jason.kwang
Beginner

IPv6 support on ASA IPSEC VPN

Hi All,

I need to implement IPv6 for ASA VPN, but I am not sure anyone has ever tried this. According to ASA_8.4_cli_cfg.pdf, IPv6 is not supported on ASA IPSEC VPN and remote client VPN. I do not have an ASA 8.4. Can anyone help me verify on ASA 8.4 whether the crypto command supports IPv6 addresses? If the crypto command does support IPv6 addresses, then there is probably a chance it will work. Correct me if I am wrong.

What I mean is, e.g., whether crypto map xxx set peer <ipv6 address | ipv4 address> is able to set an IPv6 address.

It seems there isn't a document on the web that clarifies this.

Best Regards

Jason

4 REPLIES 4
Marcin Latosiewicz
Cisco Employee

Jason,

There is no problem to do IPv6 over IPv4 or IPv6 over IPv6 IPsec on ASA starting from 8.3.

ciscoasa(config)# crypto map MAP 10 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address

and...

ciscoasa(config)# sh run ipv6
ipv6 access-list IPv6_ANY permit ip any any
ciscoasa(config)# sh run crypto map
crypto map MAP 10 match address IPv6_ANY

From

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Hope this helps,

Marcin

But does it support IPv6 IPsec remote access?

I've not found any information about this at all.

William,

That's a bit more complicated. Feel free to double-check this info with your SE and/or account team to get more precise information.

AFAIK there is only a plan to introduce IPv6 as a tunneling protocol for AnyConnect as of the 3.1 or 3.2 release.

Currently you should be able to have an IPv6 address within an IPv4 connection of AnyConnect.

But I would encourage you to contact your SE for definite statement.

Marcin

kerstin-534
Beginner

Hi Jason,

I have configured an IPSEC tunnel (IKEv1) for IPv6 between 2 8.4.2 ASAs.

In my case the IPSEC tunnel encrypts IPv6; the outer transport protocol can be either IPv6 or IPv4. I have successfully tested the use case of IPv6 as transport protocol.

I would be happy if CSM would support this.

    Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1

      access-list ACL_IPV6_CRYPTO extended permit ip fd00:1960:108:110::/64 fd00:1960:108:801::/64

      local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)

      remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)

      current_peer: 192.168.222.2

      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29

      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

regards,

Herbert
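
For checking a tunnel against the "matching addressing schemes" requirement quoted earlier in the thread, here is an added example (not code from any of the posters or from Cisco) that parses one SA block in the format of the output above and reports the inner and outer address families plus the traffic counters. The function names and the SAMPLE text are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the fields of the `show crypto ipsec sa` excerpt quoted
# in the thread, with the blank lines between them removed.
SAMPLE = """\
    Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
      local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
      remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
      current_peer: 192.168.222.2
      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
"""

def find(pattern, text):
    """Return the regex match, or fail loudly if the field is missing."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m

def ident(text, side):
    # The mask is a prefix length for IPv6 and a dotted netmask for IPv4;
    # ip_network() accepts both forms.
    m = find(side + r" ident \(addr/mask/prot/port\): \(([^/\s]+)/([^/\s]+)/\d+/\d+\)", text)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def endpoint(text, label):
    return ipaddress.ip_address(find(label + r":\s*([0-9A-Fa-f:.]+)", text).group(1))

def summarize(text):
    """Classify one SA block: inner (protected) vs outer (transport) family."""
    local, remote = ident(text, "local"), ident(text, "remote")
    outer = endpoint(text, "current_peer")
    encaps = int(find(r"#pkts encaps: (\d+)", text).group(1))
    decaps = int(find(r"#pkts decaps: (\d+)", text).group(1))
    return {
        "inner_match": local.version == remote.version,  # both IPv4 or both IPv6
        "inner": f"IPv{local.version}",
        "outer": f"IPv{outer.version}",
        "encaps": encaps,
        "decaps": decaps,
        "two_way": encaps > 0 and decaps > 0,  # traffic seen in both directions
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An SA whose "inner_match" is False, or whose "two_way" stays False while traffic is being sent, is worth a closer look at the crypto ACLs on both peers.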
