SRX Services Gateway
Contributor
Posts: 40
Registered: ‎01-14-2009

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I haven't looked through the entire config, but your tcp-mss is 1380 while you set the ip-0/0/0 interface's MTU to 1320. I am not manually setting the ipip interface MTU; it will automatically set a lower MTU to allow for the encapsulation overhead. I'm also not using tcp-mss, but instead using path-mtu-discovery on the ip-0/0/0 interface. Try this and let me know your success. If you still have a problem I'll look into your config further.

Contributor
Posts: 19
Registered: ‎12-03-2009

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Check the release notes. For as long as I can remember, IPv6 has not been supported on routed VLAN interfaces (RVIs) on SRX100, 210, 240 and 650. This is mentioned on page 81 of the Junos 12.1 release notes.

 

If you want IPv6 routing on your SME SRX, you'll have to stop using it as a switch ;-)

Visitor
Posts: 3
Registered: ‎06-08-2012

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Hi Guys, Thanks for the replies! It was a misconfiguration in my security policy. I didn't allow IPv6 as a source, only my IPv4 subnet. But the strange thing is that it works with switching enabled :)

Recognized Expert
Posts: 407
Registered: ‎02-10-2008

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

I'm responding to this in case someone else is trying to get this to work.

 

I've verified on a J-Series running 12.1R4.7 that IPv6 flow mode, along with NAT66, is working with a 6in4 tunnel.  In order to get things working, I had to configure the filter that sets protocol 41 traffic to/from the tunnel server into packet-mode.  If this is not done, then all tunneled traffic bypasses security policies and is treated as packet-mode based.

Trusted Contributor
Posts: 79
Registered: ‎12-16-2011

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

Here's my working configuration based off of the feedback here.  Thanks everyone!

 

version 12.1X44.4;
interfaces {
    fe-0/0/0 {
        /* to Internet */
        unit 0 {
            family inet {
                filter {
                    input fix-6in4;
                }
                dhcp;
            }
        }
    }
    ip-0/0/0 {
        /* to Hurricane Electric 6-in-4 */
        unit 0 {
            tunnel {
                /* HE Client IPv4 address */
                source 128.8.164.80;
                /* HE Server IPv4 Address */
                destination 209.51.161.58;
            }
            family inet6 {
                /* HE Client IPv6 Address */
                address 2001:470:1c70:4d3b::2/64;
            }
        }
    }
    vlan {
        /* to Trust VLAN */
        unit 3 {
            family inet {
                /* My LAN IPv4 address */
                address 192.168.1.1/24;
            }
            family inet6 {
                /* HE Routed /64 (with added ::1) */
                address 2001:470:1c71:4d3b::1/64;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            /* HE Server IPv6 Address */
            route ::/0 next-hop 2001:470:1c70:4d3b::1;
        }
    }
}
protocols {
    router-advertisement {
        interface vlan.3 {
            /* HE Routed /64 (without added ::1) */
            prefix 2001:470:1c71:4d3b::/64;
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.3 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
                ip-0/0/0.0;
            }
        }
    }
}
firewall {
    filter fix-6in4 {
        term t1 {
            from {
                source-address {
                    /* HE Server IPv4 Address */
                    209.51.161.58/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t2 {
            from {
                destination-address {
                    /* HE Server IPv4 Address */
                    209.51.161.58/32;
                }
                protocol 41;
            }
            then packet-mode;
        }
        term t99 {
            then accept;
        }
    }
}
vlans {
    trust {
        vlan-id 3;
        l3-interface vlan.3;
    }
}
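
The configuration above shows no security policies, and an earlier reply in this thread traced its failure to a policy that allowed only the IPv4 subnet as source. As an added example (not taken from any poster's configuration), a trust-to-untrust policy covering both address families could look like the following; the address-book entry names `lan-v4` and `lan-v6`, the policy name `lan-out`, and the use of the global address book are assumptions, while the prefixes are the LAN subnets from the configuration above.

```junos
security {
    address-book {
        global {
            /* assumed entry names; prefixes are the vlan.3 subnets shown above */
            address lan-v4 192.168.1.0/24;
            address lan-v6 2001:470:1c71:4d3b::/64;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* assumed policy name */
            policy lan-out {
                match {
                    /* list both families: with only lan-v4 here, IPv6 flows
                       from the LAN match no policy and are dropped */
                    source-address [ lan-v4 lan-v6 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* no untrust-to-trust policy is defined: the routed /64 is globally
           reachable (no NAT), so unsolicited inbound IPv6 sessions should
           fall through to the default deny */
        default-policy {
            deny-all;
        }
    }
}
```

After commit, `show security flow session family inet6` should list sessions sourced from the LAN /64 if the policy is matching IPv6 traffic.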