Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Build an IPsec tunnel between 2 IPv6 locations @netscreen ???

Started by laubi, November 16, 2010, 08:19:40 AM


laubi

Hello,

I'm confused .... ??? ...

and sorry for my bad English

Here my Setup

NS-Home = NetScreen 5GT @home with tunnel to he.net
NS-RZ = NetScreen 5GT @datacenter with native IPv6

my client <- ipv4+ipv6 -> NS-Home    <-internet->   NS-RZ    < - ipv4+ipv6 -> my server

What I would like is a VPN connection between the NetScreens (over IPv6 addresses).

Here are my current configs:

@home
tunnel to he.net:
-> works fine
set interface "tunnel.6" zone "Untrust"
set interface "tunnel.6" ipv6 mode "host"
set interface "tunnel.6" ipv6 ip 2001:470:****:****::2/64
set interface "tunnel.6" ipv6 enable
set interface tunnel.6 tunnel encap ip6in4 manual
set interface tunnel.6 tunnel local-if untrust dst-ip 216.66.80.30
unset interface tunnel.6 ipv6 nd nud
set interface tunnel.6 ipv6 nd dad-count 0
set route ::/0 interface tunnel.6 gateway ::
set interface "untrust" ipv6 ip 2001:470:****:****::1/64

I can ping the IPv6 address of my RZ NetScreen with "ping 2001:xxx:xxx:xxxx:xxx:x from untrust"
I can ping the IPv6 address of my home NetScreen with "ping 2001:xxx:xxx:xxxx:xxx:x from untrust" (on the RZ NetScreen)


Now I build my tunnel between the NetScreens:


set interface tunnel.9 zone "Work"
set interface tunnel.9 ip unnumbered interface ethernet1
set interface tunnel.9 ipv6 mode "host"
set interface tunnel.9 ipv6 nd nud
set interface tunnel.9 ipv6 nd dad-count 0
set interface tunnel.9 ipv6 enable

set flow reverse-route tunnel always

set vpn "VPN_v6" gateway "GW_v6" replay tunnel idletime 0 sec-level standard
set vpn "VPN_v6" bind interface tunnel.9

set ike gateway "GW_v6" address 2001:470:****:****::1 Main outgoing-interface "ethernet3" local-address 2001:***:*:*::*** preshare "******************" sec-level standard
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection


Likewise on the other NetScreen ...

When I route an IPv4 network into this tunnel, I can see that it works ....


>>> IKE 2001:xxx:3:5::11b Phase 2 msg ID 90616eb7: Completed negotiations with SPI 08faee63, tunnel ID 3, and lifetime 3600 seconds/0 KB.


On both devices, after pinging the other device's local IPv4 address, I can see with

get sa stat

00000003< 2001:xxx:3:5:..       0           0       0            0
00000003> 2001:xxx:3:5:..       0           0       0          256

I can see that the Total Bytes in the second line goes higher with every ping, only on the source device and only in the second line ...

And the debug output says:

>>  tunnel route to 2001:xxx:3:5::xxx out ifp: untrust route id 37
>>  encapsulation fail
>>  encryption  tunnel 1 l2 is not ready.
>>  **** pak processing end.

Please, can I build an IPsec tunnel over the 6in4 tunnel, or is this a general problem?

Another tunnel between the official IPv4 IPs works fine; I wish to close this IPv4 tunnel.

Thanks

Laubi

jimb

Hrm.  I wasn't even aware the ScreenOS supported IPSEC ESP over IPv6.  Although IPSEC was designed for IPv6 and adapted to IPv4 from what I understand.

One thing I don't see are routes through the IPSEC tunnel interfaces.  Do you have routes in place to route the traffic from the respective networks through the tunnel interfaces?

If you can't get IPSEC over IPv6 to work natively, you could as you suggested implement a 6in4 tunnel over IPv4 IPSEC.  I'd presume you'd use two separate tunnel interfaces, one for the IPv4 IPSEC traffic, and the other for the 6in4 which will travel through the first.  I haven't tried that in ScreenOS though.

What version of ScreenOS BTW?

EDIT: Now that I think about it, it'd be better to do the 6in4 tunnel to work anyway, rather than do IPv6 IPSEC via an IPv4 6in4 tunnel to HE.

laubi

Hi and thanks for your answer:

Quote from: jimb on November 17, 2010, 06:19:48 PM
What version of ScreenOS BTW?
Both Devices
   Hardware:              Netscreen 5GT
   Firmware Version:  6.2.0r8.0 (Firewall+VPN)

Quote from: jimb on November 17, 2010, 06:19:48 PM
One thing I don't see are routes through the IPSEC tunnel interfaces.  Do you have routes in place route the traffic from the respective networks through the tunnel interfaces?

Sorry, it was not included in my post; yes, I have set a route on both devices:

netscreen-home:

set interface "loopback.1" zone "Trust"
set interface loopback.1 ip 172.19.20.1/24
set interface loopback.1 route
set interface loopback.1 ip manageable
set route 172.19.19.0/24 interface tunnel.9

netscreen-RZ:

set interface "loopback.1" zone "Work"
set interface loopback.1 ip 172.19.19.1/24
set interface loopback.1 route
set interface loopback.1 ip manageable
set route 172.19.20.0/24 interface tunnel.9


example ping from RZ to Home:

  nordtor-> get sa stat | i 2001:
  00000005< 2001:470:1f0b..       0           0       0            0
  00000005> 2001:470:1f0b..       0           0       0         1280
  nordtor-> ping 172.19.20.1 from loopback.1
  Type escape sequence to abort
 
  Sending 5, 100-byte ICMP Echos to 172.19.20.1, timeout is 1 seconds from loopback.1
  .....
  Success Rate is 0 percent (0/5)
  nordtor-> get sa stat | i 2001:           
  00000005< 2001:470:1f0b..       0           0       0            0
  00000005> 2001:470:1f0b..       0           0       0         1920
  nordtor->


example ping from home to RZ:

  suedtor-> get sa stat | i 2001:
  00000003< 2001:780:3:5:..       0           0       0            0
  00000003> 2001:780:3:5:..       0           0       0         1408
  suedtor-> ping 172.19.19.1 from loopback.1
  Type escape sequence to abort

  Sending 5, 100-byte ICMP Echos to 172.19.19.1, timeout is 1 seconds from loopback.1
  .....
  Success Rate is 0 percent (0/5)
  suedtor-> get sa stat | i 2001:           
  00000003< 2001:780:3:5:..       0           0       0            0
  00000003> 2001:780:3:5:..       0           0       0         2048
  suedtor->


Then I move the routing to my old working IPv4 tunnel:

nordtor-> unset route 172.19.20.0/24
total routes deleted = 1
nordtor-> set route 172.19.20.0/24 interface tunnel.1

suedtor-> unset route 172.19.19.0/24
total routes deleted = 1
suedtor-> set route 172.19.19.0/24 interface tunnel.1


ping works fine:

suedtor-> ping 172.19.19.1 from loopback.1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 172.19.19.1, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=19/21/29 ms
suedtor->


nordtor-> ping 172.19.20.1 from loopback.1           
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 172.19.20.1, timeout is 1 seconds from loopback.1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=19/20/23 ms
nordtor->


The only thing I see is that on both devices I have only outgoing packets, no incoming packets:

incoming: SPI 8b354b3c, flag 00004000, tunnel info 40000005, pipeline
  life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 472 seconds
  next pak sequence number: 0x0
  bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI 08faee9a, flag 00000000, tunnel info 40000005, pipeline
  life 3600 sec, 3128 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 381 seconds
  next pak sequence number: 0x5
  bytes/paks:1920/15; sw bytes/paks:1920/15
nordtor->   


Thanks for any help.
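As an added diagnostic (not from the thread, and not a Juniper or ScreenOS tool), a small Python script that does what the posts above do by eye: it compares two `get sa stat` snapshots taken before and after a ping and flags any SA whose outbound (`>`) counter grew while the inbound (`<`) half stayed at zero, which is the one-way symptom shown here. It assumes the last column of `get sa stat` is the Total Bytes counter the post refers to; the sample lines are constructed to match the shape of the output above.

```python
import re

# Constructed sample in the shape of ScreenOS "get sa stat | i 2001:" output.
# Assumption: the trailing column is the "Total Bytes" counter the post refers to.
BEFORE = """\
00000005< 2001:470:1f0b..       0           0       0            0
00000005> 2001:470:1f0b..       0           0       0         1280
"""
AFTER = """\
00000005< 2001:470:1f0b..       0           0       0            0
00000005> 2001:470:1f0b..       0           0       0         1920
"""

# "00000005<" = SA id 5, inbound half ("<") or outbound half (">");
# then the (truncated) peer gateway, some counters, and last of all total bytes.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})([<>])\s+(\S+)\s+(?:\d+\s+)*(\d+)\s*$")


def parse_sa_stat(text):
    """Return {(sa_id, direction): total_bytes} for every SA half in the output."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[(m.group(1).lower(), m.group(2))] = int(m.group(4))
    return stats


def byte_deltas(before, after):
    """Bytes added to each SA half between the two snapshots."""
    return {key: after[key] - before.get(key, 0) for key in after}


def one_way_sas(before, after):
    """SA ids whose outbound counter grew while the inbound counter is still zero.

    That is the symptom in the thread: the local device encrypts and sends ESP,
    but nothing ever arrives back through the inbound half of the SA.
    """
    flagged = set()
    for (sa_id, direction), delta in byte_deltas(before, after).items():
        if direction == ">" and delta > 0 and after.get((sa_id, "<"), 0) == 0:
            flagged.add(sa_id)
    return sorted(flagged)


if __name__ == "__main__":
    b, a = parse_sa_stat(BEFORE), parse_sa_stat(AFTER)
    print(byte_deltas(b, a))   # {('00000005', '<'): 0, ('00000005', '>'): 640}
    print(one_way_sas(b, a))   # ['00000005']
```

A healthy tunnel shows both halves of the SA growing; when only the outbound half moves, the problem is on the return path (routing or encapsulation on the far side), not in the IKE negotiation, which completed fine in the log above.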


jimb

Yes but those are IPv4 routes.  IIRC, w/ a netscreen VPN using a tunnel interface, you set up the GW host object, declare the tunnel, then route traffic through the tunnel interfaces.  If you want IPv6 traffic to transit that tunnel, you need to route IPv6 networks through them.

Unless I'm mistaken and you're using an IPv6 IPSEC ESP tunnel to carry IPv4 traffic??

Anyway, as I said earlier, it'd probably be better to use 6in4 through IPSEC anyway if what you're trying to do is connect home and work IPv6 nets.