Yes, I know I know, the Juniper ScreenOS devices are Out-of-Everything (OoE), but I am still using them for a couple of labs. They simply work as a router and VPN gateway as well as a port-based firewall. Perfect for labs.
For some reason I had another lab without native IPv6 Internet. Hence I used the IPv6 Tunnel Broker one more time. Quite easy with the SSGs, since HE offers a sample config. But even through the GUI it’s just a few steps:
I am using a SSG 140 with ScreenOS 6.3.0r27.0. Prerequisite is a static IPv4 address on the Internet facing “untrust” interface.
The “Example Configuration” from Hurricane Electric is already almost complete. You simply have to replace the “untrust” keyword with the name of your layer 3 untrust interface:
Step-by-Step through the GUI
Anyway, doing it by hand through the GUI involves these steps:
- Create a new tunnel interface within the “Untrust” zone.
- Enable IPv6 type “host” on that tunnel interface, with the “Client IPv6 Address” from the HE tunnel information as the IPv6 address.
- Disable NUD, the Neighbor Unreachability Detection.
- Enable and configure the 6in4 tunnel, aka “IPv6 in IPv4 Tunneling Encapsulation Settings”.
- Add a (permanent) default route.
- Add IPv6 subnets to your internal interfaces with “Allow RA Transmission” and so on, as always.
- Add security policies as always.
GUI Screenshots:
CLI Commands
CLI commands incl. user subnet config. I am using ethernet0/8 as my untrust interface and bgroup0/0 as my trust interface:
set interface "tunnel.1" zone "Untrust"
set interface "bgroup0/0" ipv6 mode "router"
set interface "bgroup0/0" ipv6 ip 2001:470:6d:a1::1/64
set interface "bgroup0/0" ipv6 enable
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 ip 2001:470:6c:a1::2/64
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet0/8 dst-ip 216.66.86.114
set interface bgroup0/0 ipv6 ra link-address
set interface bgroup0/0 ipv6 ra transmit
set interface bgroup0/0 ipv6 nd nud
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0
set route ::/0 interface tunnel.1 gateway 2001:470:6c:a1::1 permanent
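If you set this up more than once (or with other interface names), the CLI block above is easy to generate from the HE tunnel details. The following is an added example, not part of the original post or of HE's sample config: it derives the client address (HE uses ::1 on its side, ::2 on yours), the trust interface address (::1 of the routed /64) and the default gateway, and refuses obviously wrong input such as a private IPv4 endpoint; the interface names are the ones used in this post.

```python
import ipaddress


def screenos_6in4_config(server_ipv4, server_ipv6, routed_64,
                         untrust_if="ethernet0/8", trust_if="bgroup0/0",
                         tunnel_if="tunnel.1"):
    """Return the ScreenOS CLI lines for an HE 6in4 tunnel.

    server_ipv4: HE "Server IPv4 Address" (becomes the tunnel dst-ip)
    server_ipv6: HE "Server IPv6 Address" with prefix, e.g. 2001:470:6c:a1::1/64
    routed_64:   HE "Routed /64", put on the trust interface as ::1
    """
    dst = ipaddress.IPv4Address(server_ipv4)
    # The untrust side needs a static public IPv4 address; a private
    # endpoint would mean the tunnel sits behind NAT, which is not covered here.
    if not dst.is_global:
        raise ValueError(f"{dst} is not a public IPv4 address")
    srv = ipaddress.IPv6Interface(server_ipv6)
    if srv.network.prefixlen != 64:
        raise ValueError("HE tunnel link prefix must be a /64")
    client = ipaddress.IPv6Interface(f"{srv.ip + 1}/64")  # ::1 -> ::2
    if client.ip not in srv.network:
        raise ValueError("client address falls outside the tunnel /64")
    lan = ipaddress.IPv6Network(routed_64)  # raises if host bits are set
    if lan.prefixlen != 64:
        raise ValueError("SLAAC via RA needs a /64 LAN prefix")
    lan_ip = lan[1]  # first host address of the routed /64
    return [
        f'set interface "{tunnel_if}" zone "Untrust"',
        f'set interface "{trust_if}" ipv6 mode "router"',
        f'set interface "{trust_if}" ipv6 ip {lan_ip}/64',
        f'set interface "{trust_if}" ipv6 enable',
        f'set interface "{tunnel_if}" ipv6 mode "host"',
        f'set interface "{tunnel_if}" ipv6 ip {client}',
        f'set interface "{tunnel_if}" ipv6 enable',
        f"set interface {tunnel_if} tunnel encap ip6in4 manual",
        f"set interface {tunnel_if} tunnel local-if {untrust_if} dst-ip {dst}",
        f"set interface {trust_if} ipv6 ra link-address",
        f"set interface {trust_if} ipv6 ra transmit",
        f"set interface {trust_if} ipv6 nd nud",
        f"unset interface {tunnel_if} ipv6 nd nud",  # no NUD on the tunnel
        f"set interface {tunnel_if} ipv6 nd dad-count 0",
        f"set route ::/0 interface {tunnel_if} gateway {srv.ip} permanent",
    ]


if __name__ == "__main__":
    # Values from this post: tunnel 2001:470:6c:a1::/64, routed 2001:470:6d:a1::/64
    print("\n".join(screenos_6in4_config(
        "216.66.86.114", "2001:470:6c:a1::1/64", "2001:470:6d:a1::/64")))
```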
Up and Running
Just a few IPv6-related CLI commands (link for some more):
ssg-> get interface tunnel.1
Interface tunnel.1:
  description tunnel.1
  number 20, if_info 16168, if_index 1, mode route
  if_signature 0x4e53434e sess token 4, flow flag 0x60 if flag 0xc00203 flag2 0x0
  link ready, admin status up
  ipv6 is enable/operable, host mode.
  ipv6 operating mtu 1480, learned mtu 0
  ipv6 Interface-ID: 00000000c118e30a
  ipv6 fe80::c118:e30a/64, link local, PREFIX
  ipv6 2001:470:6c:a1::2/64, global aggregatable, STATEFUL
  ipv6 ff02::1:ff00:2, solicited-node scope
  ipv6 ff02::1:ff18:e30a, solicited-node scope
  vsys Root, zone Untrust, vr trust-vr
  hwif tunnel flag 0xc00200 flag2 0x0 flag3 0x10000000, vsys Root
  admin mtu 1480, operating mtu 1480, default mtu 1500
  *ip 0.0.0.0/0   *manage ip 0.0.0.0
  pmtu-v4 disabled, pmtu-v6 enabled(1480),
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured  MLD not configured
  NHRP disabled
  bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  tunnel: local ethernet0/8, remote 216.66.86.114
  encap: IP6IN4_MANUAL (2)
  keep-alive: off, interval 10(using default), threshold 3(using default)
  status: last send 0, last recv 0
ssg->
ssg->
ssg-> get route v6
IPv6 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

IPv6 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID  IP-Prefix                     Interface   Gateway              P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------------
*         3  ::/0                          tun.1       2001:470:6c:a1::1    SP   20    1  Root
*         1  2001:470:6c:a1::/64           tun.1       ::                   C     0    0  Root
*         5  2001:470:6d:a1::1/128         bgroup0/0   ::                   H     0    0  Root
*         4  2001:470:6d:a1::/64           bgroup0/0   ::                   C     0    0  Root
*         2  2001:470:6c:a1::2/128         tun.1       ::                   H     0    0  Root
ssg->
ssg->
ssg-> get ndp
usage: 3/2048 miss: 0 always-on-dest: disabled
states(S): N Undefined, X Deleted, I Incomplete, R Reachable, L Stale, D Delay, P Probe, F Probe forever
           S Static, A Active, I Inactive, * persistent
--------------------------------------------------------------------------------
IPv6 Address                     Link-Layer Addr S Interface   Age        Pk
2001:470:6d:a1::dcfb:123         001395243404    R bgroup0/0   00h00m17s  0
fe80::d842:5672                  0000d8425672    A*tunnel.1    00h00m01s  0
fe80::213:95ff:fe24:3404         001395243404    R bgroup0/0   00h00m23s  0
ssg->
ssg->
Happy IPv6-firewalling! ;D
Featured image “Rabštejn – Lightpaint” by david_drei is licensed under CC BY-NC-ND 2.0.