Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: crobin on December 31, 2011, 02:30:53 AM

Title: 6in4 tunnel with ns25
Post by: crobin on December 31, 2011, 02:30:53 AM
Hi Folks,

Need some help getting this one working again. I had it working earlier, but now cannot reproduce it.

ns25 on 5.4.0r19.0 in NAT/route mode

ethernet1 is the 'trust' interface -- lan switches
ethernet3 is the 'Untrust' interface -- cable modem

set interface "ethernet1" ipv6 mode "host"
set interface "ethernet1" ipv6 ip 2001:X:X:X::2/64
set interface "ethernet1" ipv6 enable
unset interface ethernet1 ipv6 nd nud
set interface ethernet1 ipv6 nd dad-count 0

set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet3
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet3 dst-ip X.X.X.X
set interface tunnel.1 mtu 1480
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0

set policy id 13 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" permit
set policy id 12 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit traffic priority 0

set route ::/0 interface tunnel.1 gateway 2001:X:X:X::1

The 'automatic' ipv6 configuration for OSX used to work on the lan, now nothing.
Title: Re: 6in4 tunnel with ns25
Post by: cholzhauer on December 31, 2011, 06:12:32 AM
Removing the X's in your IP addresses will help us help you.
Title: Re: 6in4 tunnel with ns25
Post by: crobin on December 31, 2011, 02:47:38 PM
set interface "ethernet1" ipv6 ip 2001:470:1f04:87::2/64

set interface tunnel.1 tunnel local-if ethernet3 dst-ip 72.52.104.74

set route ::/0 interface tunnel.1 gateway 2001:470:1f04:87::1


I vaguely remember the ipv6 address was on the LAN interface, so clients can talk directly through the tunnel, but I can't remember what the unnumbered config was set to.

I also remember the Untrust interface, ethernet3, had an MTU of 1498, which had adverse effects on ipv4 traffic: it would stall. However, the ipv6 tunnel was working.
Title: Re: 6in4 tunnel with ns25
Post by: maestroevolution on January 09, 2012, 12:24:15 PM
My ScreenOS is rusty, but IIRC, it's easier to use the /64 tunnel network on the tunnel, and the /64 assigned network on ethernet1.

Also, I don't think that 'set ipv6 mode host' is correct on the tunnel interface; I think that needs to be set on a routed port.

My old 5GT (5XT) is in a box somewhere and had a working config on it.  I can dig it out if needed.

Also IIRC, the IPv6 guide for ScreenOS was pretty good.  After setting a variable, rebooting, and a few cryptic commands, everything else was just like IPv4 in ScreenOS: address book entries, policies written from zone to zone, etc.

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_Routing.pdf

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_Dual_Stack_IPv6.pdf

Regards,

Joel
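
The address placement discussed in this thread (tunnel /64 on tunnel.1, routed /64 on ethernet1) can be checked mechanically against a saved config. This is an added example, not part of any post above; the `audit` function is hypothetical, 2001:db8:1::/64 is a documentation prefix standing in for the routed /64 that the thread never states, and only the `set` line shapes quoted in the thread are parsed.

```python
import ipaddress
import re

# Constructed sample: the relevant lines as posted by crobin (second post's addresses).
POSTED = """
set interface "ethernet1" ipv6 mode "host"
set interface "ethernet1" ipv6 ip 2001:470:1f04:87::2/64
set interface "tunnel.1" ipv6 mode "host"
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet3 dst-ip 72.52.104.74
set route ::/0 interface tunnel.1 gateway 2001:470:1f04:87::1
"""
# Constructed variant: only the address placement changes (placeholder routed /64).
FIXED = POSTED.replace("ipv6 ip 2001:470:1f04:87::2/64", "ipv6 ip 2001:db8:1::1/64") \
    + "set interface tunnel.1 ipv6 ip 2001:470:1f04:87::2/64\n"

IF_IP = re.compile(r'^set interface "?([\w.]+)"? ipv6 ip (\S+)$')
ENCAP = re.compile(r'^set interface "?([\w.]+)"? tunnel encap ip6in4\b')
ROUTE = re.compile(r'^set route (\S+) interface "?([\w.]+)"? gateway (\S+)$')

def audit(config):
    """Report 6in4 tunnels without an IPv6 address and routes whose
    gateway is on-link to an interface other than the route's egress."""
    addrs, tunnels, routes = {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := IF_IP.match(line):
            addrs.setdefault(m[1], []).append(ipaddress.ip_interface(m[2]))
        elif m := ENCAP.match(line):
            tunnels.add(m[1])
        elif m := ROUTE.match(line):
            routes.append((m[1], m[2], ipaddress.ip_address(m[3])))
    findings = []
    for name in sorted(tunnels):
        if name not in addrs:
            findings.append(f"{name}: ip6in4 tunnel has no IPv6 address")
    for prefix, egress, gw in routes:
        for ifname, ifaddrs in addrs.items():
            # Membership test is False for mixed IPv4/IPv6, so no version check needed.
            if ifname != egress and any(gw in a.network for a in ifaddrs):
                findings.append(
                    f"route {prefix}: gateway {gw} is on-link to {ifname}, not {egress}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("variant", FIXED)):
        print(label, audit(cfg) or "no findings")
```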