SixXS::Sunset 2017-06-06

Static Tunnel with Juniper SSG5
[at] Shadow Hawkins on Saturday, 02 May 2009 21:50:53
Hi,

I am running a Juniper SSG5 (5.4.0r1.0 (Firewall+VPN)) trying to set up a static SixXS tunnel. I did what is described in http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall up to the point where the tunnel interface is configured, since I haven't got my own IPv6 range behind it yet - just trying to get the tunnel itself working before confusing the rest of my environment ;-)

Now I am facing the situation that the SixXS IPv6 Distributed Traceroute Utility tells me from various routers that my IPv6 tunnel interface is reachable, while others on this planet (i.e. http://www.switch.ch/network/tools/ipv6lookingglass/ or http://noc.v6.telekom.at/lg/) as well as the tunnel statistics on SixXS themselves state the tunnel to be down (100% packet loss). I can see the icmp6 packets in the policy logs on the SSG5 - the ones from SixXS routers as well as the others from the non-working sources. For whatever reason I can see the incoming packets while on the other hand being unable to see any outgoing packets (in neither case). Ping from the SSG5 to any external IPv6 address doesn't work either.

Does anyone have any clue where the problem might be coming from? Might the firmware on the SSG5 be the problem? Any help is very much appreciated.

Best Regards, Andreas

PS: I reached that point only after I added a rule telling the SSG5 to allow packets from "untrusted" to "untrusted" "icmp6-any". Before that even the SixXS traceroute utility told me that I was not reachable.

PPS: If you need any more details to help me - just let me know ;-)
Static Tunnel with Juniper SSG5 - Tunnel Interface Ping Problem
[at] Shadow Hawkins on Tuesday, 12 May 2009 20:35:53
Hi,

Seems that 5.4.0r1.0 was simply too buggy to get things working. However there is still a problem left: I got a newer version in place (6.1.0r4.0) and established my tunnel. So far everything looks fine. I can ping from my SSG5 all IPv6 hosts I know on the internet. But: I can't see any statistics on the SixXS page, which is probably due to the fact that one can't ping my local tunnel interface. If I do a "get interface tunnel.x" I can easily see that ping is disabled - so this is why one can't ping me even though I do have the required rules in place. However there is no "set interface tunnel.x manage" command out there - probably due to the fact that this is a tunnel interface. It doesn't seem to be a zone feature but an interface-type one.

Does anyone have any clue how I can sort that out? Any help is very much appreciated. Many thanks in advance.

Best Regards, Andreas
Static Tunnel with Juniper SSG5 - Tunnel Interface Ping Problem
[us] Shadow Hawkins on Wednesday, 20 May 2009 07:49:02
I went through the same thing as you and finally ended up with the following config (I posted this in the comments on the http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall site way back in August of last year):

! Turn on IPv6 (reboot required)
set envar ipv6=yes
! Set up untrusted Ethernet interface with our side of the IPv6-in-IPv4 tunnel's IPv6 address
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 ip 2001:1938:XXXX:XXXX::2/64
set interface "ethernet0/0" ipv6 enable
! Set up tunnel interface (tunnel.2 is used in my setup because of an existing VPN tunnel on interface tunnel.1)
set interface tunnel.2 ip unnumbered interface ethernet0/0
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable
set interface tunnel.2 tunnel encap ip6in4 manual
set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66
set interface tunnel.2 mtu 1480
! Set default route for IPv6 traffic
set route ::/0 interface tunnel.2 gateway :: preference 20
! Set route to the SixXS PoP IPv6 address to use the tunnel interface, because the /64
! is configured on ethernet0/0 instead of on the unnumbered, non-addressable tunnel.2 interface
set route 2001:1938:XXXX:XXXX::1/128 interface tunnel.2 gateway :: preference 20
ScreenOS doesn't like addresses configured on IPv6 6in4 tunnel interfaces. This config was working fine on ScreenOS 6.1.0r3 until I dismantled it sometime around January and replaced it with a DD-WRT router for port forwarding and NAT limitations on the SSG5/ScreenOS that I was unable to work around.
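As an added example (not part of this thread and not ScreenOS code), the Python below builds the kind of ICMPv6 echo request that the SixXS statistics ping sends, wraps it in the IPv4 protocol-41 encapsulation that "set interface tunnel.2 tunnel encap ip6in4 manual" selects, and enforces the 1480-byte tunnel MTU from the config above (1500 minus the 20-byte outer IPv4 header). All addresses are constructed documentation-range placeholders, not the PoP or prefix from the thread.

```python
import ipaddress
import struct

# Constructed sample endpoints (documentation ranges), standing in for the thread's values.
LOCAL_V4 = "192.0.2.10"          # our ethernet0/0 IPv4 address
POP_V4 = "198.51.100.1"          # the PoP's IPv4 address (the tunnel "dst-ip")
LOCAL_V6 = "2001:db8:1:1::2"     # our side, the ::2 address placed on ethernet0/0
POP_V6 = "2001:db8:1:1::1"       # PoP side, the ::1 reached via the /128 route over tunnel.2
TUNNEL_MTU = 1480                # 1500-byte Ethernet MTU minus the 20-byte outer IPv4 header

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for IPv4 and ICMPv6)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmpv6_echo(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """IPv6 header + ICMPv6 echo request, checksum computed over the IPv6 pseudo-header."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload
    pseudo = s + d + struct.pack("!IxxxB", len(body), 58)      # next header 58 = ICMPv6
    body = body[:2] + struct.pack("!H", checksum(pseudo + body)) + body[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(body), 58, 64) + s + d
    return hdr + body

def encap_6in4(inner: bytes, src4: str, dst4: str) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41, as 'encap ip6in4' does."""
    if len(inner) > TUNNEL_MTU:
        raise ValueError("inner packet %d bytes exceeds tunnel MTU %d" % (len(inner), TUNNEL_MTU))
    s4, d4 = ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0x4000, 64, 41, 0) + s4 + d4
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + inner

def decap_6in4(packet: bytes) -> bytes:
    """Strip the outer IPv4 header, rejecting anything that is not a valid protocol-41 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 41 or checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed 6in4 packet")
    return packet[ihl:struct.unpack("!H", packet[2:4])[0]]

def tunnel_roundtrip(payload: bytes = b"sixxs-ping") -> dict:
    """Encapsulate one echo request from our side to the PoP and decapsulate it again."""
    inner = icmpv6_echo(LOCAL_V6, POP_V6, 0x1234, 1, payload)
    outer = encap_6in4(inner, LOCAL_V4, POP_V4)
    return {"inner_len": len(inner), "outer_len": len(outer), "proto": outer[9],
            "decap_ok": decap_6in4(outer) == inner}
```

A firewall policy that only permits icmp6 on the inside but drops IPv4 protocol 41 on the outside will show exactly the symptom from the first post: inbound echoes logged, no replies leaving.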
Static Tunnel with Juniper SSG5 - Tunnel Interface Ping Problem
[at] Shadow Hawkins on Monday, 25 May 2009 18:55:51
Joseph,

Many thanks for your help on that one. However I am not yet certain about the question whether or not your local ipv6 address 2001:1938:XXXX:XXXX::2/128 was pingable from the internet. Was that the case? Because it seems this is the only thing I didn't manage to get working yet. And according to my SSG documentation you can't make that work, since ping is a management feature of the SSG which isn't available on tunnel interfaces.

Best Regards, Andreas
Static Tunnel with Juniper SSG5 - Tunnel Interface Ping Problem
[at] Shadow Hawkins on Monday, 25 May 2009 19:17:46
Joseph,

Again many thanks - and sorry for the silly question... A little bit later I got it, too. You circumvented the issue of not being able to ping a tunnel interface by putting the ipv6 address on the local external interface and adding a route on the SSG so the packets still get routed to the tunnel, even though the tunnel is "above" the eth0/0 interface and packets normally shouldn't get there. ;-) The trick is great - many thanks.

Best Regards, Andreas


©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker