SRX Services Gateway
Regular Visitor
jason@xax.li
Posts: 8
Registered: 02-09-2011

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

The workaround doesn't seem to work for me, although I'm still kind of learning my way around Junos. Could I see someone's config with this workaround implemented?

jason@liv> show system software
Information for junos:

Comment:
JUNOS Software Release [10.3R3.7]

Trusted Contributor
BuckWeet
Posts: 159
Registered: 08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I just configured this at my home on an SRX210 with flow mode using 11.1R2.3 and have no issues with initial connectivity. One thing that I am running into is that the default TCP timeouts for IPv6 are very, very short, like 30 seconds or so. This is causing connectivity issues as all of the host applications still think the session is up.

Anyone seen this? I'm not that familiar with IPv6, so I'm not sure if the TCP timeout should be lower than v4. I would think not...

Super Contributor
motd
Posts: 221
Registered: 12-16-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

There is no reason for the timeouts of IPv6 to be shorter than IPv4. 30 seconds is extremely short for TCP. Could it be that there is some sort of asymmetric routing going on? If the SRX only sees the client->server traffic but not server->client traffic, things like this could happen, as the SRX will never see a completed 3-way handshake and will remove the session again (after some 20 seconds iirc).

Update: one other possibility is that a filter with "then packet-mode" is applied on all ingress traffic but not egress. This will cause the security module of the SRX to only see one direction of the traffic flow, which is just like asymmetric routing. Those packet filters are no longer needed in 11.1R2 though; my tunnel works fine without it.

Trusted Contributor
BuckWeet
Posts: 159
Registered: 08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I believe you nailed it actually. Looking at the flows, there is no return traffic from the server. The website brings up a page just fine however, which is odd that it works. I do not have any asymmetric routing going on. Must be something goofy with a policy or something?

root@SRX210> show security flow session family inet6

Session ID: 18151, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59572 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 11, Bytes: 3191
  Out: 2001:4860:b009::93/80 --> 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59572;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 18152, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59573 --> 2001:4860:b009::93/80;tcp, If: vlan.11, Pkts: 5, Bytes: 1881
  Out: 2001:4860:b009::93/80 --> 2001:xxxx:xxxx11:5068:1991:cd84:3f6f/59573;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0

Total sessions: 4
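The pattern motd describes (packets counted on the In wing, zero on the Out wing, a Timeout that keeps falling back to a few seconds) is exactly what the session table above shows. As an added example that is not from this thread or from Juniper, the Python script below parses the text of `show security flow session family inet6` and flags sessions where the SRX forwarded client traffic but never saw a reply, which is the symptom of asymmetric return paths or of a packet-mode filter applied on ingress only. The session text embedded in it is constructed with 2001:db8::/32 documentation addresses, and the field layout is assumed to match the output format shown in the post; it also copes with the extraction-joined `Valid  In:` form seen above.

```python
"""Flag SRX flow sessions that carry traffic in one direction only.

Added example (not from the thread): parses `show security flow session
family inet6` text and reports sessions with packets in but zero packets back.
"""
import re

# Constructed sample modelled on the output in the thread; addresses are
# documentation prefixes (2001:db8::/32), not real hosts.
SAMPLE_OUTPUT = """\
Session ID: 18151, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:db8:1::10/59572 --> 2001:db8:2::93/80;tcp, If: vlan.11, Pkts: 11, Bytes: 3191
  Out: 2001:db8:2::93/80 --> 2001:db8:1::10/59572;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 18152, Policy name: trust-to-untrust/4, Timeout: 16, Valid
  In: 2001:db8:1::10/59573 --> 2001:db8:2::93/80;tcp, If: vlan.11, Pkts: 5, Bytes: 1881
  Out: 2001:db8:2::93/80 --> 2001:db8:1::10/59573;tcp, If: ip-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 18153, Policy name: trust-to-untrust/4, Timeout: 1794, Valid
  In: 2001:db8:1::10/59574 --> 2001:db8:2::93/80;tcp, If: vlan.11, Pkts: 9, Bytes: 1310
  Out: 2001:db8:2::93/80 --> 2001:db8:1::10/59574;tcp, If: ip-0/0/0.0, Pkts: 8, Bytes: 5720
Total sessions: 3
"""

SESSION_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), Timeout: (?P<timeout>\d+)"
)
# One wing of a session. Matched with finditer so it also works when the
# "Valid  In: ..." wing has been joined onto the Session ID line.
FLOW_RE = re.compile(
    r"\b(?P<dir>In|Out): (?P<src>\S+) --> (?P<dst>[^;\s]+);(?P<proto>\w+), "
    r"If: (?P<ifname>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


def parse_sessions(text):
    """Return a list of session dicts, each with an 'In' and/or 'Out' wing."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {
                "id": int(m["id"]),
                "policy": m["policy"].strip(),
                "timeout": int(m["timeout"]),
                "wings": {},
            }
            sessions.append(current)
        if current is None:
            continue
        for w in FLOW_RE.finditer(line):
            current["wings"][w["dir"]] = {
                "src": w["src"],
                "dst": w["dst"],
                "proto": w["proto"],
                "interface": w["ifname"].strip(),
                "pkts": int(w["pkts"]),
                "bytes": int(w["bytes"]),
            }
    return sessions


def one_way_sessions(sessions, min_in_pkts=3):
    """Sessions where the initiator kept sending but nothing came back via the SRX.

    min_in_pkts avoids flagging a brand-new session whose SYN-ACK simply has not
    arrived yet; several packets in and zero out is the one-direction pattern.
    """
    return [
        s for s in sessions
        if s["wings"].get("In", {}).get("pkts", 0) >= min_in_pkts
        and s["wings"].get("Out", {}).get("pkts") == 0
    ]


def describe(session):
    """One-line report for a flagged session, naming both interfaces.

    Return traffic that bypasses the flow module would arrive on the Out
    interface, so that is where to check for a missing filter or a different path.
    """
    i, o = session["wings"]["In"], session["wings"]["Out"]
    return (
        f"session {session['id']} {i['proto']} {i['src']} -> {i['dst']}: "
        f"{i['pkts']} pkts in via {i['interface']}, 0 back via {o['interface']} "
        f"(timeout {session['timeout']}s)"
    )


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(describe(s))
```

Run it against the live output (`show security flow session family inet6 | no-more`, saved to a file and passed to `parse_sessions`) and compare the In and Out interfaces of every flagged session: if the Out interface is the tunnel unit while packets do reach the host, as in BuckWeet's case, the replies are taking a path the flow module never inspects.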

Trusted Contributor
BuckWeet
Posts: 159
Registered: 08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Another note: I can ping everything successfully; IPv6 does in fact work. However, something in the SRX is wonky as it's not reporting any return traffic in the flows. I tried the workaround, made no difference.

I attached the config from my security policy. It's very, very basic as I'm just trying to get things to work right now.

Super Contributor
motd
Posts: 221
Registered: 12-16-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Can you include the output of show configuration interfaces & show firewall? My guess would be that there is a firewall filter active.

Trusted Contributor
BuckWeet
Posts: 159
Registered: 08-29-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I have no firewall filters enabled at this point in time. The only security mechanisms are under the security stanza.

I can get the config, will post it later. I'm pointing this to a bug. As I mentioned, IPv6 works but it doesn't recognize the return traffic flow.

Regular Visitor
Feren
Posts: 8
Registered: 02-28-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Pressureman,

Thank you for posting your snippet. I used this successfully on my 10.4R4 (SRX210) and got my SixXS tunnel working again (it broke after I followed JTAC's recommendation to downgrade from 11.x to address spontaneous chassis reboots).

Kudos given, I just wanted to thank you again for the workaround and the link explaining "how/why this workaround... works."

Thanks again!

Visitor
jeffh
Posts: 5
Registered: 10-13-2010

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Well, now I'm very happy! With the recommendations on configuring the firewall filter, along with a couple of sample configurations from a Google search for 'SRX Hurricane Electric IPv6', I have a working configuration for he.net's tunnel broker on an SRX220 running Junos 11.4R1.6.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;
                }
            }
        }
    }
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source <MY EXTERNAL STATIC IP>;
                destination <HE.NET TUNNEL BROKER SERVER IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY HE.NET ASSIGNED IPv6 ADDRESS>;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input fix-6in4;
                }
                address <MY EXTERNAL STATIC IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY HE.NET ASSIGNED IPv6 CLIENT ADDRESS>;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address <MY INTERNAL TRUST IPv4 ADDRESS>;
            }
            family inet6 {
                address <MY INTERNAL HE.NET ASSIGNED IPv6 ADDRESS>;
            }
        }
    }
}

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop <HE.NET IPv6 SERVER ADDRESS>;
        }
    }
}

protocols {
    router-advertisement {
        interface vlan.0 {
            prefix <MY INTERNAL HE.NET NETWORK ADDRESS /64>;
        }
    }
}

security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
        }
    }
}


[edit security zones]
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
                protocols {
                    router-discovery;
                }
            }
        }
        ip-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    router-discovery;
                }
            }
        }
    }
}

firewall {
    filter fix-6in4 {
        term t1 {
            from {
                source-address {
                    216.66.22.2/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t2 {
            from {                     
                destination-address {
                    216.66.22.2/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t99 {
            then accept;
        }
    }
}

Regular Visitor
jason@xax.li
Posts: 8
Registered: 02-09-2011

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Is there a working flow-based config for 6in4 tunnels yet? Packet-based in 10.3 worked fine; I didn't attempt any flow workarounds for it. I've tried all workarounds mentioned here for 10.4 and a few others to no avail.

10.4R9.2

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.