Problem with IPSEC tunnel using IPv6

SDABIS
Level 1

Hello. I'm trying to implement a tunnel between two endpoints in an IPv6 network, using IPsec.

The tunnel establishes correctly: I used wireshark to see the IKE packets during the negotiation.

The problem is, pings are not going through the tunnel correctly.

The real addresses of the tunnel endpoints are "2001:db8:100::1" and "2001:db8:200::1". The addresses of the tunnel interfaces are "2001:db8:300::1" and "2001:db8:300::2".

This is my configuration:

 

Endpoint 1:

interface Tunnel0
ip address 100.40.0.1 255.255.255.0
ipv6 address 2001:DB8:300::1/64
ipv6 enable
tunnel source 2001:DB8:100::1
tunnel mode gre ipv6
tunnel destination 2001:DB8:200::1
tunnel path-mtu-discovery
tunnel protection ipsec profile custom_ipsec_profile

 

Endpoint 2:

interface Tunnel0
ip address 100.40.0.2 255.255.255.0
ipv6 address 2001:DB8:300::2/64
ipv6 enable
tunnel source 2001:DB8:200::1
tunnel mode gre ipv6
tunnel destination 2001:DB8:100::1
tunnel path-mtu-discovery
tunnel protection ipsec profile custom_ipsec_profile

Output of "show crypto ipsec sa":

interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:100::1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
  remote ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
  current_peer 2001:DB8:200::1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 2001:DB8:100::1,
    remote crypto endpt.: 2001:DB8:200::1
    plaintext mtu 1462, path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb GigabitEthernet2
    current outbound spi: 0x38443141(943993153)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
     spi: 0x4CE5675(80631413)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Transport, }
       conn id: 2018, flow_id: CSR:18, sibling_flags FFFFFFFF80000009, crypto map: Tunnel0-head-0

"traceroute" of ping through the tunnel:

traceroute 2001:db8:300::2
Type escape sequence to abort.
Tracing the route to 2001:DB8:300::2

 1  *  *  *  
 2  *  *  *


Use source with the ping and traceroute commands:
ping x.x.x.x source y.y.y.y
x.x.x.x is the IPv6 tunnel IP
y.y.y.y is the IPv6 remote tunnel IP

Thank you for your reply.

I have tried:

ping 2001:db8:300::2 source 2001:db8:300::1

Same result, failed.

 

I don't understand why the packet is being lost, when "show ipv6 route" shows the correct route through the tunnel.

 

Ping the tunnel destination using the tunnel source and check reachability on both sides.

The tunnel is UP but the destination is not reachable.

Deepak Kumar
VIP Alumni

Hello,

I am looking at 

  #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

I can't see any decaps packets, which indicates to me that something is wrong in the routing or the phase 2 configuration.

 

1. verify same on other end

2. check your phase2 configuration

3. share phase2 logs or debug logs from both ends

4. Also check routing at both ends. 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thank you for your reply.

The same pattern occurs in the other end: a lot of encaps, no decaps.

What do you mean by "phase 2"? Are there any logs I can look at to find out what's happening?

Share the complete configuration from both devices.

 

If it is the same from both ends, then where are the packets getting dropped?

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

@SDABIS so you can see encaps counters increasing at BOTH ends, but no decaps?

Do you have a firewall/ACL in front of either device that could be blocking ESP?
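As an added illustration of the check that Deepak Kumar's reply (compare encaps against decaps on both ends, then look at routing and phase 2) and the last reply (is ESP being filtered in the path?) describe, here is a small Python script. It is not from the thread and not Cisco tooling; it parses the ident and counter lines of "show crypto ipsec sa" from each end and classifies the pattern. The Endpoint 1 text is the output posted above; the Endpoint 2 text is constructed on the assumption the poster stated (same pattern, many encaps and zero decaps), with the addresses swapped and the count of 64 invented. The result strings and the ordering of the checks are my own assumptions, not anything IOS prints.

```python
"""Classify the 'encaps up, decaps zero' symptom from 'show crypto ipsec sa' on both tunnel ends."""
import re
from dataclasses import dataclass

# Constructed sample input. EP1_SA is the relevant part of the output posted in the thread;
# EP2_SA is an ASSUMED mirror image (poster reported the same pattern: encaps but no decaps).
EP1_SA = """\
interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:100::1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
  remote ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
  current_peer 2001:DB8:200::1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 0, #recv errors 0
"""

EP2_SA = """\
interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:200::1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (2001:DB8:200::1/128/47/0)
  remote ident (addr/mask/prot/port): (2001:DB8:100::1/128/47/0)
  current_peer 2001:DB8:100::1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 64, #pkts encrypt: 64, #pkts digest: 64
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/(\d+)/(\d+)/\d+\)"
)


@dataclass
class SaStats:
    local_ident: str
    remote_ident: str
    proto: int          # 47 == GRE, which is what 'tunnel mode gre ipv6' should select on
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_sa(text: str) -> SaStats:
    """Pull the selectors and packet counters out of one end's 'show crypto ipsec sa' text."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    idents = {}
    proto = 0
    for side, addr, _mask, prot in IDENT_RE.findall(text):
        idents[side] = addr.lower()   # IOS prints hex uppercase; normalise so ends compare equal
        proto = int(prot)
    m = ERRORS_RE.search(text)
    send_err, recv_err = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return SaStats(idents["local"], idents["remote"], proto,
                   counters.get("encaps", 0), counters.get("decaps", 0),
                   send_err, recv_err)


def diagnose(a: SaStats, b: SaStats) -> str:
    """Map the two ends' counters to the most likely fault class (labels are my own)."""
    # Selectors must mirror each other, or the two ends are not describing the same SA.
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        return "ident-mismatch"
    if a.proto != 47 or b.proto != 47:
        return "unexpected-proto"        # GRE-over-IPv6 should protect protocol 47 only
    if a.encaps == 0 and b.encaps == 0:
        return "no-traffic-routed-into-tunnel"   # routing problem, crypto never consulted
    if a.recv_errors or b.recv_errors:
        return "esp-arrives-but-rejected"        # ESP reaches the box but fails verify/replay
    if a.decaps == 0 and b.decaps == 0:
        return "esp-dropped-in-transit"  # both send, neither receives: ESP (next header 50) filtered
    if a.decaps == 0 and b.decaps > 0:
        return "esp-from-b-not-reaching-a"
    if b.decaps == 0 and a.decaps > 0:
        return "esp-from-a-not-reaching-b"
    return "sa-passing-traffic"          # look inside the tunnel: inner addresses, ipv6 route


if __name__ == "__main__":
    print(diagnose(parse_sa(EP1_SA), parse_sa(EP2_SA)))
```

With the thread's pattern the script returns "esp-dropped-in-transit": IKE on UDP 500 clearly passes (the SA exists), each router encapsulates, and neither ever decapsulates, which points at something between the two routers discarding ESP rather than at the tunnel configuration itself. The one-way results are the case to compare against when only one end shows decaps.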