2% of my Brain » Netscreen http://www.ten-berg.nl Mon, 11 Apr 2011 05:45:09 +0000 en hourly 1 http://wordpress.org/?v=3.3 Netscreen IPv6 Configuration http://www.ten-berg.nl/2007/04/24/netscreen-ipv6-tunnel-howto/ http://www.ten-berg.nl/2007/04/24/netscreen-ipv6-tunnel-howto/#comments Tue, 24 Apr 2007 12:00:20 +0000 Marcel http://www.ten-berg.nl/2007/04/24/netscreen-ipv6-tunnel-howto/ IPv6 is possible on a Netscreen device. JTAC only gives support on the bigger models ( I used an 5gt-wireless to setup a tunnel)

Be advised that the IPv6 part of the webinterface is buggy.

I build the tunnel between an Juniper M7i and a Netscreen 5gt-wireless
You only will find the config to configure your Netscreen device in this document.

First step to do is to enable ipv6 in the device. You have to do this on the commandline (serialconsole/telnet/ssh).

Config needs to be done on the command line of your netscreen device

set envar ipv6=yes

Save your config and reset the device.

Some Background info:

  • Trust interface 10.10.10.1 – Trust
  • Untrust interface – Untrust
  • IPv6 broker (choose any you like. SixXs is preffered) – 213.204.x.x
  • IPv6 subnet – 2001:960:2000::/48

First configure the Trust interface:

set interface "Trust" ipv6 mode "router"
set interface "Trust" ipv6 ip 2001:960:2000::2/48
set interface "Trust" ipv6 enable
unset interface Trust ipv6 ra link-address
set interface Trust ipv6 ra transmit
set interface Trust ipv6 nd nud
The trust interface is configured with the IPv6 subnet, also auto configuration of other devices behind the trust interface should be working.

Time to configure the tunnel:

set interface "tunnel.6" zone "Untrust"
set interface tunnel.6 ip unnumbered interface Untrust
set interface "tunnel.6" ipv6 mode "host"
set interface "tunnel.6" ipv6 enable
set interface tunnel.6 tunnel encap ip6in4 manual
set interface tunnel.6 tunnel local-if bgroup2 dst-ip 213.204.x.x

Next step is to setup a static route towards the far end side:

set route ::/0 interface tunnel.6 gateway :: preference 20

Now we need a policy to allow traffic in/out:

set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77
set policy id 78 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 78

Use these policy’s at your own risk. Your IPv6 network is now fully open. You need to configure strict policy’s to keep your network safe.

NOTE: Do not ask me questions how to configure your clients behind a netscreen. Google is your friend.
I’m not a tunnel-broker so stop bugging me with questions to get an IPv6 Tunnel !!!!

]]> http://www.ten-berg.nl/2007/04/24/netscreen-ipv6-tunnel-howto/feed/ 1