Michael Dale - 2007 » 2

Search Posts Categories

Bluetrait
        Bluetrait
            Coding
            Geek
            General
            Coding
                PHP
                Bluetrait
                WordPress
                    Plugins
                PHP
                Bluetrait (Program)
            Geek
                Juniper
                Cisco
                IBM N2200 8363
                PCs
                Spam
                IPv6
                Apple
                NetScreen
                Internet
            General
                Uni

Click here if you are looking for Bluetrait, the weblog software.

Login

IPv6 tunnel through IPv4 with a Netscreen

Posted by Michael Dale on Thu, 15 Feb 2007 9:49 PM

I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.

I'm currently running ScreenOS 5.4.0r3a0; there seems to be some WebUI bugs with IPv6 so it is best to do it via the command line.

Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if it the WebUI bugs will be fixed.

Update2: IPv6 is now supported on the SSG 5 under screenos 6, the WEBUI bug has been fixed.

Background info:

Trust interface 10.0.0.254/22 - bgroup0
Untrust interface - bgroup2
IPv6 broker (broker.aarnet.net.au) - 202.158.196.131
IPv6 subnet - 2001:388:c021::1/64

The first step is to enable IPv6 on your Netscreen.

Type the following then save your config and restart the device:

set envar ipv6=yes

Now let's setup the trust interface:

set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:388:c021::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud

So we've setup my trust interface with the IPv6 subnet and autoconfiguration should be working.

Now let's setup a tunnel interface for the traffic to run through:

set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface bgroup2
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip 202.158.196.131

Now we'll setup a static route for IPv6 traffic to go through:

set route ::/0 interface tunnel.1 gateway :: preference 20

And finally we need to setup a policy to allow traffic out:

set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77

You may want to setup some policies to allow traffic in too.

That should be all you need to do.

Permalink Comments 0

IPv6, NetScreen