Netscreen IPv6 Tunnel Guide

Below shows you the steps on how to configure a tunnel that will encapsulate your IPv6 traffic within an IPv4 tunnel.

Please Note : Below uses the Zone Work which is the equivalent to Trust and contains eth1. Ethernet3 is the untrust interface.

Enable IPv6

Add the following command and then reboot your device,

set envar ipv6=yes

Build your Tunnel Interface 

This builds your tunnel interface and binds it to your Untrust Zone,

set interface "tunnel.6" zone "Untrust"
set interface tunnel.6 ip unnumbered interface eth3 
set interface "tunnel.6" ipv6 mode "host"
set interface "tunnel.6" ipv6 enable
set interface tunnel.6 tunnel encap ip6in4 manual
set interface tunnel.6 tunnel local-if ethernet3 dst-ip [Tunnel Broker IPv4 address]
set interface tunnel.6 mtu 1420
set interface tunnel.6 ipv6 nd nud
set interface tunnel.6 ipv6 nd dad-count 0

Configure your Inside Interface

This configures IPv6 on your inside (or Trust interface). Due to the fact im using a weird and wonderful port mode on this Netscreen. My Trust Zone is called Work.

set interface eth1 ipv6 mode "router"
set interface eth1 ipv6 ip 2001:xxx:xxx:xxx::1/64
set interface eth1 ipv6 enable
set interface eth1 ipv6 ra transmit
set interface eth1 ipv6 nd nud
unset interface eth1 ipv6 ra link-address

Add your Default Route

To add your default route :

set route ::/0 interface tunnel.6 gateway :: preference 20

Add a Policy

set policy id 14 from "Work" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 15 from "Untrust" to "Work"  "Any-IPv6" "Any-IPv6" "ANY" deny log

To Remove the Tunnel Interface

Below removes the Tunnel interface :

unset interface "tunnel.6" ipv6 enable
unset interface "tunnel.6" ipv6 mode
unset interface tunnel.6 tunnel 
unset interface tunnel.6 mtu 
unset interface tunnel.6 ip
unset interface "tunnel.6" zone 
unset interface "tunnel.6"

Test

Use the following command to test connectivity :

ping [IPv6 address] from eth1

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial