Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
11266
Views
10
Helpful
11
Comments

ASA: Parallel IPv4 and IPv6 IPsec tunnels over IPv4

Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎03-03-2012 05:44 AM

[toc:faq]

Disclaimer

Please note that while the below scenario should work for most setups, it is to be considered a hack/workaround/kludge.

There is an upcoming enhancement to IPsec code in ASA release codenamed Arsenal, which will be out later this year. 

Background

A few days ago Greg opened a case with TAC where he was looking for documentation on how to achieve parallel IPsec tunnels over IPv4 for both IPv4 and IPv6 traffic.

His actual topology were multiple devices all around the world connecting to a central hub location in Australia.

Not all the devices had IPv6 addressing so as an interim solution he wanted to tunnel IPv6 over IPv4 in a secure way.

The documentaion is quite scarce on this topic, so we had to go to the lab an test this out.


Topology diagram

Diagram1.png

Solution

The solution that worked for us was based on ASA 8.4.3 on all sites.

We run a parallel IKEv2 for IPv4 over IPv4 IPsec tunnel and IPv6 over IPv4 IKEv1 based tunnel.

Configuration

Basic configuration.

Site without IPv6 internet access

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.48.67.5 255.255.254.0
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:db8:11::1/64
crypto ipsec ikev1 transform-set TRA1 esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal TRA2
 protocol esp encryption aes-192 aes
 protocol esp integrity sha-1
crypto map MAP 10 match address V4
crypto map MAP 10 set peer 10.48.67.11
crypto map MAP 10 set ikev2 ipsec-proposal TRA2
crypto map MAP 20 match address V6
crypto map MAP 20 set peer 10.48.67.11
crypto map MAP 20 set ikev1 transform-set TRA1
crypto map MAP interface outside
crypto ikev2 policy 10
 encryption aes-192 aes
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.48.67.11 type ipsec-l2l
tunnel-group 10.48.67.11 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list V4 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ipv6 route outside ::/0 fe80::1111
ipv6 access-list V6 permit ip 2001:db8:11::/64 2001:db8:22::/64

Site with IPv6 internet.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.48.67.11 255.255.254.0
 ipv6 address 2001:db8::2/64
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ipv6 address 2001:db8:22::1/64
access-list V4 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ipv6 route outside ::/0 2001:db8::1
ipv6 access-list V6 permit ip 2001:db8:22::/64 2001:db8:11::/64
crypto ipsec ikev1 transform-set TRA1 esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal TRA2
 protocol esp encryption aes-192 aes
 protocol esp integrity sha-1
crypto map MAP 10 match address V4
crypto map MAP 10 set peer 10.48.67.5
crypto map MAP 10 set ikev2 ipsec-proposal TRA2
crypto map MAP 20 match address V6
crypto map MAP 20 set peer 10.48.67.5
crypto map MAP 20 set ikev1 transform-set TRA1
crypto map MAP interface outside
crypto ikev2 policy 10
 encryption aes-192 aes
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.48.67.5 type ipsec-l2l
tunnel-group 10.48.67.5 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Result

After applying this configuration all remote sites were able to reach IPv6 internet.

Note that all IPv6 addresses need to be routable and typically assigned from same /48 or /56 pool as headquarters.

Verification

Let's check if both IKEv1 and IKEv2 are up. 

bsns-asa5540-3# sh cry isa sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.48.67.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
IKEv2 SAs:
Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
  1002325       10.48.67.11/500        10.48.67.5/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/17 sec
Child sa: local selector  192.168.2.0/0 - 192.168.2.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x390ef9d2/0xcfee516

References

RFC 4306  - IKEv2

http://www.ietf.org/rfc/rfc4306.txt

RFC 2409 - IKEv1

http://www.ietf.org/rfc/rfc2409.txt

ASA product references:

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Comments? Feedback?

Leave a comment under this post.

Labels:
11 Comments
jamiero54
Level 1
Level 1
‎04-05-2012 10:26 PM
‎04-05-2012 10:26 PM

Ive never seen a website using IPv6 although it has been around since quite long

0 Helpful
Kooopobol
Level 1
Level 1
‎05-10-2012 12:14 AM
‎05-10-2012 12:14 AM

Can we do the same thing over IPv6 internet ? (IPv4 over IPv6)

0 Helpful
Netmagic-NW_Operation Team
Level 1
Level 1
‎12-12-2012 06:38 AM
‎12-12-2012 06:38 AM

Thanks for the configuaration.

But what abt the NAT part?

Do we need to bypass NAT where the interesting traffic is IPv6?

0 Helpful
Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎12-12-2012 06:58 AM
‎12-12-2012 06:58 AM

No there is no need to bypass NAT since IPv4 does not apply to IPv6 traffic, unless you're thinking about NTA64?

0 Helpful
Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎12-12-2012 06:58 AM
‎12-12-2012 06:58 AM

Arman,

Yes same thing should apply to IPv6 internet although I have not heard anyone using that :-)

M.

0 Helpful
Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎12-12-2012 06:59 AM
‎12-12-2012 06:59 AM

Jamie,

The objective is rather to enable rapid testing of IPv6 accross the board rather than IPv6 only internet :-)

This solution give you an option of using both IP stacks.

M.

0 Helpful
munurewan1
Level 1
Level 1
‎12-16-2012 02:26 AM
‎12-16-2012 02:26 AM

hello macin,

i am trying to run the similar setup asa ---cloud---thirdparty, ipsec tunnel is up, seems like when i initiate the ping from behind  ASA, its dropping and packet trace shows the "drop by comfigured rule". i dont have inside to outside any rule (100-->0 no rule need). debug crypto ipsec sa seems that packets are encrypted. when i initate theping from other end, asa says 'descarding the esp packet'.

asa 8.4.2

thanks.

rewant

0 Helpful
Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎12-16-2012 02:33 AM
‎12-16-2012 02:33 AM

Rewant,

We're missing quite a few information.

Open up a TAC case, this setup has worked for a few people flawlessly, so most likely it's just a quesion of finding out what's different on your side.

M.

0 Helpful
munurewan1
Level 1
Level 1
‎12-16-2012 05:42 AM
‎12-16-2012 05:42 AM

hello Marcini,

here is the config and detailed output:

interface GigabitEthernet0

nameif OUT

security-level 0

ip address 10.10.10.10 255.255.255.0

ipv6 enable

ipv6 nd suppress-ra

!

interface GigabitEthernet1

nameif inside

security-level 100

no ip address

ipv6 address 2001::1/64

!

crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac

crypto map mymap 10 match address 101

crypto map mymap 10 set peer 192.168.1.3

crypto map mymap 10 set ikev1 transform-set t-set

crypto map mymap interface OUT

crypto ikev1 enable OUT

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

!

tunnel-group 192.168.1.3 type ipsec-l2l

tunnel-group 192.168.1.3 ipsec-attributes

ikev1 pre-shared-key *****

!

! just a route is need for the ipv6 traffic.

ipv6 route OUT ::/0 fe80::1111

ipv6 access-list 101 permit ip host 2001::2 host 2002::2

route OUT 0.0.0.0 0.0.0.0 10.10.10.1 1

!

****output

Here is the icmp teardown log msg in asa-------------when initated ping from host 2001::2 to 2002::2

ciscoasa# %ASA-7-609001: Built local-host inside:2001::2

%ASA-7-609001: Built local-host OUT:2002::2

%ASA-6-302020: Built outbound ICMP connection for faddr 2002::2/0(LOCAL\192.168.1.3) gaddr 2001::2/816 laddr 2001::2/816

ciscoasa# %ASA-7-609001: Built local-host inside:fe80::c801:6ff:fe28:8

%ASA-7-609001: Built local-host identity:2001::1

%ASA-6-302020: Built inbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-6-302020: Built outbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

ciscoasa#  logge%ASA-6-302021: Teardown ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-6-302021: Teardown ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-7-609002: Teardown local-host identity:2001::1 duration 0:00:02

%ASA-7-609002: Teardown local-host inside:fe80::c801:6ff:fe28:8 duration 0:00:

ciscoasa# no%ASA-7-609001: Built local-host identity:fe80::2aa:ff:fec1:ab01

%ASA-7-609001: Built local-host inside:fe80::c801:6ff:fe28:8

%ASA-6-302020: Built outbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr fe80::2aa:ff:fec1:ab01/0 laddr fe80::2aa:ff:fec1:ab01/0

%ASA-6-302021: Teardown ICMP connection for faddr 2002::2/0(LOCAL\192.168.1.3) gaddr 2001::2/816 laddr 2001::2/816

%ASA-7-609002: Teardown local-host inside:2001::2 duration 0:00:09

%ASA-7-609002: Teardown local-host OUT:2002::2 duration 0:00:09

%ASA-6-302020: Built inbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr fe80::2aa:ff:fec1:ab01/0 laddr fe80::2aa:ff:fec1:ab01/0

Flow Trace--

ciscoasa# packet-tracer input inside icmp 2001::2 8 0 2002::2 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc36db70, priority=1, domain=permit, deny=false

        hits=35, user_data=0x0, cs_id=0x0, l3_type=0xdd86

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   ::              ::              OUT

Phase: 3

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc371408, priority=66, domain=inspect-icmp-error, deny=false

        hits=32, user_data=0xbc370820, cs_id=0x0, use_real_addr, flags=0x0, protocol=58

        src ip/id=::/0, icmp-type=0

        dst ip/id=::/0, icmp-code=0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xbc42fbb8, priority=70, domain=encrypt, deny=false

        hits=2, user_data=0x2d94, cs_id=0xbc2ad6e8, reverse, flags=0x0, protocol=0

        src ip/id=2001::2/128, port=0

        dst ip/id=2002::2/128, port=0

        input_ifc=any, output_ifc=OUT

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: OUT

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# show crypto ipsec sa

interface: OUT

    Crypto map tag: mymap, seq num: 10, local addr: 10.10.10.10

      access-list 101 extended permit ip host 2001::2 host 2002::2

      local ident (addr/mask/prot/port): (2001::2/128/0/0)

      remote ident (addr/mask/prot/port): (2002::2/128/0/0)

      current_peer: 192.168.1.3

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.10/0, remote crypto endpt.: 192.168.1.3/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 54B3E3D8

      current inbound spi : E0E61926

As the packet seems to hit by implicit firewall rule, though the packets seem to encrypted as per 'show crypto ispec sa'. no firewall policy from inside to outside(100-->0).  flow trace route lookup is ok?

Hope this helps.

thanks,

rewant

0 Helpful
corentin.villa1
Level 1
Level 1
‎11-25-2015 05:09 AM
‎11-25-2015 05:09 AM 
When I try to add my ipv6 access-list to my crypto-map, the folowing ERROR message commes

ciscoasa(config)#  crypto map int_OetM_map3 1 match address extended-ipv6
ERROR: access-list should be of type extended

But the ipv6 access-list is alredy extendid, isn't it ? 
what should I do ?
0 Helpful
AnastasiaBrown
Level 1
Level 1
‎03-24-2016 02:09 AM
‎03-24-2016 02:09 AM

Thanks its very informative. I use different VPN tunnel Point-to-point tunneling protocol (PPTP) is the most basic and common VPN protocol, which is natively supported on all platforms of Windows that’s why it is also known as MPE.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents