A 6to4 tunnel is a dynamic, multipoint IPv6-over-IPv4 tunneling mechanism used to connect multiple IPv6 sites over an IPv4 backbone. It operates using the 2002::/16 prefix but can also route global IPv6 prefixes. Although it is an older and deprecated technology, it provides valuable insights into the fundamentals of IPv6-over-IPv4 multipoint VPN tunneling. In this section, we will demonstrate a configuration example for a 6to4 tunnel.
How Does a 6to4 Tunnel Work?
Before diving into the details of 6to4 tunnel configuration, let’s first understand how dynamic multipoint IPv6-over-IPv4 tunneling methods generally work.
In such methods, the IPv6 address of each site is derived from the IPv4 address of its gateway. When IPv6 traffic is sent from Site X to Site Y, the IPv4 address of Site Y’s gateway is extracted from the destination IPv6 address. The IPv6 traffic is then encapsulated and tunneled between the IPv4 address of Site X and the IPv4 address of Site Y.
In a 6to4 tunnel, the IPv6 address of each site starts with the 2002::/16 prefix. The next 32 bits of the IPv6 address represent the hexadecimal equivalent of the IPv4 address of the site’s gateway. This creates a fixed /48 prefix for each site, leaving the remaining 16 bits available for addressing subnets within that site.
For example, if the IPv4 address of the gateway at Site X is 10.0.1.2, the IPv6 address for the site would start with 2002:0A00:0102::/48. Here, 0A is the hexadecimal equivalent of 10, 00 represents 0, 01 represents 1, and 02 represents 2.
6to4 Tunnel Configuration Example
To better understand how a 6to4 IPv6-over-IPv4 tunnel works, I have prepared a topology with three sites.
In the first site, the IPv4 address of the gateway (which also serves as the tunnel endpoint) is 10.0.1.2. Therefore, the IPv6 prefix for this site is 2002:A00:102::/48. For simplicity, the next 16 bits are set to 0000, resulting in an IPv6 prefix of 2002:A00:102::/64 for the site.
The same process is applied for Site 2 and Site 3.
To configure the 6to4 tunnel, we create a tunnel interface with the following parameters:
Set the tunnel mode to ipv6ip 6to4.
Specify the IPv4 address of the gateway as the tunnel source.
Omit the tunnel destination since this is a multipoint tunnel.
Assign an IPv6 address to the tunnel interface, which must belong to a subnet derived from the 6to4 address. In this example, for simplicity, I reused the site's IPv6 address on the tunnel by configuring it as unnumbered.
Finally, we add a route to direct all traffic with destinations starting with 2002::/16 through the 6to4 tunnel.
!!! IOU1
interface Tunnel0
 ipv6 unnumbered Loopback0
 tunnel source 10.0.1.2
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0

!!! IOU2
interface Tunnel0
 ipv6 unnumbered Loopback0
 tunnel source 10.0.2.2
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0

!!! IOU3
interface Tunnel0
 ipv6 unnumbered Loopback0
 tunnel source 10.0.3.2
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0
When traffic is sent over the tunnel, the IPv4 address of the remote tunnel endpoint is automatically extracted from the destination IPv6 address. A tunnel is dynamically established between the two sites, and IPv6 traffic is encapsulated within IPv4 packets for transmission between the sites.
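The address mapping described above, worked through in Python as an added example (not part of the original article or of any router software). The function names and the sample packets are constructed for illustration; the check compares the IPv4 endpoint implied by a 6to4 inner address with the outer IPv4 header of a captured IPv6-in-IPv4 packet.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def site_prefix(gateway_v4):
    """Build the site's /48: 16 bits of 0x2002, then the 32-bit IPv4 address."""
    v4 = int(ipaddress.IPv4Address(gateway_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_v4(addr_v6):
    """Return the IPv4 endpoint encoded in a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(addr_v6)
    if addr not in SIX_TO_FOUR:
        return None  # e.g. a 2001:: address: nothing to extract
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def classify(outer_src_v4, outer_dst_v4, inner_src_v6, inner_dst_v6):
    """List disagreements between the outer IPv4 header and the 6to4 mapping."""
    findings = []
    src, dst = embedded_v4(inner_src_v6), embedded_v4(inner_dst_v6)
    if src is not None and src != ipaddress.IPv4Address(outer_src_v4):
        findings.append("inner source implies %s, outer source is %s"
                        % (src, outer_src_v4))
    if dst is not None and dst != ipaddress.IPv4Address(outer_dst_v4):
        findings.append("inner destination implies %s, outer destination is %s"
                        % (dst, outer_dst_v4))
    return findings

# Constructed samples: (outer src, outer dst, inner src, inner dst).
SAMPLES = [
    ("10.0.1.2", "10.0.2.2", "2002:A00:102::1", "2002:A00:202::1"),
    ("10.0.3.2", "10.0.2.2", "2002:A00:102::1", "2002:A00:202::1"),
    ("10.0.1.2", "10.0.3.2", "2001:AA:1::1", "2001:AA:3::1"),
]

if __name__ == "__main__":
    print(site_prefix("10.0.1.2"))
    for pkt in SAMPLES:
        print(pkt, classify(*pkt) or "consistent")
```
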
The operation of a 6to4 tunnel can be verified by performing a ping between IPv6 sites over the IPv4 backbone.
IOU1#ping 2002:0A00:0202::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:A00:202::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

IOU1#ping 2002:0A00:0302::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:A00:302::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Routing Global IPv6 Addresses over a 6to4 Tunnel
The main limitation of a 6to4 tunnel is that it requires sites to use the 2002::/16 prefix, while global IPv6 addresses typically fall under the 2001::/16 prefix.
With a simple workaround, it is possible to route real IPv6 global prefixes over a 6to4 tunnel by adding manual routes. However, this approach is not scalable in larger networks. You must manually configure a route that forwards traffic destined for global IPv6 prefixes to their corresponding 6to4 tunnel addresses.
Extending the previous example, I assigned each site a new IPv6 address from the globally unique IPv6 address range. To enable communication using these global prefixes over the 6to4 tunnel, each site needs one static route for every other site.
For each global destination prefix, the next-hop address must be the 6to4 address of the target site. For instance, to route traffic to the destination 2001:AA:3::/64 in Site 3, the next-hop address would be 2002:A00:302::, which is the 6to4 address of Site 3.
!!! IOU1
interface Loopback1
 ipv6 address 2001:AA:1::1/64
!
ipv6 route 2001:AA:2::/64 2002:A00:202::
ipv6 route 2001:AA:3::/64 2002:A00:302::

!!! IOU2
interface Loopback1
 ipv6 address 2001:AA:2::1/64
!
ipv6 route 2001:AA:1::/64 2002:A00:102::
ipv6 route 2001:AA:3::/64 2002:A00:302::

!!! IOU3
interface Loopback1
 ipv6 address 2001:AA:3::1/64
!
ipv6 route 2001:AA:1::/64 2002:A00:102::
ipv6 route 2001:AA:2::/64 2002:A00:202::
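An added example, not from the original article: it derives the static routes each site needs from a site table and compares them with a router's configured ipv6 route lines, so a next hop that decodes to the wrong IPv4 gateway stands out. The function names and the sample configuration are constructed; the site table uses the lab values above.

```python
import ipaddress

# Lab values from this page: router -> (gateway IPv4, global IPv6 prefix).
SITES = {
    "IOU1": ("10.0.1.2", "2001:AA:1::/64"),
    "IOU2": ("10.0.2.2", "2001:AA:2::/64"),
    "IOU3": ("10.0.3.2", "2001:AA:3::/64"),
}

def six_to_four(gateway_v4):
    """6to4 next-hop address 2002:<IPv4 in hex>:: for a site gateway."""
    v4 = int(ipaddress.IPv4Address(gateway_v4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))

def expected_routes(router, sites):
    """(prefix, next hop) pairs the router needs: one per remote site."""
    return {(ipaddress.ip_network(prefix), six_to_four(gw))
            for name, (gw, prefix) in sites.items() if name != router}

def parse_routes(config_text):
    """Read 'ipv6 route <prefix> <next-hop address>' lines from a config."""
    found = set()
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ipv6", "route"]:
            try:
                found.add((ipaddress.ip_network(parts[2]),
                           ipaddress.ip_address(parts[3])))
            except ValueError:
                pass  # next hop is an interface (e.g. Tunnel0), not an address
    return found

def audit(router, config_text, sites):
    """Compare configured static routes with the ones the site table implies."""
    want, have = expected_routes(router, sites), parse_routes(config_text)
    fmt = lambda pairs: sorted("{} via {}".format(p, nh) for p, nh in pairs)
    return {"missing": fmt(want - have), "unexpected": fmt(have - want)}

# Constructed sample: IOU1 config where the Site 3 route points at Site 2.
SAMPLE_IOU1 = """\
ipv6 route 2002::/16 Tunnel0
ipv6 route 2001:AA:2::/64 2002:A00:202::
ipv6 route 2001:AA:3::/64 2002:A00:202::
"""

if __name__ == "__main__":
    print(audit("IOU1", SAMPLE_IOU1, SITES))
    total = sum(len(expected_routes(r, SITES)) for r in SITES)
    print("static routes across all sites:", total)
```

With n sites the table implies n * (n - 1) static routes in total, which is the scaling limit the text mentions.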
To verify connectivity, we perform a ping between the global addresses of the sites. This ensures that the 6to4 tunnel can successfully facilitate communication between globally routable IPv6 addresses.
IOU1#ping 2001:AA:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AA:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

IOU1#ping 2001:AA:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AA:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms