SRX Services Gateway

Re: SRX and IPv6

02-24-2011 08:46 AM

I was just told by a JTAC engineer that in Junos 10.4 they have removed support for 6in4 tunnels to services like Hurricane Electric. They don't plan on adding it back until 11.4. My tunnel worked on 10.3R2 and broke when I moved to 10.4R2. That is why I opened the case.

I thought Juniper was supposed to be an IPv6 leader. hmmmm.

Re: SRX and IPv6

02-25-2011 05:52 AM

6in4 tunnels are not likely to be used for enterprise connectivity,

How about this for a limitation: I have a client who uses SRX5800 and is getting ready to turn on IPv6 for their web server segment (and that segment only). The SRX cannot offer IDP on the IPv6 traffic. So now it's time to bake off other vendors to see what their IDP/IPS devices can offer for IPv6.

Re: SRX and IPv6

02-25-2011 08:03 AM

Hi.

The 6in4 support in branch SRX was originally inherited from core Junos and was supported in packet-mode. We discovered that there was a possibility that it could be used to circumvent the security policies on the device (no, I won't disclose any more details) so we had to address that.

We are flow-enabling all existing IPv6 features along with adding new ones, but it takes time.


--mxk

Re: SRX and IPv6

02-25-2011 08:07 AM

A more accurate characterization would be "does not yet offer IDP for IPv6 traffic". Talk to your sales rep, it may be available sooner than you think...


--mxk

Re: SRX and IPv6

02-25-2011 09:08 AM

Interesting, thank you. I'm mulling this over with our channel SEs right now.

We found this document:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-srx-jseries-support...

which shows IPv6 IDP to be supported today on SRX100/210/240, and unsupported on every other platform at present.

Re: SRX and IPv6

02-28-2011 09:22 AM

Without revealing the *dirty* details, I was wondering if the security bypass for 6IN4 tunnels was attributed to whether the ip-0/0/0 and underlying IPv4 interface were in the same zone? I'm currently running mine in separate zones (on 10.3R1.9) and therefore just curious if this configuration is also susceptible to the same security bypass?

Re: SRX and IPv6

03-02-2011 01:14 PM

I haven't had a close look at the tunnel setup yet, but wouldn't it be possible to get a working setup by terminating the tunnel in a packet-vr and then sending it to a second vr for flow based processing? There is an appnote describing how to do this for MPLS traffic, but tunneled v6 is probably similar. Just a thought

Re: SRX and IPv6

06-09-2011 04:33 AM

Does anybody know when ISIS will support IPv6 on the SRX?

Re: SRX and IPv6

06-22-2011 01:15 PM

nbarsotti,

Thanks for posting this. It explains why my SixxS tunnel stopped working when JTAC advised me to move off 11.x (due to it causing spontaneous reboots on my SRX210), moving back to 10.4R4.

So now I get to play the game of "which is more important to me, stability or IPv6?"

Re: SRX and IPv6

01-25-2012 09:23 PM

Does the SRX650 require a license for IPv6?

Not needed, right?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"

Re: SRX and IPv6

01-27-2012 11:49 PM

Nope, no license needed.

My home network is IPv6 only, and not a license in sight.

It was interesting to read through this old thread, though.

Joel

Re: SRX and IPv6

02-15-2012 01:32 AM

Hi all,

Can someone share some links or KB links on implementing IPv6 on SRX or EX Switches?

Here's a link we found:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-srx-jseries-support...

Thanks!

Michael

Re: SRX and IPv6

04-20-2012 01:31 PM

Does anyone have a preferred JunOS version for low end SRXs these days? Currently running 10.4 on an SRX100. Specifically one that perhaps doesn't require the firewall workaround to put (e.g.) a HE.net tunnel into packet mode for IPv6.

Thanks, Tom

Re: SRX and IPv6

08-27-2012 11:17 PM

What is a HE.net tunnel?
Thanks!

Michael

Re: SRX and IPv6

08-28-2012 01:27 AM

Hi,

HE = Hurricane Electric

HE Tunnel = http://tunnelbroker.net/

European people might have better connectivity to sixxs, though: http://www.sixxs.net/

-R

--
JNIS-ENT + SEC
Juniper Learning Academy Master
Innovative Champion
Juniper Elite Partner

Re: SRX and IPv6

09-30-2012 12:51 PM

FWIW I stuck 12.1R3.5 on my SRX 100, and there doesn't appear to be any need for the IPv6-in-IP tunnel hack-around any more.

Haven't tested any earlier versions, but someone may like to comment on a previous version.

(On 12.1R2.9 I had issues with SNMP values getting "stuck".)

Re: SRX and IPv6

11-25-2012 02:31 PM

I can confirm that on 12.1R4.7, the filter packet mode hack isn't needed anymore.

I believe my earlier problem was that I forgot to put the ip-0/0/0.0 interface in the untrust zone. Not sure why it worked on earlier versions without it.