Setting up Juniper SSG with dynamic IP address
Shadow Hawkins on Sunday, 11 May 2008 17:43:34
Hi folks,
Has anybody already tried to configure a Juniper SSG firewall with a dynamic public IP address to connect to SixXS? I couldn't find any information about supporting the heartbeat protocol or so. Is there a way to get IPv6 running on my SSG? (general IPv6 support is activated)
Regards
Julian
Setting up Juniper SSG with dynamic IP address
Carmen Sandiego on Tuesday, 24 June 2008 18:18:36
Have you debugged yet why the packets are dropped?
You can debug by using the CLI commands:
clear dbuf
set ffilter dst-ip y.y.y.y (<- PoP address)
debug flow basic
run and test
undebug all
get dbuf stream
Or are you trying to get the SSG to get an IPv6 address from the PoP?
Setting up Juniper SSG with dynamic IP address
Shadow Hawkins on Friday, 12 September 2008 01:48:48
I can't find a way to enable either heartbeat or ping on an SSG tunnel interface; that may possibly match your problem. The error message is that 6over4 tunneling doesn't support heartbeat, and you can't configure "set int tun.x manage ping" on any tunnel; it's just not supported. Silly, since the very first thing anyone setting up a tunnel wants to do is ping the endpoints, and many monitoring systems rely on it.
KeS
Setting up Juniper SSG with dynamic IP address
Shadow Hawkins on Saturday, 13 September 2008 14:10:36
I have a "heartbeat" dynamic tunnel set up on a Juniper (NetScreen) SSG5 with SixXS using the configuration below in ScreenOS. You need a host behind the SSG5 to send your heartbeats and bring the tunnel up, since the SSG5 can't send them.
There is a FreeBSD server that lives behind my SSG5 that runs the AICCU client in heartbeat-only mode. You can do the same thing with Windows or Linux. Whatever you use will need to be on and running AICCU the entire time you wish to use the tunnel. There is enough built into the client and the protocol to handle NAT and discovery of your external IPv4 address on the untrusted side of the SSG5. The config I use for that is:
# FREEBSD Heartbeat only AICCU Configuration - Should work for Windows as well.
# Replace with your SixXS Username and Password
username SIXXS-USERNAME
password SIXXS-PASSWORD
# Replace this with the tunnel ID of your heartbeat tunnel
tunnel_id TXXXXX
verbose true
daemonize true
automatic true
requiretls false
makebeats true
noconfigure true
behindnat true
# End AICCU config
Relevant ScreenOS config from working SixXS tunnel:
! Turn on IPV6 (reboot required)
set envar ipv6=yes
! Set Up Untrusted Ethernet Interface with our side of IPv6 in v4 tunnel IPv6 address
! This allows for ping and other management options that won't work elsewhere.
set interface "ethernet0/0" ipv6 mode "host"
! Replace below with your side of IPv6 tunnel address
set interface "ethernet0/0" ipv6 ip 2001:1938:XXXX:XXXX::2/64
set interface "ethernet0/0" ipv6 enable
! Set Up Tunnel Interface (Interface tunnel.2 is used in my setup because of existing IPv4 VPN tunnel on interface tunnel.1)
! Also enable IPv6 "host" mode on tunnel interface so it can understand and build 6in4 tunnels and IPv6 traffic.
! No addresses can be assigned to "unnumbered" tunnel interfaces. They will use whatever is on the interface they are bound to.
set interface tunnel.2 ip unnumbered interface ethernet0/0
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable
set interface tunnel.2 tunnel encap ip6in4 manual
! Change the IP below to the IPv4 PoP endpoint of your tunnel
set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66
! Up the tunnel MTU to 1480 - Make sure you adjust this or the settings on SixXS' site to match
set interface tunnel.2 mtu 1480
! Set default route for all IPv6 traffic to use tunnel
set route ::/0 interface tunnel.2 gateway :: preference 20
! Set route to SixXS PoP IPv6 ip to use tunnel interface due to /64
! being configured on ethernet0/0 instead of unnumbered and non-addressable tunnel.2 interface.
! No way to override a "connected" route in ScreenOS that I am aware of but it will allow and prefer
! a more granular route over a larger one.
! Failure to do this will result in a non-functional tunnel or one that is dropped as inactive
! on a regular basis.
! Make sure to change this to the PoP IPv6 address of your tunnel (/128 matches route to a single host)
set route 2001:1938:XXXX:XXXX::1/128 interface tunnel.2 gateway :: preference 20
! Set up local subnet IPv6 address and router advertisement on SSG5 trusted bridge group interface
set interface "bgroup0" ipv6 mode "router"
! I could have used the entire assigned /48 here but that would have been silly... Let's use the first of the /64 subnets out of that /48.
! Once again, make sure you change this to match what you have been assigned.
set interface "bgroup0" ipv6 ip 2001:1938:XXXX:XXXX::1/64
set interface "bgroup0" ipv6 enable
set interface bgroup0 ipv6 ra link-mtu
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra preference high
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud
set interface bgroup0 ipv6 nd dad-count 0
! Set up policy to log, count and allow outbound IPv6 traffic from any IPv6 address to any IPv6 address.
! This is the only policy you need if you aren't hosting servers that need to be accessible to the outside world.
! The ScreenOS stateful firewall will match inbound connections to the outbound connections that requested them and allow it through.
! Double check the policy ID listed is not in use already. Change it if it is.
set policy id 90 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log count
! Set up policy to log, count and allow INBOUND IPv6 traffic from any IPv6 address to any IPv6 address.
! -- WARNING -- -- WARNING -- -- WARNING -- This leaves your trusted side IPv6 network wide open.
! You should only implement this for temporary testing of inbound services and use more restrictive policies in production.
! Double check the policy ID listed is not in use already. Change it if it is.
set policy id 91 from "Untrust" to "Trust" "Any-IPv6" "Any-IPv6" "ANY" permit log count
Everything with this setup comes up and I can ping IPv6 hosts from the SSG5 and ping and browse from IPv6 enabled hosts behind it as expected.
Note - Initially I tried to use the basic setup from http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall - This caused the SSG5 to lock up and restart about every 5 minutes. I am guessing it is because of the way the tunnel interface was set up as a numbered interface with no IPv4 address. Something in ScreenOS v6.1.0r3 does NOT like it. The current config I listed above has been stable for the last couple of weeks now.
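The post above names three things that silently break or expose this setup: a missing /128 route toward the PoP inside the /64 that lives on ethernet0/0, a missing default route or oversized MTU on the tunnel, and the wide-open Untrust-to-Trust policy. The lint below is an added example, not the poster's code or Juniper's; it assumes the exact ScreenOS line forms quoted in the post and fills the XXXX placeholders with the 2001:db8::/32 documentation prefix in a constructed sample.

```python
import ipaddress
import re

# Constructed sample in the syntax of the post above; the XXXX placeholders are
# filled with the 2001:db8::/32 documentation prefix, not a real allocation.
SAMPLE_CONFIG = """
set interface "ethernet0/0" ipv6 ip 2001:db8:1:1::2/64
set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66
set interface tunnel.2 mtu 1480
set route ::/0 interface tunnel.2 gateway :: preference 20
set route 2001:db8:1:1::1/128 interface tunnel.2 gateway :: preference 20
set interface "bgroup0" ipv6 ip 2001:db8:1:2::1/64
set policy id 90 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log count
set policy id 91 from "Untrust" to "Trust" "Any-IPv6" "Any-IPv6" "ANY" permit log count
"""

IFACE_RE = re.compile(r'set interface "?([^"\s]+)"? ipv6 ip (\S+)')
LOCALIF_RE = re.compile(r'set interface (\S+) tunnel local-if (\S+) dst-ip (\S+)')
MTU_RE = re.compile(r'set interface (\S+) mtu (\d+)')
ROUTE_RE = re.compile(r'set route (\S+) interface (\S+)')
POLICY_RE = re.compile(r'set policy id (\d+) from "(\w+)" to "(\w+)" "([^"]+)" "([^"]+)" "([^"]+)" (\w+)')

def lint_screenos(text):
    """Return findings for the tunnel routing and policy pitfalls the post describes."""
    findings = []
    ifaces = {m.group(1): ipaddress.ip_interface(m.group(2)) for m in IFACE_RE.finditer(text)}
    mtus = {m.group(1): int(m.group(2)) for m in MTU_RE.finditer(text)}
    routes = [(ipaddress.ip_network(m.group(1)), m.group(2)) for m in ROUTE_RE.finditer(text)]
    for m in LOCALIF_RE.finditer(text):
        tun, bound = m.group(1), m.group(2)
        if bound not in ifaces:
            findings.append(f"{tun}: bound interface {bound} has no IPv6 address")
            continue
        lan = ifaces[bound].network
        # The /64 is a connected route on the bound interface, so the PoP endpoint
        # inside it needs a more specific /128 via the tunnel or traffic never leaves.
        if not any(n.prefixlen == 128 and i == tun and n.subnet_of(lan) for n, i in routes):
            findings.append(f"{tun}: no /128 route inside {lan} via {tun} for the PoP endpoint")
        if not any(n.prefixlen == 0 and i == tun for n, i in routes):
            findings.append(f"{tun}: no default route ::/0 via {tun}")
        if tun not in mtus or mtus[tun] > 1480:
            findings.append(f"{tun}: mtu must be set to at most 1480 for 6in4 over a 1500-byte link")
    for pid, szone, dzone, src, dst, svc, action in POLICY_RE.findall(text):
        if action == "permit" and szone == "Untrust" and (src, dst, svc) == ("Any-IPv6", "Any-IPv6", "ANY"):
            findings.append(f"policy {pid}: permits any IPv6 from {szone} to {dzone}, trusted side is wide open")
    return findings

if __name__ == "__main__":
    for finding in lint_screenos(SAMPLE_CONFIG):
        print(finding)
```

Run against the full "get config" output of an SSG to catch the temporary policy 91 before it is forgotten in production.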