Hrm. I wasn't even aware that ScreenOS supported IPSEC ESP over IPv6. Although IPSEC was designed for IPv6 and adapted to IPv4, from what I understand.
One thing I don't see are routes through the IPSEC tunnel interfaces. Do you have routes in place to route the traffic from the respective networks through the tunnel interfaces?
If you can't get IPSEC over IPv6 to work natively, you could, as you suggested, implement a 6in4 tunnel over IPv4 IPSEC. I'd presume you'd use two separate tunnel interfaces, one for the IPv4 IPSEC traffic, and the other for the 6in4, which will travel through the first. I haven't tried that in ScreenOS though.
What version of ScreenOS BTW?
EDIT: Now that I think about it, it'd be better to get the 6in4 tunnel to work anyway, rather than do IPv6 IPSEC via an IPv4 6in4 tunnel to HE.
Hi and thanks for your answer:
Quote from: jimb on November 17, 2010, 06:19:48 PM
What version of ScreenOS BTW?
Both devices:
Hardware: Netscreen 5GT
Firmware Version: 6.2.0r8.0 (Firewall+VPN)
Quote from: jimb on November 17, 2010, 06:19:48 PM
One thing I don't see are routes through the IPSEC tunnel interfaces. Do you have routes in place route the traffic from the respective networks through the tunnel interfaces?
Sorry, that was not included in my post. Yes, I have set a route on both devices:
netscreen-home:
set interface "loopback.1" zone "Trust"
set interface loopback.1 ip 172.19.20.1/24
set interface loopback.1 route
set interface loopback.1 ip manageable
set route 172.19.19.0/24 interface tunnel.9
netscreen-RZ:
set interface "loopback.1" zone "Work"
set interface loopback.1 ip 172.19.19.1/24
set interface loopback.1 route
set interface loopback.1 ip manageable
set route 172.19.20.0/24 interface tunnel.9
Example ping from RZ to Home:
nordtor-> get sa stat | i 2001:
00000005< 2001:470:1f0b.. 0 0 0 0
00000005> 2001:470:1f0b.. 0 0 0 1280
nordtor-> ping 172.19.20.1 from loopback.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.19.20.1, timeout is 1 seconds from loopback.1
.....
Success Rate is 0 percent (0/5)
nordtor-> get sa stat | i 2001:
00000005< 2001:470:1f0b.. 0 0 0 0
00000005> 2001:470:1f0b.. 0 0 0 1920
nordtor->
Example ping from Home to RZ:
suedtor-> get sa stat | i 2001:
00000003< 2001:780:3:5:.. 0 0 0 0
00000003> 2001:780:3:5:.. 0 0 0 1408
suedtor-> ping 172.19.19.1 from loopback.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.19.19.1, timeout is 1 seconds from loopback.1
.....
Success Rate is 0 percent (0/5)
suedtor-> get sa stat | i 2001:
00000003< 2001:780:3:5:.. 0 0 0 0
00000003> 2001:780:3:5:.. 0 0 0 2048
suedtor->
Then I move the routing to my old, working IPv4 tunnel:
nordtor-> unset route 172.19.20.0/24
total routes deleted = 1
nordtor-> set route 172.19.20.0/24 interface tunnel.1
suedtor-> unset route 172.19.19.0/24
total routes deleted = 1
suedtor-> set route 172.19.19.0/24 interface tunnel.1
Ping works fine:
suedtor-> ping 172.19.19.1 from loopback.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.19.19.1, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=19/21/29 ms
suedtor->
nordtor-> ping 172.19.20.1 from loopback.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.19.20.1, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=19/20/23 ms
nordtor->
The only thing I see is that on both devices I have only outgoing packets, no incoming packets:
incoming: SPI 8b354b3c, flag 00004000, tunnel info 40000005, pipeline
life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 472 seconds
next pak sequence number: 0x0
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI 08faee9a, flag 00000000, tunnel info 40000005, pipeline
life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 381 seconds
next pak sequence number: 0x5
bytes/paks:1920/15; sw bytes/paks:1920/15
nordtor->
Thanks for any help.
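The counters quoted above are the one hard fact in this post: on both firewalls the outbound SA moves (1280 → 1920 bytes, 15 packets) while the inbound SA stays at zero, which is exactly what a tunnel with a broken return path looks like from one end. The script below is an added example, not something from the thread or from Juniper; it parses the two kinds of ScreenOS output shown (the `get sa stat` one-liners and the per-SA detail block) and classifies each SA as idle, one-way or bidirectional. The sample text is constructed from the lines quoted in the post; the assumptions are that the right-most `get sa stat` column is the byte counter (it is the only one that changes between the two snapshots) and that `>` marks the outbound and `<` the inbound SA.

```python
import re

# Constructed sample, modelled on the `get sa stat | i 2001:` output quoted in the thread:
# SA id, direction marker, truncated peer address, four counters.
SA_STAT_BEFORE = """\
00000005< 2001:470:1f0b.. 0 0 0 0
00000005> 2001:470:1f0b.. 0 0 0 1280
"""
SA_STAT_AFTER = """\
00000005< 2001:470:1f0b.. 0 0 0 0
00000005> 2001:470:1f0b.. 0 0 0 1920
"""

# Constructed sample, modelled on the per-SA detail block quoted in the thread.
SA_DETAIL = """\
incoming: SPI 8b354b3c, flag 00004000, tunnel info 40000005, pipeline
life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 472 seconds
next pak sequence number: 0x0
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI 08faee9a, flag 00000000, tunnel info 40000005, pipeline
life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 381 seconds
next pak sequence number: 0x5
bytes/paks:1920/15; sw bytes/paks:1920/15
"""

STAT_LINE = re.compile(r"^([0-9a-fA-F]+)([<>])\s+(\S+)\s+((?:\d+\s*)+)$")
DIRECTION_LINE = re.compile(r"^(incoming|outgoing): SPI ([0-9a-fA-F]+)")
COUNTER_LINE = re.compile(r"^bytes/paks:(\d+)/(\d+)")
SEQ_LINE = re.compile(r"^next pak sequence number: 0x([0-9a-fA-F]+)")


def parse_sa_stat(text):
    """Map (sa_id, direction marker) -> right-most counter.

    Assumption: the right-most column is the byte counter; it is the only
    column that moves between the two snapshots in the thread.
    """
    result = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if not m:
            continue
        sa_id, direction, _peer, counters = m.groups()
        result[(sa_id, direction)] = int(counters.split()[-1])
    return result


def parse_sa_detail(text):
    """Extract SPI, byte/packet counters and next ESP sequence number per direction."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DIRECTION_LINE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"spi": m.group(2), "bytes": 0, "paks": 0, "next_seq": 0}
            continue
        if current is None:
            continue
        m = COUNTER_LINE.match(line)
        if m:
            result[current]["bytes"], result[current]["paks"] = int(m.group(1)), int(m.group(2))
            continue
        m = SEQ_LINE.match(line)
        if m:
            result[current]["next_seq"] = int(m.group(1), 16)
    return result


def classify(out_count, in_count):
    """Idle / one-way / bidirectional from two non-negative activity counts."""
    if out_count > 0 and in_count == 0:
        return "one_way_outbound"   # we encrypt and send; nothing ever comes back on this SA
    if out_count == 0 and in_count > 0:
        return "one_way_inbound"    # peer reaches us, but our replies never leave over this SA
    if out_count == 0 and in_count == 0:
        return "idle"
    return "bidirectional"


def diagnose_direction(before, after, sa_id):
    """Classify one SA from two `get sa stat` snapshots (assumes '>' = outbound, '<' = inbound)."""
    out_delta = after.get((sa_id, ">"), 0) - before.get((sa_id, ">"), 0)
    in_delta = after.get((sa_id, "<"), 0) - before.get((sa_id, "<"), 0)
    return classify(out_delta, in_delta)


def diagnose_detail(detail):
    """Same classification from a single per-SA detail block, using packet counts."""
    return classify(detail["outgoing"]["paks"], detail["incoming"]["paks"])


if __name__ == "__main__":
    before, after = parse_sa_stat(SA_STAT_BEFORE), parse_sa_stat(SA_STAT_AFTER)
    print("stat snapshots:", diagnose_direction(before, after, "00000005"))
    detail = parse_sa_detail(SA_DETAIL)
    print("detail block:  ", diagnose_detail(detail), detail)
```

Running it against the quoted output yields `one_way_outbound` from both views: 640 bytes for 5 pings is 128 bytes per ESP packet, the outbound sequence number has advanced to 0x5, and the inbound SPI has never seen a packet. When both ends report the same picture, as they do here, the encrypted packets are leaving each firewall but the peer is not delivering the decrypted traffic back into the tunnel, so the thing to look at is how traffic is routed into the tunnel interface on each side rather than the SA negotiation itself.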
Yes, but those are IPv4 routes. IIRC, w/ a netscreen VPN using a tunnel interface, you set up the GW host object, declare the tunnel, then route traffic through the tunnel interfaces. If you want IPv6 traffic to transit that tunnel, you need to route IPv6 networks through them.
Unless I'm mistaken and you're using an IPv6 IPSEC ESP tunnel to carry IPv4 traffic??
Anyway, as I said earlier, it'd probably be better to use 6in4 through IPSEC anyway if what you're trying to do is connect home and work IPv6 nets.