I have a "heartbeat" dynamic tunnel set up on an Juniper (NetScreen) SSG5 with SixXS the configuration below in ScreenOS. You need a host behind the SSG5 to send your heartbeats and bring the tunnel up since the SSG5 can't send them. There is a FreeBSD server that lives behind my SSG5 that runs the AICCU client in heartbeat only mode. You can do the same thing with Windows or Linux. Whatever you use will need to be on and running AICCU the entire time you wish to use the tunnel. There is enough built in to the client and the protocol to handle NAT and discovery of your external IPv4 address on the untrusted side of the SSG5. The config I use for that is: # FREEBSD Heartbeat only AICCU Configuration - Should work for Windows as well. # Replace with your SixXS Username and Password username SIXXS-USERNAME password SIXXS-PASSWORD # Replace this with the tunnel ID of your heartbeat tunnel tunnel_id TXXXXX verbose true daemonize true automatic true requiretls false makebeats true noconfigure true behindnat true # End AICCU config Relevant ScreenOS config from working SixXS tunnel: ! Turn on IPV6 (reboot required) set envar ipv6=yes ! Set Up Untrusted Ethernet Interface with our side of IPv6 in v4 tunnel IPv6 address ! This allows for ping and other management options that won't work elsewhere. set interface "ethernet0/0" ipv6 mode "host" ! Replace below with your side of IPv6 tunnel address set interface "ethernet0/0" ipv6 ip 2001:1938:XXXX:XXXX::2/64 set interface "ethernet0/0" ipv6 enable ! Set Up Tunnel Interface (Interface tunnel.2 is used in my setup because of existing IPv4 VPN tunnel on interface tunnel.1) ! Also enable IPv6 "host" mode on tunnel interface so it can understand and build 6in4 tunnels and IPv6 traffic. ! No addresses can be assigned to "unnumbered" tunnel interfaces. They will use whatever is on the interface they are bound to. set interface tunnel.2 ip unnumbered interface ethernet0/0 set interface "tunnel.2" zone "Untrust" set interface "tunnel.2" ipv6 mode "host" set interface "tunnel.2" ipv6 enable set interface tunnel.2 tunnel encap ip6in4 manual ! Change the IP below to the IPv4 PoP endpoint of your tunnel set interface tunnel.2 tunnel local-if ethernet0/0 dst-ip 209.197.5.66 ! Up the tunnel MTU to 1480 - Make sure you adjust this or the settings on SixXS' site to match set interface tunnel.2 mtu 1480 ! Set default route for all IPv6 traffic to use tunnel set route ::/0 interface tunnel.2 gateway :: preference 20 ! Set route to SixXS PoP IPv6 ip to use tunnel interface due to /64 ! being configured on ethernet0/0 instead of unnumbered and non-addressable tunnel.2 interface. ! No way to override a "connnected" route in ScreenOS that I am aware of but it will allow and prefer ! a more granular route over a larger one. ! Failure to do this will result in a non-functional tunnel or one that is dropped as inactive ! on a regular basis. ! Make sure to change this to the PoP IPv6 address of your tunnel (/128 matches route to a single host) set route 2001:1938:XXXX:XXXX::1/128 interface tunnel.2 gateway :: preference 20 ! Set up local subnet IPv6 address and router advertisement on SSG5 trusted bridge group interface set interface "bgroup0" ipv6 mode "router" ! I could have used the entire assigned /48 here but that would have been silly... Lets use the first of the /64 subnets out of that /48. ! Once again, make sure you change this to match what you have been assigned. set interface "bgroup0" ipv6 ip 2001:1938:XXXX:XXXX::1/64 set interface "bgroup0" ipv6 enable set interface bgroup0 ipv6 ra link-mtu unset interface bgroup0 ipv6 ra link-address set interface bgroup0 ipv6 ra preference high set interface bgroup0 ipv6 ra transmit set interface bgroup0 ipv6 nd nud set interface bgroup0 ipv6 nd dad-count 0 ! Set up policy to log, count and allow outbound IPv6 traffic from any IPv6 address to any IPv6 address. ! This is the only policy you need if you aren't hosting servers that need to be accessible to the outside world. ! The ScreenOS stateful firewall will match inbound connections to the outbound connections that requested them and allow it through. ! Double check the policy ID listed is not in use already. Change it if it is. set policy id 90 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log count ! Set up policy to log, count and allow INBOUND IPv6 traffic from any IPv6 address to any IPv6 address. ! -- WARNING -- -- WARNING -- -- WARNING -- This leaves your trusted side IPv6 network wide open. ! You should only implement this for temporary testing of inbound services and use more restrictive policies in production. ! Double check the policy ID listed is not in use already. Change it if it is. set policy id 91 from "Untrust" to "Trust" "Any-IPv6" "Any-IPv6" "ANY" permit log count Everything with this setup comes up and I can ping IPv6 hosts from the SSG5 and ping and browse from IPv6 enabled hosts behind it as expected. Note - Initially I tried to use the basic setup from http://bart.motd.be/configuring-ipv6-tunnel-netscreen-ssg-firewall - This caused the SSG5 to lock up and restart about every 5 minutes. I am guessing it is because of the way the tunnel interface was set up as a numbered interface with no IPv4 address. Something in ScreenOS v6.1.0r3 does NOT like it. The current config I listed above has been stable for the last couple of weeks now.