04-12-2012 02:48 PM - edited 03-01-2019 05:34 PM
hi,
I wonder if there is one use case one can think of that is not possible with Cisco IOS:
Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even IPsec tunnel over an IPv6 network transporting IPv4 only does not work.
I tried several things in my lab but couldn't get it running.
I tried to search the net for my use case but I only find the other way round.
Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?
Ultimately, the same tunnel should be capable of transporting both. A dedicated Tunnel for IPv4 and IPv6 tunnel on the same routers would also be OK.
,_
Svr A ( ) Svr B
+----+ , `,( .) +----+
| | +----+ ( .( ...) +----+ | |
| |---| R1 |---` .....)---| R2 |---| |
| | +----+ ( ......) +----+ | |
+----+ +----+
10.0.23.1/24 IPv6 only 10.0.42.1/24
network
04-12-2012 03:49 PM
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html is a good place to start.
Just use an IPv6 source and destination for a GRE tunnel, and activate IPv4 on the tunnel interface to carry IPv4 over IPv6. Then, use IPsec to secure the GRE packets.
You will need to be sure you have a version of software and license that support the requisite IPv6 features.
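The approach described in the reply above, sketched as an IOS configuration for R1. This is an added example, not part of the original post and not taken from Cisco documentation; the IPv6 addresses (documentation prefix 2001:DB8::/32), the 172.16.0.0/30 tunnel subnet, the object names and the key placeholder are assumptions, and command availability depends on the IOS release and license.

```cisco
! R1 (constructed example). Assumed WAN addresses:
!   R1 = 2001:DB8:1::1, R2 = 2001:DB8:2::2
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder: use a long random secret that is unique to this peer
crypto isakmp key <PRE-SHARED-KEY> address ipv6 2001:DB8:2::2/128
!
! Transport mode is enough: GRE already supplies the outer IPv6 header
crypto ipsec transform-set GRE6-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE6-PROFILE
 set transform-set GRE6-TS
!
interface Tunnel0
 description GRE over IPv6 to R2, protected by IPsec
 ! Both address families are enabled on the tunnel (assumed addressing)
 ip address 172.16.0.1 255.255.255.252
 ipv6 address 2001:DB8:FFFF::1/64
 ! The GRE endpoints are IPv6, so the transport network stays IPv6 only
 tunnel source 2001:DB8:1::1
 tunnel destination 2001:DB8:2::2
 tunnel mode gre ipv6
 ! Encrypt every GRE packet leaving this interface
 tunnel protection ipsec profile GRE6-PROFILE
!
! Reach the Svr B LAN from the diagram through the tunnel
ip route 10.0.42.0 255.255.255.0 Tunnel0
!
! R2 mirrors this: swap tunnel source and destination, key the peer on
! 2001:DB8:1::1/128, use 172.16.0.2 and 2001:DB8:FFFF::2 on Tunnel0,
! and route 10.0.23.0 255.255.255.0 via Tunnel0.
```

While Svr A pings Svr B, `show crypto ipsec sa` on either router should show the encaps and decaps counters rising, which confirms the GRE packets are actually being encrypted rather than crossing the IPv6 network in the clear.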
04-13-2012 10:54 AM
Thanks Remaker,
that was the missing piece.
Now it's perfectly working.
Cheers
05-24-2012 04:09 AM
Is it possible to do this with full IPSec instead of GRE ?
Thanks.
05-24-2012 10:05 PM
Hi,
Today on IOS we don't support mixed mode with native IPSec encapsulation (IPv6 over IPv4 or vice versa), so you can only achieve this by using GRE and then run it over an IPSec tunnel.
Thanks,
Wen
05-31-2012 03:41 PM
One more question in regard to Nexus: Will it be possible with NX-OS, or is there a limitation in one RFC?
Alex
07-25-2013 09:16 AM
Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client. The host on the left side is connected to an IPv6-only network. They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).
Is this possible?
Cisco VPN Client ( ) Cisco ASA
+----+ , `,( .) +----+
| | +----+ ( .( ...) +----+ | |
| |---| R1 |---` .....)---| R2 |---| |----IPv4 network
| | +----+ ( ......) +----+ | |
+----+ +----+
IPv6-only HOST IPv6 Network has IPv6 Interface on public side
07-25-2013 05:57 PM
Hi Michael,
This scenario is not possible as the Cisco VPN client does not support IPv6.
Regards
07-26-2013 06:06 AM
Thanks Harold, I've been doing some more digging and found some stuff that might contradict your statement. Granted, it's been a while since I've had to work with this client VPN stuff, maybe I have the terminology wrong (VPN Client vs AnyConnect Client).
There's this link:
that talks about enabling IPv6 for the AnyConnect client. The link mentions:
You can configure the ASA to assign an IPv4 address, an IPv6 address, or both an IPv4 and an IPv6 address to an AnyConnect client
So in the case where an AnyConnect client (using IKE/IPSec) connects to the ASA using IPv6, could the ASA assign an IPv4 address?
There is a reference in the link above to this link:
The row third from the bottom looks to meet my design criteria.
I'm looking at this from quite a high level. Are there issues in the details of this configuration? Or maybe I'm not understanding something correctly?
Thanks!
07-26-2013 06:59 AM
Hi Michael,
I thought you were referring to the legacy Cisco VPN client, which does not support IPv6, other than tunneled over IPv4. AnyConnect handles both IPv4 and IPv6 natively. The third row from the bottom refers to dual stack between on the ASA but you stated that the connection from the client to the ASA would need to be IPv6 only, right?
Regards
07-26-2013 08:47 AM
OK awesome. Thanks for the clarifications. So with the AnyConnect, the solution is possible?
AnyConnect VPN Client user would be IPv6 only (but with the IPv4 stack installed on the computer)
Cisco ASA public facing interface would be IPv4 and IPv6 (Dual Stack)
Cisco ASA internal interfaces would be IPv4, and addresses assigned to the client would be IPv4. Client would be accessing internal systems using IPv4.
07-26-2013 03:23 PM
Hi Michael,
As far as I know, AnyConnect does not offer any kind of service to tunnel IPv4 in IPv6. If the requirement is for IPv6-only traffic coming from the remote client to access an IPv4 destination, maybe NAT64 on the ASA would help in reaching that goal.
Regards
07-29-2013 12:45 PM
I would recommend asking this question in a NEW topic over in the AnyConnect or Firewall discussion boards to be sure.
This thread is all mixed up (in general, you should start a new thread for a new topic).
If I understand, you have an IPv6 only VPN client (Is it required to be IPv6 only?) which needs to talk to an IPv4 device.
Is the client on an IPv6 network, or will it be IPv6 only in the tunnel interface?
There is nothing stopping a host on an IPv6 only network from running a dual stack tunnel interface.
It would help to start with the desired objective and constraints rather than the proposed design.