I need to implement IPv6 for ASA VPN, but I am not sure anyone has ever tried this. According to ASA_8.4_cli_cfg.pdf, IPv6 is not supported on ASA IPsec VPN and remote client VPN. I do not have an ASA 8.4. Can anyone help me verify on ASA 8.4 whether the crypto command supports IPv6 addresses? If the crypto command does support IPv6 addresses, then there is probably a chance it will work. Correct me if I am wrong.
What I mean is, e.g., whether crypto map xxx set peer <ipv6 address | ipv4 address> is able to set an IPv6 address.
It seems there isn't a document on the web that clarifies this.
There is no problem doing IPv6 over IPv4 or IPv6 over IPv6 IPsec on ASA starting from 8.3.
ciscoasa(config)# crypto map MAP 10 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
ciscoasa(config)# sh run ipv6
ipv6 access-list IPv6_ANY permit ip any any
ciscoasa(config)# sh run crypto map
crypto map MAP 10 match address IPv6_ANY
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Hope this helps,
That's a bit more complicated. Feel free to double-check this info with your SE and/or account team for more precise information.
AFAIK there is only a plan to introduce IPv6 as a tunneling protocol for AnyConnect as of the 3.1 or 3.2 release.
Currently you should be able to have an IPv6 address within an IPv4 connection of AnyConnect.
But I would encourage you to contact your SE for a definite statement.
I have configured an IPsec tunnel (IKEv1) for IPv6 between 2 8.4.2 ASAs.
In my case the IPsec tunnel encrypts IPv6; the outer transport protocol can be either IPv6 or IPv4. I have successfully tested the use case of IPv6 as the transport protocol.
I would be happy if CSM would support this.
Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
access-list ACL_IPV6_CRYPTO extended permit ip fd00:1960:108:110::/64 fd00:1960:108:801::/64
local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
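Added example, not part of the thread and not Cisco tooling: a small Python check that reads SA output in the layout quoted above, reports which address family is tunnelled inside which, and flags mismatched inner selectors or idle counters. The function names (`parse_sa`, `check_sa`, `describe`) are hypothetical, and the sample text reuses the values from the output above.

```python
import ipaddress
import re

# Sample built from the SA output quoted in the thread (ACL line omitted).
SAMPLE = """\
Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
"""

def parse_sa(text):
    """Extract outer address, inner selectors and packet counters from one SA block."""
    sa = {"counters": {}}
    m = re.search(r"local addr: (\S+)", text)
    sa["outer"] = ipaddress.ip_address(m.group(1)) if m else None
    for side, inner in re.findall(
            r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)", text):
        # IPv6 idents carry a prefix length, IPv4 idents a dotted netmask.
        addr, mask, _prot, _port = inner.rsplit("/", 3)
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in re.findall(r"#pkts (\w+): (\d+)", text):
        sa["counters"][name] = int(value)
    return sa

def check_sa(sa):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if sa["local"].version != sa["remote"].version:
        findings.append("inner selectors mix IPv4 and IPv6")
    c = sa["counters"]
    if c.get("encaps", 0) == 0:
        findings.append("no packets encapsulated (nothing entering the tunnel)")
    if c.get("decaps", 0) == 0:
        findings.append("no packets decapsulated (nothing returning from the peer)")
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        findings.append("encaps/encrypt or decaps/decrypt counters differ")
    return findings

def describe(sa):
    """Summarise inner (protected) and outer (transport) address families."""
    return f"IPv{sa['local'].version} inside IPv{sa['outer'].version}"

if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    print(describe(sa), check_sa(sa) or "no findings")
```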