F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

401

402

403

404

405

406

407

408

409

410

393

address of the packet. If not, the AFT translates the source IPv6 address into an IPv4 address based

on the 6to4 AFT policy.

3. Translates the destination IP address. The AFT extracts the embedded IPv4 address from the

destination IPv6 address based on the length of the DNS64 prefix and uses the IPv4 address as the

translated destination IPv4 address.

4. Forwards the packet and records the mapping. The AFT performs protocol translation such as

changing the IPv6 header to the IPv4 header, forwards the packet, and records the IPv4-IPv6

mappings.

5. Translates and forwards the response packet. Upon receiving a response from the IPv4 host, the

AFT replaces the IPv4 addresses in the packet header with IPv6 addresses based on the recorded

address mappings and forwards the packet to the IPv6 host.

To view the address mappings, use the display session table command. For more information about this

command, see Security Configuration Guide.

587BCommunication initiated by an IPv4 host

1017HFigure 301 shows the AFT process when communication is initiated by an IPv4 host.

Figure 301 Communication initiated by an IPv4 host

AFT operates as follows:

1. Determines whether address translation is needed. If the destination IPv4 address of the packet

matches the configured AFT policy for 4to6 destination address translation, address translation is

needed.

2. Translates the source IP address. If the packet matches the AFT policy for 4to6 source address

translation, the AFT adds the DNS64 prefix referenced by the policy to the address to translate it

into an IPv6 address. If not, the AFT adds the first configured DNS64 prefix to the address to

translate it into an IPv6 address.

3. Translates the destination address. If the destination IPv4 address of the packet matches the AFT

policy for 4to6 destination address translation, the AFT adds the IVI prefix referenced by the 4to6

AFT policy to the IPv4 destination address to translate it into an IPv6 address.

IPv6

host IPv4 host

AFT

Dst : 2000:0: 101: 101::

Src : 3000:0:FF02:

202

200

IPv6 addr: 3000:0:FF02:202:200::

Embedded IPv4 addr: 2.2.2.2

IPv4 addr: 1.1.1.1

Translated IPv6 addr: 2000:0:101:101::

DNS64 prefix: 2000::/32

IVI prefix: 3000::/32

Dst : 1.1.1.1

Src : 2.2.2.2

Dst: 2.2.2.2

Src: 1.1.1.1 1

Dst : 3000:0: FF02: 202: 200::

Src : 2000: 0: 101: 101::

Translates addresses based

on v4tov6 AFT policy

Translates addresses based

on the recorded mappings