Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] IPv4 and IPv6 tunnel encapsulation supported modes

0

0

Article ID: KB30535 KB Last Updated: 29 Sep 2015Version: 1.0
Summary:

This article provides a summary of information about IPv4 and IPv6 IP-IP tunnel supported features and limitations in SRX series devices encountered while configuring IKE peer gateway addresses as IPv6 addresses.

Symptoms:

When you try to configure IKE peer gateway addess as IPv6 address, then SRX returns the following  error messages:

error: invalid ip address or hostname:
error: statement creation failed:

Cause:
 
Solution:

 As of Junos OS Release 12.1X46-D10, the following tunnel modes are supported on SRX Series devices:

  • IPv4-in-IPv4 tunnels encapsulate IPv4 packets inside IPv4 packets.
  • IPv6-in-IPv6 tunnels encapsulate IPv6 packets inside IPv6 packets.

  • IPv6-in-IPv4 tunnels encapsulate IPv6 packets inside IPv4 packets.
  • IPv4-in-IPv6 tunnels encapsulate IPv4 packets inside IPv6 packets.

Limitations:

  • IPv6 policy-based VPNs are not supported on high-end SRX Series devices or on branch SRX Series devices in chassis cluster configurations. IPv6 policy-based VPNs are only supported with IPv6-in-IPv6 tunnels on standalone branch SRX Series devices.
  • Only one-to-one site-to-site VPN is supported. Many-to-one site-to-site VPN (NHTB) is not supported. NHTB configuration cannot be committed for tunnel modes other than IPv4-in-IPv4 tunnels.

  • IPsec VPN with active-active mode is supported only on branch SRX Series devices for route-based IPv6 tunnels. IPsec VPN with active-active mode is not supported on high-end SRX Series devices.
  • As with IPv4 tunnels, peer gateway address changes in the DNS name are not supported with IPv6 tunnels.

  • AutoVPN, group VPN, multicast dynamic routing and Xauth or modecfg over IPv6 are not supported.
  • NAT-T is supported only for IPv6-in-IPv4 and IPv4-in-IPv4 tunnel modes with IKEv1. IPv6-in-IPv6 and IPv4-in-IPv6 tunnel modes are not supported. IKEv2 is not supported for NAT-T. NAT-T from IPv6 to IPv4 or from IPv4 to IPv6 is not supported.

  • DPD gateway failover is only supported for different gateway addresses within the same family. Failover from an IPv6 gateway address to an IPv4 gateway address, or vice versa, is not supported.
  • Multiple traffic selector pairs are supported with IKEv1 only.

  • IPv6 extension headers and IPv4 options for IKE and IPsec packets are accepted but are not processed. AH with mutable EHs and options is not supported.
  • IPv6 dynamic endpoint VPNs are blocked during negotiation and IPv6 dialup VPNs are blocked during negotiation.

For more information, refer to the Release notes for 12.1x46.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search