SRX Services Gateway
Contributor
pressureman
Posts: 19
Registered: ‎12-03-2009
0

IP in IP tunnel dynamic source address?

[ Edited ]

I'm running a Hurricane Electric IPv6 tunnel from a SRX 100, which is getting its public (and dynamic) IPv4 address on a PPPoE interface. This address needs to be the source address for the IP in IP tunnel to Hurricane Electric.

I tried using a tunnel source address of 0.0.0.0 (in blind hope), but the tunnel doesn't come up. I have to copy and paste the IPv4 address from interface pp0.0 into the ip-0/0/0.0 tunnel source address. On IOS, tunnel interfaces can use "source interfaces", rather than "source addresses" to get around this problem. Is there an equivalent on Junos?

IP tunnel stanza:

 

 

    ip-0/0/0 {
        unit 0 {
            tunnel {
                source 93.220.x.x;
                destination 216.66.80.30;
            }
            family inet6 {
                address 2001:470:xxxx:xxxx::2/64;
            }
        }
    }

 

Other than having to manually update the tunnel source address whenever the PPPoE IPv4 address changes, the setup is working perfectly. I even have the SRX sending IPv6 router advertisements on the trusted LAN for the /64 that H.E. routes to my tunnel.

Distinguished Expert
dfex
Posts: 768
Registered: ‎04-17-2008
0

Re: IP in IP tunnel dynamic source address?

Hi pressureman,

 

Unfortunately not - I had the same issue and ended up getting my provider to issue me a static IP.

It might be possible to source it from a loopback address, but I think that HE need to know your IP address at all times anyway. So even if you could source it from the pp0 interface, every time your IP changed, you'd have to update HE tunnel broker.

They have a section in their FAQ regarding connecting from dynamic IPs, and some sort of automated script page that updates their connection details for you.

The FAQ fourth from the bottom:

http://ipv6.he.net/certification/faq.php

The script page:

http://ipv4.tunnelbroker.net/ipv4_end.php

Good luck!

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Super Contributor
colemtb
Posts: 313
Registered: ‎09-30-2009
0

Re: IP in IP tunnel dynamic source address?

What dfex said, scripts. We have a neat script that allows you to monitor upstream traffic with RPM Probe on a DHCP obtained IP as the “source-address” as opposed to knowing the static, hence giving you layer three upstream awareness of two dynamically obtained IP addresses.

This script was designed based on the limited capabilities of the one that accompanies the CX111; it’s pretty neat in that it will monitor for DHCP and PPPOE events kicking off an XML scrape to get the new IP address of the interface to change RPM configs for source address, monitor upstream IPs from this MAIN dynamically obtained IP / Interface, and in the event of a failure due to RPM Probe timeouts, rebuild stuff like IKE external-interface, i.e. the backup, reload some ipsec-key-management to clear ike and ipsec and rebuild on the backup interface, and commit / other stuff.  :smileywink:

 

dfex = good stuff on posts!

Contributor
pressureman
Posts: 19
Registered: ‎12-03-2009
0

Re: IP in IP tunnel dynamic source address?

Thank you both for your suggestions. At the moment we have a Linux box on the internal LAN which is hitting the HE page to update the public IPv4 address registered with them.

I haven't used Junos scripting before, but it sounds like a good idea. Certainly if I can have the script react to pppoe up/down events, and modify the tunnel source address accordingly, this would be a nice self-contained solution.

Even if Junos were able to support a tunnel source interface (as opposed to a tunnel source address), HE still need to be notified of our dynamic IPv4 address.

Contributor
pressureman
Posts: 19
Registered: ‎12-03-2009

Re: IP in IP tunnel dynamic source address?

After a crash course in Junos scripting, I have come up with the following. Any feedback greatly appreciated (bear in mind I have been writing Junos scripts for less than 24 hours now ;-)

 

vdsl-up.slax

 

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    var $ppp_iface = "pp0.0";
    var $tunnel_iface = "ip-0/0/0";

    var $rpc = {
        <get-interface-information> {
            <terse>;
            <interface-name> $ppp_iface;
        }
    }
    var $interfaces = jcs:invoke($rpc);

    /* Extract PPPoE logical interface local address */
    var $ppp_ip = $interfaces/logical-interface[name = $ppp_iface]/address-family[address-family-name = "inet"]/interface-address/ifa-local;

    /* Reconfigure tunnel source address */
    var $load_config = <load-configuration action = "merge" format = "xml"> {
        <configuration> {
            <interfaces> {
                <interface> {
                    <name> $tunnel_iface;
                    <unit> {
                        <name> "0";
                        <tunnel> {
                            <source> $ppp_ip;
                        }
                    }
                }
            }
        }
    }

    var $config = jcs:invoke($load_config);
    var $commit = jcs:invoke("commit-configuration");
}

 

 

config

 

event-options {
    policy vdsl-up {
        events snmp_trap_link_up;
        attributes-match {
            snmp_trap_link_up.interface-name matches pp0.0;
        }
        then {
            event-script vdsl-up.slax;
        }
    }
    event-script {
        file vdsl-up.slax;
    }
}

 

 

Distinguished Expert
dfex
Posts: 768
Registered: ‎04-17-2008
0

Re: IP in IP tunnel dynamic source address?

[ Edited ]

AWESOME work!  Funnily enough, I was just about to sit down and write one myself, but it looks like you've already nailed it.

 

Well done :smileyhappy:

 

But just to make it REALLY slick, chuck in something like:

 

 

rpm {
    probe dfex {
        test TUNNELBROKER-UPDATE {
            probe-type http-get;
            target url "http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=HDHDBSKH63637&user_id=BLAH&tunnel_id=12345";
            test-interval 86400;
        }
    }
}

 

Maybe adjust the interval down to match your lease time, but that should let you get rid of the Linux box and do it all in JUNOS.  I know HE says to use https, but from my brief testing, it doesn't look like RPM supports it, while HE seems to accept http no problem at all.

 

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
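
An added example (not part of the original thread): the same tunnelbroker update done from a Linux host over HTTPS, which the post above says RPM does not support, sending the request only when the address has changed and keeping the `pass` value out of anything that gets logged. The endpoint and query parameter names are the ones quoted in the post; the function names, the state file and the sample values are assumptions made for this sketch.

```python
import ipaddress
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Endpoint and parameter names as quoted in the thread, but over HTTPS.
ENDPOINT = "https://ipv4.tunnelbroker.net/ipv4_end.php"

def build_update_url(user_id, password, tunnel_id, ipv4="AUTO"):
    """Return the update URL; ipv4 is 'AUTO' or a public IPv4 address."""
    if ipv4 != "AUTO":
        addr = ipaddress.ip_address(ipv4)  # ValueError on malformed input
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"not a public IPv4 address: {ipv4}")
    return ENDPOINT + "?" + urlencode({"ipv4b": ipv4, "pass": password,
                                       "user_id": user_id, "tunnel_id": tunnel_id})

def redact(url):
    """Mask the 'pass' parameter so the URL can be logged."""
    parts = urlsplit(url)
    pairs = [(k, "***" if k == "pass" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))

def send_update(url, timeout=10):
    """Send the request; urllib verifies the server certificate by default."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the tunnel password over plain HTTP")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status

def update_if_changed(state_path, current_ip, creds, sender=send_update):
    """Call HE only when current_ip differs from the address last recorded.
    creds is (user_id, password, tunnel_id); state_path is a hypothetical file."""
    try:
        with open(state_path) as fh:
            last_ip = fh.read().strip()
    except FileNotFoundError:
        last_ip = ""
    if last_ip == current_ip:
        return False
    sender(build_update_url(*creds, ipv4=current_ip))
    with open(state_path, "w") as fh:  # record only after a successful call
        fh.write(current_ip)
    return True

if __name__ == "__main__":
    # Constructed sample values; nothing is sent.
    print(redact(build_update_url("BLAH", "example-pass", "12345", "93.220.1.2")))
```
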
Contributor
pressureman
Posts: 19
Registered: ‎12-03-2009
0

Re: IP in IP tunnel dynamic source address?

Cool, thanks for the positive feedback! Hopefully others can also gain some use from this script, or at least use it as a basis for something more specific to their needs.

I was wondering if we could migrate our Linux cron job script that hits the HE URL to a Junos script, and you've just confirmed it for me. Thanks for the tip!

I just have a little bit of troubleshooting to do on my vdsl-up.slax script now. It works (as in, it reconfigures the tunnel and commits the config change) if I manually run it as an op script, but when triggered by the event, it doesn't seem to be configuring the tunnel source with the new pp0.0 IP address. I suspect there is a bit of lag between the link_up snmp trap, and the actual new IP address being available to the get-interface-information RPC. I will try adding a short delay at the start of the script.

It's a nuisance having to do all this, but a) our ISP doesn't offer static IPs on "consumer" internet connections, and b) they're not l33t enough to offer ip6 natively over ppp.

Now I just need to steal that dyndns script I saw over in the Junos forum ;-)

Visitor
marc.alonso
Posts: 3
Registered: ‎08-26-2013
0

Re: IP in IP tunnel dynamic source address?

Hi,

 

Thanks for providing this RPM trick.

Also, do you have a solution to launch this RPM when the PPPoE comes up, rather than waiting for the RPM timer to time out?

Regards.

 

Visitor
marc.alonso
Posts: 3
Registered: ‎08-26-2013
0

Re: IP in IP tunnel dynamic source address?

Hi, thanks for your work, but it seems not to be working on my SRX-100 (Junos 12.1X45-D10).

The event to launch the script when pp0.0 is up works fine, but I have put in a syslog message with $ppp_ip and this value is always empty.

Do you have any idea about the problem?

I can't find any information on how to update this tunnel and update the site automatically (I do it on Cisco IOS without problem ...)

So, thanks in advance for your help.

Regards.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.