Hurricane Electric's IPv6 Tunnel Broker Forums

  Show Posts
1  General IPv6 Topics / IPv6 on Routing Platforms / Re: Net help with a complete IPV6 setup on Cisco on: May 21, 2010, 11:14:02 am
All you should need to make it work on the 1812 is the following for either RA or DHCPv6:

DHCPv6 autoconf + DNS
=====================

(global configuration)
ipv6 unicast-routing
ipv6 dhcp pool v6pool
 address prefix 2001:470:.....::/64  (can take this from the routed /64 or /48 that HE gives you)
 dns-server 2001:470:20::2    (HE v6 DNS server)
ipv6 route ::/0 Tunnel0

(inside interface configuration)
interface X
 ipv6 address 2001:470:......::1/64  (address from same subnet as in dhcp pool above)
 ipv6 enable
 ipv6 nd ra suppress
 ipv6 dhcp server v6pool


RA, no DNS
============

(global configuration)
ipv6 unicast-routing
ipv6 route ::/0 Tunnel0

(inside interface configuration)
interface X
 ipv6 address 2001:470:......::1/64  (can take this from the routed /64 or /48 that HE gives you)
 ipv6 enable
2  General IPv6 Topics / IPv6 on Routing Platforms / Re: Cisco IOS inspect filters on: April 19, 2010, 04:33:55 am
Hrm. Well, it shouldn't be generating those log entries then.

I was saying that I didn't include the permit for echo requests when I originally posted this thread, and it sounded like lobotiger used that ACL. So lobotiger still may not have a permit for echo requests, and those log entries may be valid.
3  General IPv6 Topics / IPv6 on Routing Platforms / Re: Cisco IOS inspect filters on: April 18, 2010, 09:43:38 am
Yes, I originally had left out a permit for echo requests and added it after I had posted the original ACL above.
4  General IPv6 Topics / IPv6 on Routing Platforms / Re: Cisco IOS inspect filters on: April 14, 2010, 11:48:23 am
No, it doesn't appear that any types of wildcard masks are available. Only prefix/length.

These are the only options available for doing a permit in an ipv6 ACL:

router(config-ipv6-acl)#permit ipv6 ?
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  any                 Any source prefix
  host                A single source host
5  General IPv6 Topics / IPv6 on Routing Platforms / Re: Cisco IOS inspect filters on: April 12, 2010, 04:59:13 pm
Quote:
I am seeing some denies in the logs for icmpv6 though. You think these are normal?

I guess it depends what type of icmpv6 it is that is being denied. Can you post an example?
6  Tunnelbroker.net Specific Topics / Questions & Answers / Re: /64 rnds help on: March 14, 2010, 05:20:39 pm
Also in your named.conf try referencing your zone as:

zone "f.0.1.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/ipv6-reverse.db"; };
7  Tunnelbroker.net Specific Topics / Questions & Answers / Re: /64 rnds help on: March 14, 2010, 05:13:51 pm
Try changing your $ORIGIN line to:

$ORIGIN f.0.1.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.

And adjust your PTR entries to include the trailing zeroes.

ie.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  PTR     ipv6.whipcream.net.
8  Tunnelbroker.net Specific Topics / Questions & Answers / Re: /64 rnds help on: March 14, 2010, 05:06:49 pm
Try taking out / commenting out the first line:
  $ORIGIN f.0.1.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.

Try replacing your SOA line with:
@   IN SOA f.0.1.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ns1.whipcream.net. admin.whipcream.net. (
9  Tunnelbroker.net Specific Topics / Questions & Answers / Re: /64 rnds help on: March 14, 2010, 04:45:44 pm
Did you verify that the reverse zone loaded correctly? Could be a hint as to what is wrong in the log if it didn't load correctly.
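The four replies above all come down to the same arithmetic: for a /64, the ip6.arpa zone name is the first 16 nibbles of the prefix in reverse order, and every PTR owner name inside it must spell out all 16 host nibbles, including the zeros that `::1` hides. The script below is an added example (not from the thread) that derives both from a prefix and an address with Python's standard `ipaddress` module, cross-checks the result against the library's own `reverse_pointer`, and renders a minimal BIND-style zone body. The prefix `2001:470:1f07:10f::/64` and the host names are taken from the thread; the serial number and mailbox are made up for the example.

```python
import ipaddress


def reverse_zone(prefix: str) -> str:
    """Return the ip6.arpa zone name (with trailing dot) covering `prefix`.

    Each ip6.arpa label is one hex digit, so the zone cut must fall on a
    4-bit boundary (/48, /52, ..., /64).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} does not fall on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa."


def ptr_owner(addr: str, prefix: str) -> str:
    """Return the PTR owner name of `addr` relative to reverse_zone(prefix).

    All host nibbles are emitted; a /64 always yields 16 labels, so the
    zeros a compressed address omits are restored here.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    nibbles = ip.exploded.replace(":", "")
    host = nibbles[net.prefixlen // 4 :]
    return ".".join(reversed(host))


def fqdn(addr: str, prefix: str) -> str:
    """Absolute reverse name: relative owner joined to the zone origin."""
    return ptr_owner(addr, prefix) + "." + reverse_zone(prefix)


def matches_stdlib(addr: str, prefix: str) -> bool:
    """Cross-check: our name must equal the stdlib's full reverse pointer."""
    return fqdn(addr, prefix) == ipaddress.IPv6Address(addr).reverse_pointer + "."


def zone_body(prefix: str, hosts: dict, ns: str, mailbox: str, serial: int) -> str:
    """Render a minimal master-file body for the reverse zone of `prefix`.

    `hosts` maps address -> hostname. Names end in a dot so $ORIGIN is not
    appended to them; the PTR owners are relative and do get the origin.
    """
    origin = reverse_zone(prefix)
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 3600",
        f"@ IN SOA {ns} {mailbox} ( {serial} 7200 3600 1209600 3600 )",
        f"@ IN NS {ns}",
    ]
    for addr, name in hosts.items():
        lines.append(f"{ptr_owner(addr, prefix)} IN PTR {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    PREFIX = "2001:470:1f07:10f::/64"          # routed /64 from the thread
    print(reverse_zone(PREFIX))
    print(ptr_owner("2001:470:1f07:10f::1", PREFIX))
    print(zone_body(PREFIX, {"2001:470:1f07:10f::1": "ipv6.whipcream.net."},
                    ns="ns1.whipcream.net.", mailbox="admin.whipcream.net.",
                    serial=2010031401))                 # serial is constructed
```

Running it prints `f.0.1.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.` for the zone and a 16-label owner name for `::1`; a 15-label owner, as easily happens when typing the zeros by hand, would never be queried and the reverse lookup silently fails.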
10  General IPv6 Topics / IPv6 on Routing Platforms / Re: DHCPv6 on: March 13, 2010, 12:30:32 pm
I just compiled the stable version of ISC DHCP 4.1.1. It looks like the dhcpd daemon handles both v4 and v6 DHCP but needs to be given a command line switch, [-4|-6], for which version to use. It appears to default to v4 and didn't like the DHCPv6 config until the -6 option was given. So it looks like you would have to run separate instances of the dhcpd daemon for v4 and v6.
11  General IPv6 Topics / IPv6 on Routing Platforms / Cisco IOS inspect filters on: March 04, 2010, 08:54:56 pm
Some of the newer versions of IOS support stateful inspection filtering, and can also do it with IPv6. I'm running a Cisco 881 (IP advanced services) and IOS 12.4(24)T2. Just thought I would share this, as I thought it was important to secure my inside network and this device happened to do the job. To clarify, I am terminating a v6 tunnel on this device, and it is directly connected to my ISP with a v4 DHCP address on the outside.

First we deny traffic INBOUND on the tunnel interface, but allow some normal ICMP traffic before the deny:

Code:
ipv6 access-list INBOUND
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any echo-reply
 permit icmp any any hop-limit
 permit icmp any any time-exceeded
 deny ipv6 any any

To apply it to the tunnel0 interface we just do this:
Code:
interface Tunnel0
 ipv6 traffic-filter INBOUND in

Now we define the types of traffic we want to create stateful inspections for:
Code:
ipv6 inspect name ipv6-out icmp
ipv6 inspect name ipv6-out tcp
ipv6 inspect name ipv6-out udp
ipv6 inspect name ipv6-out ftp

And we apply it to the inside interface where the traffic will be heading out towards the tunnel:
Code:
interface Vlan1
 ipv6 inspect ipv6-out in

Now only the ICMPv6 traffic permitted by the first ACL is allowed in, plus return traffic through the tunnel for sessions that were inspected on the way out.

To verify the stateful sessions, you can do the following:
Code:
show ipv6 inspect sessions
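Before putting an ICMPv6 filter like the INBOUND list above on a tunnel, it is worth tracing a handful of message types through it the way the router will (first match wins, then the deny). The script below is an added example, not code from the post, that does exactly that for the ACL as written. It models only the `icmp` keyword matches and the final `deny ipv6 any any`; port-level matching for tcp/udp is out of scope. The keyword-to-type table is my assumption of how the IOS names map onto RFC 4443 type numbers, and the audit list is drawn from RFC 4890's set of ICMPv6 messages a firewall should let through. Two things it shows that the post does not spell out: `echo-request` is denied (the later replies in this thread say that permit was added afterwards), and `packet-too-big` (type 2) is denied, which will break Path MTU Discovery for anything behind the tunnel.

```python
# Constructed input: the INBOUND access list exactly as posted above.
ACL_TEXT = """
ipv6 access-list INBOUND
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any echo-reply
 permit icmp any any hop-limit
 permit icmp any any time-exceeded
 deny ipv6 any any
"""

# IOS ICMPv6 keyword -> (type, code); None means any code.
# Type/code numbers are RFC 4443; the keyword names are my reading of IOS.
ICMP_KEYWORDS = {
    "unreachable": (1, None),
    "packet-too-big": (2, None),
    "time-exceeded": (3, None),
    "hop-limit": (3, 0),
    "reassembly-timeout": (3, 1),
    "parameter-problem": (4, None),
    "echo-request": (128, None),
    "echo-reply": (129, None),
    "router-solicitation": (133, None),
    "router-advertisement": (134, None),
    "nd-ns": (135, None),
    "nd-na": (136, None),
}

# Messages RFC 4890 says a filter should not drop; keyed by IOS keyword.
RFC4890_SHOULD_PERMIT = ("unreachable", "packet-too-big", "hop-limit",
                         "parameter-problem", "echo-request", "echo-reply")


def parse_acl(text):
    """Turn 'permit icmp any any <keyword>' / 'deny ipv6 any any' lines into rules.

    Each rule is (action, protocol, icmp_match, original_line); icmp_match is
    a (type, code) tuple, or None when the entry matches every ICMPv6 message.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ipv6 access-list"):
            continue
        parts = line.split()
        action, proto = parts[0], parts[1]
        match = None
        if proto == "icmp" and len(parts) > 4:
            match = ICMP_KEYWORDS[parts[4]]
        rules.append((action, proto, match, line))
    return rules


def evaluate(rules, proto, icmp_type=None, icmp_code=0):
    """Return (action, matching_line) for a packet, first match wins.

    IOS appends an implicit permit for nd-na/nd-ns and an implicit deny to
    every IPv6 ACL, but an explicit 'deny ipv6 any any' precedes them, so
    only the visible entries matter here.
    """
    for action, rproto, match, line in rules:
        if rproto == "ipv6":                      # matches every IPv6 packet
            return action, line
        if rproto != proto:
            continue
        if proto == "icmp" and match is not None:
            want_type, want_code = match
            if icmp_type != want_type:
                continue
            if want_code is not None and icmp_code != want_code:
                continue
        return action, line
    return "deny", "implicit deny"


def audit(rules):
    """List RFC 4890 'should permit' messages that this ACL denies."""
    denied = []
    for keyword in RFC4890_SHOULD_PERMIT:
        t, c = ICMP_KEYWORDS[keyword]
        action, _ = evaluate(rules, "icmp", t, 0 if c is None else c)
        if action != "permit":
            denied.append(keyword)
    return denied


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for name in ("nd-na", "echo-reply", "echo-request", "packet-too-big"):
        t, c = ICMP_KEYWORDS[name]
        print(f"{name:16} -> {evaluate(rules, 'icmp', t, c or 0)[0]}")
    print("denied but recommended by RFC 4890:", audit(rules))
```

The audit output for the posted list names `unreachable`, `packet-too-big`, `parameter-problem` and `echo-request`. Of those, `packet-too-big` is the one that bites hardest on a tunnel, since the tunnel MTU is smaller than the outside link and inbound Packet Too Big messages are how hosts learn it.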