This document discusses IPv6 IPsec site-to-site VPN using a Virtual Tunnel Interface (VTI), with a configuration example.
Cisco IOS IPsec functionality provides network data encryption at the IP packet level, offering a robust, standards-based security solution. IPsec provides data authentication and anti-replay services in addition to data confidentiality services. With IPsec, data can be sent across a public network without observation, modification, or spoofing.

General usage scenarios for IPv6 IPsec:
1) Site-to-site VPN: protect all IPv6 traffic between two trusted networks.
2) Configured secure tunnel: protect IPv6 traffic being tunneled over an untrusted IPv4 network.
3) Control plane protection: for example, using IPsec to protect OSPFv3.
In the following example, an IPsec-protected tunnel is set up between CE1 and CE2 so that they can communicate over the public network. The routers ISP_IR1 and ISP_IR2 have global IPv6 addresses and have no knowledge of the private subnets behind CE1 and CE2.
The site-to-site VPN is configured on the router as follows:
Step 1: Configure IKE Policy and Pre-shared Key:
Configure the same ISAKMP policy on routers CE1 and CE2:
CE1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE1(config)#crypto isakmp policy 10
CE1(config-isakmp)#encryption 3des
CE1(config-isakmp)#group 2
CE1(config-isakmp)#authentication pre-share
CE1(config-isakmp)#exit
Each router must be configured with the same key, but the configuration statement should designate the address of the appropriate interface on the peer router.
Step 2: Configure an IPsec Transform Set and IPsec Profile:
Configure the same IPsec transform set and IPsec profile on routers CE1 and CE2:
CE1(config)#crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)#mode tunnel
CE1(cfg-crypto-trans)#exit
CE1(config)#crypto ipsec profile ipv6_ipsec_pro
CE1(ipsec-profile)#set transform-set ipv6_tran
CE1(ipsec-profile)#exit
CE1(config)#
(The profile ipv6_ipsec_pro, which references this transform set, is bound to the VTI in Step 4.)
Step 3: Configure an ISAKMP Profile in IPv6:
An ISAKMP profile is configured on routers CE1 and CE2; make sure the match identity statement designates the identity address of the appropriate interface on the peer router.
CE1(config)#crypto isakmp profile 3des
% A profile is deemed incomplete until it has match identity statements
CE1(conf-isa-prof)#self-identity address ipv6
CE1(conf-isa-prof)#match identity address ipv6 2002::1/128
CE1(conf-isa-prof)#keyring default
CE1(conf-isa-prof)#exit
CE1(config)#
Step 4: Configure the IPsec IPv6 VTI:
Configuring an IPv6 IPsec VTI on the router is straightforward.
To display a summary of the configuration information for the crypto engines:
CE1#show crypto engine connection active
Crypto Engine Connections

   ID Interface  Type  Algorithm  Encrypt  Decrypt IP-Address
    1 Tu1        IPsec 3DES+SHA         0       95 2001::1
    2 Tu1        IPsec 3DES+SHA       128        0 2001::1
 1007 Tu1        IKE   SHA+3DES         0        0 2001::1
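As an added example (not part of the original page or of Cisco's tooling), the following Python parses the show crypto engine connection active output above and reports whether the VTI has an IKE SA, a pair of IPsec SAs, and packets actually being encrypted and decrypted; the sample output is constructed to match the CE1 table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the CE1 output above (not live data).
SAMPLE_OUTPUT = """\
CE1#show crypto engine connection active
Crypto Engine Connections

   ID Interface  Type  Algorithm  Encrypt  Decrypt IP-Address
    1 Tu1        IPsec 3DES+SHA         0       95 2001::1
    2 Tu1        IPsec 3DES+SHA       128        0 2001::1
 1007 Tu1        IKE   SHA+3DES         0        0 2001::1
"""

# One data row: id, interface, SA type, algorithm, encrypt/decrypt counters, peer.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<iface>\S+)\s+(?P<type>IPsec|IKE)\s+"
    r"(?P<algo>\S+)\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<peer>\S+)\s*$"
)

@dataclass
class Conn:
    conn_id: int
    iface: str
    kind: str
    algo: str
    encrypt: int
    decrypt: int
    peer: str

def parse_connections(text: str) -> List[Conn]:
    """Return one Conn per data row; prompt and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            conns.append(Conn(int(m["id"]), m["iface"], m["type"], m["algo"],
                              int(m["enc"]), int(m["dec"]), m["peer"]))
    return conns

def tunnel_status(conns: List[Conn], iface: str) -> Dict[str, object]:
    """Summarise SA state for one VTI: IKE SA present, an inbound/outbound
    IPsec SA pair present, traffic counters, and any 3DES-based SAs (3DES is
    deprecated; prefer AES where the platform supports it)."""
    on_if = [c for c in conns if c.iface == iface]
    ipsec = [c for c in on_if if c.kind == "IPsec"]
    return {
        "ike_sa": any(c.kind == "IKE" for c in on_if),
        "ipsec_sa_pair": len(ipsec) == 2,
        "packets_encrypted": sum(c.encrypt for c in ipsec),
        "packets_decrypted": sum(c.decrypt for c in ipsec),
        "weak_algorithms": sorted({c.algo for c in on_if if "3DES" in c.algo}),
    }
```

Run it against the output of both CE1 and CE2: a tunnel that shows an IKE SA but only one IPsec SA, or counters that never move after a ping, points at a mismatched transform set or a routing problem rather than a healthy VTI.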
CE1#ping fc01::1 source fc00::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC01::1, timeout is 2 seconds:
Packet sent with a source address of FC00::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/187/388 ms
CE1#traceroute
Protocol [ip]: ipv6
Target IPv6 address: fc01::1
Source address: fc00::1
Insert source routing header? [no]:
Numeric display? [no]:
Timeout in seconds :
Probe count :
Minimum Time to Live :
Maximum Time to Live :
Priority :
Port Number :
Type escape sequence to abort.
Tracing the route to FC01::1