12-06-2011 10:36 PM - edited 03-01-2019 05:31 PM
Hi,
I am trying to run IPsec over IPv6, but I have introduced a complexity here, which is VRF.

Router A                                                         Router B
Router A---fa0/1.59----------------------------------------fa0/0.59---Router B
VRF ABC                                                          VRF ABC
**********************************************************************
Router A Configuration
=======================
interface FastEthernet0/1.59
 encapsulation dot1Q 59
 vrf forwarding ABC
 ip address 172.18.58.18 255.255.255.240
 ip ospf cost 200
 ipv6 address 2001:DB8:BABE:59::1/64
end
interface Tunnel20
 vrf forwarding ABC
 no ip address
 ipv6 address 2001:DB8:BABE:600::1/64
 tunnel source 2001:DB8:BABE:59::1
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:BABE:59::2
 tunnel protection ipsec profile SPOKE
end
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
Router B Configuration
===================
interface FastEthernet0/0.59
 description xyz link
 encapsulation dot1Q 59
 vrf forwarding ABC
 ip address 172.18.58.17 255.255.255.240
 ip ospf cost 200
 ipv6 address 2001:DB8:BABE:59::2/64
end
interface Tunnel20
 vrf forwarding ABC
 no ip address
 ipv6 address 2001:DB8:BABE:600::2/64
 tunnel source 2001:DB8:BABE:59::2
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:BABE:59::1
 tunnel protection ipsec profile SPOKE
end
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
Problem:
My tunnels show as down on both routers.
Tunnel20 is up, line protocol is down
Hardware is Tunnel
MTU 1460 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:DB8:BABE:59::1, destination 2001:DB8:BABE:59::2
Tunnel protocol/transport IPSEC/IPV6
Tunnel TTL 255
Tunnel transport MTU 1460 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "SPOKE")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
************************************************************************
Am I missing anything in the tunnel configuration?
I can ping the physical link but not the tunnel interface.
I am using static routes, as IPv6 dynamic routing is not supported on multi-definition VRF.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I am using 1841s
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(4)M2, RELEASE SOFTWARE (fc1)
System image file is "flash:c1841-adventerprisek9-mz.151-4.M2.bin"
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thanks
Ramu
12-07-2011 11:13 AM
Hi Ramu,
It seems you want to use VRF ABC to route the IPsec traffic and not the clear traffic, so you need to add this command under the tunnel interface:
 tunnel vrf ABC
Also, as you are using a pre-shared key for authentication, you need to make the key VRF aware as well:
crypto keyring mykey vrf ABC
 pre-shared-key address ipv6 ::0/0 key CISCO
!
crypto isakmp profile IKE-IPv6
 keyring mykey
 match identity address ipv6 ::0/0
!
crypto ipsec profile SPOKE
 set isakmp-profile IKE-IPv6
 set transform-set SPOKE
!
If you want to use the GRT to route the clear traffic, you need to remove the vrf forwarding ABC command. If you want to use VRF ABC, then you need to update the ISAKMP profile with the following:
crypto isakmp profile IKE-IPv6
 vrf ABC
HTH
Laurent.
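The complete VRF-aware shape of the configuration Laurent describes, written out for Router A as an added example (this is not Laurent's or Ramu's posted config): the inside VRF (iVRF, where decrypted traffic lands) is set with vrf forwarding ABC on the tunnel, the front-door VRF (fVRF, where the IKE and ESP packets are routed) with tunnel vrf ABC, and IKE is bound to the VRF through a keyring and an ISAKMP profile. Two things here are my assumptions rather than the thread's: the peer-specific /128 addresses in the keyring and match identity lines replace the thread's ::/0 wildcard (a wildcard pre-shared key lets any host that can reach UDP/500 on the router attempt IKE with that key, so scoping it to the peer is the safer default), and the key value and the routed prefix 2001:DB8:BABE:B00::/64 are placeholders. Keep in mind the outcome reported later in this thread: TAC found that on this release tunnel vrf was not IPv6-aware, so this is the intended configuration shape, not a confirmed fix for 15.1(4)M2.

```ios
! Router A; mirror on Router B with ::1 and ::2 swapped.
! fVRF and iVRF are both ABC in this design.
!
! Keyring scoped to the VRF that carries IKE/ESP. Peer-specific /128 and a
! placeholder key are assumptions made for this example, not from the thread.
crypto keyring KR-ABC vrf ABC
 pre-shared-key address ipv6 2001:DB8:BABE:59::2/128 key REPLACE-WITH-LONG-RANDOM-KEY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
! ISAKMP profile: selects the VRF keyring, matches only the peer, and sets the iVRF
crypto isakmp profile IKE-IPV6
 vrf ABC
 keyring KR-ABC
 match identity address ipv6 2001:DB8:BABE:59::2/128
!
crypto ipsec transform-set TS-SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set TS-SPOKE
 set isakmp-profile IKE-IPV6
!
! Underlay interface in the fVRF
interface FastEthernet0/1.59
 encapsulation dot1Q 59
 vrf forwarding ABC
 ipv6 address 2001:DB8:BABE:59::1/64
!
! Tunnel: "vrf forwarding" = iVRF for decrypted traffic,
!         "tunnel vrf"     = fVRF used to route the encrypted packets
interface Tunnel20
 vrf forwarding ABC
 no ip address
 ipv6 address 2001:DB8:BABE:600::1/64
 tunnel source 2001:DB8:BABE:59::1
 tunnel destination 2001:DB8:BABE:59::2
 tunnel mode ipsec ipv6
 tunnel vrf ABC
 tunnel protection ipsec profile SPOKE
!
! Static route inside the VRF for traffic that must traverse the tunnel
! (example prefix, assumed for this illustration)
ipv6 route vrf ABC 2001:DB8:BABE:B00::/64 Tunnel20
```

With tunnel protection, the tunnel's line protocol only comes up once the IPsec SA exists, so the first checks after applying this are show crypto isakmp sa and show crypto ipsec sa (or show crypto session): an empty ISAKMP table means IKE never completed, and debug crypto isakmp then tells you whether the router is even sourcing UDP/500 from the fVRF or is rejecting the peer's identity against the match identity line. AES-256 with HMAC-SHA1 and DH group 2 are kept from the thread because that is what the 1841 offers here; on a platform that supports them, prefer a larger DH group.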
12-07-2011 09:07 PM
Hi Laurent,
I have tried the configs as per your reply, but the tunnel interface is still down.
Thanks for your time once again.
Ramu
12-07-2011 09:14 PM
Try to make it work first without any VRF. Please refer to the following link:
http://www.cisco.com/en/US/partner/docs/ios/ipv6/configuration/guide/ip6-ipsec.html
Thanks,
Laurent.
12-13-2011 03:33 PM
Hi All and Laurent,
I logged a TAC case and the outcome is as follows:
The engineer found a bug with release 15.0 that does not forward traffic with IPsec and IPv6 VRF.
Email reads
Hi,
I tried giving you a call to discuss this issue, but I hit your voicemail.
I worked in the lab to try and get this working, but was unable to because of the following issues (I opened a bug for each of them):
1. tunnel vrf command is not IPv6 aware, thus we cannot source our tunnel in a vrf. I opened bug CSCtw82981 to track this (see http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw82981 for more details). Content of the bug will only be available in a few days.
2. vrf forwarding command fails next hop lookup on return traffic, thus we cannot have traffic flow back from the ivrf to the fvrf. This issue is tracked by CSCtw85229 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw85229)
I tried to work around these bugs using vrf aware crypto maps, but hit another bug:
1. associating an IPv6 only vrf to an isakmp profile fails. I opened bug CSCtw85409 to track the issue (see http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw85409)
It looks like it is currently impossible to use vrf in conjunction with ipsec tunnelling. I will try with the latest image and will update you on the outcome of this. In the meantime, if you need further explanations or if you have any questions, feel free to ask anytime.
Sincerely,
xxxxxx
Customer Support Engineer - Security
Phone: xxxx - Email: xxx
Cisco Systems APAC TAC: 12:00-18:00 AEST/UTC+11