Dual Stack Tunnels over an External Interface

Dual-stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical interface to a peer—are supported for route-based site-to-site VPNs. A physical interface configured with both IPv4 and IPv6 addresses can be used as an external interface for IPv4 and IPv6 gateways on the same peer or on different peers at the same time.

Understanding VPN Tunnel Modes

In VPN tunnel mode, IPsec encapsulates the original IP datagram—including the original IP header—within a second IP datagram. The outer IP header contains the IP address of the gateway, while the inner header contains the ultimate source and destination IP addresses. The outer and inner IP headers can have a protocol field of IPv4 or IPv6. SRX Series Firewalls support four tunnel modes for route-based site-to-site VPNs.

IPv4-in-IPv4 tunnels encapsulate IPv4 packets inside IPv4 packets, as shown in Figure 1. The protocol fields for both the outer and the inner headers are IPv4.

Figure 1: IPv4-in-IPv4 Tunnel

IPv6-in-IPv6 tunnels encapsulate IPv6 packets inside IPv6 packets, as shown in Figure 2. The protocol fields for both the outer and inner headers are IPv6.

Figure 2: IPv6-in-IPv6 Tunnel

IPv6-in-IPv4 tunnels encapsulate IPv6 packets inside IPv4 packets, as shown in Figure 3. The protocol field for the outer header is IPv4 and the protocol field for the inner header is IPv6.

Figure 3: IPv6-in-IPv4 Tunnel

IPv4-in-IPv6 tunnels encapsulate IPv4 packets inside IPv6 packets, as shown in Figure 4. The protocol field for the outer header is IPv6 and the protocol field for the inner header is IPv4.

Figure 4: IPv4-in-IPv6 Tunnel

A single IPsec VPN tunnel can carry both IPv4 and IPv6 traffic. For example, an IPv4 tunnel can operate in both IPv4-in-IPv4 and IPv6-in-IPv4 tunnel modes at the same time. To allow both IPv4 and IPv6 traffic over a single IPsec VPN tunnel, the st0 interface bound to that tunnel must be configured with both family inet and family inet6.

A physical interface configured with both IPv4 and IPv6 addresses can be used as the external interface for parallel IPv4 and IPv6 tunnels to a peer in a route-based site-to-site VPN. This feature is known as dual-stack tunnels and requires separate st0 interfaces for each tunnel.

For policy-based VPNs, IPv6-in-IPv6 is the only tunnel mode supported and it is only supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Understanding Dual-Stack Tunnels over an External Interface

Dual-stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical interface to a peer—are supported for route-based site-to-site VPNs. A physical interface configured with both IPv4 and IPv6 addresses can be used as the external interface to IPv4 and IPv6 gateways on the same peer or on different peers at the same time. In Figure 5, the physical interfaces reth0.0 and ge-0/0/0.1 support parallel IPv4 and IPv6 tunnels between two devices.

Figure 5: Dual-Stack Tunnels

In Figure 5, separate secure tunnel (st0) interfaces must be configured for each IPsec VPN tunnel. Parallel IPv4 and IPv6 tunnels that are bound to the same st0 interface are not supported.

A single IPsec VPN tunnel can carry both IPv4 and IPv6 traffic. For example, an IPv4 tunnel can operate in both IPv4-in-IPv4 and IPv6-in-IPv4 tunnel modes at the same time. To allow both IPv4 and IPv6 traffic over a single IPsec VPN tunnel, the st0 interface bound to that tunnel must be configured with both family inet and family inet6.

If multiple addresses in the same address family are configured on the same external interface to a VPN peer, we recommend that you configure local-address at the [edit security ike gateway gateway-name] hierarchy level.

If local-address is configured, the specified IPv4 or IPv6 address is used as the local gateway address. If only one IPv4 and one IPv6 address is configured on a physical external interface, local-address configuration is not required.

The local-address value must be an IP address that is configured on an interface on the SRX Series Firewall. We recommend that local-address belong to the external interface of the IKE gateway. If local-address does not belong to the external interface of the IKE gateway, the interface must be in the same zone as the external interface of the IKE gateway and an intra-zone security policy must be configured to permit traffic.

The local-address value and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6.

If local-address is not configured, the local gateway address is based on the remote gateway address. If the remote gateway address is an IPv4 address, the local gateway address is the primary IPv4 address of the external physical interface. If the remote gateway address is an IPv6 address, the local gateway address is the primary IPv6 address of the external physical interface.

Example: Configuring Dual-Stack Tunnels over an External Interface

This example shows how to configure parallel IPv4 and IPv6 tunnels over a single external physical interface to a peer for route-based site-to-site VPNs.

Requirements

Before you begin, read Understanding VPN Tunnel Modes.

The configuration shown in this example is only supported with route-based site-to-site VPNs.

Overview

In this example, a redundant Ethernet interface on the local device supports parallel IPv4 and IPv6 tunnels to a peer device:

  • The IPv4 tunnel carries IPv6 traffic; it operates in IPv6-in-IPv4 tunnel mode. The secure tunnel interface st0.0 bound to the IPv4 tunnel is configured with family inet6 only.

  • The IPv6 tunnel carries both IPv4 and IPv6 traffic; it operates in both IPv4-in-IPv6 and IPv6-in-IPv6 tunnel modes. The secure tunnel interface st0.1 bound to the IPv6 tunnel is configured with both family inet and family inet6.

Table 1 shows the Phase 1 options used in this example. The Phase 1 option configuration includes two IKE gateway configurations, one to the IPv6 peer and the other to the IPv4 peer.

Table 1: Phase 1 Options for Dual-Stack Tunnel Configuration

| Option | Value |
|---|---|
| IKE proposal | ike_proposal |
| Authentication method | Preshared keys |
| Authentication algorithm | MD5 |
| Encryption algorithm | 3DES CBC |
| Lifetime | 3600 seconds |
| IKE policy | ike_policy |
| Mode | Aggressive |
| IKE proposal | ike_proposal |
| Preshared key | ASCII text |
| IPv6 IKE gateway | ike_gw_v6 |
| IKE policy | ike_policy |
| Gateway address | 2000::2 |
| External interface | reth1.0 |
| IKE version | IKEv2 |
| IPv4 IKE gateway | ike_gw_v4 |
| IKE policy | ike_policy |
| Gateway address | 20.0.0.2 |
| External interface | reth1.0 |

Table 2 shows the Phase 2 options used in this example. The Phase 2 option configuration includes two VPN configurations, one for the IPv6 tunnel and the other for the IPv4 tunnel.

Table 2: Phase 2 Options for Dual-Stack Tunnel Configuration

| Option | Value |
|---|---|
| IPsec proposal | ipsec_proposal |
| Protocol | ESP |
| Authentication algorithm | HMAC SHA-1 96 |
| Encryption algorithm | 3DES CBC |
| IPsec policy | ipsec_policy |
| Proposal | ipsec_proposal |
| IPv6 VPN | test_s2s_v6 |
| Bind interface | st0.1 |
| IKE gateway | ike_gw_v6 |
| IKE IPsec policy | ipsec_policy |
| Establish tunnels | Immediately |
| IPv4 VPN | test_s2s_v4 |
| Bind interface | st0.0 |
| IKE gateway | ike_gw_v4 |
| IKE IPsec policy | ipsec_policy |

The following static routes are configured in the IPv6 routing table:

  • Route IPv6 traffic to 3000::1/128 through st0.0.

  • Route IPv6 traffic to 3000::2/128 through st0.1.

A static route is configured in the default (IPv4) routing table to route IPv4 traffic to 30.0.0.0/24 through st0.1.

Flow-based processing of IPv6 traffic must be enabled with the mode flow-based configuration option at the [edit security forwarding-options family inet6] hierarchy level.

Topology

In Figure 6, the SRX Series Firewall A supports IPv4 and IPv6 tunnels to device B. IPv6 traffic to 3000::1/128 is routed through the IPv4 tunnel, while IPv6 traffic to 3000::2/128 and IPv4 traffic to 30.0.0.0/24 are routed through the IPv6 tunnel.

Figure 6: Dual-Stack Tunnel Example

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure dual-stack tunnels:

  1. Configure the external interface.

  2. Configure the secure tunnel interfaces.

  3. Configure Phase 1 options.

  4. Configure Phase 2 options.

  5. Configure static routes.

  6. Enable IPv6 flow-based forwarding.
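The six steps above, written out as Junos set commands built from the values in Table 1, Table 2, and the static route list; this is an added example, not the original page's command listing. The local reth1.0 addresses (20.0.0.1/24 and 2000::1/64) and the preshared-key placeholder are assumptions, and the chassis cluster setup behind reth1 is assumed to be in place already.

```junos
# 1. External interface (local addresses are assumed; the page gives only the peer's)
set interfaces reth1 unit 0 family inet address 20.0.0.1/24
set interfaces reth1 unit 0 family inet6 address 2000::1/64
# 2. Secure tunnel interfaces: st0.0 for the IPv4 tunnel, st0.1 for the IPv6 tunnel
set interfaces st0 unit 0 family inet6
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
# 3. Phase 1 options (Table 1); the key value is a placeholder
set security ike proposal ike_proposal authentication-method pre-shared-keys
set security ike proposal ike_proposal authentication-algorithm md5
set security ike proposal ike_proposal encryption-algorithm 3des-cbc
set security ike proposal ike_proposal lifetime-seconds 3600
set security ike policy ike_policy mode aggressive
set security ike policy ike_policy proposals ike_proposal
set security ike policy ike_policy pre-shared-key ascii-text "<preshared-key>"
set security ike gateway ike_gw_v6 ike-policy ike_policy
set security ike gateway ike_gw_v6 address 2000::2
set security ike gateway ike_gw_v6 external-interface reth1.0
set security ike gateway ike_gw_v6 version v2-only
set security ike gateway ike_gw_v4 ike-policy ike_policy
set security ike gateway ike_gw_v4 address 20.0.0.2
set security ike gateway ike_gw_v4 external-interface reth1.0
# 4. Phase 2 options (Table 2)
set security ipsec proposal ipsec_proposal protocol esp
set security ipsec proposal ipsec_proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec_policy proposals ipsec_proposal
set security ipsec vpn test_s2s_v6 bind-interface st0.1
set security ipsec vpn test_s2s_v6 ike gateway ike_gw_v6
set security ipsec vpn test_s2s_v6 ike ipsec-policy ipsec_policy
set security ipsec vpn test_s2s_v6 establish-tunnels immediately
set security ipsec vpn test_s2s_v4 bind-interface st0.0
set security ipsec vpn test_s2s_v4 ike gateway ike_gw_v4
set security ipsec vpn test_s2s_v4 ike ipsec-policy ipsec_policy
# 5. Static routes: IPv6 routes in inet6.0, IPv4 route in the default table
set routing-options rib inet6.0 static route 3000::1/128 next-hop st0.0
set routing-options rib inet6.0 static route 3000::2/128 next-hop st0.1
set routing-options static route 30.0.0.0/24 next-hop st0.1
# 6. IPv6 flow-based forwarding
set security forwarding-options family inet6 mode flow-based
# Stronger substitutes (not from the page; the peer must be configured to match):
# set security ike proposal ike_proposal authentication-algorithm sha-256
# set security ike proposal ike_proposal encryption-algorithm aes-256-cbc
# set security ike policy ike_policy mode main
# set security ipsec proposal ipsec_proposal authentication-algorithm hmac-sha-256-128
# set security ipsec proposal ipsec_proposal encryption-algorithm aes-256-cbc
```

The commented lines at the end replace the MD5, 3DES, and aggressive-mode settings from Tables 1 and 2, which are weak choices for a preshared-key deployment.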

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, show security ipsec, show routing-options, and show security forwarding-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show security ike security-associations command.

Meaning

The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration. Phase 1 proposal parameters must match on the peer devices.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ipsec security-associations command.

Meaning

The show security ipsec security-associations command lists all active IKE Phase 2 SAs. If no SAs are listed, there was a problem with Phase 2 establishment. Check the IKE policy parameters and external interface settings in your configuration. Phase 2 proposal parameters must match on the peer devices.

Verifying Routes

Purpose

Verify active routes.

Action

From operational mode, enter the show route command.

Meaning

The show route command lists active entries in the routing tables.