Re: IPv6 IPSec

scikara · ‎04-29-2005

Maybe someone can help me with the problem I'm having:

I'm trying to establish IPv6 IPSec tunnels between two routers in a point-to-point configuration using IOS v 12.3(6), like in the below configuration.

PC1------Router1-------Router2------PC2

After reading the cisco documentation, this is apparently not possible. I quote:

"Currently, IPv6 IPSec is only available for the control plane. IPv6 IPSec for the data plane will be available in a future release, Implementing Security for IPv6"

As an alternative, I have tried to use IPv6-to-IPv4 tunnel (shown below). But I cant get anything to trigger the ISAKMP transfer (and hence setup the IPSec tunnel.

PC1--(IPv6)--Router1--(IPv4 tunnel)--Router2--(IPv6)--PC2

Does anyone have any suggestions? Is it just not possible at the moment to implement IPv6 and IPSec on cisco routers?

Any help would be greatly appreciated!

COnfigs are posted below:

Router1

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router1

!

boot-start-marker

boot-end-marker

!

memory-size iomem 10

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

!

ip cef

ipv6 cef

ipv6 unicast-routing

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key xxxx address 192.168.3.2

!

interface Tunnel1

no ip address

ipv6 address 2000:3::1/64

tunnel source 192.168.3.1

tunnel destination 192.168.3.2

tunnel mode ipv6ip

no shut

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

ipv6 address 2000:1::1/64

ipv6 enable

no shut

!

interface Serial0/0

no ip address

shutdown

no fair-queue

!

interface BRI0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 192.168.3.1 255.255.255.0

duplex auto

speed auto

no shut

!

interface Serial0/1

no ip address

shutdown

!

ip http server

no ip http secure-server

ip classless

!

ipv6 route 2000:2::/64 tunnel 1

ipv6 route 2000:3::/64 tunnel 1

!

access-list 100 permit ip any any

!

line con 0

line aux 0

line vty 0 4

login

!

end

Router2:

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router2

!

boot-start-marker

boot-end-marker

!

memory-size iomem 10

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

!

ip cef

ipv6 cef

ipv6 unicast-routing

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key xxxx address 192.168.3.1

!

interface Tunnel1

no ip address

ipv6 address 2000:3::2/64

tunnel source 192.168.3.2

tunnel destination 192.168.3.1

tunnel mode ipv6ip

no shut

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

ipv6 address 2000:2::1/64

ipv6 enable

no shut

!

interface Serial0/0

no ip address

shutdown

no fair-queue

!

interface BRI0/0

no ip address

shutdown

!

interface FastEthernet0/0

ip address 192.168.3.2 255.255.255.0

duplex auto

speed auto

no shut

!

interface Serial0/1

no ip address

shutdown

!

ip http server

no ip http secure-server

ip classless

!

ipv6 route 2000:1::/64 tunnel 1

ipv6 route 2000:3::/64 tunnel 1

!

access-list 100 permit ip any any

!

line con 0

line aux 0

line vty 0 4

login

!

end

mhussein · ‎04-29-2005

Hello,

I don't have much to offer as far as IPv6, but I am interested in seeing whether a GRE tunnel would do the trick as documented here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d6604.html#wp1037113

It would be nice if you could share your results.

Mustafa