Tuesday, 26 April 2011

Juniper SSG Firewall IPv6 Tunnel

Fact is that despite the hype and buzz, the uptake of IPv6 has been slow, real slow. If IPv6 was having a race with the turtle it would lose, and it wouldn't need a rest and 40 winks either. Despite the US government mandating the introduction of IPv6 throughout by June 2008, we've not seen huge uptake around the world. World IPv6 Day in 2011 will be used by big brands such as Google to demonstrate that there is a framework for using IPv6 across the internet.

So how do you use it? The IPv6 protocol is really smart, and coexistence with IPv4 networks was designed in from the start. This brief article is all about how we get IPv6 over an IPv4 network using an IPv6 tunnel broker. We recommend the TE guys - so go ahead, sign up for an account, get your /40 IPv6 allocation and come back when you are ready.

You have it now? Great, here we go.

The Juniper SSG firewall has had IPv6 support since ScreenOS version 5.3 or so. The trouble is that it isn't enabled by default and you can only 'turn it on' via the CLI. I'm doing this configuration using ScreenOS 6.2.

set envar ipv6=yes

Now we have to do a reboot...I know...shocking. Anyway, reboot and when you get your box back we'll go on with the next bits.

Create a tunnel interface and bang it into the 'Untrust' zone.

set interface tunnel.1 zone Untrust
set interface tunnel.1 ipv6 mode host


Now we enable IPv6 on the tunnel interface and give it your end of the point-to-point /64 you've been allocated for the tunnel (your address goes on the end of the ipv6 ip command).

set interface tunnel.1 ipv6 ip
set interface tunnel.1 ipv6 enable


We set the encapsulation to 6in4, that is IPv6 encapsulated into IPv4 packets.

set interface tunnel.1 tunnel encap ip6in4 manual

The tunnel is built and pointed at the other end (an IPv4 address this time, because we are going across the normal internet; the broker's IPv4 endpoint goes after dst-ip).

set interface tunnel.1 tunnel local-if untrust dst-ip

Turn off the neighbor discovery checks on the tunnel (unreachability detection and duplicate address detection) - you don't need them because you're not running IPv6 with your ISP...probably.

unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0


Finally you need another default route, this one for your IPv6 traffic, using your broker's IPv6 address as the next hop (it goes after gateway).

set route ::/0 interface tunnel.1 gateway

So that's all you need for the IPv6 tunnel, but you want your LAN hosts to go across it, right? So we need to enable IPv6 on your LAN interface too. The following configuration enables it on a bridge group interface on my SSG, but you can do the same config for any number of ports.

set interface bgroup0 ipv6 mode router
set interface bgroup0 ipv6 ip
set interface bgroup0 ipv6 enable
unset interface bgroup0 ipv6 ra link-address


Now we enable RA (Router Advertisements) so our LAN hosts learn the IPv6 prefix and gateway.

set interface bgroup0 ipv6 ra transmit

We really want to enable neighbor discovery now, because we are running IPv6 on our LAN and our hosts will understand this (if they are dual stack of course...which most modern OSes are).

set interface bgroup0 ipv6 nd nud

So that's it - if you hop into the GUI now and go to Interfaces you should see the state of tunnel.1 as 'Active' or 'Ready'. If your LAN machine is IPv6 aware it should be able to form an IPv6 address using EUI-64 from the advertised prefix, and it will learn the SSG as its gateway to the internet.

You'll need to configure a policy in the SSG to allow outbound IPv6 from Trust to Untrust or it won't let you out! Have a look at your policies and you'll see two distinct sets of entries, one for IPv4 and one for IPv6...all good stuff.
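Before typing the commands above into a live box, it helps to sanity-check the address plan and to see exactly which global address each LAN host will end up with. The script below is an added example, not part of the original post or of ScreenOS: it checks that both tunnel endpoints share one /64, that the LAN /64 sits inside the routed allocation, and derives the EUI-64 address a host forms from the advertised prefix. All addresses in it are constructed from the RFC 3849 documentation range, not real broker values.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a LAN host autoconfigures from the advertised /64 and its MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def check_plan(client: str, server: str, lan_prefix: str, allocation: str) -> list:
    """Return a list of problems with the tunnel and LAN address plan (empty if fine)."""
    problems = []
    c, s = ipaddress.IPv6Interface(client), ipaddress.IPv6Interface(server)
    lan, alloc = ipaddress.IPv6Network(lan_prefix), ipaddress.IPv6Network(allocation)
    if c.network != s.network:
        problems.append("tunnel endpoints are not in the same point-to-point /64")
    if c.network.prefixlen != 64 or lan.prefixlen != 64:
        problems.append("tunnel and LAN prefixes must both be /64")
    if not lan.subnet_of(alloc):
        problems.append("LAN prefix is outside the routed allocation")
    if lan.overlaps(c.network):
        problems.append("LAN prefix overlaps the tunnel /64")
    return problems


if __name__ == "__main__":
    # Constructed values (documentation space), standing in for the broker's data.
    CLIENT, SERVER = "2001:db8:100:1::2/64", "2001:db8:100:1::1/64"
    LAN, ALLOC = "2001:db8:100:2::/64", "2001:db8:100::/40"
    print("plan problems:", check_plan(CLIENT, SERVER, LAN, ALLOC) or "none")
    # Every LAN host gets a globally routable address. There is no NAT behind the
    # tunnel, so the firewall policy alone decides what can reach this host from
    # the Untrust side; the EUI-64 form also embeds the host's MAC in the address.
    print("host address:", eui64_address(LAN, "00:11:22:33:44:55"))
```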

Now fire up a browser and go to test-ipv6.com to see if it's all s-a-weet.

Good Luck, Happy IPv6 Day.
