Issue with running IPSec on IPv6 connected interface - VRF/IPSec/IPv6

901563ravi, Level 1

Hi,

I am trying to run IPSec over IPv6, but I have introduced a complexity here, which is VRF.

Router A                                                    Router B
VRF ABC                                                     VRF ABC

Router A ---fa0/1.59----------------------------------fa0/0.59--- Router B

**********************************************************************

Router A Configuration

=======================

interface FastEthernet0/1.59
 encapsulation dot1Q 59
 vrf forwarding ABC
 ip address 172.18.58.18 255.255.255.240
 ip ospf cost 200
 ipv6 address 2001:DB8:BABE:59::1/64
end

interface Tunnel20
 vrf forwarding ABC
 no ip address
 ipv6 address 2001:DB8:BABE:600::1/64
 tunnel source 2001:DB8:BABE:59::1
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:BABE:59::2
 tunnel protection ipsec profile SPOKE
end

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE

Router B Configuration

===================

interface FastEthernet0/0.59
 description xyz link
 encapsulation dot1Q 59
 vrf forwarding ABC
 ip address 172.18.58.17 255.255.255.240
 ip ospf cost 200
 ipv6 address 2001:DB8:BABE:59::2/64
end

interface Tunnel20
 vrf forwarding ABC
 no ip address
 ipv6 address 2001:DB8:BABE:600::2/64
 tunnel source 2001:DB8:BABE:59::2
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:BABE:59::1
 tunnel protection ipsec profile SPOKE
end

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE

Problem--

My tunnels show as down on both routers:

Tunnel20 is up, line protocol is down
  Hardware is Tunnel
  MTU 1460 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:BABE:59::1, destination 2001:DB8:BABE:59::2
  Tunnel protocol/transport IPSEC/IPV6
  Tunnel TTL 255
  Tunnel transport MTU 1460 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SPOKE")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

************************************************************************

Am I missing anything in the tunnel configuration?

I can ping the physical link but not the tunnel interface.

I am using static routes as IPv6 dynamic routing is not supported on multidefination vrf.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I am using 1841s

Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(4)M2, RELEASE SOFTWARE (fc1)

System image file is "flash:c1841-adventerprisek9-mz.151-4.M2.bin"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thanks

Ramu

4 Replies

Laurent Aubert, Cisco Employee

Hi Ramu,

It seems you want to use VRF ABC to route the IPSec traffic and not the clear traffic so you need to add this command under the tunnel interface:

tunnel vrf ABC

Also as you are using pre-shared key for authentication, you need to make the key VRF aware as well:

crypto keyring mykey vrf ABC
  pre-shared-key address ipv6 ::0/0 key CISCO
!
crypto isakmp profile IKE-IPv6
   keyring mykey
   match identity address ipv6 ::0/0
!
crypto ipsec profile SPOKE
 set isakmp-profile IKE-IPv6
 set transform-set SPOKE
!

If you want to use the GRT to route the clear traffic, you need to remove the vrf forwarding ABC command. If you want to use vrf ABC then you need to update the isakmp profile with the following:

crypto isakmp profile IKE-IPv6
 vrf ABC

http://www.cisco.com/en/US/partner/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_xe.html

HTH

Laurent.
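The two gaps Laurent points out (a tunnel sourced from a VRF interface without `tunnel vrf`, and a global pre-shared key that is not VRF aware) are easy to miss in a long running-config. The following audit script is an added example, not code from the thread or from Cisco; it parses a constructed copy of Router A's relevant lines and reports exactly those two conditions. The function names (`parse_interfaces`, `audit`) are assumptions for this example.

```python
import re

# Constructed sample: the relevant lines of Router A's config from the post.
ROUTER_A = """\
interface FastEthernet0/1.59
 vrf forwarding ABC
 ipv6 address 2001:DB8:BABE:59::1/64
interface Tunnel20
 ipv6 address 2001:DB8:BABE:600::1/64
 tunnel source 2001:DB8:BABE:59::1
 tunnel protection ipsec profile SPOKE
crypto isakmp key CISCO address ipv6 ::/0
"""

def parse_interfaces(config):
    """Return {interface name: [its indented lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level line ends the block
    return blocks

def audit(config):
    """Flag protected tunnels whose source sits in a VRF (the fVRF) while
    'tunnel vrf' or the pre-shared key is not made aware of that VRF."""
    ifaces = parse_interfaces(config)
    vrf_of = {}  # interface name and each IPv6 address -> VRF name (or None)
    for name, lines in ifaces.items():
        vrf = next((l.split()[2] for l in lines if l.startswith("vrf forwarding ")), None)
        vrf_of[name] = vrf
        for m in filter(None, (re.match(r"ipv6 address (\S+)/\d+", l) for l in lines)):
            vrf_of[m.group(1).lower()] = vrf
    findings = []
    for name, lines in ifaces.items():
        if not any(l.startswith("tunnel protection ipsec") for l in lines):
            continue
        src = next((l.split()[2] for l in lines if l.startswith("tunnel source ")), "")
        fvrf = vrf_of.get(src) or vrf_of.get(src.lower())  # interface or address form
        tvrf = next((l.split()[2] for l in lines if l.startswith("tunnel vrf ")), None)
        if fvrf and tvrf != fvrf:
            findings.append(f"{name}: source {src} is in VRF {fvrf} but 'tunnel vrf {fvrf}' is missing")
        if fvrf and re.search(r"^crypto isakmp key ", config, re.M):
            findings.append(f"{name}: global 'crypto isakmp key' is not VRF aware; use 'crypto keyring ... vrf {fvrf}'")
    return findings
```

Running `audit(ROUTER_A)` returns both findings for Tunnel20; adding `tunnel vrf ABC` and replacing the global key with a `crypto keyring ... vrf ABC` makes the list empty.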

Hi Laurent,

I have tried the configs as per your reply, but still the tunnel interface is down.

Thanks for your time once again.

Ramu

Try to make it work first without any VRF. Please refer to the following link:

http://www.cisco.com/en/US/partner/docs/ios/ipv6/configuration/guide/ip6-ipsec.html

Thanks,

Laurent.

Hi All and Laurent,

I logged a TAC case and the outcome is as follows:

Engineer found a bug with release 15.0 that does not forward traffic with IPSec and IPv6 VRF.

Email reads

Hi,

I tried giving you a call to discuss this issue, but I hit your voicemail.
I worked in the lab to try and get this working, but was unable to because of the following issues (I opened a bug for each of them):
1. tunnel vrf command is not IPv6 aware, thus we cannot source our tunnel in a vrf. I opened bug CSCtw82981 to track this (see http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw82981 for more details). Content of the bug will only be available in a few days.
2. vrf forwarding command fails next hop lookup on return traffic, thus we cannot have traffic flow back from the ivrf to the fvrf. This issue is tracked by CSCtw85229 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw85229)

I tried to work around these bugs using vrf aware crypto maps, but hit another bug:
1. associating an IPv6 only vrf to an isakmp profile fails. I opened bug CSCtw85409 to track the issue (see http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw85409)

It looks like it is currently impossible to use vrf in conjunction with ipsec tunnelling. I will try with the latest image and will update you on the outcome of this. In the meantime, if you need further explanations or if you have any questions, feel free to ask anytime.

Sincerely,

xxxxxx

Customer Support Engineer - Security
Phone: xxxx - Email: xxx

Cisco Systems APAC TAC: 12:00-18:00 AEST/UTC+11
