11-17-2011 07:02 AM
I was wondering if there is any Juniper equipment which supports IPsec VPN when both peers are connected together over IPv6 (the internal networks stay in IPv4)?
An explicative schema is attached to this post.
11-18-2011 04:39 AM
Is there any particular reason you're not going to use IPv6 all the way through?
NAT64, while supported on the JunOS line of hardware (currently not ScreenOS that I know of), is very highly NOT recommended by anyone actually involved in developing and building out IPv6.
Technically speaking what you're asking for will work, however your internal networks, if designed properly, will also be dual stacked architecture.
As far as I know there's not a really good design for how VPN networks are supposed to operate with IPv6 all the way through; my assumption is that you'll use routes that advertise specific routes for each network over the VPN, and firewall accordingly.
It will be very interesting to see how that works in the end, as I haven't done it.
You will need ScreenOS 6.3 for OSPFv3, which has IPv6 support.
11-23-2011 05:56 AM
After re-reading much of the Juniper IPv6 documentation for ScreenOS and wrapping my head around it, it appears you can do this, though if you're looking at a transition mechanism I'd probably look into just migrating everything to dual stack.
If you check the ScreenOS Reference Guide under the IPv6 section you will find that you can do the following modes for VPN tunnels: 6in6, 6in4, 4in6.
This is described in Part 14, Chapter 69.
11-23-2011 12:26 PM - edited 11-23-2011 12:28 PM
I do think you missed his question; he actually does not ask for NAT64!
He does want to do:
Trusted IPv4 networks which get routed into the IPsec tunnel.
The IPsec gateway IPs are IPv6.
To your question Koopobol: YES it does work!
11-24-2011 12:36 AM
Thanks for your answers A-KO, but NULL is right: I do not want to do NAT64 (or other transition mechanisms), I just want to make an IPsec VPN with both peers connected over IPv6 (the networks stay in IPv4 and pass through this tunnel).
NULL, can you tell me more about this? (implementation of the tunnel - maybe I need to use GRE? - which Juniper devices can do this, etc.)
11-24-2011 01:43 PM
First of all you need to enable IPv6 on the device: LINK - Juniper.net IPv6
Configure on your Untrust zone (service-provider facing) the IPv6 address which the SP provided for you.
Put a default route for IPv6 traffic to the gateway IP of the SP device.
Create the internal segmentation by zones and logical interfaces (IPv4 networks).
Create a tunnel interface with its own zone (for better management / segmentation).
Create policies (various directions if needed).
Create IPsec Phase 1 gateways.
Create IPsec Phase 2 settings.
Don't forget to enable "VPN Monitor" so the link remains continuously UP, even if there is no real traffic between the two sites.
Do IPv4 routing into the tunnels (for those networks which are on the other side).
Now you should be fine :-)
Also, if you have any problems with the VPN, you should be fine with the following documentation: Link - Juniper.net