Subject: Re: Cisco IPv6 - NetBSD -- Problem found but not solved.
To: Robert Elz <kre@munnari.OZ.AU>
From: Lista de NetBSD Users <list10@sepc.edu.mx>
List: netbsd-users
Date: 11/23/2001 09:03:49
Thanks, Kre... your explanation is very clear and
rich in information to me... and the answer to my
first question is, as you said:

access-list num permit 41 host x.x.x.x host y.y.y.y

The 41 is because my router doesn't know the mnemonic "ipv6".

rosario# ifconfig gif2 tunnel y.y.y.y x.x.x.x
rosario# ping6 -n ff02::1%gif2
PING6(56=40+8+8 bytes) fe80::250:daff:fe69:47fd%gif2 --> ff02::1%gif2
16 bytes from fe80::250:daff:fe69:47fd%lo0, icmp_seq=0 hlim=64 time=0.268 ms
16 bytes from fe80::83c1:6408%gif2, icmp_seq=0 hlim=64 time=601.378 ms(DUP!)
16 bytes from fe80::250:daff:fe69:47fd%lo0, icmp_seq=1 hlim=64 time=0.182 ms
16 bytes from fe80::83c1:6408%gif2, icmp_seq=1 hlim=64 time=706.812 ms(DUP!)
16 bytes from fe80::250:daff:fe69:47fd%lo0, icmp_seq=2 hlim=64 time=0.185 ms
16 bytes from fe80::83c1:6408%gif2, icmp_seq=2 hlim=64 time=478.057 ms(DUP!)
16 bytes from fe80::250:daff:fe69:47fd%lo0, icmp_seq=3 hlim=64 time=0.177 ms
^C
--- ff02::1%gif2 ping6 statistics ---
4 packets transmitted, 4 packets received, +3 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.177/255.294/706.812/300.844 ms

I can see both devices in the tunnel with the ping6 command... thanks
again... Now the answer for poptop and mppe seems to be protocol gre,
but I must do some testing before taking it as true.

Thanks again

Sincerely,

Heron Gallegos
Centro Siglo XXI - Informatica Educativa
Saltillo, Coahuila, Mexico

On Fri, 23 Nov 2001, Robert Elz wrote:

> Date: Fri, 23 Nov 2001 17:19:11 +0700
> From: Robert Elz <kre@munnari.OZ.AU>
> To: Lista de NetBSD Users <list10@sepc.edu.mx>
> Cc: netbsd-users@netbsd.org
> Subject: Re: Cisco IPv6 - NetBSD -- Problem found but not solved.
>
>     Date:        Thu, 22 Nov 2001 11:23:23 -0600 (CST)
>     From:        Lista de NetBSD Users <list10@sepc.edu.mx>
>     Message-ID:  <Pine.NEB.4.33.0111221037320.9991-100000@tarkus.csxxi.net.mx>
>
>   | I have the following filter in my router and I dont know
>   | which line modify in order to get gif tunnel works.
>
> There are no lines in your access lists which specifically stop GIF
> tunnelling - which is just IP in IP.
>
> However, there's nothing which permits it either, you need something
> like
> 	permit ipinip host a.b.c.d host d.e.f.g
>
> You most probably only want to allow it for the specific hosts that
> are doing the tunnel, otherwise IP in IP would allow all your other
> filters to be bypassed.
>
> You don't say if this is an input or an output access list, nor whether
> it is on your external or your internal interface(s) - assuming it is
> an input access list on your external interface (which is most likely)
> then a.b.c.d would be the remote end of the tunnel, and d.e.f.g would
> be the local end.
>
> If your IOS is old enough that it doesn't know "ipinip" then you would
> need to allow all ip between the two hosts.   Similarly if cisco's idea
> of ipinip doesn't include IPv6 in IP which is how you're using the
> tunnel.  In that case, just change "ipinip" to "ip", and be aware that
> anything not specifically denied by an earlier rule in the access list
> will be allowed from that host (ipinip is almost that, but a bit harder
> for the source to create, so the difference isn't great).
>
> You could also try
> 	permit 41 host a.b.c.d ...
>
> I think "41" is IPv6 in IP (there will be others here who know what
> IP protocol number is actually used if this is incorrect...)
>
> kre
>
>
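Worked example added here (not code from either message, and not IOS itself): a small first-match evaluator for the subset of Cisco extended ACL syntax used in this thread, showing concretely what kre's three candidate lines ("permit 41", "permit ipinip", "permit ip") let through between the two tunnel endpoints. The addresses 203.0.113.1 / 198.51.100.1 / 203.0.113.9, the access-list number 101 and the keyword table are assumptions for illustration; the protocol numbers (4 = IP-in-IP, 41 = IPv6-in-IPv4, 47 = GRE) are the IANA assignments. "ipv6" is listed only as a label for 41, since as Heron found, older IOS does not accept it and the numeric form is the portable one.

```python
# Added example: first-match evaluator for a subset of Cisco extended ACL
# syntax, to show what each "permit" line suggested in the thread actually
# admits. Addresses and ACL number are hypothetical; this is not IOS code.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers behind the keywords mentioned in the thread.
# "ip" matches any protocol, represented here as None.
PROTO_KEYWORDS = {
    "ip": None,
    "icmp": 1,
    "ipinip": 4,   # IP-in-IP (RFC 2003); this is NOT IPv6-in-IPv4
    "tcp": 6,
    "udp": 17,
    "ipv6": 41,    # IPv6 encapsulated in IPv4, what a gif tunnel sends
    "gre": 47,     # GRE, the PPTP (poptop) data channel
}


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means any IP protocol
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"


def _parse_addr(toks: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if toks and toks[0] == "any":
        return None, toks[1:]
    if len(toks) >= 2 and toks[0] == "host":
        return toks[1], toks[2:]
    raise ValueError(f"expected 'any' or 'host <addr>', got {toks!r}")


def parse_ace(line: str) -> AclEntry:
    """Parse '[access-list N] permit|deny PROTO SRC DST'; PROTO is a keyword or number."""
    toks = line.split()
    if toks[:1] == ["access-list"]:
        toks = toks[2:]            # drop 'access-list' and the list number
    if len(toks) < 2 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    action, proto_tok = toks[0], toks[1]
    if proto_tok.isdigit():
        proto: Optional[int] = int(proto_tok)   # numeric form works on old IOS
    elif proto_tok in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[proto_tok]
    else:
        raise ValueError(f"unknown protocol {proto_tok!r}")
    src, rest = _parse_addr(toks[2:])
    dst, rest = _parse_addr(rest)
    return AclEntry(action, proto, src, dst)


def evaluate(acl: List[AclEntry], proto: int, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto is not None and ace.proto != proto:
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        return ace.action
    return "deny"


def allowed_protocols(acl_lines: List[str], src: str, dst: str) -> List[int]:
    """Which of the thread's protocols pass from src to dst under this ACL."""
    acl = [parse_ace(line) for line in acl_lines]
    return sorted(p for p in PROTO_KEYWORDS.values()
                  if p is not None and evaluate(acl, p, src, dst) == "permit")


# Constructed sample: REMOTE is the far tunnel endpoint, LOCAL the router's
# outside address (inbound ACL on the external interface, as kre assumed),
# OTHER an unrelated host on the Internet.
REMOTE, LOCAL, OTHER = "203.0.113.1", "198.51.100.1", "203.0.113.9"

NARROW = ["access-list 101 permit 41 host 203.0.113.1 host 198.51.100.1"]
IPINIP = ["access-list 101 permit ipinip host 203.0.113.1 host 198.51.100.1"]
BROAD = ["access-list 101 permit ip host 203.0.113.1 host 198.51.100.1"]

if __name__ == "__main__":
    print("permit 41     :", allowed_protocols(NARROW, REMOTE, LOCAL))
    print("permit ipinip :", allowed_protocols(IPINIP, REMOTE, LOCAL))
    print("permit ip     :", allowed_protocols(BROAD, REMOTE, LOCAL))
    print("other host, permit 41:", allowed_protocols(NARROW, OTHER, LOCAL))
```

Running it makes kre's caveat visible: the "permit 41" line admits only protocol 41 from the one remote endpoint, the "permit ipinip" line (protocol 4) does not admit the gif traffic at all, and the "permit ip" fallback admits every protocol from that host, so anything not denied by an earlier entry is open from it.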