02-24-2011 08:46 AM
I was just told by a JTAC engineer that in Junos 10.4 they have removed support for 6in4 tunnels to services like Hurricane Electric. They don't plan on adding it back until 11.4. My tunnel worked on 10.3R2 and broke when I moved to 10.4R2. That is why I opened the case.
I thought Juniper was supposed to be an IPv6 leader. hmmmm.
02-25-2011 05:52 AM
6in4 tunnels are not likely to be used for enterprise connectivity,
How about this for a limitation: I have a client who uses SRX5800 and is getting ready to turn on IPv6 for their web server segment (and that segment only). The SRX cannot offer IDP on the IPv6 traffic. So now it's time to bake off other vendors to see what their IDP/IPS devices can offer for IPv6.
02-25-2011 08:03 AM
The 6in4 support in branch SRX was originally inherited from core Junos and was supported in packet-mode. We discovered that there was a possibility that it could be used to circumvent the security policies on the device (no, I won't disclose any more details), so we had to address that.
We are flow-enabling all existing IPv6 features along with adding new ones, but it takes time.
02-25-2011 09:08 AM
Interesting, thank you. I'm mulling this over with our channel SEs right now.
We found this document:
which shows IPv6 IDP to be supported today on SRX100/210/240, and unsupported on every other platform at present.
02-28-2011 09:22 AM
Without revealing the *dirty* details, I was wondering if the security bypass for 6IN4 tunnels was attributed to whether the ip-0/0/0 and underlying IPv4 interface were in the same zone? I'm currently running mine in separate zones (on 10.3R1.9) and therefore just curious if this configuration is also susceptible to the same security bypass?
03-02-2011 01:14 PM
I haven't had a close look at the tunnel setup yet, but wouldn't it be possible to get a working setup by terminating the tunnel in a packet-vr and then sending it to a second vr for flow-based processing? There is an appnote describing how to do this for MPLS traffic, but tunneled v6 is probably similar. Just a thought.
06-22-2011 01:15 PM
Thanks for posting this. It explains why my SixxS tunnel stopped working when JTAC advised me to move off 11.x (due to it causing spontaneous reboots on my SRX210), moving back to 10.4R4.
So now I get to play the game of "which is more important to me, stability or IPv6?"
01-25-2012 09:23 PM - edited 01-25-2012 11:32 PM
Does the SRX650 require a license for IPv6?
Not needed, right?
02-15-2012 01:32 AM - edited 04-10-2012 12:22 AM
Can someone share some links or KB links to implementing IPv6 on SRX or EX Switches?
Here's a link we found:
09-30-2012 12:51 PM
FWIW I stuck 12.1R3.5 on my SRX 100, and there doesn't appear to be any need for the IPv6-in-IP tunnel hack-around any more.
Haven't tested any earlier versions, but someone may like to comment on a previous version.
(On 12.1R2.9 I had issues with SNMP values getting "stuck".)
11-25-2012 02:31 PM
I can confirm that on 12.1R4.7, the filter packet mode hack isn't needed anymore.
I believe my earlier problem was that I forgot to put the ip-0/0/0.0 interface in the untrust zone. Not sure why it worked on earlier versions without it.