[j-nsp] Juniper -> FreeBSD IPv6 tunnel
Paul Connally
2005-04-01 22:48:58 UTC
I cannot figure out how to make an IPv6 in IPv4 tunnel between a Juniper
router and FreeBSD box work. Followed the advice on Juniper techpubs as
far as how to set up an IPv6 in IPv4 tunnel between two Junipers, and
the standard FreeBSD gif tunnel stuff, and cannot get em to play nice.

Here's what I've tried setting up thus far (I've got an Adaptive
Services-II PIC, so tunnelling should work):

IP addresses sanitized...

Juniper router
---------------
show configuration interfaces gr-2/1/0
/* Test IPv6 Tunnel*/
unit 0 {
    tunnel {
        source <Juniper local IPv4 address>;
        destination <FreeBSD remote IPv4 address>;
    }
    family inet6 {
        address <IPv6 Address::1>/64;
    }
}

FreeBSD box:
-------------

# ifconfig gif0 create
# ifconfig gif0 tunnel <FreeBSD IPv4 local> <Juniper IPv4 remote>
# ifconfig gif0 inet6 <IPv6 address::2> prefixlen 64

# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet <FreeBSD local> netmask 0xffffff00 broadcast <removed>
        inet6 fe80::2a0:c9ff:fe67:8fc3%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:67:8f:c3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet <FreeBSD> --> <Juniper>
        inet6 <IPv6 address::2> prefixlen 64
        inet6 fe80::201:3ff:fe2c:2b1b%gif0 prefixlen 64 scopeid 0x9


Still, from either side, neither IPv6 address can ping the other.
Regular, non-tunnelled IPv4 traffic between the Juniper and FreeBSD box
works fine; both sides can ping each other. Any ideas?
Ruud de Rooij
2005-04-01 23:11:48 UTC
Post by Paul Connally
I cannot figure out how to make an IPv6 in IPv4 tunnel between a Juniper
router and FreeBSD box work. Followed the advice on Juniper techpubs as
far as how to set up an IPv6 in IPv4 tunnel between two Junipers, and
the standard FreeBSD gif tunnel stuff, and cannot get em to play nice.
show configuration interfaces gr-2/1/0
This creates a tunnel using GRE encapsulation. To use plain
IPv6-in-IPv4 encapsulation use the ip-2/1/0 interface instead.

Hope this helps,

Ruud de Rooij
Luna.nl
--
Luna.nl B.V.
Puntegaalstraat 109 * 3024 EB Rotterdam
Postbus 63000 * 3002 JA Rotterdam
T 010 7502000 * F 010 7502002 * www.luna.nl
Paul Connally
2005-04-02 00:07:45 UTC
Post by Ruud de Rooij
Post by Paul Connally
I cannot figure out how to make an IPv6 in IPv4 tunnel between a Juniper
router and FreeBSD box work. Followed the advice on Juniper techpubs as
far as how to set up an IPv6 in IPv4 tunnel between two Junipers, and
the standard FreeBSD gif tunnel stuff, and cannot get em to play nice.
show configuration interfaces gr-2/1/0
This creates a tunnel using GRE encapsulation. To use plain
IPv6-in-IPv4 encapsulation use the ip-2/1/0 interface instead.
show configuration interfaces ip-2/1/0
unit 0 {
    tunnel {
        source <Juniper IPv4>;
        destination <FreeBSD IPv4>;
    }
    family inet6 {
        address <IPv6::1>/64;
    }
}

Ok, I tried that. Things are a little better; at least now, when
pinging IPv6 from the FreeBSD box to the Juniper, the Juniper interface
sees in and out packets. However, not getting packets on the return
from the Juniper back towards the FreeBSD box; there's nothing listed
on the gif0 interface (though I'm definitely seeing packets exit the
gif0 interface, and seeing them on the inbound at the Juniper):

# netstat -I gif0 1
            input         (gif0)           output
   packets  errs      bytes    packets  errs      bytes colls
         0     0          0          2     0        120     0
         0     0          0          2     0        120     0
         0     0          0          2     0        120     0
         0     0          0          1     0         56     0
         0     0          0          1     0         56     0


When I try pinging IPv6 from the Juniper to the FreeBSD box, it's zeros
all the way across on gif0. Nothing's coming in....

Anything else I might need in the Juniper config? Specify an unnumbered
'family inet' under the ip-2/1/0 unit 0?
Pekka Savola
2005-04-02 07:18:18 UTC
Post by Ruud de Rooij
show configuration interfaces ip-2/1/0
unit 0 {
    tunnel {
        source <Juniper IPv4>;
        destination <FreeBSD IPv4>;
    }
    family inet6 {
        address <IPv6::1>/64;
You may be hitting AFAIK an undocumented (though we opened a case
requesting documentation) "implementation feature" of tunneling, if
you use IP filtering at the underlying interfaces.

You must allow the particular encapsulation, with <Juniper IPv4>
source address to be used as a source address "from the outside".

For example, we're using uRPF, and have to have the following as the
first term of the RPF_FAIL filter.

term Allow_Juniper_IP_Encapsulation_Bug {
    from {
        source-address {
            <v4 tunnel endpoint>/32;
        }
        protocol [ ipip gre ipv6 ];
    }
    then {
        count IPIP-encapsulation;
        accept;
    }
}
[...]
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
Paul Connally
2005-04-04 18:25:25 UTC
Post by Pekka Savola
Post by Ruud de Rooij
show configuration interfaces ip-2/1/0
unit 0 {
    tunnel {
        source <Juniper IPv4>;
        destination <FreeBSD IPv4>;
    }
    family inet6 {
        address <IPv6::1>/64;
You may be hitting AFAIK an undocumented (though we opened a case
requesting documentation) "implementation feature" of tunneling, if you
use IP filtering at the underlying interfaces.
I figured it out; there IS a firewall at the edge of our network a few
hops past the FreeBSD box (before you reach the Juniper, which is
another AS).

I had to permit protocol 41 (IPv6, oddly enough) inbound on the firewall
before it'd work. It's quite interesting, as you see the outbound
traffic go thru the firewall and hit the Juniper, but the return inbound
doesn't come back in without the permit.

Even though our firewall is 'supposed' to be stateful, the initiating
outbound flow won't let protocol 41 back in.
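The two lessons of this thread, that a gr- interface emits GRE (IP protocol 47) while ip- and FreeBSD gif emit bare IPv6-in-IPv4 (IP protocol 41), and that a filter or firewall in the path must explicitly permit that outer protocol from the tunnel endpoint, can be checked against raw packets. The following is an added example written for this page, not code from the thread or from Junos or FreeBSD: it builds constructed sample packets of both encapsulations, decodes the outer IPv4 header to classify them, pulls out the inner IPv6 addresses, and models Pekka's `protocol [ ipip gre ipv6 ]` accept term as a function. The endpoint addresses are RFC 5737 and RFC 3849 documentation addresses chosen here and stand in for the sanitized ones in the posts.

```python
# Added example, not part of the j-nsp thread: classify IPv6-in-IPv4 vs GRE
# tunnel packets and model a "permit tunnel protocol from endpoint" filter.
import ipaddress
import struct

PROTO_IPIP = 4          # "ipip" in the Junos protocol list
PROTO_IPV6 = 41         # "ipv6": IPv6-in-IPv4, what gif and ip- interfaces emit
PROTO_GRE = 47          # "gre": what a gr- interface emits
ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
IPV6_HDR = "!IHBB16s16s"     # 40-byte fixed IPv6 header


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header around payload. Checksum left 0: constructed sample."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    """Fixed IPv6 header: version 6, payload length, next header, hop limit 64."""
    hdr = struct.pack(IPV6_HDR, 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_gre(payload, ethertype=ETHERTYPE_IPV6):
    """GRE base header (RFC 2784): no flags, version 0, then the protocol type."""
    return struct.pack("!HH", 0, ethertype) + payload


def decode_tunnel(packet):
    """Classify a raw IPv4 packet by its tunnel encapsulation.

    Returns a dict with outer_src/outer_dst/outer_proto/encap and, when an
    IPv6 header is found inside, inner_src/inner_dst/inner_next_header.
    Returns None for anything that is not a parseable IPv4 packet.
    """
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    info = {"outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)),
            "outer_proto": proto, "encap": "none"}
    inner = packet[ihl:]
    if proto == PROTO_IPV6:
        info["encap"] = "ipv6-in-ipv4"          # inner IPv6 header follows directly
    elif proto == PROTO_GRE:
        if len(inner) < 4:
            return info
        flags, ethertype = struct.unpack("!HH", inner[:4])
        info["encap"] = "gre"
        if ethertype != ETHERTYPE_IPV6:
            return info                          # GRE carrying something other than IPv6
        offset = 4                               # skip optional checksum/key/sequence words
        for bit in (0x8000, 0x2000, 0x1000):     # C, K and S bits (RFC 2784 / RFC 2890)
            if flags & bit:
                offset += 4
        inner = inner[offset:]
    else:
        return info                              # not a tunnel we recognise
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return info
    _, _, nh, _, isrc, idst = struct.unpack(IPV6_HDR, inner[:40])
    info.update(inner_src=str(ipaddress.IPv6Address(isrc)),
                inner_dst=str(ipaddress.IPv6Address(idst)),
                inner_next_header=nh)
    return info


def filter_term_accepts(packet, endpoint_v4,
                        protocols=(PROTO_IPIP, PROTO_GRE, PROTO_IPV6)):
    """Model of the term: from source-address endpoint/32; protocol [ ipip gre ipv6 ]."""
    info = decode_tunnel(packet)
    return (info is not None and info["outer_src"] == endpoint_v4
            and info["outer_proto"] in protocols)


# Constructed samples: an ICMPv6 echo request from ::2 (FreeBSD side) to ::1
# (Juniper side), once as plain IPv6-in-IPv4 (gif / ip-) and once inside GRE (gr-).
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])       # ICMPv6 type 128, zero checksum
INNER = build_ipv6("2001:db8::2", "2001:db8::1", NH_ICMPV6, ECHO)
GIF_PACKET = build_ipv4("192.0.2.2", "198.51.100.1", PROTO_IPV6, INNER)
GRE_PACKET = build_ipv4("192.0.2.2", "198.51.100.1", PROTO_GRE, build_gre(INNER))
PLAIN_ICMP = build_ipv4("192.0.2.2", "198.51.100.1", 1, bytes(8))   # IPv4 ICMP, no tunnel

if __name__ == "__main__":
    for name, pkt in (("gif", GIF_PACKET), ("gre", GRE_PACKET), ("icmp", PLAIN_ICMP)):
        print(name, decode_tunnel(pkt), filter_term_accepts(pkt, "192.0.2.2"))
```

Running the module prints the decoded headers for all three samples. The point the filter model makes is the one Paul ran into: the outer packet has no ports, so a state table keyed on protocol and port pairs has nothing to match the return protocol 41 packet against, and an explicit permit for that protocol from the peer endpoint (Pekka's term, or the equivalent inbound firewall rule) is what lets the reply back in.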
