Site-to-Site VPN for IPv6 IPsec on Routers-Tunnel Issue

Ali Haider
Level 1
Hi, I am facing one problem. Can anyone address the issue below and let me know the solution? I have two routers and am trying to build a "Site-to-Site VPN for IPv6 IPsec". I followed the commands from the Cisco document and community, but when I apply my IPsec profile to the tunnel interface the tunnel goes down.

https://supportforums.cisco.com/docs/DOC-27009

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Ali,

VTI tunnels are supposed to be down when there are no active SPIs negotiated.

The tunnel will go up/up when there is a way to transport packets - i.e. SPIs are present.

You can monitor SPIs with the "show crypto ipsec sa peer " command.

For debugging:

debug crypto isa

debug crypto ipsec

M.
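
The check described in the answer above, as an added example that is not part of the original thread and not Cisco tooling: a small parser that reads "show crypto ipsec sa" output and reports whether ESP SPIs exist in both directions, which is the condition under which the VTI is expected to be up/up. The sample output is constructed and abbreviated, the SPI values are made up, the function names are hypothetical, and treating a "Status" beginning with ACTIVE as usable is an assumption.

```python
import re

# Constructed, abbreviated sample in the usual layout of IOS
# "show crypto ipsec sa" output; the SPI values are made up.
SAMPLE_UP = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2001:1:1::1
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        Status: ACTIVE
     outbound ah sas:
"""
# Same output before negotiation completes: section headers, no SPIs.
SAMPLE_DOWN = "\n".join(
    l for l in SAMPLE_UP.splitlines() if "spi:" not in l and "Status" not in l)

SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:\s*$")
SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)\(\d+\)")
STATUS = re.compile(r"^\s*Status: (\S+)")

def active_esp_spis(text):
    """Return ACTIVE ESP SPIs per direction from the command output."""
    found = {"inbound": [], "outbound": []}
    section = pending = None
    for line in text.splitlines():
        if m := SECTION.match(line):
            # Only ESP sections count; AH/PCP headers end the ESP section.
            section = m.group(1) if m.group(2) == "esp" else None
            pending = None
        elif section and (m := SPI.match(line)):
            pending = m.group(1)
        elif pending and (m := STATUS.match(line)):
            # Assumption: an SA is usable when its Status starts with ACTIVE.
            if m.group(1).startswith("ACTIVE"):
                found[section].append(pending)
            pending = None
    return found

def vti_expected_up(text):
    """IPsec SAs are one-way, so traffic needs an SA in each direction."""
    spis = active_esp_spis(text)
    return bool(spis["inbound"] and spis["outbound"])
```

Feeding it the captured output from each router shows at a glance whether the tunnel being down is simply the absence of negotiated SAs, in which case the debug commands above are the next step.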

Hi Marcin,

Thanks for your great help. Actually, I was testing the same configuration on a 7200 (15.0(1) IOS). My tunnel was not UP.

Now I tried the same configs on a 3725, Version 12.4(15), and my tunnel is up even without generating traffic.

I have one question: I only call the IPsec profile, which only includes the transform set, on my tunnel interface. Is it also required to put the ISAKMP profile in the IPsec profile as best practice?

Following are the configs.

crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipv6_ipsec_pro
 set transform-set ipv6_tran
!
crypto isakmp profile 3des
 self-identity address ipv6
 match identity address ipv6 2001:1:1::2/64
 keyring default
!
!
int tunnel 1
 ipv6 enable
 ipv6 address 2012:2:2::1/64
 tunnel source 2001:1:1::1
 tunnel destination 2001:1:1::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6_ipsec_pro
!

In the above configs I am not using the ISAKMP profile on the tunnel; I only use the IPsec profile. Will that be the best practice?

Ali,

I would not say it's recommended to use an isakmp profile; it's a feature that allows a bit more flexibility and several functionalities.

If you use an isakmp profile (for example, if you want to use a VRF-list deployment), yes, it's best to map it in the ipsec profile, for best results.

In most scenarios this step will not be required.

M.

Marcin,

Thanks a lot.

Regards,

Ali...