HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

101

102

103

104

105

106

107

108

109

110

Configuring a DS-Lite tunnel

The following matrix shows the feature and hardware compatibility:

Hardware Com

atibilit

F1000-A-EI/F1000-S-EI Yes

F1000-E Yes

F5000 Yes

F5000-S/F5000-C No

VPN firewall modules Yes

20-Gbps VPN firewall modules Yes

The following section describes the DS-Lite tunnel configuration on the CPE and on the AFTR.

Configuration prerequisites

Configure IPv6 addresses for interfaces (such as the VLAN interface, Ethernet interface, and loopback

interface). One of the interfaces is used as the source interface of the tunnel.

Configuring the CPE of a tunnel

You can configure the CPE of a DS-Lite tunnel or IPv4 over IPv6 manual tunnel:

• If you configure a DS-Lite tunnel on the CPE, the CPE automatically obtains the IPv6 address of the

AFTR through DHCPv6 and uses the address as the destination address of the tunnel.

• If you configure an IPv4 over IPv6 manual tunnel on the CPE, you must manually specify the address

of the AFTR as the destination address of the tunnel.

This section describes how to configure a DS-Lite tunnel on the CPE. For information about how to

configure an IPv4 over IPv6 manual tunnel on the CPE, see "Configuring an IPv4 over IPv6 manual

tunnel."

Follow thes

e guidelines when you configure the CPE of a DS-Lite tunnel:

• Tunnel interfaces using the same encapsulation protocol must have different source and destination

addresses.

• To encapsulate and forward IPv4 packets whose destination address does not belong to the subnet

where the receiving tunnel interface resides, configure a static route or dynamic routing for

forwarding those packets through this tunnel interface. If you configure a static route to that

destination IPv4 address, specify this tunnel interface as the outbound interface, or the peer tunnel

interface address as the next hop. A similar configuration is required at the other tunnel end. If you

configure dynamic routing at both ends, enable the dynamic routing protocol on both tunnel

interfaces. For more configurations about static routes or other routing protocols, see Network

Management Configuration Guide.

• If you configure a DS-Lite tunnel on the CPE, you can specify the source interface but not source

address for the tunnel interface. The primary IP address of the source interface is the source address

of the tunnel. After you configure the source interface for the tunnel, the CPE automatically obtains