05-08-2011 09:39 PM - edited 02-21-2020 05:19 PM
Hi All,
I need to implement IPv6 for ASA VPN, but I am not sure anyone has ever tried this. According to ASA_8.4_cli_cfg.pdf, IPv6 is not supported on ASA IPsec VPN and remote client VPN. I do not have an ASA 8.4. Can anyone help me verify on ASA 8.4 whether the crypto command supports IPv6 addresses? If the crypto command does support IPv6 addresses, then there is probably a chance it will work. Correct me if I am wrong.
What I mean is, e.g., crypto map xxx set peer <ipv6 address | ipv4 address> being able to set an IPv6 address.
It seems there isn't a document on the web that clarifies this.
Best Regards
Jason
05-09-2011 05:28 AM
Jason,
There is no problem to do IPv6 over IPv4 or IPv6 over IPv6 IPsec on ASA starting from 8.3.
ciscoasa(config)# crypto map MAP 10 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
and...
ciscoasa(config)# sh run ipv6
ipv6 access-list IPv6_ANY permit ip any any
ciscoasa(config)# sh run crypto map
crypto map MAP 10 match address IPv6_ANY
From
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Hope this helps,
Marcin
05-19-2011 04:37 PM
But does it support IPv6 IPsec remote access?
I've not found any information about this at all.
05-20-2011 01:13 AM
William,
That's a bit more complicated. Feel free to double-check this info with your SE and/or account team to get more precise information.
AFAIK there is only a plan to introduce IPv6 as a tunneling protocol for AnyConnect as of the 3.1 or 3.2 release.
Currently you should be able to have an IPv6 address within an IPv4 connection of AnyConnect.
But I would encourage you to contact your SE for definite statement.
Marcin
10-23-2023 02:22 PM
Hello Marcin,
I am running the following
Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.66)
Device Manager Version 7.9(2)152
I have looked everywhere; I am trying to find out if this version can support native IPv6 site-to-site VPN.
Thanks.
10-06-2011 04:51 AM
Hi Jason,
I have configured an IPsec tunnel (IKEv1) for IPv6 between two 8.4.2 ASAs.
In my case the IPSEC Tunnel encrypts IPv6, the outer transport-protocol can either
be IPv6 or IPv4. I have successfully tested the use-case of IPv6 as transport protocol.
I would be happy if CSM would support this.
Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
access-list ACL_IPV6_CRYPTO extended permit ip fd00:1960:108:110::/64 fd00:1960:108:801::/64
local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
current_peer: 192.168.222.2
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
regards,
Herbert
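An added example, not part of the original posts and not Cisco tooling: a small Python check that reads one `show crypto ipsec sa` block like the excerpt posted above and reports the outer (peer) address family, the inner (proxy identity) families, whether both inside networks use the same family as the quoted configuration guide requires, and whether traffic is flowing in both directions. The function and key names are assumptions made for this example.

```python
import ipaddress
import re

# Excerpt of the "show crypto ipsec sa" output quoted in the post above.
SAMPLE = """\
Crypto map tag: IPV6, seq num: 15, local addr: 192.168.222.1
local ident (addr/mask/prot/port): (fd00:1960:108:110::/64/0/0)
remote ident (addr/mask/prot/port): (fd00:1960:108:801::/64/0/0)
current_peer: 192.168.222.2
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
"""

def _field(text, pattern):
    """Return the first capture group of pattern, or fail loudly."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"pattern not found: {pattern}")
    return m.group(1)

def _family(addr):
    """Return 4 or 6 for an address string."""
    return ipaddress.ip_address(addr.strip()).version

def _ident_family(text, side):
    """Address family of the 'local ident' or 'remote ident' proxy identity."""
    raw = _field(text, rf"{side} ident \(addr/mask/prot/port\): \((.+)\)")
    return _family(raw.rsplit("/", 3)[0])  # drop mask, protocol and port

def check_sa(text):
    """Summarise one SA block (hypothetical helper for this example)."""
    inner_local = _ident_family(text, "local")
    inner_remote = _ident_family(text, "remote")
    encaps = int(_field(text, r"#pkts encaps: (\d+)"))
    decaps = int(_field(text, r"#pkts decaps: (\d+)"))
    return {
        "outer": _family(_field(text, r"current_peer: (\S+)")),
        "inner_local": inner_local,
        "inner_remote": inner_remote,
        # The quoted guide requires matching inside addressing schemes.
        "inner_match": inner_local == inner_remote,
        "bidirectional": encaps > 0 and decaps > 0,
    }

if __name__ == "__main__":
    print(check_sa(SAMPLE))
```
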