Hi! It seems that the SRX is unable to encapsulate IPv6 traffic over an IPv4 IPsec tunnel.
We have this topology:
                   st0.0 10.15.15.34/30                    10.15.15.33/30 sp-1/2/0.7
                   st0.0 2fff:ffff::e/126                2fff:ffff::d/126 sp-1/2/0.7
SRX210he2 node 0 =================================================== M7i
SRX210he2 node 1
Configs:
> version

    admin@SRX-GW0> show version
    node0:
    --------------------------------------------------------------------------
    Hostname: SRX-GW0
    Model: srx210he2
    JUNOS Software Release [12.1X46-D65.4]

    node1:
    --------------------------------------------------------------------------
    Hostname: SRX-GW1
    Model: srx210he2
    JUNOS Software Release [12.1X46-D65.4]

> tunnel interface

    admin@SRX-GW0> show configuration interfaces st0 unit 0
    description "ipsec to m7i";
    family inet {
        /* 1492 of ppp - 20 of outer ip - 57 of 3des/sha1 */
        mtu 1415;
        address 10.15.15.34/30;
    }
    family inet6 {
        /* 1492 of ppp - 20 of outer ip - 57 of 3des/sha1 */
        mtu 1415;
        /* some prefix */
        address 2fff:ffff::e/126;
    }

M7i:
> version

    admin@M7i-GW1> show version
    Hostname: M7i-GW1
    Model: m7i
    Junos: 13.3R6.5
    JUNOS Base OS boot [13.3R6.5]
    JUNOS Base OS Software Suite [13.3R6.5]
    JUNOS Kernel Software Suite [13.3R6.5]
    JUNOS Crypto Software Suite [13.3R6.5]
    JUNOS Packet Forwarding Engine Support (M/T/EX Common) [13.3R6.5]
    JUNOS Packet Forwarding Engine Support (M7i/M10i) [13.3R6.5]
    JUNOS Online Documentation [13.3R6.5]
    JUNOS Services AACL Container package [13.3R6.5]
    JUNOS Services Application Level Gateways [13.3R6.5]
    JUNOS AppId Services [13.3R6.5]
    JUNOS Border Gateway Function package [13.3R6.5]
    JUNOS Services Captive Portal and Content Delivery Container package [13.3R6.5]
    JUNOS Services HTTP Content Management package [13.3R6.5]
    JUNOS IDP Services [13.3R6.5]
    JUNOS Services Jflow Container package [13.3R6.5]
    JUNOS Services LL-PDF Container package [13.3R6.5]
    JUNOS Services MobileNext Software package [13.3R6.5]
    JUNOS Services Mobile Subscriber Service Container package [13.3R6.5]
    JUNOS Services NAT [13.3R6.5]
    JUNOS Services PTSP Container package [13.3R6.5]
    JUNOS Services RPM [13.3R6.5]
    JUNOS Services Stateful Firewall [13.3R6.5]
    JUNOS Voice Services Container package [13.3R6.5]
    JUNOS Services Crypto [13.3R6.5]
    JUNOS Services SSL [13.3R6.5]
    JUNOS Services IPSec [13.3R6.5]
    JUNOS platform Software Suite [13.3R6.5]
    JUNOS Routing Software Suite [13.3R6.5]
    JUNOS Runtime Software Suite [13.3R6.5]
    JUNOS py-base-i386 [13.3R6.5]

> tunnel interface

    admin@M7i-GW1> show configuration interfaces sp-1/2/0
    unit 7 {
        description "in ipsec tunnel to SRX-GW0";
        family inet {
            /* 1492 of ppp (on the other side) - 20 of outer ip - 57 of 3des/sha1 */
            mtu 1415;
            address 10.15.15.33/30;
        }
        family inet6 {
            /* 1492 of ppp (on the other side) - 20 of outer ip - 57 of 3des/sha1 */
            mtu 1415;
            address 2fff:ffff::d/126;
        }
        service-domain inside;
    }
    unit 8 {
        description "out ipsec tunnel to SRX-GW0";
        family inet;
        family inet6;
        service-domain outside;
    }
Problem:
- IPv4 traffic goes through the tunnel properly:

    admin@SRX-GW0> ping count 4 10.15.15.33
    PING 10.15.15.33 (10.15.15.33): 56 data bytes
    64 bytes from 10.15.15.33: icmp_seq=0 ttl=64 time=46.725 ms
    64 bytes from 10.15.15.33: icmp_seq=1 ttl=64 time=45.815 ms
    64 bytes from 10.15.15.33: icmp_seq=2 ttl=64 time=45.649 ms
    64 bytes from 10.15.15.33: icmp_seq=3 ttl=64 time=45.689 ms

    --- 10.15.15.33 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 45.649/45.969/46.725/0.440 ms

- However, IPv6 fails:

    admin@SRX-GW0> ping inet6 count 4 2fff:ffff::d
    PING6(56=40+8+8 bytes) 2fff:ffff::e --> 2fff:ffff::d

    --- 2fff:ffff::d ping6 statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

- Monitor traffic shows this picture during ping 2fff:ffff::e --> 2fff:ffff::d:
    admin@SRX-GW0> monitor traffic interface st0.0 no-resolve size 1600 print-hex
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on st0.0, capture size 1600 bytes

    10:19:09.991039 Out unknown protocol (0x006c) /* OSPF3 Hello packet */
            6c00 0000 0024 5901 fe80 0000 0000 0000
            120e 7e0f fcd6 56c0 ff02 0000 0000 0000
            0000 0000 0000 0005 0301 0024 0ac8 0001
            0000 0000 900c 0000 0000 0005 8000 0013
            000a 0028 0000 0000 0000 0000
    10:19:11.186678 In IP 10.15.15.33 > 224.0.0.5: OSPFv2, Hello, length 84
    10:19:13.483581 Out unknown protocol (0x0060) /* ipv6 ping echo request */
            6000 0000 0010 3a40 2fff ffff 0000 0000
            0000 0000 0000 000e 2fff ffff 0000 0000
            0000 0000 0000 000d 8000 d1ae ef7c 0000
            599d 56a1 0007 6025
    10:19:13.485303 Out unknown protocol (0x0060) /* ipv6 ping echo request */
            6000 0000 0010 3a40 2fff ffff 0000 0000
            0000 0000 0000 000e 2fff ffff 0000 0000
            0000 0000 0000 000d 8000 cae1 ef7c 0001
            599d 56a1 0007 66f1
    10:19:14.484738 Out unknown protocol (0x0060) /* ipv6 ping echo request */
            6000 0000 0010 3a40 2fff ffff 0000 0000
            0000 0000 0000 000e 2fff ffff 0000 0000
            0000 0000 0000 000d 8000 ccf8 ef7c 0002
            599d 56a2 0007 64d8
    10:19:14.677695 Out IP 10.15.15.34 > 224.0.0.5: OSPFv2, Hello, length 84
    10:19:15.486542 Out unknown protocol (0x0060) /* ipv6 ping echo request */
            6000 0000 0010 3a40 2fff ffff 0000 0000
            0000 0000 0000 000e 2fff ffff 0000 0000
            0000 0000 0000 000d 8000 c60b ef7c 0003
            599d 56a3 0007 6bc3
    10:19:19.325805 In IP 10.15.15.33 > 224.0.0.5: OSPFv2, Hello, length 84
    10:19:19.932314 Out unknown protocol (0x006c) /* OSPF3 Hello packet */
            6c00 0000 0024 5901 fe80 0000 0000 0000
            120e 7e0f fcd6 56c0 ff02 0000 0000 0000
            0000 0000 0000 0005 0301 0024 0ac8 0001
            0000 0000 900c 0000 0000 0005 8000 0013
            000a 0028 0000 0000 0000 0000
    10:19:23.290296 Out IP 10.15.15.34 > 224.0.0.5: OSPFv2, Hello, length 84
    10:19:28.767944 In IP 10.15.15.33 > 224.0.0.5: OSPFv2, Hello, length 84
    10:19:29.726334 Out unknown protocol (0x006c) /* OSPF3 Hello packet */
            6c00 0000 0024 5901 fe80 0000 0000 0000
            120e 7e0f fcd6 56c0 ff02 0000 0000 0000
            0000 0000 0000 0005 0301 0024 0ac8 0001
            0000 0000 900c 0000 0000 0005 8000 0013
            000a 0028 0000 0000 0000 0000
    10:19:32.029572 Out IP 10.15.15.34 > 224.0.0.5: OSPFv2, Hello, length 84
- Monitor traffic on the M7i shows neither echo requests nor OSPF3 hello packets from the SRX, but shows OSPF3 hello packets and echo requests from the M7i.
Could you please suggest any tips for further troubleshooting?
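
As an added example (not part of the original post), the hex dumps from the st0.0 capture above can be decoded offline to see what the "unknown protocol" records contain: this sketch parses the 40-byte IPv6 fixed header and the first bytes of the ICMPv6 or OSPF payload. The function name `decode_ipv6` and the constant names are assumptions made for illustration; the hex words are copied from the post.

```python
import ipaddress
import struct

# Hex words copied from the st0.0 capture in the post (not constructed).
OSPF3_HELLO = """
6c00 0000 0024 5901 fe80 0000 0000 0000 120e 7e0f fcd6 56c0 ff02 0000 0000 0000
0000 0000 0000 0005 0301 0024 0ac8 0001 0000 0000 900c 0000 0000 0005 8000 0013
000a 0028 0000 0000 0000 0000
"""
ECHO_REQUEST = """
6000 0000 0010 3a40 2fff ffff 0000 0000 0000 0000 0000 000e 2fff ffff 0000 0000
0000 0000 0000 000d 8000 d1ae ef7c 0000 599d 56a1 0007 6025
"""

NEXT_HEADERS = {58: "ICMPv6", 89: "OSPF"}  # IANA protocol numbers


def decode_ipv6(hex_words):
    """Decode an IPv6 fixed header (plus ICMPv6/OSPF basics) from hex words."""
    raw = bytes.fromhex("".join(hex_words.split()))
    if len(raw) < 40:
        raise ValueError("dump is shorter than the 40-byte IPv6 fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    if first_word >> 28 != 6:
        raise ValueError("first nibble is not 6, so this is not an IPv6 header")
    info = {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": NEXT_HEADERS.get(next_header, str(next_header)),
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(raw[8:24])),
        "dst": str(ipaddress.IPv6Address(raw[24:40])),
        # True when the capture holds exactly header + declared payload.
        "complete": len(raw) == 40 + payload_len,
    }
    payload = raw[40:]
    if next_header == 58 and len(payload) >= 8:
        icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info["icmpv6"] = {"type": icmp_type, "code": code, "id": ident, "seq": seq}
    elif next_header == 89 and len(payload) >= 4:
        version, pkt_type, length = struct.unpack("!BBH", payload[:4])
        info["ospf"] = {"version": version, "type": pkt_type, "length": length}
    return info


if __name__ == "__main__":
    for name, dump in (("OSPF3 hello", OSPF3_HELLO), ("echo request", ECHO_REQUEST)):
        print(name, decode_ipv6(dump))
```

Both records parse as complete IPv6 packets, and the value shown in parentheses after "unknown protocol" equals the first byte of each header: 0x6c is version 6 with traffic class 0xc0, and 0x60 is version 6 with traffic class 0.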