[j-nsp] family inet6 on st0.x

Mike Williams mike.williams at comodo.com
Mon Aug 5 13:00:15 EDT 2013


Hey all,

Am I being dense, or now that 'family inet6' can be configured on an st0.x interface, does it not actually work?


I've configured the following on a pair of J6350 clusters:

set interfaces st0 unit 634 description rmdcccjs-dwdcccjs
set interfaces st0 unit 634 family inet mtu 1500
set interfaces st0 unit 634 family inet address 10.xxx.xxx.135/31
set interfaces st0 unit 634 family inet6 mtu 1500
set interfaces st0 unit 634 family inet6 address 2a02::87/64
set security ike gateway rmdcccjs-dwdcccjs ike-policy tunnel-pol
set security ike gateway rmdcccjs-dwdcccjs address 178.xxx.xxx.251
set security ike gateway rmdcccjs-dwdcccjs external-interface reth1.500
set security ike gateway rmdcccjs-dwdcccjs version v2-only
set security ipsec vpn rmdcccjs-dwdcccjs bind-interface st0.634
set security ipsec vpn rmdcccjs-dwdcccjs ike gateway rmdcccjs-dwdcccjs
set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity local 10.xxx.xxx.135/31
set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity remote 10.xxx.xxx.134/31
set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity service any
set security ipsec vpn rmdcccjs-dwdcccjs ike ipsec-policy tunnel-pol
set security ipsec vpn rmdcccjs-dwdcccjs establish-tunnels immediately
set security zones security-zone ipsec_vpn interfaces st0.634
set routing-instances ipsec interface st0.634
set routing-instances ipsec protocols ospf area 0.0.0.0 interface st0.634
set routing-instances ipsec protocols ospf3 area 0.0.0.0 interface st0.634


Where 10.xxx.xxx.134/31 and 2a02::87/64 are appropriately swapped/changed at the other end.
The devices are entirely flow-mode (security forwarding-options family inet6 mode flow-based).
One cluster is 12.1X45-D10, the other 12.1X44-D15.5.
The MTU between the devices is at least 1800 bytes all the way through.
reth1.500 is also in the ipsec_vpn zone, and all intra-zone traffic is permitted.
I've even had host-inbound-traffic set to all all.


IPv4 works fine, but IPv6 just, well, doesn't.

Can't ping the link-local or global addresses across the tunnel, OSPF3 hellos are being sent but not received.
'monitor traffic interface st0.634' says OSPFv2 hellos are coming In and Out, and "unknown protocol (0x006c)" is going Out only.


Pretty much the only documentation I can find is for IPSec over IPv6 (as in, v6 gateway addresses).
Nowt about configuring IPv6 on the tunnel interface.


I don't mind if anyone does prove I'm being dense!

Thanks

-- 
Mike Williams

