Author Topic: IPV4 over IPV6 remote access XAuth  (Read 2414 times)

test2003

IPV4 over IPV6 remote access XAuth
« on: December 21, 2005, 10:02:24 pm »
Hi all,

I am trying to set up a remote access XAuth IPv6 tunnel on a 5GT using the 5.3.0 release. I want to set up an IPv6 tunnel and send IPv4 data through it. The network is set up on simple Ethernet switches. I am trying to set up a route-based VPN. If anybody has a sample config, please help me out. It is getting difficult to configure V6 and V4 combinations together. I am OK with policy-based VPNs too, as long as I can do IPv4 data through IPv6 remote access tunnels. I am running version 5.3.0.

-Regards
Bob

Network Diagram
============
Client
-------
4FFE::0200:FF:FE00:1

Juniper DUT
--------------
4ffe::200:ff:fe00:2/64===10.48.123.2---------->10.48.123.10
untrust                  trust                 (server)

I am using routing mode on both trust and untrust interfaces.

Rejected an IKE packet on untrust from 4ffe::200:ff:fe00:1:500 to 4ffe::200:ff:fe00:2:500 with cookies 906bda9f0343993d and 7a1e61b35b8dfa9b because there were no acceptable Phase 1 proposals.
2005-12-21 19:40:14 info IKE<4ffe::200:ff:fe00:1> Phase 1: Responder starts AGGRESSIVE mode negotiations

Here is my relevant config
=================
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.48.123.2/24
set interface trust route
set interface untrust ip 10.48.122.2/24
set interface "untrust" ipv6 mode "router"
set interface "untrust" ipv6 ip 4ffe::200:ff:fe00:2/64
set interface "untrust" ipv6 enable
set interface untrust route
set interface tunnel.2 ip unnumbered interface untrust
set interface "tunnel.2" ipv6 mode "host"
set interface "tunnel.2" ipv6 enable
set interface tunnel.2 mtu 1500
set interface trust manage-ip 10.48.123.3
unset interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust ipv6 ra link-address
set interface untrust ipv6 nd nud
set interface tunnel.2 ipv6 nd nud
set interface tunnel.2 ipv6 nd dad-count 0
set flow tcp-mss
unset flow tcp-syn-check
set hostname ns5gt
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address Trust "10.48.123.0/24" 10.48.123.0 255.255.255.0
set address Untrust "10.48.122.0/24" 10.48.122.0 255.255.255.0
set ippool "p1" 10.48.123.30 10.48.123.40
set ippool "p2" 10.48.124.30 10.48.124.40
set user "user1" uid 3
set user "user1" ike-id fqdn "ISAKMPIDV6" share-limit 1
set user "user1" type  ike xauth
set user "user1" password "GHS8r114NluQA5s7nCCDbq66qcnQQFMWng=="
unset user "user1" type auth
set user "user1" "enable"
set ike gateway "av6-1" dialup "user1" Main outgoing-interface "untrust" local-address "4ffe::200:ff:fe00:2" preshare "I3F/tPuFNlty/WsKolCvLaT1CRnBO8t5Vg==" proposal "pre-g1-des-md5"
unset ike gateway "av6-1" nat-traversal
set ike respond-bad-spi 1
set xauth default ippool "p2"
set xauth server config-after-auth
set vpn "av6-2" gateway "av6-1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "av6-2" id 5 bind interface tunnel.2
set policy id 1 from "Untrust" to "Trust"  "Any-IPv4" "Any-IPv4" "ANY" permit
set policy id 1
set policy id 2 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY" permit
set policy id 2
set policy id 3 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" permit
set policy id 3
set policy id 4 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit
set policy id 4
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface trust gateway 10.48.123.1
set route 0.0.0.0/0 interface tunnel.1
set route ::/0 interface tunnel.2 gateway :: preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
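
An added example, not part of the original post and not a Juniper tool: a small Python check that cross-references lines copied from the config and log above. It only reports what those lines show (the Phase 1 mode keyword against the mode in the log, routes through tunnel interfaces that have no VPN bound, and proposals built on DES, MD5 or DH group 1), assumes the ScreenOS mode keywords `Main`/`Aggr`, and does not establish which item caused the rejection.

```python
import re

# Lines copied from the post above; the preshare value is elided here.
CONFIG = '''\
set ike gateway "av6-1" dialup "user1" Main outgoing-interface "untrust" local-address "4ffe::200:ff:fe00:2" preshare "<elided>" proposal "pre-g1-des-md5"
set vpn "av6-2" gateway "av6-1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "av6-2" id 5 bind interface tunnel.2
set route 0.0.0.0/0 interface trust gateway 10.48.123.1
set route 0.0.0.0/0 interface tunnel.1
set route ::/0 interface tunnel.2 gateway :: preference 20
'''
LOG = ("2005-12-21 19:40:14 info IKE<4ffe::200:ff:fe00:1> "
       "Phase 1: Responder starts AGGRESSIVE mode negotiations")

# Assumption: ScreenOS writes the Phase 1 mode as "Main" or "Aggr".
MODE = {"Main": "main", "Aggr": "aggressive"}

def gateway_modes(config):
    """Gateway name -> Phase 1 mode keyword found on its 'set ike gateway' line."""
    pat = re.compile(r'^set ike gateway "([^"]+)" .*?\b(Main|Aggr)\b', re.M)
    return dict(pat.findall(config))

def logged_mode(log):
    """Mode the responder reports in the IKE log line, lower-cased."""
    m = re.search(r"Responder starts (\w+) mode negotiations", log)
    return m.group(1).lower() if m else None

def unbound_tunnel_routes(config):
    """Tunnel interfaces used by a route but not bound to any VPN."""
    bound = set(re.findall(r'^set vpn "[^"]+" .*bind interface (tunnel\.\d+)', config, re.M))
    routed = set(re.findall(r"^set route \S+ interface (tunnel\.\d+)", config, re.M))
    return sorted(routed - bound)

def weak_proposals(config):
    """Proposal names whose components include single DES, MD5 or DH group 1."""
    names = set(re.findall(r'proposal "([^"]+)"', config))
    return sorted(n for n in names if re.search(r"(^|-)(des|md5|g1)(-|$)", n))

def lint(config, log):
    seen, out = logged_mode(log), []
    for gw, mode in gateway_modes(config).items():
        if seen and MODE[mode] != seen:
            out.append(f"gateway {gw}: configured {mode}, log shows {seen} mode")
    out += [f"route uses {t} but no VPN is bound to it" for t in unbound_tunnel_routes(config)]
    out += [f"proposal {p} uses DES/MD5/group 1" for p in weak_proposals(config)]
    return out

if __name__ == "__main__":
    print("\n".join(lint(CONFIG, LOG)))
```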