Juniper SRX IPv6 configuration not working
Shadow Hawkins on Thursday, 12 December 2013 13:26:44
I am trying to configure my Juniper SRX for the SixXS IPv6 tunnel. Previously it was working with aiccu, so I am sure the tunnel works; however, I would like to have it on my Juniper.
Here is how I configured it:
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:1af8:fe00:2cf::2/64
set interfaces vlan unit 0 family inet6 address 2001:1af8:fee9::1337/64
set routing-options rib inet6.0 static route 0::/0 next-hop 2001:1af8:fe00:2cf::1
set security forwarding-options family inet6 mode flow-based
set interfaces ip-0/0/0 unit 0 tunnel source [my source ip]
set interfaces ip-0/0/0 unit 0 tunnel destination 94.75.219.73
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:1af8:fe00:2cf::2/64
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic protocols all
I checked and CAN ping my local interface:
me@srx> ping 2001:1af8:fe00:2cf::2
PING6(56=40+8+8 bytes) 2001:1af8:fe00:2cf::2 --> 2001:1af8:fe00:2cf::2
16 bytes from 2001:1af8:fe00:2cf::2, icmp_seq=0 hlim=64 time=3.524 ms
However, I cannot ping the other side:
PING6(56=40+8+8 bytes) 2001:1af8:fe00:2cf::2 --> 2001:1af8:fe00:2cf::1
^C
--- 2001:1af8:fe00:2cf::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
I also do not see you as an IPv6 neighbor:
me@srx> show ipv6 neighbors
IPv6 Address Linklayer Address State Exp Rtr Secure Interface
2001:1af8:fee9::101 00:0c:29:40:c2:80 stale 648 no no vlan.0
fe80::20c:29ff:fe40:c280 00:0c:29:40:c2:80 stale 798 no no vlan.0
I added some hosts on the inside and those work:
PING6(56=40+8+8 bytes) 2001:1af8:fee9::1337 --> 2001:1af8:fee9::101
16 bytes from 2001:1af8:fee9::101, icmp_seq=0 hlim=64 time=8.725 ms
16 bytes from 2001:1af8:fee9::101, icmp_seq=1 hlim=64 time=8.114 ms
^C
--- 2001:1af8:fee9::101 ping6 statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
I followed the procedure from your side for configuring the tunnel + I changed the tunnel from aiccu to static on the SixXS dashboard/ssc.
Thanks in advance for any help.
Juniper SRX IPv6 configuration not working
Shadow Hawkins on Thursday, 12 December 2013 13:29:17
I got back a reply from SixXS support btw, but they are not really helpful. I am not blocking anything, I can ping on IPv4 my router without issues. Traffic is just not working towards my gateway. Since it was previously 'up' via aiccu, I was thinking ... IPv6 neighbors should already be expired. Right?
Thanks,
Sven
On 2013-12-12 04:25, Sven Versluis wrote:
> Dear Sir/Madam, I am trying to configure my Juniper SRX for the SixXS IPv6 tunnel. Previously it was working with aiccu, so I am sure the tunnel works; however, I would like to have it on my Juniper.
From your Live PoP status in the webinterface:
ICMPv4 Errors Received : 35, last: 178.84.70.234 2013-12-09 21:55:34
(1386626134; 2 days 14:57:15 ago)
which shows that you are rejecting some kind of packets, likely the IPv6
tunneled packets.
You will have to look at the running configuration, not the commands
that you entered, to see what is wrong. Please use the forum for this as
there will be people there who will know the answer.
Juniper SRX IPv6 configuration not working
Jeroen Massar on Thursday, 12 December 2013 13:58:22
> I got back a reply from sixxs support btw, but they are not really helpful.
We cannot be more helpful as we do not have any details on your host, it is your host.
Also there is no such thing as "SixXS support", we do not have time to help out with configuring your hosts.
We do sometimes peek at the forums though to give a guiding hand and we heavily recommend posting in the forums as there will be people here who actually play with Juniper SRXs and are able to give better guidance. Hence why we state to post to the forums. More people, more knowledge and thus likely a higher success rate.
> I am not blocking anything, I can ping on IPv4 my router without issues.
A ping on IPv4 is a completely different type of traffic than proto-41 packets, which are influenced by an IPv4 and IPv6 firewall and of course also require a properly configured tunnel.
Note also that next to a firewall there are a LOT of variables that can influence the working of the tunnel.
As you are not showing the firewall rules that are in place, how is anybody here to verify that you are not blocking anything?
> Traffic is just not working towards my gateway.
Which indicates a 'broken tunnel', but that can mean anything.
As you are not showing any running configuration, how do you expect anybody to help you out?
Note that showing the commands you typed now does not show any of the other configuration out there.
> Since it was previously 'up' via aiccu,
Where you were using an AYIYA tunnel, which is UDP based. Next to that, that tunnel did not run off your Juniper; it is thus a completely different environment and everything changed.
> I was thinking ... IPv6 neighbors should already be expired. Right?
Where exactly would "ipv6 neighbors" be involved in this?
Static tunnels are just that, static. There are thus no ipv6 neighbors.
Also, you claim the host is running "Juniper SRX" but are failing to mention which software release it is and what hardware/model it is, what kind of options you have etc.
Note that there are a variety of Juniper SRX releases which did not support protocol 41 packets at all, even though a series of older ones did.
You really need to provide details if you want anybody to help you out.
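The distinction drawn in the post above (an IPv4 ping, a UDP-based AYIYA tunnel and a static protocol-41 tunnel are three different kinds of IPv4 traffic), shown as an added example that is not part of the original thread. The packets are constructed samples: the outer IPv4 addresses are documentation ranges and `permitted` is a hypothetical model of a filter that matches only on the IP protocol field; the inner IPv6 addresses are the tunnel endpoints quoted in the first post.

```python
import ipaddress
import struct

KINDS = {1: "icmpv4", 17: "udp", 41: "ipv6-in-ipv4"}  # IANA IP protocol numbers

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Wrap payload in a minimal IPv4 header (checksum left 0; constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6(next_header, payload, src, dst):
    """Wrap payload in a fixed 40-byte IPv6 header."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def classify(packet):
    """Describe a packet the way a filter looking at the outer IPv4 header sees it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"proto": packet[9], "kind": KINDS.get(packet[9], "other")}
    if packet[9] == 41:  # payload must itself be a complete IPv6 packet
        inner = packet[ihl:]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not IPv6")
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return info

def permitted(packet, allowed_protos):
    """Hypothetical IPv4 filter that only matches on the protocol field."""
    return classify(packet)["proto"] in allowed_protos

# Constructed samples; outer IPv4 addresses are documentation ranges, not from the thread.
ECHO4 = struct.pack("!BBHHH", 8, 0, 0, 1, 0)      # ICMPv4 echo request
ECHO6 = struct.pack("!BBHHH", 128, 0, 0, 1, 0)    # ICMPv6 echo request
PING_V4 = ipv4(1, ECHO4)
AYIYA_LIKE = ipv4(17, struct.pack("!HHHH", 40000, 5072, 8, 0))  # UDP to the AYIYA port
STATIC_6IN4 = ipv4(41, ipv6(58, ECHO6, "2001:1af8:fe00:2cf::2", "2001:1af8:fe00:2cf::1"))

if __name__ == "__main__":
    for name, pkt in [("ping", PING_V4), ("ayiya", AYIYA_LIKE), ("6in4", STATIC_6IN4)]:
        print(name, classify(pkt), "passes icmp+udp-only filter:", permitted(pkt, {1, 17}))
```

A path that passes protocols 1 and 17 lets both the ping and the AYIYA-style datagram through while dropping the static tunnel packet, which is why a working IPv4 ping says nothing about protocol 41.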
Juniper SRX IPv6 configuration not working
Shadow Hawkins on Thursday, 12 December 2013 14:36:51
Jeroen Massar wrote:
> > I got back a reply from sixxs support btw, but they are not really helpful.
> We cannot be more helpful as we do not have any details on your host, it is your host.
> Also there is no such thing as "SixXS support", we do not have time to help out with configuring your hosts.
Since you are replying from the SixXS 'support' team, it makes sense, I think, to call this 'SixXS support', doesn't it?
> We do sometimes peek at the forums though to give a guiding hand and we heavily recommend posting in the forums as there will be people here who actually play with Juniper SRXs and are able to give better guidance. Hence why we state to post to the forums. More people, more knowledge and thus likely a higher success rate.
I think I do show these firewall rules actually:
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic protocols all
Since traffic for the tunnel is meant for the SRX, it is inbound traffic. I allow all protocols/system-services as shown above.
> > I am not blocking anything, I can ping on IPv4 my router without issues.
> A ping on IPv4 is a completely different type of traffic than proto-41 packets, which are influenced by an IPv4 and IPv6 firewall and of course also require a properly configured tunnel.
> Note also that next to a firewall there are a LOT of variables that can influence the working of the tunnel.
> As you are not showing the firewall rules that are in place, how is anybody here to verify that you are not blocking anything?
> > Traffic is just not working towards my gateway.
> Which indicates a 'broken tunnel', but that can mean anything.
> As you are not showing any running configuration, how do you expect anybody to help you out?
> Note that showing the commands you typed now does not show any of the other configuration out there.
I am running Junos 11.4R2.14 on the Juniper SRX. FYI the hardware, plus software options are equal between the types of models. It only differs between Juniper SRX, EX, MX, etc. series for example.
Thanks for your reply, I hope somebody can assist me.
> > Since it was previously 'up' via aiccu,
> Where you were using an AYIYA tunnel, which is UDP based. Next to that, that tunnel did not run off your Juniper; it is thus a completely different environment and everything changed.
> > I was thinking ... IPv6 neighbors should already be expired. Right?
> Where exactly would "ipv6 neighbors" be involved in this?
> Static tunnels are just that, static. There are thus no ipv6 neighbors.
> Also, you claim the host is running "Juniper SRX" but are failing to mention which software release it is and what hardware/model it is, what kind of options you have etc.
> Note that there are a variety of Juniper SRX releases which did not support protocol 41 packets at all, even though a series of older ones did.
> You really need to provide details if you want anybody to help you out.
Juniper SRX IPv6 configuration not working
Jeroen Massar on Thursday, 12 December 2013 14:49:08
> Since you are replying from the SixXS 'support' team, it makes sense, I think, to call this 'SixXS support', doesn't it?
Please read our contact and about pages. There is no such thing.
> I think I do show these firewall rules actually:
You paste that now, not in the original post above; but again these are settings you add to your already set settings. That is not your running configuration.
Also take a look at our FAQ and in addition: http://www.cipherghost.com/60/
> FYI the hardware, plus software options are equal between the types of models.
They are not the same, they are quite different. And the software level can make huge differences in what they support and how they process packets.