I'm struggling a bit with my Juniper NetScreen (ScreenOS, not JunOS), because there doesn't seem to be an option to set up an UN-encrypted tunnel for 6-over-4...
KeS
I'm having the same issue here with an SSG5 running ScreenOS v6.1.0r3 (also tested r2) when using HE as the tunnel broker. I've tried everything I can think of to make the tunnel work with no success.
A "heartbeat" tunnel set up with SixXS using the same configuration in ScreenOS as the HE tunnel doesn't have the same issue. It comes right up and starts passing traffic as soon as the first heartbeat goes out from the software client.
NOTE: I have not tried a static tunnel or even set up a routed subnet with SixXS due to their ISK "currency" limits...
Relevant config from working SixXS tunnel:
! Turn on IPV6 (reboot required)
set envar ipv6=yes
! Set Up Untrusted Ethernet Interface with our side of IPv6 in v4 tunnel IPv6 address
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 ip 2001:1938:XXXX:XXXX::2/64
set interface "ethernet0/0" ipv6 enable
! Set Up Tunnel Interface (Interface tunnel.2 is used in my setup because of existing VPN tunnel on interface tunnel.1)
set interface tunnel.2 ip unnumbered interface ethernet0/0
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable
set interface tunnel.2 tunnel encap ip6in4 manual
set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66
set interface tunnel.2 mtu 1480
! Set default route for IPv6 traffic
set route ::/0 interface tunnel.2 gateway :: preference 20
! Set route to SixXS PoP IPv6 ip to use tunnel interface due to /64
! being configured on ethernet0/0 instead of unnumbered and non-addressable tunnel.2 interface
set route 2001:1938:XXXX:XXXX::1/128 interface tunnel.2 gateway :: preference 20
Everything with this setup comes up and I can ping IPv6 hosts from the SSG5 as expected.
Note - I tried to use the basic setup from http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall for both HE and SixXS (HE never worked with this either). This caused the SSG5 to lock up and restart about every 5 minutes. I am guessing it is because of the way the tunnel interface was set up as a numbered interface with no IPv4 address. Something in v6.1.0r3 does NOT like it. The current config I listed above seems to be stable so far.
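What the `tunnel encap ip6in4` and `mtu 1480` lines in the config above amount to on the wire, as an added example that is not part of the original posts: the IPv6 packet is carried in cleartext behind a 20-byte IPv4 header with protocol number 41, which is what a filter or packet capture between the firewall and the tunnel broker has to match. The addresses are constructed documentation values and all function names are hypothetical.

```python
import ipaddress
import struct

PROTO_41 = 41          # IANA protocol number: IPv6 encapsulated in IPv4 (6in4)
IPV4_HDR = 20          # outer IPv4 header without options
IPV6_HDR = 40          # fixed IPv6 header

def tunnel_mtu(link_mtu=1500):
    """Largest IPv6 packet that fits once the outer IPv4 header is added."""
    return link_mtu - IPV4_HDR

def ipv4_checksum(header):
    """Ones'-complement sum over a 20-byte header; 0 means a valid checksum."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_packet(src, dst, payload=b"", next_header=59):
    """Minimal IPv6 packet; next header 59 means 'no next header'."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def encapsulate(outer_src, outer_dst, inner):
    """Prepend the outer IPv4 header; the inner packet stays in cleartext."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(inner), 0, 0,
                      64, PROTO_41, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner

def decapsulate(packet):
    """Return inner IPv6 endpoints of a 6in4 packet, or None if not protocol 41."""
    if len(packet) < IPV4_HDR or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_41:
        return None
    inner = packet[ihl:]
    if len(inner) < IPV6_HDR or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a complete IPv6 header")
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
            "inner_len": len(inner)}

# Constructed sample (documentation addresses, not from the thread).
SAMPLE = encapsulate("192.0.2.10", "198.51.100.1",
                     ipv6_packet("2001:db8::2", "2001:db8::1", b"\x00" * 1440))
```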