05-22-2022 03:17 AM
Hello. I'm trying to implement a tunnel between two endpoints in an IPv6 network, using IPSEC.
The tunnel establishes correctly: I used wireshark to see the IKE packets during the negotiation.
The problem is, pings are not going through the tunnel correctly.
The real addresses of the tunnel endpoints are "2001:db8:100::1" and "2001:db8:200::1". The addresses of the tunnel interfaces are "2001:db8:300::1" and "2001:db8:300::2".
This is my configuration:
Endpoint 1:
interface Tunnel0
ip address 100.40.0.1 255.255.255.0
ipv6 address 2001:DB8:300::1/64
ipv6 enable
tunnel source 2001:DB8:100::1
tunnel mode gre ipv6
tunnel destination 2001:DB8:200::1
tunnel path-mtu-discovery
tunnel protection ipsec profile custom_ipsec_profile
Endpoint 2:
interface Tunnel0
ip address 100.40.0.2 255.255.255.0
ipv6 address 2001:DB8:300::2/64
ipv6 enable
tunnel source 2001:DB8:200::1
tunnel mode gre ipv6
tunnel destination 2001:DB8:100::1
tunnel path-mtu-discovery
tunnel protection ipsec profile custom_ipsec_profile
Output of "show crypto ipsec sa":
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:100::1
protected vrf: (none)
local ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
remote ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
current_peer 2001:DB8:200::1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2001:DB8:100::1,
remote crypto endpt.: 2001:DB8:200::1
plaintext mtu 1462, path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb GigabitEthernet2
current outbound spi: 0x38443141(943993153)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4CE5675(80631413)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2018, flow_id: CSR:18, sibling_flags FFFFFFFF80000009, crypto map: Tunnel0-head-0
"traceroute" of ping through the tunnel:
traceroute 2001:db8:300::2
Type escape sequence to abort.
Tracing the route to 2001:DB8:300::2
1 * * *
2 * * *
05-22-2022 03:51 AM - edited 05-22-2022 04:11 AM
Use source with the ping and traceroute commands.
ping x.x.x.x source y.y.y.y
x.x.x.x is the IPv6 tunnel IP
y.y.y.y is the IPv6 remote tunnel IP
05-22-2022 04:29 AM
Thank you for your reply.
I have tried:
ping 2001:db8:300::2 source 2001:db8:300::1
Same result, failed.
I don't understand why the packet is being lost, when "show ipv6 route" shows the correct route through the tunnel.
05-22-2022 04:32 AM - edited 05-22-2022 04:33 AM
Ping the tunnel destination using the tunnel source.
Check the reachability on both sides.
The tunnel is UP but the destination is not reachable.
05-22-2022 04:05 AM
Hello,
I am looking at
#pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
I can't see Decaps packets. Which is indicating me that something is wrong in routing or phase2 configuration.
1. verify same on other end
2. check your phase2 configuration
3. share phase2 logs or debug logs from both ends
4. Also check routing at both ends.
05-22-2022 04:30 AM
Thank you for your reply.
The same pattern occurs in the other end: a lot of encaps, no decaps.
What do you mean by "phase2"? Are there any logs I can look for to find out what's happening?
05-22-2022 04:55 AM
Share complete configuration from both devices.
If it is the same from both ends, then where are the packets getting dropped?
05-22-2022 06:28 AM
@SDABIS so you can see encaps counters increasing at BOTH ends, but no decaps?
Do you have a firewall/ACL in front of either device that could be blocking ESP?
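As an added example (not from this thread and not Cisco's code), a small Python checker that parses the counter and ident lines of "show crypto ipsec sa" from both ends and turns the encaps/decaps pattern discussed above into a verdict. Endpoint 1's sample lines are copied from the thread; endpoint 2's are constructed to show the same pattern the poster reported.

```python
import re

# Constructed sample of the relevant "show crypto ipsec sa" lines. Endpoint 1 copies
# the thread; endpoint 2 is made up to show the same pattern the poster reported.
SA_OUTPUT = {
    "endpoint1": """
local ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
remote ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
#pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
""",
    "endpoint2": """
local ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
remote ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
#pkts encaps: 83, #pkts encrypt: 83, #pkts digest: 83
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
""",
}

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?\(([0-9A-Fa-f:.]+)/(\d+)/(\d+)/\d+\)")

def parse_sa(text):
    """Extract the packet counters and proxy identities from one device's output."""
    sa = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    sa.update({f"{k}_errors": int(v) for k, v in ERROR_RE.findall(text)})
    for side, addr, plen, proto in IDENT_RE.findall(text):
        sa[f"{side}_ident"] = (addr.upper(), int(plen), int(proto))
    return sa

def diagnose(a, b):
    """Return (code, explanation) for the SA summaries of the two tunnel ends."""
    if a.get("local_ident") != b.get("remote_ident") or a.get("remote_ident") != b.get("local_ident"):
        return "ident-mismatch", "proxy identities do not mirror: tunnel source/destination disagree"
    if a.get("encaps", 0) == 0 and b.get("encaps", 0) == 0:
        return "no-traffic", "neither end encapsulates: traffic is not being routed into the tunnel"
    if a.get("recv_errors", 0) or b.get("recv_errors", 0):
        return "recv-errors", "ESP arrives but is rejected: compare transform sets and SA state"
    lost_towards_a = b.get("encaps", 0) > 0 and a.get("decaps", 0) == 0
    lost_towards_b = a.get("encaps", 0) > 0 and b.get("decaps", 0) == 0
    if lost_towards_a and lost_towards_b:
        return "esp-dropped-both", "both ends send ESP, neither receives: IP proto 50 is filtered in the path"
    if lost_towards_a or lost_towards_b:
        return "esp-dropped-one-way", "ESP is lost in one direction only: asymmetric filtering or routing"
    return "ok", "ESP is encapsulated and decapsulated at both ends"
```

Running diagnose(parse_sa(SA_OUTPUT["endpoint1"]), parse_sa(SA_OUTPUT["endpoint2"])) on the sample yields the "esp-dropped-both" verdict, which is the case the last reply points at: ESP is leaving both routers but arriving at neither.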