I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.
I'm currently running ScreenOS 5.4.0r3a0; there seems to be some WebUI bugs with IPv6 so it is best to do it via the command line.
Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if it the WebUI bugs will be fixed.
Update2: IPv6 is now supported on the SSG 5 under screenos 6, the WEBUI bug has been fixed.
- Trust interface 10.0.0.254/22 - bgroup0
- Untrust interface - bgroup2
- IPv6 broker (broker.aarnet.net.au) - 22.214.171.124
- IPv6 subnet - 2001:388:c021::1/64
The first step is to enable IPv6 on your Netscreen.
Type the following then save your config and restart the device:
set envar ipv6=yes
Now let's setup the trust interface:
set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:388:c021::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud
So we've setup my trust interface with the IPv6 subnet and autoconfiguration should be working.
Now let's setup a tunnel interface for the traffic to run through:
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface bgroup2
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip 126.96.36.199
Now we'll setup a static route for IPv6 traffic to go through:
set route ::/0 interface tunnel.1 gateway :: preference 20
And finally we need to setup a policy to allow traffic out:
set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77
You may want to setup some policies to allow traffic in too.
That should be all you need to do.