Is IPSec limited to tunneling on IPv6

Minuit · ‎11-12-2017

Doing some coursework for university. My learning materials seem to suggest that IPSec integration is standard with IPv6.

However if i use "show cry ipsec sa"

It says there is no SA's available.

If so should i begin the instructions provided here and create a tunnel? https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book/ip6-ipsec.pdf

James Leinweber · ‎11-27-2017

IPv6 has IPsec as a standard feature, though it was backported and so does IPv4. In either protocol, you have to actually configure the two ends to do IPSec negotiations. The Cisco crypto infrastructure is sufficiently baroque that on firewalls I usually prefer to do this from the ASDM GUI interface. I can't speak to routers.
The two ends of an IPsec need to agree on a lot: where they are negotiating, e.g. port 500/UDP; what protocol they are negotiating with, e.g. IKEv1 or IKEv2; how they are authenticating the endpoints, e.g. IP address or x509 Certificates; how a shared secret to protect the phase I negotiations is created; what ciphersuite phase I uses (block cipher, key size, hmac, ...), etc. The phase II negotiations which actually create and destroy the SA's can have separate secrets and ciphersuites. Then there is the question of which traffic takes the IPsec tunnel and which doesn't; on ASA firewalls this is controlled by access-lists identifying either hosts (and optionally ports or protocols) or entire subnets. The complete tunnel spec in the CLI can exceed 100 lines per device.
-- Jim Leinweber, WI State Lab of Hygiene