1941 Views | 15 Helpful | 11 Replies

IPv6 over IPv4 IPSec issue

bvl (Level 1)

Hi,

I'm trying to set up IPv6 over IPv4 IPsec on a C1101-4P with IOS-XE 16.12.04, but the IPv6 packet silently disappears.

Crypto works fine with only IPv4 (tunnel mode ipsec ipv4); traffic works both ways.

When switching to IPv6 over IPv4 (tunnel mode ipsec ipv4 v6-overlay), packets are dropped silently.

Tunnel config:

interface Tunnel0
 no ip address
 ipv6 address 2001:DB80:123::1/128
 ipv6 enable
 ipv6 mtu 1400
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination <dst IP>
 tunnel protection ipsec profile <profile>


IPsec SA and sessions are up and working as far as I can tell, same as for the working IPv4-only setup.

IPv6 routing is simple:

ipv6 route ::/0 tunnel 0

Debug log for IPv6 packets when pinging dst 2001:db88::1 from Lo0 with IPv6 address 2001:d900::1/128:


IPv6-Fwd: SAS on intf Loopback0 picked source 2001:D900::1 for 2001:DB88::1
*Apr 14 23:31:31.878: IPv6-Fwd: Destination lookup for 2001:DB88::1 : i/f=Tunnel0, nexthop=2001:DB88::1
*Apr 14 23:31:31.878: IPV6: source 2001:D900::1 (local)
*Apr 14 23:31:31.878:       dest 2001:DB88::1 (Tunnel0)
*Apr 14 23:31:31.878:       traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
*Apr 14 23:31:31.878: IPv6-Fwd: Created tmp mtu cache entry for 2001:D900::1 2001:DB88::1 00000000
*Apr 14 23:31:31.878: IPv6-Fwd: L3 injection feature enabled: skipping pak_encap

Debug platform packet-trace with same ping:


Packet: 0           CBUG ID: 111
Summary
  Input     : internal0/0/rp:0
  Output    : internal0/0/rp:0
  State     : DROP 33  (Ipv6NoRoute)
  Timestamp
    Start   : 192459559663440 ns (04/14/2022 23:35:27.121780 UTC)
    Stop    : 192459559686360 ns (04/14/2022 23:35:27.121803 UTC)
Path Trace
  Feature: IPV6(Input)
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Source      : 2001:d900:0000:0000:0000:0000:0000:0001
    Destination : 2001:db88:0000:0000:0000:0000:0000:0001
    Protocol    : 58 (IPv6-ICMP)


Debug platform packet-trace (fia):

Packet: 0           CBUG ID: 116
Summary
  Input     : internal0/0/rp:0
  Output    : internal0/0/rp:0
  State     : DROP 33  (Ipv6NoRoute)
  Timestamp
    Start   : 192578566639320 ns (04/14/2022 23:37:26.791553 UTC)
    Stop    : 192578566669040 ns (04/14/2022 23:37:26.791582 UTC)
Path Trace
  Feature: IPV6(Input)
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Source      : 2001:d900:0000:0000:0000:0000:0000:0001
    Destination : 2001:db88:0000:0000:0000:0000:0000:0001
    Protocol    : 58 (IPv6-ICMP)
  Feature: DEBUG_COND_INPUT_PKT_EXT
    Entry       : Input - 0x10e897d8
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 53 ns
  Feature: DEBUG_COND_APPLICATION_IN_EXT
    Entry       : Input - 0x10e897cc
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 93 ns
  Feature: DEBUG_COND_APPLICATION_IN_CLR_TXT_EXT
    Entry       : Input - 0x10e897c8
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 0 ns
  Feature: IPV6_INPUT_DST_LOOKUP_CONT_EXT
    Entry       : Input - 0x10ea4768
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 186 ns
  Feature: IPV6_INPUT_DST_LOOKUP_CONSUME_EXT
    Entry       : Input - 0x10ea4528
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 306 ns
  Feature: IPV6_INTERNAL_INPUT_SRC_LOOKUP_ISSUE_EXT
    Entry       : Input - 0x10ea4788
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 173 ns
  Feature: IPV6_INTERNAL_INPUT_SRC_LOOKUP_CONT_EXT
    Entry       : Input - 0x10ea4784
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 200 ns
  Feature: IPV6_INTERNAL_INPUT_SRC_LOOKUP_CONSUME_EXT
    Entry       : Input - 0x10ea4780
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 173 ns
  Feature: LFTS_INJECT_PKT_EXT
    Entry       : Input - 0x10e8a5cc
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 53 ns
  Feature: IPV6_INTERNAL_FOR_US_EXT
    Entry       : Input - 0x10ea4540
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 280 ns
  Feature: IPV6_PREF_TX_IF_SELECT_EXT
    Entry       : Input - 0x10ea47a8
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 26 ns
  Feature: IPV6_INPUT_LOOKUP_PROCESS_EXT
    Entry       : Input - 0x10ea4538
    Input       : internal0/0/rp:0
    Output      : <unknown>
    Lapsed time : 4666 ns


Can anybody make sense of what's going wrong here?
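As an added example (not part of the thread), a small parser for packet-trace text of the shape quoted above: it pulls the summary verdict, the flow fields under IPV6(Input) and the ordered feature path with lapsed times, so a drop such as DROP 33 (Ipv6NoRoute) can be tied to the last feature the packet visited before it was discarded. The sample trace is constructed to match the format of this post's output and trimmed to three features.

```python
import re

# Constructed sample in the shape of IOS-XE "show platform packet-trace packet <n>" output,
# mirroring the thread's Ipv6NoRoute drop but trimmed to three features.
SAMPLE_TRACE = """\
Packet: 0           CBUG ID: 116
Summary
  Input     : internal0/0/rp:0
  Output    : internal0/0/rp:0
  State     : DROP 33  (Ipv6NoRoute)
Path Trace
  Feature: IPV6(Input)
    Source      : 2001:d900:0000:0000:0000:0000:0000:0001
    Destination : 2001:db88:0000:0000:0000:0000:0000:0001
    Protocol    : 58 (IPv6-ICMP)
  Feature: IPV6_INPUT_DST_LOOKUP_CONSUME_EXT
    Lapsed time : 306 ns
  Feature: IPV6_INPUT_LOOKUP_PROCESS_EXT
    Lapsed time : 4666 ns
"""

STATE_RE = re.compile(r"State\s*:\s*(\w+)\s+(\d+)\s*\((\w+)\)")
FEATURE_RE = re.compile(r"^\s*Feature:\s*(\S+)")
LAPSED_RE = re.compile(r"Lapsed time\s*:\s*(\d+)\s*ns")
FLOW_RE = re.compile(r"^\s*(Source|Destination|Protocol)\s*:\s*(.+?)\s*$")

def parse_packet_trace(text):
    """Extract the verdict (state/code/reason), the flow fields and the ordered feature path."""
    trace = {"state": None, "code": None, "reason": None,
             "source": None, "destination": None, "protocol": None, "features": []}
    current = None                      # feature block we are currently inside, if any
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            trace["state"], trace["code"], trace["reason"] = m[1], int(m[2]), m[3]
        elif m := FEATURE_RE.match(line):
            current = {"name": m[1], "lapsed_ns": None}
            trace["features"].append(current)
        elif (m := LAPSED_RE.search(line)) and current:
            current["lapsed_ns"] = int(m[1])
        elif (m := FLOW_RE.match(line)) and current:
            trace[m[1].lower()] = m[2]  # Source/Destination/Protocol sit under IPV6(Input)
    return trace

def verdict(trace):
    """One-line summary: what happened to the packet and which feature ran last."""
    last = trace["features"][-1]["name"] if trace["features"] else "n/a"
    if trace["state"] == "DROP":
        return f"dropped: code {trace['code']} ({trace['reason']}), last feature {last}"
    return f"{trace['state']}: last feature {last}"
```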

 


11 Replies

Did you look into this:

State : DROP 33 (Ipv6NoRoute)

Thanks for looking at this Flavio.

I have seen it, but can't find any information on what this means, except the obvious it states.

But from the IPv6 packet trace it looks up the destination address and finds it should be sent out Tunnel 0.

I have tried setting a /64 on Tunnel 0 and pinging an IPv6 address within the scope of that /64, but different from the interface itself, which shows up in the log as sending on Tunnel 0.
But no packet is ever sent.

MTU would be my next idea.

Thanks for the follow-up.

With a v4-in-v4 IPsec tunnel I can do a ping <address> size 1480.

And with v6 in v4, I don't even get size 48 to pass.

So I don't think MTU is an issue.


tunnel mode ipsec ipv4 v6-overlay <- the tunnel is IPv6, so this may be wrong
tunnel mode ipsec ipv6 v4-overlay <- replace it with this command

Can I see the full config if it fails?

Thanks for the tip MHM, but I think tunnel mode ipsec ipv4 v6-overlay is correct.

Going with pure IPv4 (tunnel mode ipsec ipv4) I can see a child-sa formed with scope 0.0.0.0/0.

Setting tunnel mode ipsec ipv4 v6-overlay deletes that child-sa and creates a new ::/0 child-sa.

Doing tunnel mode ipsec ipv6 v4-overlay results in no SA; actually no IP packets are exchanged between the peers at all.

The config is pretty much like this:

!
ipv6 unicast-routing
!
!
interface Tunnel0
 ip unnumbered Vlan10
 ipv6 address 2001:DB80::1/64
 ipv6 enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination <Strongswan GW>
 tunnel protection ipsec profile GCP_VTI_PRO
!
interface GigabitEthernet0/0/0
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 10
 switchport mode access
!
!
interface Vlan10
 ip address 172.16.2.1 255.255.255.0
 ip mtu 1370
 ip tcp adjust-mss 1300
!
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route <Strongswan GW> 255.255.255.255 GigabitEthernet0/0/0 dhcp
!
ipv6 route ::/0 Tunnel0


Removing Vlan 10, removing ip unnumbered from Tun 0, setting a static IPv4 address on Tun 0, or having no IPv4 on Tun 0 makes no difference to the result.

Looking at show crypto sa and session shows no counter changes when passing IPv6 packets.

Debug log still ends with:

IPv6-Fwd: L3 injection feature enabled: skipping pak_encap


interface Tunnel0
 ip unnumbered Vlan10 <- delete this
 ipv6 address 2001:DB80::1/64
 ipv6 enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv6 v4-overlay
 tunnel destination <Strongswan GW> <- if the Strongswan uses IPv4
 tunnel protection ipsec profile GCP_VTI_PRO <- is the pre-shared key for 0.0.0.0 or ::/0? So for troubleshooting, remove IPsec from the tunnel to check that the tunnel is UP/UP, and then we will reconfigure the IPsec profile.
!
ip route <Strongswan GW> 255.255.255.255 GigabitEthernet0/0/0 dhcp <- IP address must be IPv4

bvl (Level 1), Accepted Solution

Guys, thanks for helping out.

It suddenly started working. I have since repeated several different small changes. For instance with and without ip unnumbered. And they don't matter.

Seems the router was stuck in some state. After shutting down several interfaces and bringing them back up, it all started working.

Thanks again.

Can you share the final config?

Of course, here it is:

!
!
ipv6 unicast-routing
!
!
crypto ikev2 proposal CRYPTO_PP
 encryption aes-gcm-256
 prf sha384
 group 21
no crypto ikev2 proposal default
!
crypto ikev2 policy CRYPTO_POL
 proposal CRYPTO_PP
no crypto ikev2 policy default
!
crypto ikev2 keyring CRYPTO_KR
 peer CRYPTO
  address <IPv4_PEER>
  pre-shared-key <KEY>
 !
!
!
crypto ikev2 profile CRYPTO_PRO
 match identity remote fqdn vpngw.com
 identity local fqdn net2.com
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO_KR
!
!
crypto ipsec transform-set CRYPTO_TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile CRYPTO_VTI_PRO
 set transform-set CRYPTO_TS
 set pfs group21
 set ikev2-profile CRYPTO_PRO
!
!
interface Tunnel0
 no ip address
 ipv6 unnumbered Vlan11
 ipv6 enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination <IPv4_PEER>
 tunnel protection ipsec profile CRYPTO_VTI_PRO
!
interface GigabitEthernet0/0/0
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 11
 switchport mode access
!
!
interface Vlan11
 no ip address
 ipv6 address 2001:DB80::1/64
 ipv6 mtu 1370
 ipv6 tcp adjust-mss 1300
!
!
ipv6 route ::/0 Tunnel0
!
!
end
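As an added example (not from the thread and not Cisco's tooling), a small consistency check over an IPsec VTI config of the kind shown in this thread: it parses the Tunnel interface block, flags a peer address whose family does not match the transport named in tunnel mode ipsec ipv4|ipv6 (the situation the thread reports when ipsec ipv6 v4-overlay was tried against an IPv4 peer), and for a v6-overlay tunnel checks that the interface has IPv6 addressing, that ipv6 unicast-routing is enabled and that an ipv6 route points at the tunnel. The config snippets are constructed; 192.0.2.10 is a placeholder peer address.

```python
import ipaddress

# Constructed config snippets (192.0.2.10 is a placeholder peer): GOOD_CFG mirrors the
# thread's working tunnel, BAD_CFG the "ipsec ipv6 v4-overlay" variant with an IPv4 peer.
GOOD_CFG = """\
ipv6 unicast-routing
interface Tunnel0
 ipv6 unnumbered Vlan11
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile CRYPTO_VTI_PRO
!
ipv6 route ::/0 Tunnel0
"""
BAD_CFG = GOOD_CFG.replace("ipsec ipv4 v6-overlay", "ipsec ipv6 v4-overlay")

def tunnel_blocks(cfg):  # 'TunnelN' -> its sub-commands (the indented lines under the interface)
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface Tunnel"):
            blocks[(name := line.split()[1])] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
        else:
            name = None
    return blocks

def check_vti(cfg):
    """Findings per IPsec VTI: peer family vs transport family, IPv6 overlay prerequisites."""
    lines, findings = cfg.splitlines(), []
    for tun, cmds in tunnel_blocks(cfg).items():
        mode = next((c.split() for c in cmds if c.startswith("tunnel mode ipsec")), None)
        dst = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination")), None)
        if not mode or not dst:
            continue                                        # not an IPsec VTI, nothing to judge
        transport = mode[3]                                 # family of the outer (IPsec) header
        overlay = "ipv6" if "v6-overlay" in mode else ("ipv4" if "v4-overlay" in mode else transport)
        try:                                                # the peer must match the transport family
            if f"ipv{ipaddress.ip_address(dst).version}" != transport:
                findings.append(f"{tun}: transport {transport} but destination {dst} is not")
        except ValueError:
            pass                                            # hostname or placeholder: cannot judge
        if overlay == "ipv6":                               # inner IPv6 needs addressing and a route
            if not any(c.startswith(("ipv6 address", "ipv6 unnumbered")) for c in cmds):
                findings.append(f"{tun}: IPv6 overlay without an IPv6 address")
            if "ipv6 unicast-routing" not in lines:
                findings.append(f"{tun}: IPv6 overlay but 'ipv6 unicast-routing' is absent")
            if not any(l.startswith("ipv6 route ") and l.split()[-1] == tun for l in lines):
                findings.append(f"{tun}: no ipv6 route points at {tun}")
    return findings
```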

Thanks for sharing.
