Dual Stack Tunnels over an External Interface
Dual-stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical interface to a peer—are supported for route-based site-to-site VPNs. A physical interface configured with both IPv4 and IPv6 addresses can be used as an external interface for IPv4 and IPv6 gateways on the same peer or on different peers at the same time.
Understanding VPN Tunnel Modes
In VPN tunnel mode, IPsec encapsulates the original IP datagram—including the original IP header—within a second IP datagram. The outer IP header contains the IP address of the gateway, while the inner header contains the ultimate source and destination IP addresses. The outer and inner IP headers can have a protocol field of IPv4 or IPv6. SRX Series Firewalls support four tunnel modes for route-based site-to-site VPNs.
IPv4-in-IPv4 tunnels encapsulate IPv4 packets inside IPv4 packets, as shown in Figure 1. The protocol fields for both the outer and the inner headers are IPv4.
IPv6-in-IPv6 tunnels encapsulate IPv6 packets inside IPv6 packets, as shown in Figure 2. The protocol fields for both the outer and inner headers are IPv6.
IPv6-in-IPv4 tunnels encapsulate IPv6 packets inside IPv4 packets, as shown in Figure 3. The protocol field for the outer header is IPv4 and the protocol field for the inner header is IPv6.
IPv4-in-IPv6 tunnels encapsulate IPv4 packets inside IPv6 packets, as shown in Figure 4. The protocol field for the outer header is IPv6 and the protocol field for the inner header is IPv4.
A single IPsec VPN tunnel can carry both IPv4 and IPv6 traffic. For example, an IPv4 tunnel can operate in both IPv4-in-IPv4 and IPv6-in-IPv4 tunnel modes at the same time. To allow both IPv4 and IPv6 traffic over a single IPsec VPN tunnel, the st0 interface bound to that tunnel must be configured with both family inet and family inet6.
A physical interface configured with both IPv4 and IPv6 addresses can be used as the external interface for parallel IPv4 and IPv6 tunnels to a peer in a route-based site-to-site VPN. This feature is known as dual-stack tunnels and requires separate st0 interfaces for each tunnel.
For policy-based VPNs, IPv6-in-IPv6 is the only tunnel mode supported and it is only supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.
Understanding Dual-Stack Tunnels over an External Interface
Dual-stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical interface to a peer—are supported for route-based site-to-site VPNs. A physical interface configured with both IPv4 and IPv6 addresses can be used as the external interface to IPv4 and IPv6 gateways on the same peer or on different peers at the same time. In Figure 5, the physical interfaces reth0.0 and ge-0/0/0.1 support parallel IPv4 and IPv6 tunnels between two devices.
In Figure 5, separate secure tunnel (st0) interfaces must be configured for each IPsec VPN tunnel. Parallel IPv4 and IPv6 tunnels that are bound to the same st0 interface are not supported.
If multiple addresses in the same address family are configured on the same external interface to a VPN peer, we recommend that you configure local-address at the [edit security ike gateway gateway-name] hierarchy level. If local-address is configured, the specified IPv4 or IPv6 address is used as the local gateway address. If only one IPv4 and one IPv6 address is configured on a physical external interface, local-address configuration is not required.
The local-address value must be an IP address that is configured on an interface on the SRX Series Firewall. We recommend that local-address belong to the external interface of the IKE gateway. If local-address does not belong to the external interface of the IKE gateway, the interface must be in the same zone as the external interface of the IKE gateway and an intra-zone security policy must be configured to permit traffic.
The local-address value and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6.
If local-address is not configured, the local gateway address is based on the remote gateway address. If the remote gateway address is an IPv4 address, the local gateway address is the primary IPv4 address of the external physical interface. If the remote gateway address is an IPv6 address, the local gateway address is the primary IPv6 address of the external physical interface.
Example: Configuring Dual-Stack Tunnels over an External Interface
This example shows how to configure parallel IPv4 and IPv6 tunnels over a single external physical interface to a peer for route-based site-to-site VPNs.
Requirements
Before you begin, read Understanding VPN Tunnel Modes.
The configuration shown in this example is only supported with route-based site-to-site VPNs.
Overview
In this example, a redundant Ethernet interface on the local device supports parallel IPv4 and IPv6 tunnels to a peer device:
The IPv4 tunnel carries IPv6 traffic; it operates in IPv6-in-IPv4 tunnel mode. The secure tunnel interface st0.0 bound to the IPv4 tunnel is configured with family inet6 only.
The IPv6 tunnel carries both IPv4 and IPv6 traffic; it operates in both IPv4-in-IPv6 and IPv6-in-IPv6 tunnel modes. The secure tunnel interface st0.1 bound to the IPv6 tunnel is configured with both family inet and family inet6.
Table 1 shows the Phase 1 options used in this example. The Phase 1 option configuration includes two IKE gateway configurations, one to the IPv6 peer and the other to the IPv4 peer.
| Option | Value |
|---|---|
| IKE proposal | ike_proposal |
| Authentication method | Preshared keys |
| Authentication algorithm | MD5 |
| Encryption algorithm | 3DES CBC |
| Lifetime | 3600 seconds |
| IKE policy | ike_policy |
| Mode | Aggressive |
| IKE proposal | ike_proposal |
| Preshared key | ASCII text |
| IPv6 IKE gateway | ike_gw_v6 |
| IKE policy | ike_policy |
| Gateway address | 2000::2 |
| External interface | reth1.0 |
| IKE version | IKEv2 |
| IPv4 IKE gateway | ike_gw_v4 |
| IKE policy | ike_policy |
| Gateway address | 20.0.0.2 |
| External interface | reth1.0 |
Table 2 shows the Phase 2 options used in this example. The Phase 2 option configuration includes two VPN configurations, one for the IPv6 tunnel and the other for the IPv4 tunnel.
| Option | Value |
|---|---|
| IPsec proposal | ipsec_proposal |
| Protocol | ESP |
| Authentication algorithm | HMAC SHA-1 96 |
| Encryption algorithm | 3DES CBC |
| IPsec policy | ipsec_policy |
| Proposal | ipsec_proposal |
| IPv6 VPN | test_s2s_v6 |
| Bind interface | st0.1 |
| IKE gateway | ike_gw_v6 |
| IKE IPsec policy | ipsec_policy |
| Establish tunnels | Immediately |
| IPv4 VPN | test_s2s_v4 |
| Bind interface | st0.0 |
| IKE gateway | ike_gw_v4 |
| IKE IPsec policy | ipsec_policy |
The following static routes are configured in the IPv6 routing table:
Route IPv6 traffic to 3000::1/128 through st0.0.
Route IPv6 traffic to 3000::2/128 through st0.1.
A static route is configured in the default (IPv4) routing table to route IPv4 traffic to 30.0.0.0/24 through st0.1.
Flow-based processing of IPv6 traffic must be enabled with the mode flow-based configuration option at the [edit security forwarding-options family inet6] hierarchy level.
Topology
In Figure 6, the SRX Series Firewall A supports IPv4 and IPv6 tunnels to device B. IPv6 traffic to 3000::1/128 is routed through the IPv4 tunnel, while IPv6 traffic to 3000::2/128 and IPv4 traffic to 30.0.0.0/24 are routed through the IPv6 tunnel.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-8/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 20.0.0.1/24
set interfaces reth1 unit 0 family inet6 address 2000::1/64
set interfaces st0 unit 0 family inet6
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set security ike proposal ike_proposal authentication-method pre-shared-keys
set security ike proposal ike_proposal authentication-algorithm md5
set security ike proposal ike_proposal encryption-algorithm 3des-cbc
set security ike proposal ike_proposal lifetime-seconds 3600
set security ike policy ike_policy mode aggressive
set security ike policy ike_policy proposals ike_proposal
set security ike policy ike_policy pre-shared-key ascii-text "$ABC123"
set security ike gateway ike_gw_v6 ike-policy ike_policy
set security ike gateway ike_gw_v6 address 2000::2
set security ike gateway ike_gw_v6 external-interface reth1.0
set security ike gateway ike_gw_v6 version v2-only
set security ike gateway ike_gw_v4 ike-policy ike_policy
set security ike gateway ike_gw_v4 address 20.0.0.2
set security ike gateway ike_gw_v4 external-interface reth1.0
set security ipsec proposal ipsec_proposal protocol esp
set security ipsec proposal ipsec_proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec_policy proposals ipsec_proposal
set security ipsec vpn test_s2s_v6 bind-interface st0.1
set security ipsec vpn test_s2s_v6 ike gateway ike_gw_v6
set security ipsec vpn test_s2s_v6 ike ipsec-policy ipsec_policy
set security ipsec vpn test_s2s_v6 establish-tunnels immediately
set security ipsec vpn test_s2s_v4 bind-interface st0.0
set security ipsec vpn test_s2s_v4 ike gateway ike_gw_v4
set security ipsec vpn test_s2s_v4 ike ipsec-policy ipsec_policy
set routing-options rib inet6.0 static route 3000::1/128 next-hop st0.0
set routing-options rib inet6.0 static route 3000::2/128 next-hop st0.1
set routing-options static route 30.0.0.0/24 next-hop st0.1
set security forwarding-options family inet6 mode flow-based
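The dual-stack rules stated earlier (one st0 unit per tunnel, local-address in the peer's address family and on the external interface, or exactly one address of that family when local-address is omitted, and each st0 unit carrying the family of the routes pointed at it) can be checked mechanically before commit. The following Python lint is an added example, not Juniper tooling; it reads flat set commands, and the sample configuration is the quick configuration above reduced to the lines the rules depend on.

```python
import ipaddress

# Constructed sample: the page's quick configuration reduced to the lines the rules depend on.
CONFIG = """\
set interfaces reth1 unit 0 family inet address 20.0.0.1/24
set interfaces reth1 unit 0 family inet6 address 2000::1/64
set interfaces st0 unit 0 family inet6
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set security ike gateway ike_gw_v6 address 2000::2
set security ike gateway ike_gw_v6 external-interface reth1.0
set security ike gateway ike_gw_v4 address 20.0.0.2
set security ike gateway ike_gw_v4 external-interface reth1.0
set security ipsec vpn test_s2s_v6 bind-interface st0.1
set security ipsec vpn test_s2s_v4 bind-interface st0.0
set routing-options rib inet6.0 static route 3000::1/128 next-hop st0.0
set routing-options rib inet6.0 static route 3000::2/128 next-hop st0.1
set routing-options static route 30.0.0.0/24 next-hop st0.1
"""

def lint(text):
    """Return the dual-stack rule violations found in a flat 'set' configuration."""
    fams, gws, binds, routes = {}, {}, {}, []
    for t in (line.split() for line in text.splitlines()):
        if t[1:2] == ["interfaces"] and "family" in t:      # unit -> family -> addresses
            addrs = fams.setdefault(f"{t[2]}.{t[4]}", {}).setdefault(t[6], [])
            if "address" in t:
                addrs.append(t[t.index("address") + 1].split("/")[0])
        elif t[1:4] == ["security", "ike", "gateway"]:      # gateway attributes by name
            gws.setdefault(t[4], {})[t[5]] = t[6]
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5:6] == ["bind-interface"]:
            binds.setdefault(t[6], []).append(t[4])        # st0 unit -> VPN names
        elif t[1:2] == ["routing-options"]:
            routes.append(("inet6" if "inet6.0" in t else "inet", t[-1]))
    out = []
    for st, names in binds.items():                          # one st0 unit per tunnel
        if len(names) > 1:
            out.append(f"{st} is bound to more than one VPN: {sorted(names)}")
    for name, g in gws.items():
        peer = ipaddress.ip_address(g["address"])
        fam = "inet6" if peer.version == 6 else "inet"
        ext = fams.get(g["external-interface"], {}).get(fam, [])
        local = g.get("local-address")
        if local and ipaddress.ip_address(local).version != peer.version:
            out.append(f"{name}: local-address {local} and peer {peer} differ in address family")
        elif local and local not in ext:
            out.append(f"{name}: local-address {local} is not on {g['external-interface']}")
        elif not local and len(ext) != 1:
            out.append(f"{name}: {len(ext)} {fam} addresses on external interface; set local-address")
    for fam, nh in routes:                                   # st0 must carry the routed family
        if fam not in fams.get(nh, {}):
            out.append(f"{fam} route via {nh}, but {nh} has no family {fam}")
    return out
```

Run `lint(CONFIG)` on the page's configuration and it returns an empty list; binding both VPNs to st0.1 or adding a second IPv4 address to reth1.0 without local-address each produce one finding.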
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure dual-stack tunnels:
Configure the external interface.
[edit interfaces]
user@host# set ge-0/0/1 gigether-options redundant-parent reth1
user@host# set ge-8/0/1 gigether-options redundant-parent reth1
user@host# set reth1 redundant-ether-options redundancy-group 1
user@host# set reth1 unit 0 family inet address 20.0.0.1/24
user@host# set reth1 unit 0 family inet6 address 2000::1/64
Configure the secure tunnel interfaces.
[edit interfaces]
user@host# set st0 unit 0 family inet6
user@host# set st0 unit 1 family inet
user@host# set st0 unit 1 family inet6
Configure Phase 1 options.
[edit security ike proposal ike_proposal]
user@host# set authentication-method pre-shared-keys
user@host# set authentication-algorithm md5
user@host# set encryption-algorithm 3des-cbc
user@host# set lifetime-seconds 3600
[edit security ike policy ike_policy]
user@host# set mode aggressive
user@host# set proposals ike_proposal
user@host# set pre-shared-key ascii-text "$ABC123"
[edit security ike gateway ike_gw_v6]
user@host# set ike-policy ike_policy
user@host# set address 2000::2
user@host# set external-interface reth1.0
user@host# set version v2-only
[edit security ike gateway ike_gw_v4]
user@host# set ike-policy ike_policy
user@host# set address 20.0.0.2
user@host# set external-interface reth1.0
Configure Phase 2 options.
[edit security ipsec proposal ipsec_proposal]
user@host# set protocol esp
user@host# set authentication-algorithm hmac-sha1-96
user@host# set encryption-algorithm 3des-cbc
[edit security ipsec policy ipsec_policy]
user@host# set proposals ipsec_proposal
[edit security ipsec vpn test_s2s_v6]
user@host# set bind-interface st0.1
user@host# set ike gateway ike_gw_v6
user@host# set ike ipsec-policy ipsec_policy
user@host# set establish-tunnels immediately
[edit security ipsec vpn test_s2s_v4]
user@host# set bind-interface st0.0
user@host# set ike gateway ike_gw_v4
user@host# set ike ipsec-policy ipsec_policy
Configure static routes.
[edit routing-options rib inet6.0]
user@host# set static route 3000::1/128 next-hop st0.0
user@host# set static route 3000::2/128 next-hop st0.1
[edit routing-options]
user@host# set static route 30.0.0.0/24 next-hop st0.1
Enable IPv6 flow-based forwarding.
[edit security forwarding-options]
user@host# set family inet6 mode flow-based
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, show security ipsec, show routing-options, and show security forwarding-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-0/0/1 {
    gigether-options {
        redundant-parent reth1;
    }
}
ge-8/0/1 {
    gigether-options {
        redundant-parent reth1;
    }
}
reth1 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 20.0.0.1/24;
        }
        family inet6 {
            address 2000::1/64;
        }
    }
}
st0 {
    unit 0 {
        family inet6;
    }
    unit 1 {
        family inet;
        family inet6;
    }
}
[edit]
user@host# show security ike
proposal ike_proposal {
    authentication-method pre-shared-keys;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy ike_policy {
    mode aggressive;
    proposals ike_proposal;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike_gw_v6 {
    ike-policy ike_policy;
    address 2000::2;
    external-interface reth1.0;
    version v2-only;
}
gateway ike_gw_v4 {
    ike-policy ike_policy;
    address 20.0.0.2;
    external-interface reth1.0;
}
[edit]
user@host# show security ipsec
proposal ipsec_proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec_policy {
    proposals ipsec_proposal;
}
vpn test_s2s_v6 {
    bind-interface st0.1;
    ike {
        gateway ike_gw_v6;
        ipsec-policy ipsec_policy;
    }
    establish-tunnels immediately;
}
vpn test_s2s_v4 {
    bind-interface st0.0;
    ike {
        gateway ike_gw_v4;
        ipsec-policy ipsec_policy;
    }
}
[edit]
user@host# show routing-options
rib inet6.0 {
    static {
        route 3000::1/128 next-hop st0.0;
        route 3000::2/128 next-hop st0.1;
    }
}
static {
    route 30.0.0.0/24 next-hop st0.1;
}
[edit]
user@host# show security forwarding-options
family {
    inet6 {
        mode flow-based;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying IKE Phase 1 Status
Purpose
Verify the IKE Phase 1 status.
Action
From operational mode, enter the show security ike security-associations command.
user@host> show security ike security-associations
Index      State  Initiator cookie  Responder cookie  Mode        Remote Address
1081812113 UP     51d9e6df8a929624  7bc15bb40781a902  IKEv2       2000::2
1887118424 UP     d80b55b949b54f0a  b75ecc815529ae8f  Aggressive  20.0.0.2
Meaning
The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration. Phase 1 proposal parameters must match on the peer devices.
Verifying IPsec Phase 2 Status
Purpose
Verify the IPsec Phase 2 status.
Action
From operational mode, enter the show security ipsec security-associations command.
user@host> show security ipsec security-associations
  Total active tunnels: 2
  ID       Algorithm       SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131074  ESP:3des/sha1   8828bd36  3571/ unlim  -   root 500   20.0.0.2
  >131074  ESP:3des/sha1   c968afd8  3571/ unlim  -   root 500   20.0.0.2
  <131073  ESP:3des/sha1   8e9e695a  3551/ unlim  -   root 500   2000::2
  >131073  ESP:3des/sha1   b3a254d1  3551/ unlim  -   root 500   2000::2
Meaning
The show security ipsec security-associations command lists all active IKE Phase 2 SAs. If no SAs are listed, there was a problem with Phase 2 establishment. Check the IKE policy parameters and external interface settings in your configuration. Phase 2 proposal parameters must match on the peer devices.
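For a dual-stack deployment the useful check is not "some SAs exist" but that both the IPv4 and the IPv6 gateway have an inbound (<) and an outbound (>) SA under the same ID. The following Python parser is an added example, not Juniper tooling; the sample text is the SA table above, embedded inline.

```python
import ipaddress

# Constructed sample: the 'show security ipsec security-associations' output on this page.
SA_OUTPUT = """\
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:3des/sha1 8828bd36 3571/ unlim - root 500 20.0.0.2
>131074 ESP:3des/sha1 c968afd8 3571/ unlim - root 500 20.0.0.2
<131073 ESP:3des/sha1 8e9e695a 3551/ unlim - root 500 2000::2
>131073 ESP:3des/sha1 b3a254d1 3551/ unlim - root 500 2000::2
"""

def parse_sas(text):
    """Yield (direction, id, algorithm, spi, gateway) for each SA row; '<' is inbound, '>' outbound."""
    for line in text.splitlines():
        t = line.split()
        if t and t[0][0] in "<>":
            yield t[0][0], t[0][1:], t[1], t[2], t[-1]

def tunnel_status(text, expected_peers):
    """Map each expected peer to its complete SA pair, or to None if a direction is missing."""
    pairs = {}  # (gateway, id) -> {"alg": ..., "<": inbound SPI, ">": outbound SPI}
    for direction, sa_id, alg, spi, gw in parse_sas(text):
        pairs.setdefault((gw, sa_id), {"alg": alg})[direction] = spi
    status = {}
    for peer in expected_peers:
        want = ipaddress.ip_address(peer).compressed   # compare canonical forms, not raw text
        candidates = [e for (gw, _), e in pairs.items()
                      if ipaddress.ip_address(gw).compressed == want]
        complete = [e for e in candidates if "<" in e and ">" in e]
        status[peer] = complete[0] if complete else None
    return status
```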
Verifying Routes
Purpose
Verify active routes.
Action
From operational mode, enter the show route command.
user@host> show route

inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.5.0.0/16        *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.10.0.0/16       *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.150.0.0/16      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.150.48.0/21     *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.155.0.0/16      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.157.64.0/19     *[Direct/0] 3d 01:43:23
                    > via fxp0.0
10.157.72.36/32    *[Local/0] 3d 01:43:23
                      Local via fxp0.0
10.204.0.0/16      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.206.0.0/16      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
10.209.0.0/16      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
20.0.0.0/24        *[Direct/0] 03:45:41
                    > via reth1.0
20.0.0.1/32        *[Local/0] 03:45:41
                      Local via reth1.0
30.0.0.0/24        *[Static/5] 00:07:49
                    > via st0.1
50.0.0.0/24        *[Direct/0] 03:45:42
                    > via reth0.0
50.0.0.1/32        *[Local/0] 03:45:42
                      Local via reth0.0
172.16.0.0/12      *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
192.168.0.0/16     *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
192.168.102.0/23   *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
207.17.136.0/24    *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0
207.17.136.192/32  *[Static/5] 3d 01:43:23
                    > to 10.157.64.1 via fxp0.0

inet6.0: 10 destinations, 14 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2000::/64          *[Direct/0] 03:45:41
                    > via reth1.0
2000::1/128        *[Local/0] 03:45:41
                      Local via reth1.0
3000::1/128        *[Static/5] 00:03:45
                    > via st0.0
3000::2/128        *[Static/5] 00:03:45
                    > via st0.1
5000::/64          *[Direct/0] 03:45:42
                    > via reth0.0
5000::1/128        *[Local/0] 03:45:42
                      Local via reth0.0
fe80::/64          *[Direct/0] 03:45:42
                    > via reth0.0
                    [Direct/0] 03:45:41
                    > via reth1.0
                    [Direct/0] 03:45:41
                    > via st0.0
                    [Direct/0] 03:45:13
                    > via st0.1
fe80::210:dbff:feff:1000/128
                   *[Local/0] 03:45:42
                      Local via reth0.0
fe80::210:dbff:feff:1001/128
                   *[Local/0] 03:45:41
                      Local via reth1.0
Meaning
The show route command lists active entries in the routing tables.