SRX Services Gateway

HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-23-2010 01:28 PM

Hi all,

 

I upgraded an SRX210 in our lab to 10.4R1 and was hoping to play around with the IPv6 flow-based features by using a Hurricane Electric IPv6 tunnel... but I'm having some issues.

If the box is in IPv6 packet mode, it's working:

 

admin@SRX> show configuration security forwarding-options 
family {
    inet6 {
        mode packet-based;
    }
}


admin@SRX> ping ipv6.google.com 
PING6(56=40+8+8 bytes) 2001:470:XXX:YYY::2 --> 2001:4860:8007::67
16 bytes from 2001:4860:8007::67, icmp_seq=0 hlim=57 time=76.974 ms
16 bytes from 2001:4860:8007::67, icmp_seq=1 hlim=57 time=72.972 ms
16 bytes from 2001:4860:8007::67, icmp_seq=2 hlim=57 time=158.653 ms
16 bytes from 2001:4860:8007::67, icmp_seq=3 hlim=57 time=66.660 ms

However, if the box is in flow-based mode it doesn't seem to work (I can't even ping the other end of the HE tunnel, let alone ipv6.google.com).

 

This is the configuration of my HE tunnel, from their own instructions:

 

ip-0/0/0 {
    unit 0 {
        description "IPv6 tunnel to Hurricane Electric";
        tunnel {
            source A.B.C.D;
            destination 216.66.22.2;
        }
        family inet6 {
            address 2001:470:XXX:YYY::2/64;
        }
    }
}

Anyone have any ideas? I will post my flow-based config later today, but I have a default-permit policy for traffic from trust to untrust that allows 'any' traffic for v4 and v6. I assigned my ip-0/0/0 interface to the untrust zone.

 

Thanks,

Will

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-23-2010 01:47 PM

OK, here is my flow-based config:
admin@SRX> show configuration security forwarding-options 
family {
    inet6 {
        mode flow-based;
    }
}


admin@SRX> show configuration security zones security-zone untrust
interfaces {
    ip-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}

admin@SRX> ...rity policies from-zone trust to-zone untrust
policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Also I am trying to ping from the SRX, as I don't currently have an IPv6 host behind it to test with.

Will

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-23-2010 08:46 PM

Hi,

The IPv6 tunnel to HE.net has not been working since the upgrade to 10.4R1. But it worked before in 10.3R2; you may try downgrading to 10.3R2.

PS: It is set to flow mode.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-25-2010 11:16 PM

I am also seeing the same issue after upgrading to 10.4R1 using an HE tunnel and forwarding-options family inet6 mode flow-based. I ran ICMP and HTTP tests from multiple inside IPv6 hosts as well as from the Juniper SRX; it doesn't work.
When I changed the mode to packet-based, ICMP/HTTP works with no problems.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-27-2010 02:48 PM

Hmm, I didn't play with it yet, but I thought I read it's flow-based in 10.4. That might mean you need to add IPv6 policies in the permit rules. I have to take a look in the documentation about that!

best regards,

Screenie.
Juniper Ambassador, Instructor, JNCIP
If this worked for you, please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-27-2010 04:24 PM

If I'm not mistaken, now the keyword 'any' represents any IPv4 or IPv6 traffic, which is what my current outbound policy is using.

The problem is I can't ping the HE tunnel endpoint from the SRX... I thought it may be because of neighbor solicitations or something being blocked, but I modified my security zone config (see below), but still no luck.

admin@SRX> show configuration security zones security-zone untrust 
interfaces {
    ip-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                all;
                telnet {
                    except;             
                }
                ssh {
                    except;
                }
            }
            protocols {
                all;
            }
(output truncated to only show the new IP tunnel interface)

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

12-27-2010 06:13 PM

I did a rollback from 10.4 to 10.3R1.9 and everything started working again.

I am using IPv6 flow-based with no issues in 10.3R1.9 and have several rules for IPv6 web servers behind my Juniper SRX.

I am also unable to ping the HE tunnel from the Juniper SRX and from internal hosts.

I did some trace captures and did not see anything being dropped, and saw flows being created for inbound and outbound IPv6 traffic. I know on earlier versions like 10.0 IPv6 flow-based would not work and you had to use packet-based; maybe it's broken again in 10.4?

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

01-13-2011 09:56 AM

Just set up an HE tunnel and did some testing. Just FYI in case somebody struggles with these releases:

Flow mode works on 10.3R2.11

Flow mode is broken, but packet mode works on 10.4R19, 10.2R3.10

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

01-13-2011 10:04 AM

Yes, I agree and saw the same with my testing: 10.4 breaks flow-based with IPv6, packet-based works no problem.

I am staying on 10.3R19 so I can use flow-based for my IPv6 rules.

Guess someone needs to put in a JTAC case to see if they will fix it in the next 10.4 release.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

01-21-2011 06:54 AM

Hi,

Same problem for me, after upgrading no IPv6 tunnel any more:

working version: 10.3, non-working: 10.4 :-(

Did anybody find the solution?

Brian

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-16-2011 01:46 PM

Just loaded 10.4R2.7 and v6 flow mode on my HE tunnel is now broken (works when mode is packet-based). I'll open a JTAC case in the next few days to get some movement on this... until then, back to 10.3.

-Gerry

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-18-2011 03:46 PM

If the JTAC case is publicly accessible, can you please post a link to it here? I'm surprised that Juniper let two releases slip out the door with this regression.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-19-2011 01:11 PM

Did you notice that during boot-up this message is always there?

Loading configuration ...
Network security daemon: warning: You have enabled/disabled inet6 flow.
Network security daemon: You must reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
mgd: commit complete

It used to only show up the very first time after you enabled IPv6 flow mode. Now this message shows up every time I reboot the unit.

R

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-23-2011 12:45 PM

Juniper removed the feature! I have the same problem: when moving from 10.3R2 to 10.4R2 I lost my HE.net tunnel. I opened a case with JTAC and this is the response I got:

Hi,

I consulted my seniors and found that the IPv6 tunnel support has been removed from version 10.4. The reason being that this kind of traffic bypassed the security flow, as it could not be inhibited with an IPv4 security policy. It is scheduled to be fixed in the 11.4 time frame.

I can't believe it! Wait until 11.4 for a feature we had for years?

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-24-2011 12:54 PM

I just got some additional information from a Juniper Systems Engineer. I informed him of the problem we are all having with 6in4 tunnels and this is the email response I got back:

I got some additional info on the 6in4 issue. It sounds like it was never an officially supported feature in flow mode (only in packet mode), and apparently it was a bug fix that broke the feature inadvertently rather than a deliberate choice to take it out of 10.4. Since it wasn't considered a supported feature it wasn't documented in the release notes when it broke. I realize that's a somewhat lame answer, so I apologize for that.

On a positive note, one of the guys I talked to has come up with a workaround. It's not JTAC supported, but might be worth a try.

The fix is to apply a firewall filter to treat the outer packet (IPv4 protocol 41) as stateless, which corrects/refines the behavior of the bug fix to not treat traffic destined to the SRX itself as stateful. The IPv6 traffic itself remains stateful, of course.

The firewall filter applied to the egress interface (wherever the tunnel traffic is going to/from) is all that's needed. Everything else is the same.

joel@chilis220> show interfaces terse ge-0/0/7
Interface               Admin Link Proto    Local                 Remote
ge-0/0/7                up    up
ge-0/0/7.0              up    up   inet     67.1.0.9/20

joel@chilis220> show configuration interfaces ge-0/0/7
mac 00:08:55:01:a6:ea;
unit 0 {
    description Comcast;
    family inet {
        filter {
            input fix-v6v4-tunnel;
        }
        dhcp {
            update-server;
        }
    }
}

joel@chilis220> show configuration firewall family inet filter fix-v6v4-tunnel
term one {
    from {
        destination-address {
            67.1.0.9/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term one.five {
    from {
        source-address {
            67.1.0.9/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term two {
    then accept;
}

This workaround fixed my Hurricane Electric tunnel!

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

02-25-2011 07:16 AM

So is the above workaround for ipv6 in flow mode? If I understand correctly, no such workaround is needed if ipv6 is running in packet mode - which, depending on the required throughput, may be an acceptable option for some.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

03-16-2011 06:49 AM

For anyone else following this saga, I just upgraded my SRX 100 to 10.3R3, from 10.3R2.

The HE IPv6 tunnel was working fine in flow-based mode under 10.3R2, and of course stopped working in 10.3R3. I tried simply deactivating the "security forwarding-options family inet6 mode flow-based" config option, as a reminder to myself to re-activate it at some point in the future. However, the tunnel still failed to come up. I had to explicitly set the mode to packet-based, after which the HE tunnel worked again (on 10.3R3). Maybe IPv6 packets are dropped if the forwarding mode is not specified...?

I suspect this same info will apply to the 10.4 images.

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

03-16-2011 09:23 AM

A further followup, for anyone still confused (me perhaps?).

A word of warning: setting the IPv6 forwarding mode to packet-based will expose your IPv6 hosts to incoming traffic if you do not specifically configure packet filters for them (*packet filters*, not zone-based firewall policies). This will be unacceptable to a lot of people.

Borrowing suggestions from nbarsotti's earlier post, I set IPv6 back to flow-based and added the workaround packet filters for protocol 41. However, since my internet-facing interface gets a dynamic IP (PPPoE), I chose to allow protocol 41 to/from the HE tunnel endpoint, rather than my interface IP address.

Some snippets from my config:

interfaces {
    pp0 {
        unit 0 {
            family inet {
                mtu 1492;
                filter {
                    input fix-6in4;
                }
                negotiate-address;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
}
firewall {
    family inet {
        filter fix-6in4 {
            term t1 {
                from {
                    source-address {
                        216.66.80.30/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t2 {
                from {
                    destination-address {
                        216.66.80.30/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t99 {
                then accept;
            }
        }
    }
}

Using the above config (on 10.3R3), my HE tunnel worked fine, and IPv6 traffic crossing from the untrust to the trust zone was blocked as it should be. I verified that the flow-based firewall was working by creating a policy that allowed pings from outside to my IPv6 hosts in the trust zone. Disabling the policy again blocked traffic, so that definitely seemed to be working correctly. Yay!

Incidentally, I also then tried an upgrade to 10.4R2, but had major problems connecting to websites. Simple text-only pages loaded OK, but anything that had multiple graphics on it resulted in hung connections. No idea what's going on there, and I've run out of time (and patience) for now, so rolled back to 10.3R3.

10.4R1 might have worked (I didn't try it), but I think the 10.4 series in general is a bit shaky still. I'm happy just to have my HE tunnel working *properly*, without exploiting the side-effects of some bug in an earlier Junos release.

The protocol 41 packet filter workaround is described in detail here: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-admin-guid...
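The two workaround filters in this thread (fix-v6v4-tunnel matching the interface address, and fix-6in4 matching the HE endpoint) both key on one thing: the outer IPv4 header carries protocol 41 and the inner IPv6 packet is invisible to any IPv4 policy. The script below is an added example written for this page; it is not code from any of the posters or from Juniper, and it does not reproduce Junos flow handling. It builds a 6in4 packet the way a tunnel endpoint does, parses the outer IPv4 and inner IPv6 headers (with checksum verification), and models what the filter terms match on: protocol 41 to or from any address in tunnel_addrs goes to packet-mode, everything else falls through to the final accept term and the stateful flow path. The 198.51.100.0/24 and 2001:db8::/32 addresses are constructed documentation addresses; 216.66.22.2 is the HE server address from the first post; tunnel_addrs stands in for either the interface address (nbarsotti's version) or the HE endpoint (the pp0 version).

```python
"""6in4 (IPv4 protocol 41) packet builder/parser plus a model of the
protocol-41 packet-mode filter discussed in this thread.  Added example,
not from the thread's posters or from Juniper.  Addresses are constructed."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # outer IPv4 protocol number for 6in4 (RFC 4213)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 when run over a header
    whose checksum field is already correct, which is how parse() verifies it."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b"", next_header=58):
    """An IPv6 packet (default next header 58 = ICMPv6) encapsulated in IPv4 protocol 41,
    which is what an HE tunnel endpoint puts on the wire."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPV6, inner)


def parse(pkt: bytes) -> dict:
    """Decode the outer IPv4 header; for protocol 41 also decode the inner IPv6 header.
    Raises ValueError on a malformed outer header or a bad checksum."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}
    if proto == IPPROTO_IPV6:
        inner = pkt[ihl:total_len]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not an IPv6 packet")
        # The inner addresses are what an IPv6 security policy would need to see;
        # an IPv4-only policy never gets past the outer header.
        info["inner"] = {"next_header": inner[6],
                         "src": str(ipaddress.IPv6Address(inner[8:24])),
                         "dst": str(ipaddress.IPv6Address(inner[24:40]))}
    return info


def classify(pkt: bytes, tunnel_addrs) -> str:
    """Model of the posted filter terms: outer protocol 41 to or from one of
    tunnel_addrs is sent to packet-mode; everything else is accepted into the
    stateful flow path (the final 'then accept' term)."""
    info = parse(pkt)
    if info["proto"] == IPPROTO_IPV6 and (info["src"] in tunnel_addrs or info["dst"] in tunnel_addrs):
        return "packet-mode"
    return "flow"


if __name__ == "__main__":
    # Constructed sample: an ICMPv6 echo request from a local tunnel endpoint to HE.
    pkt = build_6in4("198.51.100.10", "216.66.22.2", "2001:db8:1::2", "2001:db8::1",
                     b"\x80\x00\x00\x00")
    print(parse(pkt))
    print(classify(pkt, {"216.66.22.2"}))
```

Two things the model makes visible. With the endpoint-address variant, protocol 41 from any other IPv4 source still goes to the flow path, so the exemption is limited to the one peer you configured; with the interface-address variant, any protocol 41 packet addressed to the interface is exempted regardless of peer. In both variants the inner IPv6 packet is still subject to the zone policies once it exits the tunnel interface, which is the behaviour the last config post verified with its ping policy.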

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

04-11-2011 08:28 AM

Firstly, I'd like to say that your solution for 10.3R3+ is brilliant.

Secondly, I had heard that 6in4 tunneling would be officially supported in 11.1. Now that it's out, has anybody tried it?

Re: HE IPv6 tunnel with flow-based IPv6 in 10.4?

04-12-2011 08:19 PM

Yes, I have tried it and it did not work using 11.1R1.10.

I had to implement the fix stated above. Thanks and kudos given!!!