12-10-2022 06:59 AM - edited 12-10-2022 07:02 AM
Hi Team, Greetings!!!
I am using the below configuration for IPv6 IPsec with IKEv1. But Cisco is sending "no proposal chosen" to the other end. I configured encryption, authentication, DH group and PFS all the same; there is no misconfiguration.
local-address at line 2 (below) is not accepting an IPv6 address, so I gave the corresponding interface. Is this creating any problem? Please let me know.
The same config with IPv4 is working fine.
crypto keyring keyring-vc-11 vrf c1_global
local-address GigabitEthernet2.11
pre-shared-key address ipv6 FD00:1:1:1::2/128 key secret1
exit
crypto isakmp policy 11
encr aes
authentication pre-share
group 2
exit
crypto isakmp keepalive 10 3
crypto isakmp profile isakmp-vc-11
vrf c1_global
keyring keyring-vc-11
match identity address ipv6 FD00:1:1:1::2/128 c1_global
local-address FD00:BBBB:1:11::1 c1_global
exit
crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec df-bit clear
crypto ipsec profile ipsec-vc-11
set security-association lifetime seconds 28800
set transform-set ipsec-prop-vc-11
set pfs group2
set isakmp-profile isakmp-vc-11
exit
interface Tunnel11
vrf forwarding c1_global
no ip address
ipv6 tcp adjust-mss 1320
ipv6 address FD00:2323:2323:2323::1/64
ipv6 enable
tunnel source FD00:BBBB:1:11::1
tunnel mode ipsec ipv6
tunnel destination FD00:1:1:1::2
tunnel vrf c1_global
tunnel protection ipsec profile ipsec-vc-11
end
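Added example (not from the thread or from Cisco): a small Python checker that pulls the ISAKMP policy, transform-set and PFS group out of IOS-style config text for both peers and reports which phase would make the responder answer NO PROPOSAL CHOSEN. It fills in IOS's documented IKEv1 policy defaults (DES, SHA, RSA signatures, group 1) so a parameter one side left at its default, such as hash, is still compared. The sample configs are constructed from the post; the remote peer is assumed to run a similar IOS configuration.

```python
import re

# IKEv1 policy defaults on Cisco IOS (documented); assumption: the peer uses the same defaults
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_ios_crypto(config):
    """Return (isakmp policies, transform-sets, pfs groups) found in IOS config text."""
    policies, transforms, pfs, cur = {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        m_pol = re.match(r"crypto isakmp policy (\d+)$", line)
        m_ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        m_pfs = re.match(r"set pfs (\S+)", line)
        parts = line.split()
        if m_pol:
            cur = policies.setdefault(m_pol.group(1), dict(DEFAULTS))
        elif m_ts:
            transforms[m_ts.group(1)] = frozenset(m_ts.group(2).split()); cur = None
        elif m_pfs:
            pfs.add(m_pfs.group(1))
        elif cur is not None and parts and parts[0] in DEFAULTS:
            cur[parts[0]] = parts[-1]          # e.g. "group 2" overrides the default group
        elif line == "exit":
            cur = None
    return policies, transforms, pfs

def find_mismatches(local_cfg, remote_cfg):
    """List the reasons a peer running remote_cfg would reply NO PROPOSAL CHOSEN to local_cfg."""
    lp, lt, lpfs = parse_ios_crypto(local_cfg)
    rp, rt, rpfs = parse_ios_crypto(remote_cfg)
    reasons = []
    if not any(a == b for a in lp.values() for b in rp.values()):
        reasons.append("phase1: no ISAKMP policy (encr/hash/auth/group) in common")
    if not set(lt.values()) & set(rt.values()):
        reasons.append("phase2: no transform-set in common")
    if lpfs != rpfs:
        reasons.append(f"phase2: PFS mismatch {sorted(lpfs)} vs {sorted(rpfs)}")
    return reasons

# Constructed sample: the policy/transform-set from the post, plus a peer whose hash was set
# to md5 (easy to miss, since a hash left at default is not shown in the running config)
LOCAL = """crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
exit
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
 set pfs group2
"""
REMOTE = LOCAL.replace("group 2\n", "group 2\n hash md5\n")
```

`find_mismatches(LOCAL, REMOTE)` flags phase 1, while `find_mismatches(LOCAL, LOCAL)` returns an empty list, which is the state the poster describes; at that point the next thing to check is the ISAKMP profile/keyring selection rather than the proposals themselves.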
12-11-2022 07:12 AM
It looks like the issue is with the match identity address ipv6 command in the isakmp-vc-11 profile. The vrf keyword should be used after the match identity address command, not before it.
Try this:
crypto keyring keyring-vc-11 vrf c1_global
local-address GigabitEthernet2.11
pre-shared-key address ipv6 FD00:1:1:1::2/128 key secret1
exit
crypto isakmp policy 11
encr aes
authentication pre-share
group 2
exit
crypto isakmp keepalive 10 3
crypto isakmp profile isakmp-vc-11
vrf c1_global
keyring keyring-vc-11
match identity address ipv6 FD00:1:1:1::2/128 vrf c1_global
local-address FD00:BBBB:1:11::1 c1_global
exit
crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ipsec-prop-vc-11 esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec df-bit clear
crypto ipsec profile ipsec-vc-11
set security-association lifetime seconds 28800
set transform-set ipsec-prop-vc-11
set pfs group2
set isakmp-profile isakmp-vc-11
exit
interface Tunnel11
vrf forwarding c1_global
no ip address
ipv6 tcp adjust-mss 1320
ipv6 address FD00:2323:2323:2323::1/64
ipv6 enable
tunnel source FD00:BBBB:1:11::1
tunnel mode ipsec ipv6
tunnel destination FD00:1:1:1::2
tunnel vrf c1_global
tunnel protection ipsec profile ipsec-vc-11
end
12-13-2022 12:21 AM
Hi @MaxShantar, thanks for the response.
We don't need to give the vrf keyword before the VRF name, so the config I posted above is the correct one.
csr1(conf-isa-prof)#match identity address ipv6 FD00:1:1:1::2/128 ?
WORD Specify the F VRF (default global)
<cr>
csr1(conf-isa-prof)#match identity address ipv6 FD00:1:1:1::2/128 vrf c1_global
^
% Invalid input detected at '^' marker.