Configuring Juniper NetScreen

Started by kevinstevens, August 27, 2008, 01:40:26 PM

kevinstevens

I'm struggling a bit with my Juniper NetScreen (ScreenOS, not JunOS), because there doesn't seem to be an option to set up an UN-encrypted tunnel for 6-over-4...

KeS

Goofball

#1
Quote from: kevinstevens on August 27, 2008, 01:40:26 PM
I'm struggling a bit with my Juniper NetScreen (ScreenOS, not JunOS), because there doesn't seem to be an option to set up an UN-encrypted tunnel for 6-over-4...

KeS

I'm having the same issue here with an SSG5 running ScreenOS v6.1.0r3 (also tested r2) when using HE as the tunnel broker. I've tried everything I can think of to make the tunnel work with no success.

A "heartbeat" tunnel set up with SixXS using the same configuration in ScreenOS as the HE tunnel doesn't have the same issue. It comes right up and starts passing traffic as soon as the first heartbeat goes out from the software client.

NOTE: I have not tried a static tunnel or even set up a routed subnet with SixXS due to their ISK "currency" limits...

Relevant config from working SixXS tunnel:
! Turn on IPV6 (reboot required)
set envar ipv6=yes

! Set Up Untrusted Ethernet Interface with our side of IPv6 in v4 tunnel IPv6 address
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 ip 2001:1938:XXXX:XXXX::2/64
set interface "ethernet0/0" ipv6 enable

! Set Up Tunnel Interface (Interface tunnel.2 is used in my setup because of existing VPN tunnel on interface tunnel.1)
set interface tunnel.2 ip unnumbered interface ethernet0/0
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable
set interface tunnel.2 tunnel encap ip6in4 manual
set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66
set interface tunnel.2 mtu 1480

! Set default route for IPv6 traffic
set route ::/0 interface tunnel.2 gateway :: preference 20

! Set route to SixXS PoP IPv6 ip to use tunnel interface due to /64
! being configured on ethernet0/0 instead of unnumbered and non-addressable tunnel.2 interface
set route 2001:1938:XXXX:XXXX::1/128 interface tunnel.2 gateway :: preference 20

Everything with this setup comes up and I can ping IPv6 hosts from the SSG5 as expected.

Note - I tried to use the basic setup from http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall for both HE and SixXS (HE never worked with this either). This caused the SSG5 to lock up and restart about every 5 minutes. I am guessing it is because of the way the tunnel interface was set up as a numbered interface with no IPv4 address. Something in v6.1.0r3 does NOT like it. The current config I listed above seems to be stable so far.

Goofball

Side note: I am willing to clear out confidential and private portions of my config and set up remote access to my SSG5 for HE personnel who might want to test.

kevinstevens

#3
Interesting.  Let me play with your config a little - I'm on r3 as well.  I have a spare interface and access to a Juniper rep   8).

Thanks for the response!

KeS

comptech

#4
I hate to bring up a good and dead topic but...
I used Goofball's config example to setup my tunnel to HE when the other example I found here didn't work.
I have a Netscreen NS204 running 5.4.0r17.0 and it works great.

My config for those interested:

set interface "ethernet1" ipv6 mode "host"
set interface "ethernet1" ipv6 ip 2001:X:X:X::2/64
set interface "ethernet1" ipv6 enable
unset interface ethernet1 ipv6 nd nud
set interface ethernet1 ipv6 nd dad-count 0
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet1
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet1 dst-ip 209.X.X.X
set interface tunnel.1 mtu 1480
set interface tunnel.1 ipv6 nd nud
set route ::/0 interface tunnel.1 gateway :: preference 20
set route 2001:X:X:X::1/128 interface tunnel.1 gateway :: preference 20

nsm

My thanks go to Mr. comptech.
The config below is based on the configuration from Mr. comptech and the NetScreen IPv6 Reference Guide.pdf.


# Trust (LAN) interface
# set interface ethernet1 zone trust
# set interface ethernet1 ip 192.168.x.x/24
set interface "ethernet1" ipv6 mode router
set interface "ethernet1" ipv6 enable
set interface "ethernet1" ipv6 ip 2eee::1/64
set interface "ethernet1" ipv6 ra link-mtu
set interface "ethernet1" ipv6 ra link-address
set interface "ethernet1" ipv6 ra transmit

# Untrust (Internet) interface
# set interface "ethernet3" zone untrust
# set interface "ethernet3" ip 1.1.1.1/24
set interface "ethernet3" ipv6 mode "host"
set interface "ethernet3" ipv6 ip 2001:x:x:x::2/64
set interface "ethernet3" ipv6 enable
unset interface "ethernet3" ipv6 nd nud

# ipv6 tunnel interface
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.1" ip unnumbered interface ethernet3
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface "tunnel.1" tunnel encap ip6in4 manual
set interface "tunnel.1" tunnel local-if ethernet3 dst-ip 216.66.x.x
set interface "tunnel.1" mtu 1480
set interface "tunnel.1" ipv6 nd nud

# routing
set route ::/0 interface "tunnel.1" gateway :: preference 20
set route 2001:x:x:x::1/128 interface "tunnel.1" gateway :: preference 20

# policies
set address "Trust" "ipv6 Home LAN" 2eee::/64
set policy name "ipv6 access" from "Trust" to "Untrust" "ipv6 Home LAN" "Any-IPv6" "ANY" nat src permit log


That's just v0.01, but it works and looks safe.
Spent quite a bit of time troubleshooting why Windows 7 didn't pick up an IPv6 address when it was specified as set interface "ethernet1" ipv6 ip 2002:c0a8:fe::1/64. Still don't know why, so just don't use that address for the local IPv6 segment.

Sincerely,
Sergey
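
The configs posted by comptech and nsm above share one layout: an ip6in4 tunnel interface in the Untrust zone, unnumbered on the outside interface, a ::/0 route through it, an explicit /128 route for the tunnel server's address (the ::1 of the /64 that is otherwise configured on the outside interface), an MTU of 1480, and a single Trust-to-Untrust policy. The script below is an added example, not code from the thread or from Juniper: it parses ScreenOS `set` lines in that shape and reports anything that deviates from that layout, including an inbound permit from Untrust to Trust, which on an unencrypted protocol-41 tunnel would expose the LAN. The sample config is constructed with documentation address ranges (2001:db8::/32, 203.0.113.0/24) rather than real tunnel endpoints, and the checks are this example's own, not a ScreenOS feature.

```python
import ipaddress
import shlex

# Constructed sample in the layout of the configs posted above; addresses are
# documentation ranges (RFC 3849 / RFC 5737), not real tunnel endpoints.
SAMPLE_CONFIG = """
set interface "ethernet1" ipv6 mode router
set interface "ethernet1" ipv6 ip 2001:db8:1::1/64
set interface "ethernet1" ipv6 enable
set interface "ethernet3" ipv6 mode "host"
set interface "ethernet3" ipv6 ip 2001:db8:ffff:1::2/64
set interface "ethernet3" ipv6 enable
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.1" ip unnumbered interface ethernet3
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface "tunnel.1" tunnel encap ip6in4 manual
set interface "tunnel.1" tunnel local-if ethernet3 dst-ip 203.0.113.66
set interface "tunnel.1" mtu 1480
set route ::/0 interface "tunnel.1" gateway :: preference 20
set route 2001:db8:ffff:1::1/128 interface "tunnel.1" gateway :: preference 20
set address "Trust" "ipv6 Home LAN" 2001:db8:1::/64
set policy name "ipv6 access" from "Trust" to "Untrust" "ipv6 Home LAN" "Any-IPv6" "ANY" nat src permit log
"""

MAX_6IN4_MTU = 1480  # 1500 minus the 20-byte outer IPv4 header


def parse_config(text):
    """Collect interfaces, routes and policies from ScreenOS `set` lines."""
    ifaces, routes, policies = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        tok = shlex.split(line)  # drops the quotes ScreenOS prints around names
        if tok[:2] == ["set", "interface"]:
            entry = ifaces.setdefault(tok[2], {})
            rest = tok[3:]
            if rest[:3] == ["tunnel", "encap", "ip6in4"]:
                entry["encap"] = "ip6in4"
            elif rest[:2] == ["tunnel", "local-if"]:
                entry["local_if"] = rest[2]
                entry["dst_ip"] = rest[rest.index("dst-ip") + 1]
            elif rest[:1] == ["zone"]:
                entry["zone"] = rest[1]
            elif rest[:2] == ["ipv6", "ip"]:
                entry["ipv6"] = ipaddress.IPv6Interface(rest[2])
            elif rest[:1] == ["mtu"]:
                entry["mtu"] = int(rest[1])
        elif tok[:2] == ["set", "route"] and "interface" in tok:
            routes.append((ipaddress.ip_network(tok[2]), tok[tok.index("interface") + 1]))
        elif tok[:2] == ["set", "policy"]:
            to = tok.index("to")
            policies.append({"from": tok[tok.index("from") + 1], "to": tok[to + 1],
                             "src": tok[to + 2], "permit": "permit" in tok})
    return {"interfaces": ifaces, "routes": routes, "policies": policies}


def check_tunnel(cfg):
    """Return (tunnel name, findings); an empty findings list means the layout is sound."""
    tunnels = [n for n, i in cfg["interfaces"].items() if i.get("encap") == "ip6in4"]
    if not tunnels:
        return None, ["no ip6in4 tunnel interface configured"]
    name, tun, findings = tunnels[0], cfg["interfaces"][tunnels[0]], []
    if tun.get("zone") != "Untrust":
        findings.append(f"{name} is not bound to the Untrust zone")
    try:
        ipaddress.IPv4Address(tun.get("dst_ip", ""))
    except ValueError:
        findings.append(f"{name} has no valid IPv4 dst-ip (tunnel server)")
    if tun.get("mtu", 1500) > MAX_6IN4_MTU:
        findings.append(f"{name} mtu above {MAX_6IN4_MTU}: outer IPv4 packets would exceed 1500 bytes")
    local = cfg["interfaces"].get(tun.get("local_if"), {}).get("ipv6")
    if local is None:
        findings.append(f"local-if {tun.get('local_if')} carries no IPv6 address")
    if not any(net.prefixlen == 0 and via == name for net, via in cfg["routes"]):
        findings.append("no ::/0 default route via the tunnel")
    # The server end (::1) shares the /64 with local-if, so it needs an explicit /128
    # route through the tunnel; otherwise the box tries neighbour discovery on local-if.
    if local is not None and not any(
        net.prefixlen == 128 and via == name and net.network_address in local.network
        for net, via in cfg["routes"]
    ):
        findings.append("no /128 route for the tunnel server's IPv6 address via the tunnel")
    # Protocol-41 traffic is cleartext; an inbound permit would expose the LAN to the Internet.
    for pol in cfg["policies"]:
        if pol["from"] == "Untrust" and pol["to"] == "Trust" and pol["permit"]:
            findings.append(f"inbound permit from Untrust to Trust (src {pol['src']})")
    return name, findings


if __name__ == "__main__":
    tunnel, issues = check_tunnel(parse_config(SAMPLE_CONFIG))
    print(tunnel, issues or "OK")
```

Paste the output of `get config` (the `set interface`, `set route` and `set policy` lines are enough) in place of SAMPLE_CONFIG to run the same checks against a real box; the parser ignores comment lines and the unquoted form comptech used, since shlex strips the quotes either way.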