Re: IPV6 IPSEC Site-to-Site issue

sakatzidisgiwrgos · ‎11-01-2023

Hello community,

I have an issue while i am trying to configure a Site-to-Site VPN with crypto maps with IPV6.

The topology is uploaded as an attachment.

I noticed that when i apply my crypto map on the outside interfaces on the routers, i get this message:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC_V6: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /FF02::1, src_addr= FE80::C803:3BFF:FED8:1C, prot= 58

The configuration of each router is uploaded also.

In addition, on R3 i can see some error messages regarding ipv6:

1 20:24:32.963: ICMPv6: Sent Unreachable code 3, src=2001:DB8:0:1::2, Dst=2001:DB8:0:1::1
*Nov 1 20:24:32.967: ICMPv6: Sent N-Solicit, src=2001:DB8:0:1::2, Dst=FF02::1:FF00:1
R3#
*Nov 1 20:24:34.055: ICMPv6: Sent N-Solicit, src=2001:DB8:0:1::2, Dst=FF02::1:FF00:1
R3#
*Nov 1 20:24:35.143: ICMPv6: Sent N-Solicit, src=2001:DB8:0:1::2, Dst=FF02::1:FF00:1

The result is that the IPSec tunnel cannot be established.

Any help would be appreciated

Thanks in advance.

MHM Cisco World · ‎11-04-2023

https://community.cisco.com/t5/networking-knowledge-base/configuration-example-site-to-site-vpn-for-ipv6-ipsec/ta-p/3134857

check this example.

I am weak in IPv6 but I will try as much as I can to help you in this lab.

Thanks A Lot
MHM

Rich R · ‎11-04-2023

Hopefully the link @MHM Cisco World provided will help explain it for you but let's clarify some info about what you're trying to do:
- which routers are you trying to create the IPSEC tunnel between? R1 & R2?
- you've provided config for R1 & R2 but not R3?

Are you aware that crypto maps are being deprecated? Latest IOS already doesn't support crypto map on some interfaces and Cisco plan to discontinue support for crypto maps altogether:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-8/sec-sec-for-vpns-w-ipsec-xe-16-8-book/sec-cfg-vpn-ipsec.html#GUID-318AA5E9-036B-4CE8-A53E-3E15065F2F01
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs