Re: Cisco ASR44xx/AnyConnect: Unable to establish an IPv6 tunnel (IPSe

swscco001 · ‎02-15-2022

Hello everybody,

our customer has the problem that many AnyConnect (4.10.04065) users are abroad
and many of them get just an IPv6 address from their providers. The client OS is
Windows 10 Enterprise 20H2. IPv6 support is enabled there.

So he try to make it possible that they can establish an IPv6 tunnel (IPSec)
to the ASR44xx router (IOS 17.06.02) that transport IPv4 packets.
The authentication based on certificates. Their LAN has just IPv4
devices. They need to encapsulate IPv4 packets in IPv6 and encrypt/decrypt them.

He did a lot of testing but don't get this working. The IPv6 line protocol on
virtual-access interface goes down immediately during the IPv6 tunnel establishment.
No IPv4 packet goes through the tunnel (encap/decap keep on 0).

The establishment of a IPv4 tunnel between the AnyConnect clients and the ISR router
was no problem.

Attached you find the router configuration and the loggs of a IPv4 and IPv6
tunnel establishment. These looks pretty identical.

The Questions are:

1. Is it possible to establish a IPv6 tunnel between an AnyConnect client
and an ISR router that transport IPv4 packets?

2. If this is possible at all, can you provicde a sample configuration or can
tell what we are doing wrong.

Every hint is welcome!

Thanks a lot!

Bye

R.

Milos_Jovanovic · ‎02-17-2022

Hi @swscco001,

If the client has only IPv6, and your headend device has only IPv4, then it is not possible. You need something in between that can convert one protocol to another (NAT64). Another and prefered option is to introduce IPv6 on your headend GW, making it work as dual stack.

BR,

Milos

Cisco ASR44xx/AnyConnect: Unable to establish an IPv6 tunnel (IPSec)