Showing results for 
Search instead for 
Did you mean: 
Rising star
Rising star



This document discuss about IPv6 IPsec Site-to-Site VPN Using Virtual Tunnel Interface with configuration example.

Cisco IOS IPsec functionality provides network data encryption at the IP packet level, offering a robust, standards-based security solution. IPsec provides data authentication and anti-replay services in addition to data confidentiality services. With IPsec, data can be sent across a public network without observation, modification, or spoofing.
General usage scenarios for IPv6 IPSec:
1) Site-to-site VPN – protect all IPv6 traffic between two trusted networks
2) Configured Secure Tunnel – protect IPv6 traffic being tunneled over an non trusted IPv4 network.
3) IPSec can also be used to protect control plane functions, such as IPSec to protect OSPFv3.



In following example IPSec-protected tunnel is set up between CE1 and CE2 to communicate over public network. The routers ISP_IR1 and ISP_IR2 have global IPv6 address and does not have  knowledge about private subnets present on CE1 and CE2.

Topology diagram:


Configuration overview:


Site-to-site VPN is configure on router as follows:


Step 1: Configure IKE Policy and Pre-shared Key:


Configure same ISAKMP policy on the routers CE1 and CE2

CE1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE1(config)#crypto isakmp policy 10
CE1(config-isakmp)#encryption 3des
CE1(config-isakmp)#group 2
CE1(config-isakmp)#authentication pre-share


Each router must be configured with the same key, but the configuration statement should designate the address of the appropriate interface on the peer router.



CE1(config)#crypto isakmp key 0 ipsecvpn address ipv6 2002::1/128



CE2(config)#crypto isakmp key 0 ipsecvpn address ipv6 2001::1/128


These keys are default ISAKMP keyring. We can use multiple named keyrings used when the router is hosting remote client VPNs for multiple different groups of clients.

crypto keyring keyring-name ……………(to specify keyring)


Step 2: Configuring an IPsec Transform Set and IPsec Profile:

Configure same IPsec Transform Set and IPsec Profile on the routers CE1 and CE2:

CE1(config)#crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)#mode tunnel
CE1(config)#crypto ipsec profile ipv6_ipsec_pro ……(This transform set need to bind in VTI step4)
CE1(ipsec-profile)#set transform-set ipv6_tran


Step 3: Configure an ISAKMP Profile in IPv6:

ISAKMP profile is configured in the routers CE1 and CE2 and ensure that  configuration statement must designate the identity address of the appropriate interface on the peer router.

CE1(config)#crypto isakmp profile 3des
% A profile is deemed incomplete until it has match identity statements
CE1(conf-isa-prof)#self-identity address ipv6
CE1(conf-isa-prof)#match identity address ipv6 2002::1/128
CE1(conf-isa-prof)#keyring default
CE1(conf-isa-prof)# exit


Step 4: Configure ipsec IPv6 VTI :

Configuring IPv6 IPsec VTI on router is pretty simple

CE1(config)#int tunnel 1
CE1(config-if)#ipv6 enable
CE1(config-if)#ipv6 address 2012::1/64
CE1(config-if)#tunnel source 2001::1
CE1(config-if)#tunnel destination 2002::1
CE1(config-if)#tunnel mode ipsec ipv6
CE1(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro
*Mar  1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


CE2(config)#int tunnel 1
CE2(config-if)#ipv6 enable
CE2(config-if)#ipv6 address 2012::2/64
CE2(config-if)#tunnel source 2002::1
CE2(config-if)#tunnel destination 2001::1
CE2(config-if)#tunnel mode ipsec ipv6
CE2(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro
*Mar  1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


To make the tunnel as best path for the remote site network, you must configure static routes in the routers CE1 and CE2.


CE1(config)#ipv6 route FC01::/64 2012::2



CE2(config)#ipv6 route FC00::/64 2012::1


Verification commands:

1) This command displays the active ISAKMP sessions on the router

CE1#show crypto isakmp sa
dst             src             state          conn-id slot status




dst: 2002::1
src: 2001::1
state: QM_IDLE         conn-id:   1007 slot:    0 status: ACTIVE


To displays a summary of the configuration information for the crypto engines.

CE1#show crypto engine connection active
Crypto Engine Connections


   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
     1 Tu1        IPsec 3DES+SHA                  0       95 2001::1
     2 Tu1        IPsec 3DES+SHA                128        0 2001::1
  1007 Tu1        IKE   SHA+3DES                  0        0 2001::1


CE1#ping fc01::1 source fc00::1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC01::1, timeout is 2 seconds:
Packet sent with a source address of FC00::1
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/187/388 ms

Protocol [ip]: ipv6
Target IPv6 address: fc01::1
Source address: fc00::1
Insert source routing header? [no]:
Numeric display? [no]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Priority [0]:
Port Number [33434]:
Type escape sequence to abort.
Tracing the route to FC01::1


  1 FC01::1 304 msec 184 msec 160 msec



Related Information:



Base Initial configuration:


Community Member

Thx Ashish..........very useful

Rising star
Rising star

Hello Akshay,

Thanks for your feedback.


Ashish Shirkar

Technical community manager(Network Infrastructure)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links