
[ScreenOS]Creating a VPN Gateway with an IPv6 address


Article ID: KB21015 KB Last Updated: 17 Feb 2013Version: 2.0
Summary:
This article explains how to configure a VPN between firewalls whose external interfaces have IPv6 addresses, while the subnets behind the firewalls use IPv4 addressing.
Symptoms:
The image below illustrates the network setup:


Cause:

Solution:
Configuration Steps:
  1. Configure an interface for communication with the protected IPv4 network:

    • Bind the interface to a zone (typically Trust).
    • Assign the interface an IPv4 address and subnet mask.

  2. Configure the interface for communication over the IPv6 WAN:

    • Bind the interface to a zone (typically Untrust).
    • Configure the interface for IPv6 host mode or route mode.
    • Assign the interface an IPv6 address and prefix length.
    • Create an unnumbered tunnel interface in the same zone and bind it to the IPv6 interface.
    • Configure the tunnel interface for IPv6 host mode.

  3. Set up the interfaces on the peer device in the same manner.

  4. Set up IPsec between the peer devices.

  5. On each device, create the address book entries that identify the IPv6 host, subnet or network.

  6. Set up the routing entries that allow the hosts to reach each other.

  7. Set up the security policies.

Commands on the firewall:

On SSG-5:

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"

set interface ethernet0/0 ip 172.16.224.100/16
set interface ethernet0/0 nat
set interface ethernet0/1 ip 1.1.1.1/24
set interface "ethernet0/1" ipv6 mode "host"
set interface "ethernet0/1" ipv6 ip 88::1234/64
set interface "ethernet0/1" ipv6 enable
set interface ethernet0/1 route

set interface tunnel.2 ip unnumbered interface ethernet0/1
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable

set address "Trust" "Local_LAN_172_16_0_0" 172.16.0.0 255.255.0.0
set address "Untrust" "Remote_LAN_10_194_27_240" 10.194.27.240 255.255.255.248

set ike gateway "NS5GT_IPv6" address 88::7a61 Main outgoing-interface "ethernet0/1" local-address "88::1234" preshare "JKLhWpzyNHsII+sP86C8Vr2E5Zn2E4TEUw==" proposal "pre-g2-aes128-sha"

set vpn "NS5GT" gateway "NS5GT_IPv6" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "NS5GT" monitor source-interface ethernet0/0 destination-ip 10.194.27.242 optimized rekey
set vpn "NS5GT" id 0x1 bind interface tunnel.2

set vpn "NS5GT" proxy-id local-ip 172.16.0.0/16 remote-ip 10.194.27.240/29 "ANY"
set policy id 1 name "Test101" from "Trust" to "Untrust" "Local_LAN_172_16_0_0" "Remote_LAN_10_194_27_240" "ANY" permit log

set route 10.194.27.240/29 interface tunnel.2

On NS5GT:

set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"

set interface trust ip 10.194.27.241/29
set interface trust nat
set interface untrust ip 1.1.1.1/24
set interface "untrust" ipv6 mode "host"
set interface "untrust" ipv6 ip 88::7a61/64
set interface "untrust" ipv6 enable
set interface untrust route

set interface tunnel.1 ip unnumbered interface untrust
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable

set address "Trust" "Local_IP4" 10.194.27.240 255.255.255.248
set address "Untrust" "Remote_IPv4" 172.16.0.0 255.255.0.0

set ike gateway "SSG5_IPv6" address 88::1234 Main outgoing-interface "untrust" local-address "88::7a61" preshare "NX8WUSxBNn+6H+sZDcCE4NeYFwnkoJyF9A==" proposal "pre-g2-aes128-sha"

set vpn "SSG5" gateway "SSG5_IPv6" no-replay tunnel idletime 0 sec-level standard
set vpn "SSG5" monitor source-interface trust destination-ip 172.16.205.34 optimized rekey
set vpn "SSG5" id 0x1 bind interface tunnel.1

set vpn "SSG5" proxy-id local-ip 10.194.27.240/29 remote-ip 172.16.0.0/16 "ANY"
set policy id 1 name "IPv4_in_IPv6" from "Trust" to "Untrust" "Local_IP4" "Remote_IPv4" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 2 name "IPv4_in_IPv6_2" from "Untrust" to "Trust" "Remote_IPv4" "Local_IP4" "ANY" permit log
set policy id 2
set log session-init
exit

set route 172.16.0.0/16 interface tunnel.1
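The most common reason a tunnel like this fails to come up is that the two sides do not mirror each other: the IKE gateway address on one peer must equal the other peer's local-address, the local-address must be the outgoing interface's own IPv6 address, and each proxy-ID local-ip must equal the peer's remote-ip. The following Python script is an added consistency check written for this article, not Juniper code or a ScreenOS feature; it parses a trimmed copy of the two configurations above (preshared keys replaced by the placeholder "KEY") and reports any mismatch.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network

# Trimmed copies of the two peer configs from this article; preshare values are replaced by "KEY".
SSG5_CFG = """
set interface "ethernet0/1" ipv6 ip 88::1234/64
set ike gateway "NS5GT_IPv6" address 88::7a61 Main outgoing-interface "ethernet0/1" local-address "88::1234" preshare "KEY" proposal "pre-g2-aes128-sha"
set vpn "NS5GT" proxy-id local-ip 172.16.0.0/16 remote-ip 10.194.27.240/29 "ANY"
"""
NS5GT_CFG = """
set interface "untrust" ipv6 ip 88::7a61/64
set ike gateway "SSG5_IPv6" address 88::1234 Main outgoing-interface "untrust" local-address "88::7a61" preshare "KEY" proposal "pre-g2-aes128-sha"
set vpn "SSG5" proxy-id local-ip 10.194.27.240/29 remote-ip 172.16.0.0/16 "ANY"
"""

def parse_peer(cfg):
    """Extract the IKE gateway and proxy-id facts from ScreenOS 'set' lines (subset parser only)."""
    facts = {}
    for line in cfg.splitlines():
        m = re.search(r'ike gateway .* address (\S+) .*local-address "([^"]+)"', line)
        if m:
            facts["peer_addr"] = ip_address(m.group(1))
            facts["local_addr"] = ip_address(m.group(2))
        m = re.search(r"proxy-id local-ip (\S+) remote-ip (\S+)", line)
        if m:
            facts["local_net"] = ip_network(m.group(1))
            facts["remote_net"] = ip_network(m.group(2))
        m = re.search(r"ipv6 ip (\S+)", line)
        if m:
            facts["iface_addr"] = ip_interface(m.group(1)).ip
    return facts

def check_pair(a, b):
    """Return a list of mismatches between two peers; an empty list means they agree."""
    problems = []
    for x, y, name in ((a, b, "side A"), (b, a, "side B")):
        if x["local_addr"] != x["iface_addr"]:
            problems.append(f"{name}: local-address differs from the outgoing interface IPv6 address")
        if x["peer_addr"] != y["local_addr"]:
            problems.append(f"{name}: gateway address does not match the peer's local-address")
        if x["local_net"] != y["remote_net"]:
            problems.append(f"{name}: proxy-id local-ip is not mirrored by the peer's remote-ip")
    return problems

def check_article_configs():
    """Cross-check the SSG-5 and NS5GT configurations shown in this article."""
    return check_pair(parse_peer(SSG5_CFG), parse_peer(NS5GT_CFG))

if __name__ == "__main__":
    print(check_article_configs() or "peer configurations are consistent")
```

Running the script against the article's own configurations yields no mismatches; editing one proxy-ID or gateway address on either side makes the corresponding line appear in the result.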
