fir3net

Netscreen IPv6 Tunnel Guide

The steps below show how to configure a tunnel that encapsulates your IPv6 traffic within an IPv4 tunnel.

Please note: the configuration below uses the zone Work, which is the equivalent of Trust and contains eth1. Ethernet3 is the Untrust interface.

Enable IPv6

Add the following command and then reboot your device:

set envar ipv6=yes

Build your Tunnel Interface 

This builds your tunnel interface and binds it to your Untrust zone:

set interface "tunnel.6" zone "Untrust"
set interface tunnel.6 ip unnumbered interface eth3
set interface "tunnel.6" ipv6 mode "host"
set interface "tunnel.6" ipv6 enable
set interface tunnel.6 tunnel encap ip6in4 manual
set interface tunnel.6 tunnel local-if ethernet3 dst-ip [Tunnel Broker IPv4 address]
set interface tunnel.6 mtu 1420
set interface tunnel.6 ipv6 nd nud
set interface tunnel.6 ipv6 nd dad-count 0

Configure your Inside Interface

This configures IPv6 on your inside (or Trust) interface. Because I'm using a weird and wonderful port mode on this Netscreen, my Trust zone is called Work.

set interface eth1 ipv6 mode "router"
set interface eth1 ipv6 ip 2001:xxx:xxx:xxx::1/64
set interface eth1 ipv6 enable
set interface eth1 ipv6 ra transmit
set interface eth1 ipv6 nd nud
unset interface eth1 ipv6 ra link-address

Add your Default Route

To add your default route:

set route ::/0 interface tunnel.6 gateway :: preference 20

Add a Policy

set policy id 14 from "Work" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 15 from "Untrust" to "Work"  "Any-IPv6" "Any-IPv6" "ANY" deny log
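
An added example, not part of the original guide: a Python check over a saved configuration that confirms each ip6in4 tunnel's zone has a logged IPv6 deny towards the inside zone and no inbound Any-IPv6 permit. This matters because hosts behind the tunnel carry globally routable addresses. The function name, the default inside zone "Work" and the second sample config are assumptions constructed for illustration.

```python
import shlex

def audit_ip6in4(config, inside_zone="Work"):
    """Check inbound IPv6 policy for every ip6in4 tunnel in a 'set' config dump."""
    zones, tunnels, policies, findings = {}, set(), [], []
    for raw in config.splitlines():
        try:
            tok = shlex.split(raw)  # drops the quotes around zone and address names
        except ValueError:          # unbalanced quote in an unrelated line
            continue
        if tok[:2] == ["set", "interface"] and tok[3:4] == ["zone"] and len(tok) >= 5:
            zones[tok[2]] = tok[4]
        elif tok[:2] == ["set", "interface"] and tok[3:6] == ["tunnel", "encap", "ip6in4"]:
            tunnels.add(tok[2])
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12:
            # set policy id N from SRC to DST src-addr dst-addr service action [log]
            policies.append({"id": tok[3], "from": tok[5], "to": tok[7],
                             "src": tok[8], "action": tok[11], "log": "log" in tok[12:]})
    for ifname in sorted(tunnels):
        zone = zones.get(ifname)
        if zone is None:
            findings.append(f"{ifname}: ip6in4 tunnel is not bound to a zone")
            continue
        inbound = [p for p in policies if (p["from"], p["to"], p["src"])
                   == (zone, inside_zone, "Any-IPv6")]
        for p in inbound:
            if p["action"] == "permit":
                findings.append(f"policy {p['id']}: permits Any-IPv6 from {zone} to {inside_zone}")
            if not p["log"]:
                findings.append(f"policy {p['id']}: not logged")
        if not any(p["action"] == "deny" for p in inbound):
            findings.append(f"{ifname}: no explicit IPv6 deny from {zone} to {inside_zone}")
    return findings

# Lines taken from the guide above (tunnel.6 in Untrust, policies 14 and 15).
GUIDE = '''
set interface "tunnel.6" zone "Untrust"
set interface tunnel.6 tunnel encap ip6in4 manual
set policy id 14 from "Work" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 15 from "Untrust" to "Work"  "Any-IPv6" "Any-IPv6" "ANY" deny log
'''
# Constructed variant: policy 15 changed to an unlogged permit.
OPEN = GUIDE.replace("deny log", "permit")

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE), ("constructed", OPEN)):
        print(name, audit_ip6in4(cfg) or "ok")
```
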

To Remove the Tunnel Interface

The commands below remove the tunnel interface:

unset interface "tunnel.6" ipv6 enable
unset interface "tunnel.6" ipv6 mode
unset interface tunnel.6 tunnel
unset interface tunnel.6 mtu
unset interface tunnel.6 ip
unset interface "tunnel.6" zone
unset interface "tunnel.6"

Test

Use the following command to test connectivity:

ping [IPv6 address] from eth1

Tags: IPv6, Netscreen

About the Author

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001