Thu, 15 Feb 2007 9:49 PM

IPv6 tunnel through IPv4 with a Netscreen

Michael Dale
I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.

I'm currently running ScreenOS 5.4.0r3a0; there seem to be some WebUI bugs with IPv6, so it is best to do it via the command line.

Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if the WebUI bugs will be fixed.

Update2: IPv6 is now supported on the SSG 5 under ScreenOS 6; the WebUI bug has been fixed.

Background info:
  • Trust interface 10.0.0.254/22 - bgroup0
  • Untrust interface - bgroup2
  • IPv6 broker (broker.aarnet.net.au) - 202.158.196.131
  • IPv6 subnet - 2001:388:c021::1/64

The first step is to enable IPv6 on your Netscreen.

Type the following then save your config and restart the device:

set envar ipv6=yes

Now let's set up the trust interface:

set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:388:c021::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud

So we've set up the trust interface with the IPv6 subnet, and autoconfiguration should be working.

Now let's set up a tunnel interface for the traffic to run through:

set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface bgroup2
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip 202.158.196.131

Now we'll set up a static route for IPv6 traffic to go through:

set route ::/0 interface tunnel.1 gateway :: preference 20

And finally we need to set up a policy to allow traffic out:

set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77

You may want to set up some policies to allow traffic in too.

That should be all you need to do.
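As an added example (not part of the post), here is a small Python check that parses ScreenOS "set" lines like the ones above and confirms the pieces fit together: IPv6 enabled, the IPv6 default route leaving via an ip6in4 tunnel whose remote endpoint is the broker, and no policy that permits any IPv6 source inbound from Untrust. The sample config, including the deliberately loose policy id 78, is constructed for the demonstration.

```python
# Added example (not from the post): consistency check for a ScreenOS ip6in4 tunnel config.
# Parses "set ..." lines and flags the mistakes that are easy to make when copying a config.
import shlex

# Constructed sample: the post's tunnel commands plus one deliberately loose inbound policy (id 78).
SAMPLE_CONFIG = """
set envar ipv6=yes
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip 202.158.196.131
set route ::/0 interface tunnel.1 gateway :: preference 20
set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 78 from "Untrust" to "Trust" "Any-IPv6" "Any-IPv6" "ANY" permit
"""

def parse(config):
    # Collect only the facts the checks need; shlex strips ScreenOS' optional quotes.
    f = {"ipv6": False, "tunnels": {}, "v6_default_via": None, "policies": []}
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "envar"] and "ipv6=yes" in tok:
            f["ipv6"] = True
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["tunnel"]:
            t = f["tunnels"].setdefault(tok[2], {})
            for key in ("encap", "dst-ip"):
                if key in tok:
                    t[key] = tok[tok.index(key) + 1]
        elif tok[:3] == ["set", "route", "::/0"] and "interface" in tok:
            f["v6_default_via"] = tok[tok.index("interface") + 1]
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")  # from <zone> to <zone> <src> <dst> <service> <action>
            f["policies"].append({"id": int(tok[3]), "from": tok[i + 1], "to": tok[i + 3],
                                  "src": tok[i + 4], "action": tok[i + 7]})
    return f

def audit(config, broker_ip):
    # Returns a list of findings; an empty list means the tunnel config hangs together.
    f, findings = parse(config), []
    if not f["ipv6"]:
        findings.append("IPv6 is not enabled (set envar ipv6=yes missing)")
    via = f["v6_default_via"]
    tun = f["tunnels"].get(via)
    if tun is None:
        findings.append("no IPv6 default route via a tunnel interface")
    elif tun.get("encap") != "ip6in4":
        findings.append(f"{via}: encapsulation is not ip6in4")
    elif tun.get("dst-ip") != broker_ip:
        findings.append(f"{via}: remote endpoint {tun.get('dst-ip')} is not the broker {broker_ip}")
    for p in f["policies"]:
        if p["from"] == "Untrust" and p["action"] == "permit" and p["src"] == "Any-IPv6":
            findings.append(f"policy {p['id']}: permits any IPv6 source inbound from Untrust")
    return findings
```

Run audit(SAMPLE_CONFIG, "202.158.196.131") and the only finding is the constructed policy 78; the post's own lines pass.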

Wed, 14 Feb 2007 8:07 PM

New Server

Michael Dale
Our web server died a few weeks ago; I was lucky enough to borrow a spare DL380 G1 from work. Although we still have it, I'm not sure if we'll be able to keep it.

So this new server is a DL360 G1 (1 rack unit):
  • Dual Pentium 3 1.266 GHz (512 KB L2 cache)
  • 256 MB RAM (we will upgrade it if it goes into production)
  • 18 GB SCSI HDD
  • 2 x 100 Mbit onboard NICs
Here is what it looks like:
DL360

Sat, 03 Feb 2007 5:45 PM

Contacts - LDAP

Michael Dale
I finally setup LDAP on Kerio. I now have my contacts synced with webmail, mac address book and my phone. Awesome.

kerio-contact-sync

Anyone who uses our email server can now make use of this too.

The server (mail.lttd.net) allows secure LDAP connections on port 16360 (636 is the standard port but the mail server is also a domain controller, so that port is in use).

More details can be found in the Kerio User Manual:
http://download.kerio.com/dwn/kmsug6-en.pdf

Tue, 23 Jan 2007 11:24 AM

Akismet timeout, fixed?

Michael Dale
I think I've found the cause for Akismet not working as well as it should have.

The class I was using had a low timeout value; I've since increased this to 10 seconds, in line with the new WordPress 2 plugin.

So hopefully that will improve the amount of spam being caught.

Fri, 19 Jan 2007 5:50 PM

Spam System Upgraded

Michael Dale
I'm testing out a new spam system I quickly wrote.

Hopefully now, if you're either logged in or have posted before with the same email address, your comment shouldn't be deleted.

New Spam System

I plan to add more tests (see post below) later.

Thu, 18 Jan 2007 6:37 PM

Spam

Michael Dale
Argh. Too much spam is getting through again, even with Akismet. So I'm in the process of writing a new spam class. The aim is to build a comment score (similar to email spam filtering programs) based on the following:
  • Email address/name/website
  • Comment body (number of links etc.)
  • If the user is registered
  • If the user has successfully posted a comment before
  • White and black lists
  • Response from Akismet
  • How old a post is and how many comments it has

So hopefully I can cut down the spam.
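As an added example (not the Bluetrait code), the scoring approach described above in Python: each signal in the list adds to or subtracts from a score, and a comment at or above a threshold is held. The weights, threshold and domain lists are made up for illustration.

```python
# Added example (not the Bluetrait code): the comment-score approach described above, with
# one weight per signal in the list; weights, threshold and domain lists are made up.
import re
from dataclasses import dataclass
from typing import Optional

BLACKLIST = {"spam.example"}        # constructed domain lists, matched on email/website
WHITELIST = {"trusted.example"}
HOLD_THRESHOLD = 5                  # score at or above this: hold the comment for review

@dataclass
class Comment:
    name: str
    email: str
    website: str
    body: str
    registered: bool = False          # commenter is logged in
    posted_before: bool = False       # same email has an accepted comment already
    akismet_spam: Optional[bool] = None  # None: Akismet timed out or was not asked
    post_age_days: int = 0
    post_comments: int = 0

def domains(c):
    # Domains taken from the email address and the website URL, lower-cased.
    d = {c.email.rsplit("@", 1)[-1].lower()}
    m = re.match(r"^(?:https?://)?([^/\s]+)", c.website.strip())
    if m:
        d.add(m.group(1).lower())
    return d

def score(c):
    d = domains(c)
    s = 10 * bool(d & BLACKLIST) - 10 * bool(d & WHITELIST)
    links = len(re.findall(r"https?://", c.body, re.I))
    s += 2 * max(0, links - 1)       # one link is normal; each extra one counts against it
    if c.registered:
        s -= 4
    if c.posted_before:
        s -= 3
    if c.akismet_spam:
        s += 6
    if c.post_age_days > 30 and c.post_comments == 0:
        s += 3                       # old post with no discussion: a favourite spam target
    return s

def should_hold(c):
    return score(c) >= HOLD_THRESHOLD
```

Because an Akismet timeout leaves akismet_spam as None, a slow or unavailable Akismet simply contributes nothing rather than blocking the comment.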

Tue, 16 Jan 2007 2:30 PM

Servers Moved

Michael Dale
And that should be the last time for a while.

IP Addresses
Web: 202.129.82.194
Mail: 202.129.82.193

EDIT: Looks like some of our secondary DNS servers (rollernet.us) are having problems updating. I've just made some changes to try and fix it.

We've also just purchased an SSL Certificate for mail.lttd.net, so the primary mail server address will soon be mail.lttd.net.

Sat, 13 Jan 2007 9:58 PM

Juniper SSG 5

Michael Dale

Well, I finally got my new Juniper SSG 5 firewall (the replacement model for my old Netscreen 5gt).

I ordered it back in November; originally I was going to get the wireless version, but they were still out of stock early this year, so I ended up getting the base model (with 256 MB of RAM).

The main reason for the upgrade was that we'd run out of VPN tunnels (the 5gt did 10). The new version supports 25, plus it is upgradeable to 40.
The SSG also has the following advantages over the 5gt (I'm comparing the base model 5gt and SSG 5):

  • 4000 sessions, up from 2000
  • 25 VPN tunnels, up from 10
  • Unlimited users, up from 20 (my 5gt has an upgrade to support 20 users)
  • 7 ethernet interfaces, up from 5 (plus they aren't limited in terms of zones like the 5gt).
  • DMZ support (we've just got a subnet so this should be useful)
  • Support for ScreenOS 6 which should be out this year
  • Faster (160 Mbit/s firewall throughput (from 75 Mbit/s), 40 Mbit/s VPN (from 20 Mbit/s))
  • 256 MB RAM, up from 128 MB
  • 64 MB flash, up from 32 MB

So the device is pretty much double everything that the 5gt is.

It also cost me double. I got the 5gt off eBay for $320, whereas the SSG 5 new cost me $640. I got a really good price on it as Bryn was able to sign up as a Juniper reseller; the SSG 5 is about $1200 retail.

The main limitation of the old Netscreen 5gt was the port modes.

The port mode defines what zone (untrust, trust, dmz etc) each ethernet interface is in. Any time you needed to change this you were required to reset the device and config (see below).
Netscreen 5gt Port Modes.
Netscreen 5gt interface list
Whereas the SSG 5 has something called bridge groups, allowing you to easily change what zone each interface is in without resetting the device and/or config.

Much more useful if you're playing round with different network topologies (see below).
Juniper SSG 5 Bridge Groups

I've updated some of the IPSEC benchmarks to include both the SSG 5 and an old Netscreen 100 I picked up.


Tue, 09 Jan 2007 5:56 PM

Spam Server

Michael Dale
I found the following address in my logs. Looks like a spamming program. Feel free to try and take it offline. http://serversinfo.org/VIP/master.php

EDIT: I've changed the message so it spams its own site, hopefully taking itself offline. The stop command didn't seem to work, so this is the next best thing.

EDIT2: Looks like the owner has password protected the area.