IPv6 support on ASA IPSEC VPN

jason.kwang
Level 1

Hi All,

I need to implement IPv6 for ASA VPN, but I am not sure whether anyone has ever tried this. According to ASA_8.4_cli_cfg.pdf, IPv6 is not supported on ASA IPsec VPN and remote client VPN. I do not have an ASA 8.4. Can anyone help me verify on ASA 8.4 whether the crypto command supports IPv6 addresses? If the crypto command does support IPv6 addresses, then there is probably a chance it will work. Correct me if I am wrong.

What I mean is, e.g., whether crypto map xxx set peer <ipv6 address | ipv4 address> is able to set an IPv6 address.

It seems there isn't a document on the web that clarifies this.

Best Regards

Jason

5 Replies

Marcin Latosiewicz
Cisco Employee

Jason,

There is no problem to do IPv6 over IPv4 or IPv6 over IPv6 IPsec on ASA starting from 8.3.

ciscoasa(config)# crypto map MAP 10 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address

and...

ciscoasa(config)# sh run ipv6
ipv6 access-list IPv6_ANY permit ip any any
ciscoasa(config)# sh run crypto map
crypto map MAP 10 match address IPv6_ANY

From

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Hope this helps,

Marcin

But does it support IPv6 IPsec remote access?

I've not found any information about this at all.

William,

That's a bit more complicated. Feel free to double-check this info with your SE and/or account team for more precise information.

AFAIK there is only a plan to introduce IPv6 as a tunneling protocol for AnyConnect as of the 3.1 or 3.2 release.

Currently you should be able to have an IPv6 address within an IPv4 connection of AnyConnect.

But I would encourage you to contact your SE for definite statement.

Marcin

Hello Marcin,

I am running the following:

Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.66)
Device Manager Version 7.9(2)152

I have looked everywhere. I am trying to find out if this version can support native IPv6 site-to-site VPN.

Thanks.

kerstin-534
Level 1

Hi Jason,

I have configured an IPsec tunnel (IKEv1) for IPv6 between two 8.4.2 ASAs.

In my case the IPsec tunnel encrypts IPv6; the outer transport protocol can be either IPv6 or IPv4. I have successfully tested the use case of IPv6 as transport protocol.

I would be happy if CSM would support this.

    Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
      access-list ACL_IPV6_CRYPTO extended permit ip fd00:1960:108:110::/64 fd00:1960:108:801::/64
      local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
      remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
      current_peer: 192.168.222.2
      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

regards,

Herbert
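
An added example, not part of any post in this thread: a Python check that reads `show crypto ipsec sa`-style output like the excerpt above and reports, for each SA, which address family is tunneled inside which, flagging inner networks that do not share an addressing scheme (the condition in the quoted configuration guide). The sample text is constructed from the excerpt; the function names and the one-way-traffic check are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, laid out like the "show crypto ipsec sa" excerpt above.
SAMPLE = """\
    Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
      local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
      remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
      current_peer: 192.168.222.2
      #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
"""

# Only the address part of each ident is needed to decide the inner family.
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/\s]+)/")
OUTER = re.compile(r"local addr: (\S+)[\s\S]*?current_peer: ([^\s,]+)")
PKTS = re.compile(r"#pkts (\w+): (\d+)")

def family(addr):
    """Return 4 or 6; raises ValueError on anything that is not an IP address."""
    return ipaddress.ip_address(addr).version

def audit(text):
    """Return one report dict per complete SA block found in the output."""
    reports = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        inner = dict(IDENT.findall(block))
        outer = OUTER.search(block)
        if set(inner) != {"local", "remote"} or not outer:
            continue  # header text or a truncated block
        pkts = {name: int(count) for name, count in PKTS.findall(block)}
        in_l, in_r = family(inner["local"]), family(inner["remote"])
        out_l, out_p = family(outer.group(1)), family(outer.group(2))
        findings = []
        if in_l != in_r:
            findings.append("inner networks mix IPv4 and IPv6")
        if out_l != out_p:
            findings.append("local address and peer are different families")
        if pkts.get("encaps", 0) and not pkts.get("decaps", 0):
            findings.append("traffic is encrypted but nothing is decrypted")
        reports.append({"peer": outer.group(2),
                        "mode": f"IPv{in_l}-in-IPv{out_l}",
                        "encaps": pkts.get("encaps", 0),
                        "decaps": pkts.get("decaps", 0),
                        "findings": findings})
    return reports

if __name__ == "__main__":
    for report in audit(SAMPLE):
        print(report)
```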
