.0111221037320.9991-100000@tarkus.csxxi.net.mx>

  | I have the following filter in my router and I don't know
  | which line to modify in order to get the gif tunnel to work.

There are no lines in your access lists which specifically stop GIF
tunnelling - which is just IP in IP.

However, there's nothing which permits it either, you need something
like
	permit ipinip host a.b.c.d host d.e.f.g

You most probably only want to allow it for the specific hosts that
are doing the tunnel, otherwise IP in IP would allow all your other
filters to be bypassed.

You don't say if this is an input or an output access list, nor whether
it is on your external or your internal interface(s) - assuming it is
an input access list on your external interface (which is most likely)
then a.b.c.d would be the remote end of the tunnel, and d.e.f.g would
be the local end.

If your IOS is old enough that it doesn't know "ipinip" then you would
need to allow all ip between the two hosts.   Similarly if cisco's idea
of ipinip doesn't include IPv6 in IP which is how you're using the
tunnel.  In that case, just change "ipinip" to "ip", and be aware that
anything not specifically denied by an earlier rule in the access list
will be allowed from that host (ipinip is almost that, but a bit harder
for the source to create, so the difference isn't great).

You could also try
	permit 41 host a.b.c.d ...

I think "41" is IPv6 in IP (there will be others here who know what
IP protocol number is actually used if this is incorrect...)

kre
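An added example, not part of kre's reply or of the original poster's configuration: a small first-match evaluator for Cisco-style extended access lists, used to show the three situations the reply describes (no rule mentioning the tunnel, so the implicit deny drops it; a narrow permit for IP protocol 41 between the two tunnel endpoints; and the broad `permit ip host ... host ...` fallback that lets every protocol from that host through unless an earlier rule denies it). Protocol 41 is indeed the IPv6-in-IPv4 encapsulation number. The addresses are constructed RFC 5737 documentation addresses standing in for the post's a.b.c.d and d.e.f.g; the parser handles only the `permit|deny <proto> host X|any host Y|any` form used here, not the full IOS syntax.

```python
"""Toy first-match evaluator for Cisco-style extended access lists.

Added example (not from the mailing-list post). Models the semantics the
reply relies on: rules are checked in order, the first match decides, and
a packet matching no rule hits the implicit deny at the end of the list.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword -> IP protocol number; "ip" (None) matches every protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17}

REMOTE_TUNNEL_END = "198.51.100.10"  # constructed: stands in for a.b.c.d
LOCAL_TUNNEL_END = "203.0.113.5"     # constructed: stands in for d.e.f.g
OTHER_HOST = "198.51.100.20"         # constructed: an unrelated external host
IPV6_IN_IPV4 = 41                    # IP protocol number used by the gif tunnel


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means "ip": any protocol
    src: str               # single host address or "any"
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse 'permit 41 host A host B' or 'deny ip any any' (subset of IOS)."""
    tokens = line.split()
    action, proto_tok = tokens[0], tokens[1]
    proto = int(proto_tok) if proto_tok.isdigit() else PROTO_NUMBERS[proto_tok]
    addrs = []
    i = 2
    while i < len(tokens):
        if tokens[i] == "host":      # 'host X' -> X
            addrs.append(tokens[i + 1])
            i += 2
        else:                        # 'any' stays as-is
            addrs.append(tokens[i])
            i += 1
    src, dst = addrs
    return Rule(action, proto, src, dst)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def evaluate(acl: List[Rule], proto: int, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); None index = implicit deny."""
    for idx, rule in enumerate(acl):
        if rule.proto is not None and rule.proto != proto:
            continue
        if _addr_match(rule.src, src) and _addr_match(rule.dst, dst):
            return rule.action, idx
    return "deny", None


# Constructed ACLs for the three situations in the reply.
ACL_NO_TUNNEL_RULE = f"""
permit tcp any host {LOCAL_TUNNEL_END}
permit udp any host {LOCAL_TUNNEL_END}
"""

ACL_PROTO41 = f"""
permit 41 host {REMOTE_TUNNEL_END} host {LOCAL_TUNNEL_END}
permit tcp any host {LOCAL_TUNNEL_END}
"""

ACL_IP_FALLBACK = f"""
deny udp host {REMOTE_TUNNEL_END} host {LOCAL_TUNNEL_END}
permit ip host {REMOTE_TUNNEL_END} host {LOCAL_TUNNEL_END}
"""


def decision(acl_text: str, proto: int, src: str = REMOTE_TUNNEL_END,
             dst: str = LOCAL_TUNNEL_END) -> str:
    return evaluate(parse_acl(acl_text), proto, src, dst)[0]


if __name__ == "__main__":
    for name, acl in [("no tunnel rule", ACL_NO_TUNNEL_RULE),
                      ("permit 41", ACL_PROTO41),
                      ("permit ip fallback", ACL_IP_FALLBACK)]:
        print(f"{name:20s} proto41={decision(acl, IPV6_IN_IPV4):6s} "
              f"udp={decision(acl, 17):6s} icmp={decision(acl, 1):6s} "
              f"proto41 from other host={decision(acl, IPV6_IN_IPV4, OTHER_HOST)}")
```

The `ACL_IP_FALLBACK` list shows why the reply says to watch the rule order: the `permit ip` line admits ICMP and everything else from the remote host, and only the UDP placed in an earlier `deny` is stopped. The `permit 41` form admits nothing but the tunnel encapsulation, and only between the two endpoints.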