[j-nsp] Juniper -> FreeBSD IPv6 tunnel
Paul Connally
pconnally at utdallas.edu
Mon Apr 4 13:25:13 EDT 2005
Pekka Savola wrote:
> On Fri, 1 Apr 2005, Paul Connally wrote:
>
>> show configuration interfaces ip-2/1/0
>> unit 0 {
>>     tunnel {
>>         source <Juniper IPv4>;
>>         destination <FreeBSD IPv4>;
>>     }
>>     family inet6 {
>>         address <IPv6::1>/64;
>
>
> You may be hitting AFAIK an undocumented (though we opened a case
> requesting documentation) "implementation feature" of tunneling, if you
> use IP filtering at the underlying interfaces.

I figured it out; there IS a firewall at the edge of our network a few
hops past the FreeBSD box (before you reach the Juniper, which is
another AS).

I had to permit protocol 41 (IPv6, oddly enough) inbound on the firewall
before it'd work. It's quite interesting, as you see the outbound
traffic go through the firewall and hit the Juniper, but the return inbound
doesn't come back in without the permit.

Even though our firewall is 'supposed' to be stateful, the initiating
outbound flow won't let protocol 41 back in.
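
The behaviour reported above can be reproduced with a small model. This is an added example, not part of the original message and not any vendor's code. It assumes a firewall that permits all outbound traffic but keeps return state only for ICMP, TCP and UDP; the `EdgeFirewall` class, the helper names and the documentation-range addresses are hypothetical, and the packets are constructed samples.

```python
import ipaddress
import struct

PROTO_6IN4 = 41          # IANA protocol number: IPv6 encapsulated in IPv4
TRACKED = {1, 6, 17}     # assumption: state is kept only for ICMP, TCP, UDP

def build_6in4(src, dst):
    """Constructed sample: IPv4 header (proto 41, checksum left 0) + bare IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + bytes(32)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_6IN4, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return outer + inner

def parse_outer(pkt):
    """Return (src, dst, proto, is_6in4) decoded from the outer IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, proto, proto == PROTO_6IN4 and len(pkt) > ihl and pkt[ihl] >> 4 == 6

class EdgeFirewall:
    """Hypothetical model: outbound always allowed, inbound needs state or a permit."""
    def __init__(self, inbound_permit=()):
        self.inbound_permit = set(inbound_permit)
        self.flows = set()

    def outbound(self, pkt):
        src, dst, proto, _ = parse_outer(pkt)
        if proto in TRACKED:                 # protocol 41 never creates a state entry
            self.flows.add((dst, src, proto))
        return True

    def inbound(self, pkt):
        src, dst, proto, _ = parse_outer(pkt)
        return (src, dst, proto) in self.flows or proto in self.inbound_permit

def tunnel_works(fw, inside, outside):
    """Send one tunnel packet out, then test whether the reply is let back in."""
    fw.outbound(build_6in4(inside, outside))
    return fw.inbound(build_6in4(outside, inside))

if __name__ == "__main__":
    print(parse_outer(build_6in4("192.0.2.10", "198.51.100.1")))
    print("no permit:", tunnel_works(EdgeFirewall(), "192.0.2.10", "198.51.100.1"))
    print("permit 41:", tunnel_works(EdgeFirewall({41}), "192.0.2.10", "198.51.100.1"))
```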