Solved: IPv6 traffic over IPv4 VTI ipsec

sylvain.munaut · ‎07-09-2011

Hi,

I have a VTI ipsec over ipv4 that I use for LAN traffic between sites.

Something like :

interface Tunnel0

ip address 172.16.1.1 255.255.255.0

tunnel source 80.80.80.1

tunnel destination 90.90.90.1

tunnel mode IPsec ipv4

tunnel protection IPsec profile vti_profile

Now I'd like to tunnel IPv6 over those as well.

I tried just adding an IPv6 address on Tunnel0 but that didn't work.

I can create a tunnel over the IPv4 link like this:

interface Tunnel1

tunnel source Tunnel0

tunnel destination 172.16.1.2

tunnel mode ipv6ip

ipv6 enable

ipv6 address 3000::1/112

But I was wondering if there was another solution ?

Cheers,

Sylvain

Marcin Latosiewicz · ‎07-18-2011

Sylvain,

I don't believe you can transport IPv6 over IPv4 SVTI.

I do believe you received a message that this is not supported - the proposals negotiated are explicitly for IPv4:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

There is a tunnel mode ipsec ipv6 BUT it's ipv6 over IPv6 only.

I think your best choice is to run GRE o IPsec instead of SVTI if you want to tunnel IPv6 at the same time.

(Please note that I have not been keeping up to date with any improvements to VTI recently, things might have changed)

Marcin

Marcin Latosiewicz · ‎07-18-2011