Bluetrait (Program)
                IBM N2200 8363

Thu, 15 Feb 2007 9:49 PM

IPv6 tunnel through IPv4 with a Netscreen

Michael Dale
I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.

I'm currently running ScreenOS 5.4.0r3a0; there seems to be some WebUI bugs with IPv6 so it is best to do it via the command line.

Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if it the WebUI bugs will be fixed.

Update2: IPv6 is now supported on the SSG 5 under screenos 6, the WEBUI bug has been fixed.

Background info:
  • Trust interface - bgroup0
  • Untrust interface - bgroup2
  • IPv6 broker ( -
  • IPv6 subnet - 2001:388:c021::1/64
The first step is to enable IPv6 on your Netscreen.

Type the following then save your config and restart the device:

set envar ipv6=yes

Now let's setup the trust interface:

set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:388:c021::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud

So we've setup my trust interface with the IPv6 subnet and autoconfiguration should be working.

Now let's setup a tunnel interface for the traffic to run through:

set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface bgroup2
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip

Now we'll setup a static route for IPv6 traffic to go through:

set route ::/0 interface tunnel.1 gateway :: preference 20

And finally we need to setup a policy to allow traffic out:

set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77

You may want to setup some policies to allow traffic in too.

That should be all you need to do.


On Wed, 01 Jun 2011 at 11:53 PM, saeed wrote Is 4in6 tunneling support avalible in screenos 6.2 on SSG 520 firewall? 1: Comment Link

On Wed, 08 Jun 2011 at 6:43 PM, Michael Dale (of wrote Yes I believe so. 2: Comment Link


HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>

Your comment may need to be reviewed before it is published.



Email (not shown)

WWW (optional)

Allow contact form email

Remember details