01-13-2016 11:33 PM - edited 02-21-2020 08:37 PM
Hi All,
I was working on a test lab for IPv6 site-to-site VPN and would like help in troubleshooting a connection problem. I have
Here is the running config for HQ
HQ#show run
Building configuration...
Current
!
version 12.4
service timestamps debug
service timestamps log
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size
no
!
!
multilink bundle-name authenticated
!
!
archive
log config
!
!
crypto
authentication pre-share
group 2
crypto
crypto
keyring default
match identity address ipv6 2002:C59C:5AC1:1::2/64
!
!
crypto
!
crypto
set transform-set ipv6_tran
!
!
!
!
interface Tunnel1
no
ipv6 address 2012::1/64
ipv6 enable
tunnel source 2002:D537:49D3:1::2
tunnel destination 2002:C59C:5AC1:1::2
tunnel mode
tunnel protection
!
interface FastEthernet0/0
no
duplex auto
speed auto
ipv6 address 2002:D537:49D3:1::2/64
ipv6 enable
!
interface FastEthernet0/1
no
duplex auto
speed auto
ipv6 address FDF6:6BE7:B6E0:1::1/64
ipv6 enable
!
!
!
no
no
!
no
ipv6 route FDF6:6BE7:B6E0:2::/64 2012::2
ipv6 route ::/0 2002:D537:49D3:1::1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line
login
!
!
end
-------------------------------------------------------------------------------------------
And here is the running config for Branch
Branch#show run
Building configuration...
Current configuration : 1652 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ipsecvpn address ipv6 2002:D537:49D3:1::2/64
crypto isakmp profile 3des
keyring default
match identity address ipv6 2002:D537:49D3:1::2/64
!
!
crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
!
crypto ipsec profile ipv6_ipsec_pro
set transform-set ipv6_tran
!
!
ip tcp synwait-time 5
!
!
interface Tunnel1
no ip address
ipv6 address 2012::2/64
ipv6 enable
tunnel source 2002:C59C:5AC1:1::2
tunnel destination 2002:D537:49D3:1::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6_ipsec_pro
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address FDF6:6BE7:B6E0:2::1/64
ipv6 enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2002:C59C:5AC1:1::2/64
ipv6 enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
ipv6 route FDF6:6BE7:B6E0:1::/64 2012::1
ipv6 route ::/0 2002:C59C:5AC1:1::1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
-------------------------------------------------------------------
HQ#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
dst: 2002:D537:49D3:1::2
src: 2002:C59C:5AC1:1::2
state: QM_IDLE conn-id: 1001 slot: 0 status: ACTIVE
HQ#show crypto engine connection active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec 3DES+SHA 0 0 2002:D537:49D3:1::2
2 Fa0/0 IPsec 3DES+SHA 7 0 2002:D537:49D3:1::2
1001 Fa0/0 IKE SHA+3DES 0 0 2002:D537:49D3:1::2
HQ#ping fdf6:6be7:b6e0:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FDF6:6BE7:B6E0:2::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Any suggestion is much appreciated.
Thanks.
01-15-2016 01:16 AM
Can one tunnel endpoint ping the other end of the tunnel (e.g. can 2012::1/64 ping 2012::2/64)?
01-15-2016 02:25 AM
01-16-2016 12:50 AM
Then that means the crypto must be correct. It must be something to do with forwarding.
Have you got "ipv6 unicast-routing" on both routers to enable IPv6 forwarding?
01-16-2016 06:48 AM
Hi Philip,
Yes that is enabled too.
01-16-2016 02:19 PM
You definitely have something plugged into both LAN ports, FastEthernet0/1?
01-18-2016 12:45 PM
show crypto session detail
show crypto ipsec sa
HQ#ping fdf6:6be7:b6e0:2::1 source Fa0/1
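The replies above boil down to checking a few things on both routers: IPv6 forwarding enabled, tunnel source/destination mirrored, and the ISAKMP pre-shared key stored against the right peer address. The script below is an added example (not code from this thread) that parses two IOS-style snippets and reports any of those mismatches; the two configs are constructed snippets modelled on the posted ones, with the HQ side deliberately missing `ipv6 unicast-routing` so the check has something to report.

```python
import ipaddress, re
# Constructed snippets modelled on the thread; HQ deliberately lacks "ipv6 unicast-routing".
HQ = """
crypto isakmp key ipsecvpn address ipv6 2002:C59C:5AC1:1::2/64
interface Tunnel1
 tunnel source 2002:D537:49D3:1::2
 tunnel destination 2002:C59C:5AC1:1::2
 tunnel mode ipsec ipv6
"""
BRANCH = """
ipv6 unicast-routing
crypto isakmp key ipsecvpn address ipv6 2002:D537:49D3:1::2/64
interface Tunnel1
 tunnel source 2002:C59C:5AC1:1::2
 tunnel destination 2002:D537:49D3:1::2
 tunnel mode ipsec ipv6
"""

# canonical lowercase IPv6 text with any prefix length dropped
norm = lambda addr: str(ipaddress.ip_address(addr.split("/")[0]))

def parse(cfg):
    """Extract the fields that must agree across both tunnel ends."""
    f = {"routing": False, "keys": {}, "tunnel": {}}
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "ipv6 unicast-routing":
            f["routing"] = True
        elif m := re.match(r"crypto isakmp key (\S+) address ipv6 (\S+)", line):
            f["keys"][norm(m[2])] = m[1]  # key indexed by the peer address it is for
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            f["tunnel"][m[1]] = norm(m[2])
        elif m := re.match(r"tunnel mode (.+)", line):
            f["tunnel"]["mode"] = m[1]
    return f

def check_pair(cfg_a, cfg_b):
    """Return findings for a pair of configs; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    t_a, t_b, findings = a["tunnel"], b["tunnel"], []
    for name, f in (("A", a), ("B", b)):
        if not f["routing"]:
            findings.append(f"{name}: no 'ipv6 unicast-routing', IPv6 forwarding is off")
    if t_a.get("source") != t_b.get("destination") or t_b.get("source") != t_a.get("destination"):
        findings.append("tunnel source/destination are not mirrored")
    if t_a.get("mode") != t_b.get("mode"):
        findings.append("tunnel mode differs between the two ends")
    # both sides must hold the same pre-shared key, each stored against its peer's address
    key_a, key_b = a["keys"].get(t_a.get("destination")), b["keys"].get(t_b.get("destination"))
    if key_a is None or key_a != key_b:
        findings.append("ISAKMP pre-shared key missing or mismatched for the peer address")
    return findings
```

Run `check_pair(HQ, BRANCH)` to get the list of findings; on a real lab, paste the two `show run` outputs in place of the constructed strings.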