IPv6 IPsec VPN problem

AtoDawit
Level 1

Hi All,

I was working on a test lab for IPv6 site-to-site VPN and would like help in troubleshooting a connection problem. I have end-to-end connectivity between the two routers, but the two internal networks (Branch and HQ) cannot communicate with each other.

Here is the running config for HQ

HQ#show run
Building configuration...

Current configuration : 1648 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ipsecvpn address ipv6 2002:C59C:5AC1:1::2/64
crypto isakmp profile 3des
keyring default
match identity address ipv6 2002:C59C:5AC1:1::2/64
!
!
crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
!
crypto ipsec profile ipv6_ipsec_pro
set transform-set ipv6_tran
!
!
ip tcp synwait-time 5
!
!
interface Tunnel1
no ip address
ipv6 address 2012::1/64
ipv6 enable
tunnel source 2002:D537:49D3:1::2
tunnel destination 2002:C59C:5AC1:1::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6_ipsec_pro
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2002:D537:49D3:1::2/64
ipv6 enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address FDF6:6BE7:B6E0:1::1/64
ipv6 enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
ipv6 route FDF6:6BE7:B6E0:2::/64 2012::2
ipv6 route ::/0 2002:D537:49D3:1::1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

-------------------------------------------------------------------------------------------

And here is the running config for Branch


Branch#show run
Building configuration...

Current configuration : 1652 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ipsecvpn address ipv6 2002:D537:49D3:1::2/64
crypto isakmp profile 3des
keyring default
match identity address ipv6 2002:D537:49D3:1::2/64
!
!
crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
!
crypto ipsec profile ipv6_ipsec_pro
set transform-set ipv6_tran
!
!
ip tcp synwait-time 5
!
!
interface Tunnel1
no ip address
ipv6 address 2012::2/64
ipv6 enable
tunnel source 2002:C59C:5AC1:1::2
tunnel destination 2002:D537:49D3:1::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6_ipsec_pro
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address FDF6:6BE7:B6E0:2::1/64
ipv6 enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2002:C59C:5AC1:1::2/64
ipv6 enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
ipv6 route FDF6:6BE7:B6E0:1::/64 2012::1
ipv6 route ::/0 2002:C59C:5AC1:1::1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

-------------------------------------------------------------------

HQ#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

dst: 2002:D537:49D3:1::2
src: 2002:C59C:5AC1:1::2
state: QM_IDLE conn-id: 1001 slot: 0 status: ACTIVE

HQ#show crypto engine connection active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec 3DES+SHA 0 0 2002:D537:49D3:1::2
2 Fa0/0 IPsec 3DES+SHA 7 0 2002:D537:49D3:1::2
1001 Fa0/0 IKE SHA+3DES 0 0 2002:D537:49D3:1::2

HQ#ping fdf6:6be7:b6e0:2::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FDF6:6BE7:B6E0:2::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Any suggestion is much appreciated.

Thanks.
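As an added example (not code from the thread): a small Python checker that reads the lines of the two show run outputs above that matter for a VTI pair and reports the cross-peer mismatches that let IKE and IPsec come up while LAN-to-LAN traffic still fails (tunnel source/destination, isakmp key peer, static route next hops), plus whether ipv6 unicast-routing is present in the pasted config. Function and variable names are my own; the config excerpts are copied from the HQ and Branch configs in the post.

```python
# Added example (not from the thread): cross-check two IOS IPv6 VTI configs for peer mismatches.
import re
from ipaddress import IPv6Address, IPv6Interface, IPv6Network

def parse_ios(cfg):
    """Extract forwarding flag, Tunnel addressing, IKE peer entries and static routes."""
    f = {"unicast_routing": False, "tunnel": {}, "ike_peers": [], "routes": []}
    iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line == "ipv6 unicast-routing":
            f["unicast_routing"] = True
        elif m := re.match(r"crypto isakmp key \S+ address ipv6 (\S+)", line):
            f["ike_peers"].append(IPv6Interface(m.group(1)).network)
        elif m := re.match(r"ipv6 route (\S+) (\S+)", line):
            f["routes"].append((IPv6Network(m.group(1)), IPv6Address(m.group(2))))
        elif iface and iface.startswith("Tunnel"):  # only the Tunnel interface lines matter here
            for key, prefix in (("address", "ipv6 address "), ("source", "tunnel source "),
                                ("destination", "tunnel destination ")):
                if line.startswith(prefix):
                    f["tunnel"][key] = (IPv6Interface if key == "address" else IPv6Address)(line.split()[-1])
    return f

def check_pair(a, b):
    """Return findings for peers a and b (dicts from parse_ios); an empty list means consistent."""
    out = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        t, pt = me["tunnel"], peer["tunnel"]
        if not me["unicast_routing"]:
            out.append(f"{name}: 'ipv6 unicast-routing' absent, so transit IPv6 is not forwarded")
        if t.get("destination") != pt.get("source"):
            out.append(f"{name}: tunnel destination {t.get('destination')} != peer source {pt.get('source')}")
        if not any(pt["source"] in net for net in me["ike_peers"]):
            out.append(f"{name}: no 'crypto isakmp key' entry covers peer {pt['source']}")
        for net, nh in me["routes"]:  # routes via the tunnel must point at the peer's tunnel IP
            if net.prefixlen and nh in t["address"].network and nh != pt["address"].ip:
                out.append(f"{name}: route {net} next hop {nh} is not the peer tunnel address")
    return out

# Excerpts of the HQ and Branch 'show run' quoted in the thread (only the lines the check reads).
HQ = ("crypto isakmp key ipsecvpn address ipv6 2002:C59C:5AC1:1::2/64\ninterface Tunnel1\n"
      " ipv6 address 2012::1/64\n tunnel source 2002:D537:49D3:1::2\n"
      " tunnel destination 2002:C59C:5AC1:1::2\nipv6 route FDF6:6BE7:B6E0:2::/64 2012::2")
BRANCH = ("crypto isakmp key ipsecvpn address ipv6 2002:D537:49D3:1::2/64\ninterface Tunnel1\n"
          " ipv6 address 2012::2/64\n tunnel source 2002:C59C:5AC1:1::2\n"
          " tunnel destination 2002:D537:49D3:1::2\nipv6 route FDF6:6BE7:B6E0:1::/64 2012::1")
FINDINGS = check_pair(parse_ios(HQ), parse_ios(BRANCH))
```

On the excerpts as pasted, the only findings are the missing ipv6 unicast-routing on each side; the tunnel, IKE and route entries cross-check cleanly.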

6 Replies

Philip D'Ath
VIP Alumni

Can one tunnel endpoint ping the other end of the tunnel (e.g. can 2012::1/64 ping 2012::2/64)?

Yes, they can ping each other.

Then that means the crypto must be correct. It must be something to do with forwarding.

Have you got "ipv6 unicast-routing" on both routers to enable IPv6 forwarding?

Hi Philip,

Yes, that is enabled too.

You definitely have something plugged into both LAN ports, FastEthernet0/1?

Peter Koltl
Level 7

show crypto session detail

show crypto ipsec sa

HQ#ping fdf6:6be7:b6e0:2::1 source Fa0/1
