Is there any particular reason you're not going to use IPv6 all the way through?

NAT64, while supported on the JunOS line of hardware (currently not ScreenOS that I know of), is very highly NOT recommended by anyone actually involved in developing and building out IPv6.

Technically speaking what you're asking for will work, however your internal networks, if designed properly, will also be dual stacked architecture.

That I know of there's not a really good design on how VPN networks are supposed to operate with IPv6 all the way through, my assumption is either you'll use routes that will advertise specific routes for each network over the VPN, and firewall accordingly.

It will be very interesting to see how that works in the end, as I haven't done it.

You will need ScreenOS 6.3 for OSPFv3, which has IPv6 support.

After re-reading much of the Juniper IPv6 documentation for ScreenOS and wrapping my head around it, it appears you can do this, though if you're looking at a transition mechanism I'd probably look into just migrating everything to dual stack.

If you check the ScreenOS Reference Guide under the IPv6 section you will find that you can do the following modes for VPN tunnels: 6in6, 6in4, 4in6.

This is described in Part 14, Chapter 69.

Hi A-KO,

I do think you did miss his question, he actually does not ask for NAT64!

He doe want to do:

Trusted Networks IPv4 which do get routed into the IPSEC Tunnel

The IPSEC Gateway IPs are Ipv6.

To your question Koopobol: YES it does work!

regards

NULL

Thanks for your answers A-KO but NULL is right : I do not want to do NAT64 (or other transition mechanisms), I just want to make an IPsec VPN with both peers connected with IPv6 (networks stay in IPv4 and pass through this tunnel).

NULL, can you tell me more about this ? (implementation of the tunnel - maybe I need to use GRE ?- , which Juniper's devices can make this etc.)

Thanks,

Armand

Hi Koopobol,

first over all you need to enable IPv6 on the device: LINK - Juniper.net IPv6

Configuration:

configure on your Untrust Zone (Service Provider Facing) the IPv6 which the SP did provide for you.

Put a default route for IPv6 traffic to the Gateway IP of the SP Device.

Create the internal Segmentation by Zones and Logical Interfaces (IPv4 Networks)

Create a Tunnel Interface with it's own Zone (For better management / segmentation)

Create Policy's (Various directions if needed)

Create IPSEC Phase 1 Gateways 

Create IPSEC Phase 2 Settings

Don't forget to enable "VPN Monitor" so the link remains continuously UP, even if there is no real traffic between the two sites.

Do IPv4 routing into the tunnels (for these networks which are on the other side)

now you should be fine :-)

Also if you have any problems with VPN you should be fine with the following Documentation Link - Juniper.net

regards

NULL