Juniper SRX300 IPv6 tunnel

The SRX300 (and SRX550M) drop IPv6 traffic by default, as the Juniper documentation notes:

When IPv6 is configured on SRX300 Series and the SRX550M devices, the default behavior is set to drop mode because of memory constraints.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ipv6-flow-processing-enabling.html

This can be confirmed:

admin@CS7-HQ-FW02> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Enhanced route scaling mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

Configure IPv6 flow mode, commit, and reboot the SRX (the forwarding-mode change only takes effect after a reboot):

set security forwarding-options family inet6 mode flow-based
commit and-quit
request system reboot

Next we need to configure a point-to-point tunnel interface using the parameters supplied by Hurricane Electric (HE). The source address and IPv6 prefix will be specific to your location and account; the destination IP can be any HE tunnel broker, but it should be geographically close.

interfaces {
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source <your_globally_routable_ip>;
                destination 216.66.80.26;
                path-mtu-discovery;
            }
            family inet6 {
                mtu 1280;
                address 2001:470:aaaa:bbbb::2/64;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:aaaa:bbbb::1;
        }
    }
}

Next we need to secure the interface and permit access to it. I will create a new security zone for the tunnel interface and only permit devices residing in the INSIDE zone access to it:

security {
    zones {
        security-zone VPN-HE {
            interfaces {
                ip-0/0/0.0;
            }
        }
    }
    policies {
        from-zone INSIDE to-zone VPN-HE {
            policy INSIDE_TO_VPN-HE {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
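The zone design above relies on the SRX's default deny: only INSIDE to VPN-HE is permitted, so nothing arriving over the tunnel can initiate a session inward. As an added example (not from the post or from Juniper), a small Python check over that stanza confirms the two things the posture depends on: the tunnel interface is bound to its own zone, and no policy permits sessions initiated from that zone. It assumes a minimal hand-written parser for the brace-style config shown, not Junos tooling.

```python
SRX_CONFIG = """
zones {
    security-zone VPN-HE {
        interfaces {
            ip-0/0/0.0;
        }
    }
}
policies {
    from-zone INSIDE to-zone VPN-HE {
        policy INSIDE_TO_VPN-HE {
            match {
                source-address any-ipv6;
                destination-address any-ipv6;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
"""  # constructed input: the post's "security" stanza with "policies" spelt correctly


def parse_junos(text):
    """Minimal parser for brace-style Junos config: blocks become nested dicts, leaves map to their arguments."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            name, _, args = line.rstrip(";").partition(" ")
            stack[-1][name] = args or True
    return stack[0]


def audit_tunnel_zone(text, tunnel_if="ip-0/0/0.0", tunnel_zone="VPN-HE"):
    """Return findings (strings); an empty list means the tunnel is isolated as the post intends."""
    cfg, findings = parse_junos(text), []
    zone = cfg.get("zones", {}).get(f"security-zone {tunnel_zone}", {})
    if tunnel_if not in zone.get("interfaces", {}):
        findings.append(f"{tunnel_if} is not bound to zone {tunnel_zone}")
    for ctx, pols in cfg.get("policies", {}).items():  # ctx reads "from-zone A to-zone B"
        if ctx.startswith(f"from-zone {tunnel_zone} "):  # sessions initiated from the tunnel side
            for name, body in pols.items():
                if "permit" in body.get("then", {}):
                    findings.append(f"{name} permits traffic initiated from {tunnel_zone} ({ctx})")
    return findings
```

Running it against a copy of the stanza whose context is reversed to `from-zone VPN-HE to-zone INSIDE` produces one finding, which is the misconfiguration this layout is meant to avoid.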

Finally, configure the IPv6 address on the inside interface and enable Router Advertisements so local devices autoconfigure from the prefix:

interfaces {
    irb {
        unit 30 {
            description INSIDE_VLAN;
            family inet6 {
                address 2001:470:cccc:30::1/64;
            }
        }
    }
}
protocols {
    router-advertisement {
        interface irb.30 {
            prefix 2001:470:cccc:30::/64;
        }
    }
}

Now confirm that we can ping out to the IPv6 internet and that local devices have picked up globally routable addresses:

admin@CS7-HQ-FW02> ping 2607:f8b0:4005:804::200e 
PING6(56=40+8+8 bytes) 2001:470:1f08:32d::2 --> 2607:f8b0:4005:804::200e
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=0 hlim=56 time=147.995 ms
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=1 hlim=56 time=150.713 ms
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=2 hlim=56 time=147.667 ms
^C
--- 2607:f8b0:4005:804::200e ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 147.667/148.792/150.713/1.365 ms

admin@CS7-HQ-FW02> show ipv6 neighbors               
IPv6 Address                  Linklayer Address  State       Exp   Rtr  Secure  Interface               
2001:470:cccc:30:646f:99f:ae9 50:76:af:cb:f9:99  stale       879   no   no      irb.30 [ge-0/0/5.0]     
2001:470:cccc:30:d466:d6d5:30 bc:3d:85:1a:cc:f7  stale       1135  no   no      irb.30 [ge-0/0/5.0]     
2001:470:cccc:30:dd98:1d46:b9 f0:43:47:c5:53:43  stale       1050  no   no      irb.30 [ge-0/0/5.0]     
fe80::39dc:3092:8553:92e6     50:76:af:cb:f9:99  stale       864   no   no      irb.30 [ge-0/0/5.0]     
fe80::be3d:85ff:fe1a:ccf7     bc:3d:85:1a:cc:f7  stale       1046  no   no      irb.30 [ge-0/0/5.0]     
fe80::f243:47ff:fec5:5343     f0:43:47:c5:53:43  stale       1181  no   no      irb.30 [ge-0/0/5.0]     
Total entries: 6
