[j-nsp] family inet6 on st0.x

ashish verma ashish.scit at gmail.com
Wed Aug 7 18:47:11 EDT 2013


I think you would need to run GRE over IPsec for IPv6 support.
On Aug 6, 2013 3:06 AM, "Mike Williams" <mike.williams at comodo.com> wrote:

> Hey all,
>
> Am I being dense, or now that 'family inet6' can be configured on an st0.x
> interface, does it not actually work?
>
>
> I've configured the following on a pair of J6350 clusters;
>
> set interfaces st0 unit 634 description rmdcccjs-dwdcccjs
> set interfaces st0 unit 634 family inet mtu 1500
> set interfaces st0 unit 634 family inet address 10.xxx.xxx.135/31
> set interfaces st0 unit 634 family inet6 mtu 1500
> set interfaces st0 unit 634 family inet6 address 2a02::87/64
> set security ike gateway rmdcccjs-dwdcccjs ike-policy tunnel-pol
> set security ike gateway rmdcccjs-dwdcccjs address 178.xxx.xxx.251
> set security ike gateway rmdcccjs-dwdcccjs external-interface reth1.500
> set security ike gateway rmdcccjs-dwdcccjs version v2-only
> set security ipsec vpn rmdcccjs-dwdcccjs bind-interface st0.634
> set security ipsec vpn rmdcccjs-dwdcccjs ike gateway rmdcccjs-dwdcccjs
> set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity local 10.xxx.xxx.135/31
> set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity remote 10.xxx.xxx.134/31
> set security ipsec vpn rmdcccjs-dwdcccjs ike proxy-identity service any
> set security ipsec vpn rmdcccjs-dwdcccjs ike ipsec-policy tunnel-pol
> set security ipsec vpn rmdcccjs-dwdcccjs establish-tunnels immediately
> set security zones security-zone ipsec_vpn interfaces st0.634
> set routing-instances ipsec interface st0.634
> set routing-instances ipsec protocols ospf area 0.0.0.0 interface st0.634
> set routing-instances ipsec protocols ospf3 area 0.0.0.0 interface st0.634
>
>
> Where 10.xxx.xxx.134/31 and 2a02::87/64 are appropriately swapped/changed
> at the other end.
> The devices are entirely flow-mode (security forwarding-options family
> inet6 mode flow-based).
> One cluster is 12.1X45-D10, the other 12.1X44-D15.5.
> The MTU between the devices is at least 1800 bytes all the way through.
> reth1.500 is also in the ipsec_vpn zone, and all intra-zone traffic is
> permitted.
> I've even had host-inbound-traffic set to all all.
>
>
> IPv4 works fine, but IPv6 just, well, doesn't.
>
> Can't ping the link-local or global addresses across the tunnel, OSPF3
> hellos are being sent but not received.
> 'monitor traffic interface st0.634' says OSPFv2 hellos are coming In and
> Out, and "unknown protocol (0x006c)" is going Out only.
>
>
> Pretty much the only documentation I can find is for IPSec over IPv6 (as
> in, v6 gateway addresses).
> Nowt about configuring IPv6 on the tunnel interface.
>
>
> I don't mind if anyone does prove I'm being dense!
>
> Thanks
>
> --
> Mike Williams

