IPSec VPN IPv6 Between Asa 5550 and 881

Kooopobol
Level 1

Hello everybody,

Currently on internship in a multi-site company, I am studying the IPv6 transition.

I have to perform several tests and I was wondering if it was possible to make a Site-to-Site IPsec VPN with IPv6 between a Cisco ASA 5550 and a Cisco 881 router.

Thanks.

PS: Excuse my English.

17 Replies

Marcin Latosiewicz
Cisco Employee

Arman,

There is certainly no restriction on the ASA side (just save yourself the trouble and try ASA 8.4.2 software).

I don't remember any restrictions on IOS side either, just use a decent software version.

What did you want to implement, IPv6 over IPv4 or IPv6 over IPv6?

Marcin

Marcin,

I'm trying to implement IPv4 over IPv6 (both sites have IPv4 inside network and IPv6 outside).

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/site2sit.html

This guide seems to say that both peers have to be Cisco ASA...

Can you confirm this?

Thanks for your answer

Armand,

I do not have lab access now to confirm this, but having a look at the docs it looks like IOS is supporting IPv6 over IPv6 and IPv4 over IPv4 IPsec only. This is pure IPsec (VTI and crypto maps); there should be no problem to send this traffic with GREoIPsec, but it's not supported on the ASA (no virtual interfaces are).

Marcin

Marcin,

So I will need both ASA? Is there any solution to do IPv4 over IPv6?

There is a scheme which describes what I want to do:

Armand

Armand,

I have not tried this, but I think something like this would work (provided you have a device on the ASA side which can do IPv6 GRE).

Now the docs say that ASA supports IPv6 over IPv6 when both peers are ASAs but I'm not sure if we're doing any tricks.

I would say you'd need to load the very latest software on the 880 (15.1.4T?) and give it a try.

Marcin

Marcin,

Is there another solution yet?

If both peers are ASA, can I keep the internal networks IPv4 and have a 4in6 tunnel between the sites?

Thanks,

Armand

Armand,

At a glance you'd need two devices of the same kind to have the easiest solution (either IOS or ASA).

I guess the development guys need to work a bit more on inter-operability. I saw quite a few indications that it's coming, but as it stands now in docs, it's far from perfect.

Marcin

Marcin,

First of all, thanks for your answer.

My ISP says that Cisco routers support IPv4-in-IPv6 IPsec (IPv4 internal and IPv6 external) but I can't find any Cisco docs which say that.

You said "it looks like IOS is supporting IPv6 over IPv6 and IPv4 over IPv4 IPsec only."

Can you tell me who is right?

Armand

Armand,

As far as I know VTI will not allow you to transport IPv6 over IPv4 directly.

But as I said GRE should allow you to transport anything.

If you will give me a few days I should be able to test this.

Marcin

Marcin,

I want to set up an IPv4 over IPv6 tunnel (IPv4 packet encapsulated into an IPv6 one), not IPv6 over IPv4.

It means that both peers have IPv6 External, and IPv4 Internal interfaces.

Moreover, my company would not like to use GRE...

Armand

Armand,

Hopefully now the situation will be clear.

IPv6 GRE:

R2#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms

R2#ping fe80::23:3
Output Interface: tunnel23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::23:3, timeout is 2 seconds:
Packet sent with a source address of FE80::23:2%Tunnel23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

R2#sh run int tu23
Building configuration...

Current configuration : 219 bytes
!
interface Tunnel23
 ip address 192.168.23.2 255.255.255.0
 ipv6 address FE80::23:2 link-local
 tunnel source Ethernet0/0
 tunnel mode gre ipv6
 tunnel destination 2001:DB8::3
 tunnel protection ipsec profile PRO
end

Situation with IPv6 VTI:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int tu23
R2(config-if)#tunnel mode ipsec ipv6
R2(config-if)#
*Sep 15 12:23:33.127: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to down
R2(config-if)#
*Sep 15 12:23:45.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to up
R2(config-if)#exit
R2(config)#exit
R2#ena
*Sep 15 12:23:51.319: %SYS-5-CONFIG_I: Configured from console by console
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#^Z
R2#
*Sep 15 12:23:58.415: %SYS-5-CONFIG_I: Configured from console by console

R2#ping fe80::23:3
Output Interface: tunnel23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::23:3, timeout is 2 seconds:
Packet sent with a source address of FE80::23:2%Tunnel23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms

R2#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
*Sep 15 12:24:29.679: %IPSECV6-4-PKT_PROTOCOL_MISMATCH: IP protocol in packet mismatched with tunnel mode, packet from 192.168.23.2 to 192.168.23.3 dropped by Tunnel23.....
Success rate is 0 percent (0/5)

IPv6 VTI cannot carry IPv4 and IPv4 VTI cannot carry IPv6 because of the proxy identities.

Tested today on 15.2.1.T

Marcin
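For readers who want to reproduce the working GRE-over-IPv6 case, here is a complete R2-side IOS configuration built around the Tunnel23 lines Marcin posted (this is an added example, not configuration from the thread or from Cisco; the other end must be an IOS device, since the thread notes the ASA has no GRE/virtual interfaces). The IKEv1 policy, the pre-shared key placeholder, transform set TS, the body of profile PRO, the local address 2001:DB8::2/64 and the remote LAN 10.2.0.0/16 are all assumptions.

```cisco
! Added example (not from the thread). Only the Tunnel23 lines come from
! Marcin's "sh run int tu23"; everything else is an assumed, working filling.
!
! Phase 1 (IKEv1/ISAKMP): the peer is identified by its IPv6 address.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: use a strong, per-peer secret, never a shared default.
crypto isakmp key REPLACE-WITH-STRONG-PSK address ipv6 2001:DB8::3/128
!
! Phase 2: ESP with AES-256 and SHA-1 HMAC in tunnel mode.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Profile referenced by "tunnel protection" on the tunnel interface.
crypto ipsec profile PRO
 set transform-set TS
!
! Underlay interface that is the tunnel source (address assumed).
interface Ethernet0/0
 ipv6 enable
 ipv6 address 2001:DB8::2/64
!
! GRE over IPv6 carries IPv4 and IPv6 inner packets alike: the IPsec proxy
! identities cover the IPv6 GRE flow between the two endpoints, so the inner
! protocol is irrelevant (unlike "tunnel mode ipsec ipv6", which drops IPv4
! with %IPSECV6-4-PKT_PROTOCOL_MISMATCH as shown above).
interface Tunnel23
 ip address 192.168.23.2 255.255.255.0
 ipv6 address FE80::23:2 link-local
 tunnel source Ethernet0/0
 tunnel mode gre ipv6
 tunnel destination 2001:DB8::3
 tunnel protection ipsec profile PRO
!
! Send the remote IPv4 LAN (assumed prefix) into the tunnel.
ip route 10.2.0.0 255.255.0.0 Tunnel23
```

Mirror the configuration on the peer with the addresses swapped; "show crypto ipsec sa" should then list the IPv6 GRE flow as the protected identity while IPv4 pings across the tunnel succeed.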

Thanks,

but if I want pure IPsec (no GRE): can IOS routers form IPsec tunnels between IPv6 endpoints and transport IPv4 packets inside it?

Thanks

FYI, we created the following enhancement request for native IPv6 over IPv4 support on IOS.

CSCtu09251.

If you're interested in this functionality please contact your SE and/or account team to have them talk to BU.

Marcin

Thanks, but like I said I'm trying to make an IPsec tunnel between IPv6 endpoints (IPv4 over IPv6).

PS :  ---- [ASA] ----- ---- [881] -------