Juniper ScreenOS with a 6in4 Tunnel

Yes, I know I know, the Juniper ScreenOS devices are Out-of-Everything (OoE), but I am still using them for a couple of labs. They simply work as a router and VPN gateway as well as a port-based firewall. Perfect for labs.

For some reasons I had another lab without native IPv6 Internet. Hence I used the IPv6 Tunnel Broker one more time. Quite easy with the SSGs, since HE offers a sample config. But even through the GUI it’s just a few steps:

Note that this post is one of many related to IPv6. Click here for a structured list.

I am using a SSG 140 with ScreenOS 6.3.0r27.0. Prerequisite is a static IPv4 address on the Internet facing “untrust” interface.

The “Example Configuration” from Hurricane Electric is already almost complete. You simple have to replace the “untrust” keyword for your layer 3 untrust interface:

Step-by-Step through the GUI

Anyway, doing it by hand through the GUI involves these steps:

  1. Creating a new tunnel interface within the “Untrust” zone.
  2. Enabling IPv6 type “host” on that tunnel interface, IPv6 address as the “Client IPv6 Address” from the HE tunnel information.
  3. Disable NUD, the Neighbor Unreachability Detection.
  4. Enable and configure the 6in4 tunnel aka “IPv6 in IPv4 Tunneling Encapsulation Settings”.
  5. Add a (permanent) default route.
  6. Add IPv6 subnets to your internal interfaces with “Allow RA Transmission” and so on as always.
  7. Add security policies as always.

GUI Screenshots:

CLI Commands

CLI commands incl. user subnet config. I am using ethernet0/8 as my untrust interface and bgroup0/0 as my trust interface:

 

Up and Running

Just a few IPv6 related CLI commands (link for some more):

 

Happy IPv6-firewalling! ;D

Featured image “Rabštejn – Lightpaint” by david_drei is licensed under CC BY-NC-ND 2.0.

Leave a Reply

Your email address will not be published. Required fields are marked *