[CSR-1000v] IPv6-IPsec tunnel is not establishing for IKEv1 version

Hi Team, Greetings!!!

I am using the configuration below for IPv6-IPsec with IKEv1, but Cisco is sending "no proposal chosen" to the other end. I configured encryption, authentication, DH group and PFS the same on both sides; there is no misconfiguration.

local-address at line 2 (below) is not accepting an IPv6 address, so I gave the corresponding interface. Is this creating any problem? Please let me know.

The same config with IPv4 is working fine.


crypto keyring keyring-vc-11 vrf c1_global
 local-address GigabitEthernet2.11
 pre-shared-key address ipv6 FD00:1:1:1::2/128 key secret1
exit

crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
exit

crypto isakmp keepalive 10 3
crypto isakmp profile isakmp-vc-11
   vrf c1_global
   keyring keyring-vc-11
   match identity address ipv6 FD00:1:1:1::2/128 c1_global
   local-address FD00:BBBB:1:11::1 c1_global
   exit

crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
 mode tunnel
exit
crypto ipsec df-bit clear
crypto ipsec profile ipsec-vc-11
 set security-association lifetime seconds 28800
 set transform-set ipsec-prop-vc-11
 set pfs group2
 set isakmp-profile isakmp-vc-11
exit

interface Tunnel11
 vrf forwarding c1_global
 no ip address
 ipv6 tcp adjust-mss 1320
 ipv6 address FD00:2323:2323:2323::1/64
 ipv6 enable
 tunnel source FD00:BBBB:1:11::1
 tunnel mode ipsec ipv6
 tunnel destination FD00:1:1:1::2
 tunnel vrf c1_global
 tunnel protection ipsec profile ipsec-vc-11
end
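As an added troubleshooting aid (not code from this thread or from Cisco): a small Python checker that pulls the IKEv1 phase-1 policy, the IPsec transform set and the PFS group out of IOS configuration text from both peers and lists the mismatches that make a peer answer NO_PROPOSAL_CHOSEN. The defaults table holds the documented IOS isakmp policy defaults; the peer configuration is constructed and assumed to differ only in AES key length.

```python
import re
# IOS defaults for attributes an "isakmp policy" may omit: des, sha, rsa-sig, DH group 1.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_ios_crypto(cfg):
    """Pull IKEv1 phase-1 policies, transform sets and per-profile PFS out of IOS config text."""
    out = {"policies": [], "transform_sets": {}, "pfs": {}}
    section = None
    for line in (l.strip() for l in cfg.splitlines()):
        if line in ("exit", "end"):
            section = None
        elif re.match(r"crypto isakmp policy \d+$", line):
            section = ("policy", dict(POLICY_DEFAULTS))   # start from the implicit defaults
            out["policies"].append(section[1])
        elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
            out["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
            section = None
        elif (m := re.match(r"crypto ipsec profile (\S+)", line)):
            section = ("profile", m.group(1))
        elif section and section[0] == "policy":
            kv = line.split(None, 1)                      # "encr aes 256" -> ("encr", "aes 256")
            if len(kv) == 2 and kv[0] in POLICY_DEFAULTS:
                section[1][kv[0]] = kv[1]
        elif section and section[0] == "profile" and line.startswith("set pfs "):
            out["pfs"][section[1]] = line.split()[-1]
    return out

def proposal_mismatches(local, remote):
    """Reasons a peer answers NO_PROPOSAL_CHOSEN: no phase-1 policy, transform set or PFS group in common."""
    problems = []
    if not any(lp == rp for lp in local["policies"] for rp in remote["policies"]):
        problems.append("phase1: no isakmp policy agrees on encr/hash/authentication/group")
    if not set(local["transform_sets"].values()) & set(remote["transform_sets"].values()):
        problems.append("phase2: no transform-set in common")
    if set(local["pfs"].values()) != set(remote["pfs"].values()):
        problems.append("phase2: pfs group differs")
    return problems

# Constructed inputs: the poster's side, and a hypothetical peer that says "encr aes 256".
LOCAL_CFG = """crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
exit
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vc-11
 set pfs group2
exit"""
PEER_CFG = LOCAL_CFG.replace(" encr aes\n", " encr aes 256\n")
```

Run `proposal_mismatches(parse_ios_crypto(LOCAL_CFG), parse_ios_crypto(PEER_CFG))` to see the phase-1 mismatch reported; feed it the real configs from both routers to compare them.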


2 Replies

MaxShantar
Cisco Employee

It looks like the issue is with the match identity address ipv6 command in the isakmp-vc-11 profile. The vrf keyword should be used after the match identity address command, not before it.

Try this:

crypto keyring keyring-vc-11 vrf c1_global
 local-address GigabitEthernet2.11
 pre-shared-key address ipv6 FD00:1:1:1::2/128 key secret1
exit

crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
exit

crypto isakmp keepalive 10 3
crypto isakmp profile isakmp-vc-11
   vrf c1_global
   keyring keyring-vc-11
   match identity address ipv6 FD00:1:1:1::2/128 vrf c1_global
   local-address FD00:BBBB:1:11::1 c1_global
   exit

crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
 mode tunnel
exit
crypto ipsec df-bit clear
crypto ipsec profile ipsec-vc-11
 set security-association lifetime seconds 28800
 set transform-set ipsec-prop-vc-11
 set pfs group2
 set isakmp-profile isakmp-vc-11
exit

interface Tunnel11
 vrf forwarding c1_global
 no ip address
 ipv6 tcp adjust-mss 1320
 ipv6 address FD00:2323:2323:2323::1/64
 ipv6 enable
 tunnel source FD00:BBBB:1:11::1
 tunnel mode ipsec ipv6
 tunnel destination FD00:1:1:1::2
 tunnel vrf c1_global
 tunnel protection ipsec profile ipsec-vc-11
end

Hi @MaxShantar , Thanks for the response.

We don't need to give the vrf keyword before the VRF name, so the config I posted above is the correct one.

csr1(conf-isa-prof)#match identity address ipv6 FD00:1:1:1::2/128 ?
WORD Specify the F VRF (default global)
<cr>

csr1(conf-isa-prof)#match identity address ipv6 FD00:1:1:1::2/128 vrf c1_global
^
% Invalid input detected at '^' marker.