
Configuration example: IPv6 traffic over IPv4 VPN tunnel between two Juniper firewalls
Article ID: KB12901 | Last Updated: 03 Feb 2009 | Version: 1.0
How to encrypt IPv6 traffic in an IPv4 VPN tunnel between two Juniper firewalls

Basic requirements for IPv6 traffic over IPv4 -- Policy-based VPN
  1. Topology:

         Host1 ---ipv6----- Firewall1 ----ipv4----- Firewall2 ----ipv6---- Host2
                            2000::1/64                 2001::1/64

  2. Hosts or network devices running IPv6 applications have a route that sends the IPv6 traffic to the gateway, which is the Juniper firewall.
  3. The Juniper firewall should have a route that forwards the IPv6 packets to an interface in zone 'Untrust', and that Untrust interface is assigned an IPv4 address.
  4. The interface in zone 'Untrust' should have IPv6 enabled, but should not be assigned an IPv6 address.
  5. A pair of policies is created between the IPv6 local and remote addresses for the traffic that should be encrypted in the VPN tunnel, also called the 'interested traffic'.

Firewall1 config:

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/6" zone "Trust"
set interface ethernet0/0 ip
set interface "ethernet0/0" ipv6 mode "router"
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 route
set interface ethernet0/6 ip
set interface "ethernet0/6" ipv6 mode "router"
set interface "ethernet0/6" ipv6 ip 2000::1/64
set interface "ethernet0/6" ipv6 enable
set interface ethernet0/6 nat
set address "Trust" "site1" 2000::1/32
set address "Untrust" "site2" 2001::1/32
set ike gateway "vpn" address Main outgoing-interface "ethernet0/0" preshare "netscreen" sec-level standard
set vpn "vpn" gateway "vpn" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn" monitor rekey
set policy id 5 from "Untrust" to "Trust" "site2" "site1" "ANY" tunnel vpn "vpn" id 0x2 pair-policy 4
set policy id 4 from "Trust" to "Untrust" "site1" "site2" "ANY" tunnel vpn "vpn" id 0x2 pair-policy 5
set route gateway
set route ::/0 interface ethernet0/0 gateway ::

Use the same config commands for Firewall2, replacing the IP addresses as applicable.
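As an added configuration check (example code written for this article, not Juniper's own tooling), the following Python parses a ScreenOS config in the `set` format shown above and flags violations of the requirements listed earlier: the Untrust interface must have IPv6 enabled but carry no IPv6 address, the ::/0 route must leave through an Untrust interface, and the two tunnel policies must reference each other as a pair on the same VPN. The sample is the Firewall1 configuration above, reduced to the lines the checker inspects.

```python
import re

# Constructed sample (added example, not Juniper's own tooling): the Firewall1
# lines from this article that the checker below inspects.
FIREWALL1 = """
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/6" zone "Trust"
set interface "ethernet0/0" ipv6 enable
set interface "ethernet0/6" ipv6 ip 2000::1/64
set interface "ethernet0/6" ipv6 enable
set address "Trust" "site1" 2000::1/32
set address "Untrust" "site2" 2001::1/32
set policy id 5 from "Untrust" to "Trust" "site2" "site1" "ANY" tunnel vpn "vpn" id 0x2 pair-policy 4
set policy id 4 from "Trust" to "Untrust" "site1" "site2" "ANY" tunnel vpn "vpn" id 0x2 pair-policy 5
set route ::/0 interface ethernet0/0 gateway ::
"""

def check_ipv6_over_ipv4_vpn(config: str) -> list:
    """Return requirement violations found in a ScreenOS config; [] means it passes."""
    zone, v6_enabled, v6_addr, policies, v6_default = {}, set(), {}, {}, None
    for raw in config.splitlines():
        t = raw.replace('"', "").split()
        if t[:2] == ["set", "interface"] and len(t) > 4:
            if t[3] == "zone":
                zone[t[2]] = t[4]
            elif t[3:5] == ["ipv6", "enable"]:
                v6_enabled.add(t[2])
            elif t[3:5] == ["ipv6", "ip"] and len(t) > 5:
                v6_addr[t[2]] = t[5]
        elif t[:3] == ["set", "policy", "id"] and len(t) > 3:
            m = re.search(r"tunnel vpn (\S+) .*pair-policy (\d+)", " ".join(t))
            if m:
                policies[int(t[3])] = (m.group(1), int(m.group(2)))
        elif t[:4] == ["set", "route", "::/0", "interface"] and len(t) > 4:
            v6_default = t[4]
    findings = []
    # The Untrust interface carries IPv6 (enabled) but must not have an IPv6 address.
    for ifname in (i for i, z in zone.items() if z == "Untrust"):
        if ifname not in v6_enabled:
            findings.append(f"{ifname}: IPv6 is not enabled on the Untrust interface")
        if ifname in v6_addr:
            findings.append(f"{ifname}: Untrust interface must not carry an IPv6 address")
    # The IPv6 default route must leave via an interface in zone Untrust.
    if zone.get(v6_default) != "Untrust":
        findings.append("::/0 route does not point at an interface in zone Untrust")
    # Each tunnel policy's pair-policy must reference it back on the same VPN.
    for pid, (vpn, peer) in policies.items():
        if policies.get(peer) != (vpn, pid):
            findings.append(f"policy {pid}: pair-policy {peer} does not pair back on vpn {vpn}")
    return findings
```

Run the checker against both firewalls' configs after the address substitution; an empty list means the stated requirements are met.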

Another example is covered in the Concepts & Examples ScreenOS Reference Guide - Volume 14 - Dual Stack Architecture with IPv6.
Refer to the section titled IPsec 6in4 Tunneling for a step-by-step configuration example using a route-based VPN.