[j-nsp] Juniper -> FreeBSD IPv6 tunnel
Pekka Savola
pekkas at netcore.fi
Sat Apr 2 01:18:11 EST 2005
On Fri, 1 Apr 2005, Paul Connally wrote:

> show configuration interfaces ip-2/1/0
> unit 0 {
>     tunnel {
>         source <Juniper IPv4>;
>         destination <FreeBSD IPv4>;
>     }
>     family inet6 {
>         address <IPv6::1>/64;

You may be hitting AFAIK an undocumented (though we opened a case
requesting documentation) "implementation feature" of tunneling, if
you use IP filtering at the underlying interfaces.

You must allow the particular encapsulation, with <Juniper IPv4>
source address to be used as a source address "from the outside".

For example, we're using uRPF, and have to have the following as the
first term of the RPF_FAIL filter.

    term Allow_Juniper_IP_Encapsulation_Bug {
        from {
            source-address {
                <v4 tunnel endpoint>/32;
            }
            protocol [ ipip gre ipv6 ];
        }
        then {
            count IPIP-encapsulation;
            accept;
        }
    }

[...]
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
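
The term from the message above, shown in context as an added example that is not part of the original post: where a uRPF fail filter is attached and why term order matters. The interface placeholder, the Discard_Rest term and its counter name are hypothetical; RPF_FAIL and the first term are taken from the message.

```junos
/* Added example, not from the original post.
   <upstream interface>, Discard_Rest and RPF-fail-discard are placeholders. */
interfaces {
    <upstream interface> {
        unit 0 {
            family inet {
                /* Packets that fail the uRPF check are handed to RPF_FAIL
                   instead of being dropped outright. */
                rpf-check fail-filter RPF_FAIL;
            }
        }
    }
}
firewall {
    filter RPF_FAIL {
        /* Kept first: terms are evaluated in order and the first match wins,
           so a broader discard term above it would drop the tunnel traffic. */
        term Allow_Juniper_IP_Encapsulation_Bug {
            from {
                source-address {
                    <v4 tunnel endpoint>/32;
                }
                /* Only the encapsulation protocols, only from the one /32. */
                protocol [ ipip gre ipv6 ];
            }
            then {
                count IPIP-encapsulation;
                accept;
            }
        }
        /* Hypothetical final term: everything else that failed uRPF is dropped. */
        term Discard_Rest {
            then {
                count RPF-fail-discard;
                discard;
            }
        }
    }
}
```

The two counters appear in `show firewall` output, which shows whether tunnel packets are matching the exception or falling through to the discard term.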