
Hexago Gateway6 NAT Traversal Configuration Tutorial

Hexago, HexOS, TSP, and Migration Broker are trademarks of Hexago Inc. Copyright 2002-2006 Hexago Inc., all rights reserved.

Overview
This tutorial shows how to configure a Hexago Gateway6 to automatically offer IPv6 tunnels to hosts behind IPv4 network address and port translators (NATs). In order to traverse the NAT more easily, IPv4 UDP encapsulation of the IPv6 packets is used. This tutorial is part of a series and requires the Gateway6 to be already configured for standard IPv6 in IPv4 tunnel support. See the document "Tunnel Configuration Tutorial" for details.

Network Setup
In this setup, interface fast ethernet 0 is configured in IPv4 and fast ethernet 1 with IPv6. The dual-stack host is in an IPv4 only network behind a NAT box and requires IPv6 access (right-side cloud).

[Figure: network setup. A dual-stack host on an IPv4-only network sits behind a NAT and reaches the Gateway6 through an IPv6 in UDP IPv4 tunnel; the Gateway6 connects to the IPv4 network on FastEthernet 0 and to the IPv6 network on FastEthernet 1.]

Configuration Objects
The required configuration objects are similar to standard IPv6 in IPv4 tunnels. The major difference is that the TSP listener must be configured to accept UDP connections and the tunnel server must be able to create IPv6 in UDP IPv4 tunnels.

[Figure: configuration objects: ipv6 pool, aaa model, tunnel server, tsp, http, tunnel broker.]

Address Pools
In order to support UDP tunnels, a different pool of addresses is defined. The new pool uses the second leftmost bit of the prefix in order to keep the flexibility for future prefix assignments.

| Configuration Statement | Description |
| --- | --- |
| ipv6 local pool V6UDPV4-ENDPOINTS 2001:5c0:8c5a:4000::/64 128 | Define pool V6UDPV4-ENDPOINTS as a pool of /128 addresses to be taken from the range 2001:5c0:8c5a:4000::/64. |

TSP listener
A new TSP listener is defined that listens for UDP connections. The important difference here is the "transport udp 3653" statement. An additional tunnel mode is supported, v6udpv4 for UDP encapsulation. Note that the standard IPv6 in IPv4 encapsulation is still supported by the listener. If a client connects with UDP but is not behind a NAT, it will be automatically assigned an IPv6 in IPv4 tunnel in order to reduce the header overhead during transport.

| Configuration Statement | Description |
| --- | --- |
| tsp TSP-UDP-EXAMPLE | Define a TSP listener TSP-UDP-EXAMPLE and enter the TSP configuration mode. |
| set aaa model AAA-EXAMPLE | Use the defined AAA-EXAMPLE AAA model for the user AAA policy of this TSP listener. The AAA model information is used by the TSP listener to announce its capabilities to the TSP clients. |
| ip address 10.6.6.6 | Define the IPv4 address of this TSP listener. The listener is started on this address. TSP clients must connect to this address to make their tunnel requests. The IPv4 address must be valid and configured on a physical interface of this Migration Broker. |
| transport udp 3653 | Define the transport for this TSP listener. The listener will listen on port 3653 (the port assigned to TSP by IANA) for UDP connections. |
| tunnel mode v6v4 | Supported IPv6 in IPv4 tunnel encapsulation mode. |
| tunnel mode v6udpv4 | Supported IPv6 in UDP IPv4 tunnel encapsulation mode. |
| exit | Exit the TSP configuration mode. |

Tunnel Server configuration

A tunnel server is defined for UDP tunnels. Note that the range of interfaces is different than previous tunnel servers. The mode and the endpoint pool also changed.

| Configuration Statement | Description |
| --- | --- |
| tunnel server TS-V6UDPV4 | Define a tunnel server TS-V6UDPV4 and enter the Tunnel Server configuration mode. |
| interface range 1001 2000 | Define the list of tunnel interfaces used on this tunnel server. |
| ip address 10.6.6.6 | Define the IPv4 address of this tunnel server, which will be the tunnel endpoint of tunnels on this tunnel server. The IPv4 address must be valid and configured on a physical interface of this Migration Broker. |
| ipv6 pool endpoints V6UDPV4-ENDPOINTS | Use the defined V6UDPV4-ENDPOINTS pool for tunnel endpoints. |
| tunnel mode v6udpv4 | Define the encapsulation mode of the tunnels as being over IPv4 UDP. |
| exit | Exit the Tunnel Server configuration mode. |

Tunnel Broker Configuration

The statements below must be added to the tunnel broker configuration. The new TSP listener and tunnel server are simply added to the tunnel broker.

| Configuration Statement | Description |
| --- | --- |
| tunnel broker TB-EXAMPLE | Define a tunnel broker TB-EXAMPLE and enter the Tunnel Broker configuration mode. |
| set tsp TSP-UDP-EXAMPLE | Receive requests from TSP listener TSP-UDP-EXAMPLE. |
| set tunnel server TS-V6UDPV4 | Allocate the TS-V6UDPV4 tunnel server as a resource to create tunnels. |
| exit | Exit Tunnel Broker configuration mode. |

Verifying the configuration

Again, it is important to verify that the configuration is correct and that the status of the different elements is up.

    broker# show tsp
    Name             Status  IP address  Transport  Tunnel modes  AAA model
    ---------------------------------------------------------------------------
    TSP-TCP-EXAMPLE  up      10.6.6.6    tcp/3653   v6v4          AAA-EXAMPLE
    TSP-UDP-EXAMPLE  up      10.6.6.6    udp/3653   v6v4 v6udpv4  AAA-EXAMPLE
    Total number of tsp listeners 2.
    broker#
    broker# show tunnel server
    Name        Status  Tunnel modes  Tunnels  IP Address
    -------------------------------------------------------
    TS-EXAMPLE  up      v6v4          1        10.6.6.6
    TS-V6UDPV4  up      v6udpv4       1        10.6.6.6

Create a new user account

A local user account is created to test the new type of tunnel.

| Enable Command | Description |
| --- | --- |
| db add user testv6udpv4 password hexago | Add a new user to the local database. |

Client Connection
Establish the tunnel from a dual-stack host, for example a PC running Windows XP SP2 or Linux.

On Linux, in tspc.conf:

    userid=testv6udpv4
    passwd=hexago
    server=10.6.6.6

The log output of the client should be similar to this:

    2006/06/28 12:4?:20 tspc: TSP Client v4.1-BETA4 build May 2? 2006-20:13:20
    2006/06/28 12:4?:20 tspc: Establishing connection to tunnel broker 10.6.6.6 using reliable UDP.
    2006/06/28 12:4?:20 tspc: Connection to 10.6.6.6 established.
    2006/06/28 12:4?:20 tspc: Authentication success.
    2006/06/28 12:4?:20 tspc: Got tunnel parameters from server. Setting up local tunnel.
    2006/06/28 12:4?:20 tspc: Executing configuration script: "C:\Program Files\hexago-tspclient\template\windows.bat".
    2006/06/28 12:4?:35 tspc: Script completed successfully.
    2006/06/28 12:4?:35 tspc: Your IPv6 address is 2001:05c0:8c5a:4000:0000:0000:0000:0005.
    2006/06/28 12:4?:35 tspc: The tunnel type is v6udpv4.

The tunnel may be checked in the broker database:

    broker# sh db dtunnel user testv6udpv4
    Interface: dtunnel
    Status: up
    Mode: v6udpv4
    Physical source address: 10.6.6.6:3653
    Physical destination address: 10.6.6.53:1?6?
    Source address: 2001:5c0:8c5a:4000::4/128
    Destination address: 2001:5c0:8c5a:4000::5/128
    DNS host entry of tunnel endpoint: undefined
    DNS server for delegation: undefined
    Owner: testv6udpv4
    Accounting enabled?: no
    Keepalive interval (s): 30
    Keepalive idle timeout (s): 15
    Expiration: Wed Jul 5 15:22:20 2006
    Total number of tunnels 1
    1 tunnel parameters checked
    broker#
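
An added example, not part of the original tutorial: a Python sketch of the two encapsulations the TSP listener offers, showing the 8 extra bytes per packet that v6udpv4 costs over v6v4 and how a monitor on the IPv4 side can recognise tunnelled IPv6 on UDP port 3653. The IPv6 addresses, 10.6.6.6, 10.6.6.53 and port 3653 come from the tutorial; the host address 192.168.1.10, source port 40000 and all function names are constructed for illustration.

```python
import ipaddress
import struct

TSP_PORT = 3653  # from the tutorial's "transport udp 3653" statement

def ipv6_packet(src, dst, payload=b""):
    """40-byte IPv6 header (next header 59 = none) followed by payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def ipv4_header(src, dst, proto, body_len):
    """20-byte IPv4 header; checksum left at 0 because only parsing is shown."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def encap_v6v4(inner, src, dst):
    """IPv6 in IPv4: IPv4 protocol 41, no port numbers for a NAT to map."""
    return ipv4_header(src, dst, 41, len(inner)) + inner

def encap_v6udpv4(inner, src, dst, sport, dport=TSP_PORT):
    """IPv6 in UDP in IPv4: the UDP ports give a NAT something to translate."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner
    return ipv4_header(src, dst, 17, len(udp)) + udp

def classify(pkt):
    """Return (tunnel mode, encapsulation overhead in bytes) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("other", 0)
    ihl = (pkt[0] & 0x0F) * 4
    body = pkt[ihl:]
    if pkt[9] == 41 and body and body[0] >> 4 == 6:
        return ("v6v4", ihl)
    if pkt[9] == 17 and len(body) > 8:
        sport, dport = struct.unpack("!HH", body[:4])
        # Only a payload starting with IP version 6 is tunnelled data; other
        # traffic on the port (such as the TSP exchange itself) is not counted.
        if TSP_PORT in (sport, dport) and body[8] >> 4 == 6:
            return ("v6udpv4", ihl + 8)
    return ("other", 0)

if __name__ == "__main__":
    # Constructed sample: 192.168.1.10 and port 40000 are invented values.
    inner = ipv6_packet("2001:5c0:8c5a:4000::5", "2001:5c0:8c5a:1::101", b"ping")
    for pkt in (encap_v6v4(inner, "10.6.6.53", "10.6.6.6"),
                encap_v6udpv4(inner, "192.168.1.10", "10.6.6.6", 40000)):
        print(classify(pkt), len(pkt), "bytes on the wire")
```

An IPv4-only firewall or IDS sees the second packet as ordinary UDP, so IPv6 policy has to be enforced at the Gateway6 or by inspecting the inner packet as `classify` does.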

Note that the NAT is completely transparent; in the IPv6 world it completely disappeared:

    C:\Documents and Settings\Hexago>tracert6 -d 2001:5c0:8c5a:1::101
    Tracing route to 2001:5c0:8c5a:1::101 from 2001:5c0:8c5a:4000::5 over a maximum of 30 hops:
      1    2 ms    2 ms    2 ms  2001:5c0:8c5a:4000::4
      2    2 ms    2 ms    2 ms  2001:5c0:8c5a:1::101
    Trace complete.
