ScreenOS
From SixXS Wiki
ScreenOS is the operating system used by the Juniper SSG and NetScreen range of firewall devices (NetScreen was purchased by Juniper in 2004).
ScreenOS supports IPv6, although it is only officially supported on a subset of devices. Any Juniper SSG running ScreenOS 6 or higher should work without any issues. IPv6 is also known to work with the NetScreen 5GT (running ScreenOS 5 or 6) and a few other pre-ScreenOS 6 devices. To see if your device works with IPv6, type the following command into the CLI and then reboot the device:
set envar ipv6=yes
If your device supports IPv6, you will be able to assign an IPv6 address to an interface. (Please note that the web interface doesn't always show this, and you may need to use the CLI.)
The first step in getting IPv6 to work through SixXS is to sign up for an account. Once your account has been approved, you will need to request a tunnel. Once your tunnel is active, you can start setting up the NetScreen.
Setting Up an IPv6 Tunnel
The first step on the device is to set up a tunnel interface. This interface allows you to encapsulate IPv6 packets within IPv4 packets.
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.1" ip unnumbered interface <internal interface>
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface "tunnel.1" tunnel encap ip6in4 manual
set interface "tunnel.1" tunnel local-if <wan interface> dst-ip <SixXS IPv4 POP Address>
set interface "tunnel.1" ipv6 ip <Your IPv6 Address>/64
So what are we doing here?
First we're assigning tunnel.1 (you may use a different tunnel number if 1 is in use) to the Untrust zone.
We're then setting the encapsulation to IPv6 in IPv4 and then we're telling the NetScreen where to send these IPv6 packets.
The last command sets the IPv6 address SixXS assigned to you.
Now we need to set up a route so the NetScreen knows where to route IPv6 packets.
set route ::/0 interface tunnel.1 gateway <SixXS IPv6 Address>
Once this has been done, you should be able to ping the SixXS IPv6 gateway address from the firewall.
Please note this will not give IPv6 access to devices on the network behind the firewall. For this you will need to request a subnet from SixXS.
Known Issues
For some reason ScreenOS doesn't allow you to enable ICMP/ping on a tunnel interface. This may cause issues as SixXS may disable your account if they believe your tunnel is down. I have sent them an email about this issue and will update this entry when there is more information.
I have also opened a support case with Juniper in the hopes that they will add this "feature" to ScreenOS.
Update 17/07/2009 - Juniper Support recommend trying a loopback interface. I have since tried this but still no luck, although it could simply be a configuration problem. Again I'll update this when I have more info.
Update 22/07/2009 - Juniper Support has confirmed this bug and it is currently with JTAC, not sure how long it will take to fix.
