07-30-2011 12:48 PM - edited 03-01-2019 05:28 PM
Hello all,
I have posted this one in Security->VPN but probably it is better here, sorry for the duplicate.
I am in the process of deploying IPv6 in my network and I had some difficulties figuring this out.
Scenario is a Cisco 1921 acting as main router which provides Internet connectivity and all services to the network.
This router has an EzVPN configuration associated with its Internet interface (Dialer 9). Multiple clients (hosts like laptops, iPads, iPhones, etc.) remotely connect and receive an IP address from the pool specified in the matched ISAKMP profile.
To this EzVPN config I wish to add IPv6 addressing: just providing an IPv6 address to the connecting clients and tunneling IPv6 traffic. Transport would need to remain IPv4. I thought it might be sufficient just to add an IPv6 address pool but I could not find any documentation for it (or maybe I searched in the wrong place).
Any suggestions greatly appreciated.
Fabio
Config snippets for those interested:
Crypto Map "CM-1" 100 ipsec-isakmp
Dynamic map template tag: DM-1
Crypto Map "CM-1" 200 ipsec-isakmp
Dynamic map template tag: DM-2
Crypto Map "CM-1" 65536 ipsec-isakmp
Peer = 109.113.164.235
ISAKMP Profile: IP-1
Extended IP access list
access-list permit ip any host 192.168.131.197
dynamic (created from dynamic map DM-1/100)
Current peer: 109.113.164.235
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
TS-1: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CM-1:
Virtual-Access2
Dialer9
crypto isakmp client configuration group XX1
key elided
dns 192.168.1.1
pool PO-vpnclients
save-password
include-local-lan
pfs
banner ^C Welcome to SARLAN ^C
!
crypto isakmp client configuration group XX2
key elided
dns 10.118.0.1
pool PO-vpnclients2
save-password
include-local-lan
pfs
banner ^CC Welcome to SARLAN USA ^C
!
crypto dynamic-map DM-1 100
set transform-set TS-1
set reverse-route distance 10
set isakmp-profile IP-1
!
crypto dynamic-map DM-2 100
set transform-set TS-1
set reverse-route distance 10
set isakmp-profile IP-2
!
!
crypto map CM-1 client authentication list AAA-ua
crypto map CM-1 isakmp authorization list AAA-ga
crypto map CM-1 client configuration address respond
crypto map CM-1 100 ipsec-isakmp dynamic DM-1
crypto map CM-1 200 ipsec-isakmp dynamic DM-2
08-03-2011 11:31 PM
The following link may be useful:
http://www.cisco.com/en/US/partner/docs/ios/ipv6/configuration/guide/ip6-tunnel.html#wp1055455
regards,
Leo
08-04-2011 08:35 AM
Hi Leo,
Thanks for the reply. The link you gave me provides a nice 403 even when logged on with my Cisco TAC enabled account. Your link probably requires partner access.
By reading the URL it appears you are pointing me in the tunnel direction: ISATAP or GRE. By reading
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html
Is this the same doc?
If I configure an additional tunnel, how would I set up the device on the other side? There are no configurable parameters there; the IPv6 address should be pushed down during the IPv4 IPsec negotiation (ISAKMP phase 2).
Your thoughts please.
Fabio
08-04-2011 01:11 PM
You can edit the link to omit /partner. Then it will work without special access privileges.
I normally do this myself before posting but apparently I forgot it this time.
Seems you are indeed looking at the same doc.
Haven't tried this myself yet; just give it a try I would say.
I did already find that ipv6 over IPsec is not supported on the ASA with 8.2 software. (not really relevant for you but perhaps nice to know)
regards,
Leo
08-04-2011 02:32 PM
Hi Leo,
thanks again for your time.
I am offsite until Saturday and then I will give it a try.
Quoting the doc:
IPv6 traffic can be carried over IPv4 GRE tunnels using the standard GRE tunneling technique that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. As in IPv6 manually configured tunnels, GRE tunnels are links between two points, with a separate tunnel for each link. The tunnels are not tied to a specific passenger or transport protocol, but in this case, carry IPv6 as the passenger protocol with the GRE as the carrier protocol and IPv4 or IPv6 as the transport protocol.
Unquote
Appears that you are pointing me in the right direction but looking at the summary step
1. enable
2. configure terminal
3. interface tunnel tunnel-number
4. ipv6 address ipv6-prefix/prefix-length [eui-64]
5. tunnel source {ip-address | ipv6-address | interface-type interface-number}
6. tunnel destination {host-name | ip-address | ipv6-address}
7. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | iptalk | ipv6 | mpls | nos}
8. end
I start having problems with step 5, which could be the interface to which the IPv4 IPsec crypto map is associated;
what really troubles me is step 6. Am I going to use the IPv4 address dynamically associated with the remote endpoint, i.e. the one issued from the PO-vpnclients IP address pool defined in the ISAKMP profile?
This means I need to define as many tunnels as IP addresses in the pool...
Or am I missing something here?
Finally, step 7: I guess it should be GRE.
Cheers
Fabio
08-05-2011 06:34 AM
Hi Fabio,
Reconsidering your scenario, I believe there are other options available to you.
Of course you can try to add an ipv6 pool to the EZVPN config but it may not be supported.
(Command: ipv6 local pool ipv6pool 2001:DB8:1:1::5/64 100 ; Use your own IPv6 prefix here)
Another option which is compliant with all standards would be using 6to4 tunnels.
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html
The encryption would then have to be delivered by ipv6.
However, this is a real possibility because -unlike ipv4- encryption is already part of the standard.
Perhaps this is not a solution you can get to work straight away but I believe it is the way forward.
Eventually this will become a method of choice using native ipv6 and IPsec in transport mode without the tunnel header.
As far as I have checked, IPv6 encryption is fully supported on Vista and Win7.
regards,
Leo
08-05-2011 08:52 AM
Hi Leo,
A few more words on the scenario are in order.
This set up is my home network. The router is an ISR G2 Cisco 1921 router which is connected to the Internet via DSL.
I get an IPv6 connection through a tunnel broker on a manually configured ipv6ip tunnel and I have a /64 and a /48 of globally routable IPv6 address space. There are 5 VLANs (administrative, guests, phones, kids which is web proxy filtered, and computers). When I travel and need Internet access, I connect to local access points in hotels and airports, and I connect to the home router via EzVPN for protection and use my applications, access the Internet or use home telephony. At home my MacBook Pro, my iPad and iPhone and the kids' iPods all receive IPv6 addresses via autoconfig.
What I am trying to achieve is to extend my home IPv6 network as I am doing with IPv4. All of this needs to be achieved over an IPv4 infrastructure (I doubt I will find an IPv6 hotspot in an airport anytime soon...). The final goal is to get autoconfig to work across the IPv4 IPsec tunnel.
You provided me with great insight and I thank you for this. I will try both setups and see how it works
Cheers
Fabio
Sent from Cisco Technical Support iPad App
08-30-2011 10:43 AM
Hi all,
I managed to solve the original issue:
I can establish an ipv6ip tunnel within an IPsec tunnel created by an EzVPN client by:
1. create a loopback interface for the router (optional)
2. create a tunnel interface with source loopback and destination the IPv4 address assigned by the EzVPN server to the client
3. tunnel mode ipv6ip
4. assign an IPv6 address/128 to the tunnel
5. create a static route to the client IPv6 address -> tunnel interface
on the (Mac) client:
sudo ifconfig gif0 tunnel 192.168.131.194 192.168.136.249 (create the tunnel defining local end and router end)
sudo ifconfig gif0 inet6 alias 20xx:xxxx:xxxx:f0::2 20xx:xxxx:xxxxx:f0::1 prefixlen 128 (assign IPv6 addresses)
sudo route add -inet6 default -interface gif0 (add IPv6 default route)
and it works fine. Lots of overhead, but with a few scripts it can be automated on both sides. Hope this is useful to those who are experimenting, and I solicit some fruitful discussion.
Now I would like to see if anybody has an idea on how to handle autoconfig across this setup. I need to use autoconfig because devices like iPhone/iPad do not have the possibility to define tunnel interfaces but they autoconfig themselves when they receive the proper multicasts.
Anybody had any experience or has suggestions?
Cheers
Fabio
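Since the setup described above needs one router-side Tunnel interface per address the EzVPN pool can hand out, plus the matching three gif0 commands on the client, the following generator builds both halves from the pool range and a /64. This is an added example, not code from the thread or from Cisco; the pool boundaries, the loopback number, the Tunnel numbering and the 2001:db8:0:f0::/64 prefix are assumed placeholders. The IPv6-in-IPv4 tunnel itself carries no encryption; it is protected only because the pool address is reachable exclusively through the IPsec SA, so plaintext protocol-41 packets arriving on the Internet-facing interface with a pool address as source should be dropped by an anti-spoofing ACL.

```python
"""Generate matching IOS and macOS configuration for per-client ipv6ip (gif)
tunnels carried inside an EzVPN IPsec session.

Added example, not from the original thread. All concrete values below are
assumptions: replace them with your own pool, loopback and routed prefix.
"""
import ipaddress
from typing import Dict, List

ROUTER_LOOPBACK = "192.168.136.249"  # router end of the tunnel (assumed loopback address)
POOL_FIRST = "192.168.131.194"       # first address of the EzVPN client pool (assumed)
POOL_LAST = "192.168.131.197"        # last address of the EzVPN client pool (assumed)
V6_PREFIX = "2001:db8:0:f0::/64"     # documentation prefix; use your routed /64
TUNNEL_BASE = 100                    # number of the first Tunnel interface (assumed)
LOOPBACK_NUM = 6                     # Loopback interface number (assumed)


def plan_tunnels(pool_first: str, pool_last: str, v6_prefix: str,
                 tunnel_base: int = TUNNEL_BASE) -> List[Dict[str, str]]:
    """One Tunnel interface per possible pool address.

    Client i gets a point-to-point pair carved out of v6_prefix: the router
    side is ::(2i+1) and the client side ::(2i+2), each used as a /128,
    mirroring the ::1 / ::2 pairing used in the thread.
    """
    first = ipaddress.IPv4Address(pool_first)
    last = ipaddress.IPv4Address(pool_last)
    if last < first:
        raise ValueError("pool_last precedes pool_first")
    net = ipaddress.IPv6Network(v6_prefix, strict=True)
    count = int(last) - int(first) + 1
    if 2 * count + 1 > net.num_addresses:
        raise ValueError("prefix too small for the pool")
    plan = []
    for i in range(count):
        plan.append({
            "tunnel": f"Tunnel{tunnel_base + i}",
            "client_v4": str(first + i),
            "router_v6": str(net[2 * i + 1]),
            "client_v6": str(net[2 * i + 2]),
        })
    return plan


def ios_config(plan: List[Dict[str, str]], loopback: str = ROUTER_LOOPBACK,
               loopback_num: int = LOOPBACK_NUM) -> str:
    """Router side: loopback, one ipv6ip tunnel per client, static /128 routes."""
    lines = [f"interface Loopback{loopback_num}",
             f" ip address {loopback} 255.255.255.255",
             "!"]
    for t in plan:
        lines += [
            f"interface {t['tunnel']}",
            f" description ipv6ip to EzVPN client {t['client_v4']}",
            " no ip address",
            f" ipv6 address {t['router_v6']}/128",
            f" tunnel source Loopback{loopback_num}",
            f" tunnel destination {t['client_v4']}",   # the address EzVPN hands the client
            " tunnel mode ipv6ip",
            "!",
            f"ipv6 route {t['client_v6']}/128 {t['tunnel']}",
            "!",
        ]
    return "\n".join(lines)


def entry_for_client(plan: List[Dict[str, str]], client_v4: str) -> Dict[str, str]:
    """Look up the tunnel pair for the address the EzVPN server assigned."""
    for t in plan:
        if t["client_v4"] == client_v4:
            return t
    raise KeyError(f"{client_v4} is not in the planned pool")


def mac_client_commands(entry: Dict[str, str],
                        loopback: str = ROUTER_LOOPBACK) -> List[str]:
    """Client side: the three commands from the thread, filled in for one client."""
    return [
        f"sudo ifconfig gif0 tunnel {entry['client_v4']} {loopback}",
        f"sudo ifconfig gif0 inet6 alias {entry['client_v6']} {entry['router_v6']} prefixlen 128",
        "sudo route add -inet6 default -interface gif0",
    ]


if __name__ == "__main__":
    plan = plan_tunnels(POOL_FIRST, POOL_LAST, V6_PREFIX)
    print(ios_config(plan))
    # On the client, read the pool address off the VPN interface and pass it here.
    print("\n".join(mac_client_commands(entry_for_client(plan, POOL_FIRST))))
```

The client only needs to know which pool address it received; `entry_for_client` maps that to the pre-planned /128 pair, so the router config can be pasted once and the client script re-run on each connection.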