IPV6 tunnel through virtual routing instances on SRX

DSSJMS · July 05, 2013, 05:05:44 PM

HE tunnel with virtual-router on SRX not working any help please

Configuration that works related to IPV6 and tunnel

Real interface and ip tunnel none virtual route

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 70.88.135.217/28;
}
}
}
ip-0/0/0 {
unit 0 {
tunnel {
source 70.88.135.217;
destination 216.66.22.2;
}
family inet6 {
address 2001:470:7:9e7::2/64;
}
}
}

routing-optoins with out virtual route

routing-options {
rib inet6.0 {
static {
route ::/0 next-hop 2001:470:7:9e7::1;
}
}
static {
route 0.0.0.0/0 next-hop 70.88.135.222;
}
}

Security zones with out virtual route

security-zone IPV6-untrust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
ip-0/0/0.0;
}
}

results of ping to ipv4

root@gatekeeper# run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=42 time=29.841 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=42 time=34.638 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=42 time=45.059 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=42 time=29.123 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 29.123/34.665/45.059/6.364 ms

results of ping to ipv6 address

root@gatekeeper# run ping ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:7:9e7::2 --> 2607:f8b0:4004:802::1011
16 bytes from 2607:f8b0:4004:802::1011, icmp_seq=0 hlim=59 time=65.543 ms
16 bytes from 2607:f8b0:4004:802::1011, icmp_seq=1 hlim=59 time=66.740 ms
16 bytes from 2607:f8b0:4004:802::1011, icmp_seq=2 hlim=59 time=32.758 ms
16 bytes from 2607:f8b0:4004:802::1011, icmp_seq=3 hlim=59 time=30.691 ms
16 bytes from 2607:f8b0:4004:802::1011, icmp_seq=4 hlim=59 time=24.021 ms
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 24.021/43.951/66.740/18.351 ms

Route used in current setup

root@gatekeeper# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:15:04
> to 70.88.135.222 via ge-0/0/0.0
70.88.135.208/28 *[Direct/0] 00:15:04
> via ge-0/0/0.0
70.88.135.217/32 *[Local/0] 00:15:04
Local via ge-0/0/0.0

inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0 *[Static/5] 00:10:01
> to 2001:470:7:9e7::1 via ip-0/0/0.0
2001:470:7:9e7::/64*[Direct/0] 00:10:02
> via ip-0/0/0.0
2001:470:7:9e7::2/128
*[Local/0] 00:10:02
Local via ip-0/0/0.0
fe80::/64 *[Direct/0] 00:10:02
> via ip-0/0/0.0
fe80::56e0:3200:64:ee00/128
*[Local/0] 00:10:02
Local via ip-0/0/0.0

root@gatekeeper# show
instance-type virtual-router;
interface ge-0/0/0.0;
interface ip-0/0/0.0;
routing-options {
rib IPV6.inet6.0 {
static {
route ::/0 next-hop 2001:470:7:9e7::1;
}
}
static {
route 0.0.0.0/0 next-hop 70.88.135.222;
}
}

[edit routing-instances IPV6]

I can ping a ipv4 address

root@gatekeeper# run ping routing-instance IPV6 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=42 time=38.846 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=42 time=28.538 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=42 time=30.479 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.538/32.621/38.846/4.472 ms

but when I ping an IPV6 address I get this

root@gatekeeper# run ping routing-instance IPV6 2607:f8b0:4004:802::1011
PING6(56=40+8+8 bytes) 2001:470:7:9e7::2 --> 2607:f8b0:4004:802::1011
ping: sendmsg: No route to host
ping6: wrote 2607:f8b0:4004:802::1011 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote 2607:f8b0:4004:802::1011 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote 2607:f8b0:4004:802::1011 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote 2607:f8b0:4004:802::1011 16 chars, ret=-1
^C
--- 2607:f8b0:4004:802::1011 ping6 statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

copy of routing table

IPV6.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:34:38
> to 70.88.135.222 via ge-0/0/0.0
70.88.135.208/28 *[Direct/0] 00:35:34
> via ge-0/0/0.0
70.88.135.217/32 *[Local/0] 00:35:34
Local via ge-0/0/0.0

IPV6.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:470:7:9e7::2/128
*[Local/0] 00:35:34
Reject
fe80::56e0:3200:64:ee00/128
*[Local/0] 00:35:34
Reject

Now I do see one problem IPV6.inet6.0 shows reject

show interface terse results

root@gatekeeper# run show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 70.88.135.217/28
gr-0/0/0 up up
ip-0/0/0 up up
ip-0/0/0.0 up down inet6 2001:470:7:9e7::2/64
fe80::56e0:3200:64:ee00/64

kasperd · July 06, 2013, 12:14:33 AM

I am not familiar with that config format, but what I did notice is that the IP address of the tunnel server (216.66.22.2) is nowhere to be found in the new configuration. Obviously it needs to be somewhere. Did you perhaps leave out some relevant part of the configuration?

DSSJMS · July 06, 2013, 08:21:18 AM

When creating a virtual router interfaces that are already setup are used so in the first setup I used ge-0/0/0.0 as my real external interface with the IPV4 address the tunnel knows about and interface ip-0/0/0.0 as the tunnel. That works with no problems now when I take those interfaces and move them over to the virtual router and add the rib route. I can now ping any ipv4 address with the virtual router I also made sure I could ping the IPV4 address for an external site and that worked. But the tunnel does not work at all under a virtual route.

instance-type virtual-router;
interface ge-0/0/0.0;
interface ip-0/0/0.0;
routing-options {
rib IPV6.inet6.0 {
static {
route ::/0 next-hop 2001:470:7:9e7::1;
}
}
static {
route 0.0.0.0/0 next-hop 70.88.135.222;
}
}

News:

IPV6 tunnel through virtual routing instances on SRX

DSSJMS

kasperd

DSSJMS