IPv6 through IPv4 VPN Tunnel with Juniper SSGs

The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Even other tunneling methods such as Teredo or SixXS are found on different literatures. However, another method that is not often explained is to tunnel the IPv6 packets through a VPN connection. For example, if the main office has a native IPv6 connection to the Internet, as well as VPN connections to its remote offices, it is easy to bring IPv6 subnets to these stations.

Here is how I did it with some Juniper SSG firewalls:

I assume that there is already a VPN connection between two Juniper ScreenOS firewalls in place. If so, the steps to tunnel IPv6 through this VPN tunnel are quite easy. (Note that this is NOT a 6in4 tunnel! It is simply a forwarding of IPv6 packets through a common IPsec site-to-site tunnel.)


The following configuration steps are required:

  1. Enable IPv6 in the “host” mode on the tunnel interfaces
  2. Configure static IPv6 routes through these tunnel interfaces
  3. Do regular IPv6 stuff: Enable IPv6 with Router Advertisements at the remote site and configure the appropriate security policies

This is how my networks look like, followed by the configuration screenshots:

IPv6 through IPv4 VPN Tunnel - Lab

(For further information: Read the descriptions under the screenshots.)

Done. 😉

Latency & Hop Count

One side note about the latency: Yes, since the IPv6 connection must travel through the IPv4 tunnel (with its hops to the main site) as well as through the native IPv6 Internet to the final destination, the total hop count (i.e., latency) is approximately doubled. However, I made an interesting observation: My main site has a quite good ISP connection with almost the same ping times of IPv4 and IPv6 (latency of 3-4 ms). My home site has a normal German DSL connection and I am surfing via WLAN –> IPv4 latency of about 23 ms. And now, my new IPv6 connection has an added latency of about 29 ms, which is compared to the native IPv4 connectivity not that bad. 😉


One thought on “IPv6 through IPv4 VPN Tunnel with Juniper SSGs

Leave a Reply

Your email address will not be published. Required fields are marked *