
TCP(IPv6) traffic is not successful over IPv6-IPSEC tunnel

Hi Team, Greetings!!!

I established an IPSEC-IPv6 tunnel with a Cisco 1000v endpoint. ICMP and UDP (IPv6) traffic is working fine over the tunnel, but TCP traffic (IPv6) is not working. Could you please help on this?

Topology:
Lanhost1--[Branchedge]--------[Cisco]---[Linux1]----[Endhost]

If I initiate TCP traffic from Lanhost1, the SYN packet is received by Endhost, Endhost sends a SYN-ACK, and Linux1 sends the SYN-ACK to Cisco,
but Cisco didn't forward this packet to Branchedge.
I did a tcpdump on Branchedge; I see the ESP packet from Branchedge to Cisco, but I didn't see the return ESP packet.

Cisco config:
crypto ikev2 proposal 21
encryption aes-cbc-128
integrity sha1
group 14

crypto ikev2 policy ikev221
match fvrf c1_global
match address local <Cisco IPv6 ip>
proposal 21

crypto ikev2 profile profile21
match fvrf c1_global
match identity remote address <BranchIPv6 IP>/128
authentication remote pre-share key velocloud
authentication local pre-share key velocloud

crypto ipsec transform-set ipsec-prop-vc-21 esp-aes esp-sha256-hmac
mode tunnel

crypto ipsec profile ipsec_profile21
set transform-set ipsec-prop-vc-21
set pfs group14
set ikev2-profile profile21

interface Tunnel21
vrf forwarding c1_global
no ip address
ipv6 address <some IPv6 ip>/64
ipv6 enable
ipv6 tcp adjust-mss 1320
tunnel source <Cisco IPv6 IP with which tunnel established>
tunnel mode ipsec ipv6
tunnel destination <Branch IP>
tunnel vrf c1_global
tunnel protection ipsec profile ipsec_profile21
end

4 Replies

balaji.bandi
Hall of Fame

Is this a lab or a real environment?

but TCP traffic ( IPv6) is not working.Could you please help on this?

Can you explain what the TCP traffic is: is there any web server traffic, or what port traffic?

Have you checked the SA? Is encryption and decryption taking place when you initiate the TCP traffic?

ICMP and UDP (IPv6) traffic is working fine over the tunnel

Lanhost1 to Endhost?

Have you checked for any firewall on Linux (by default)? Also, have you enabled IP forwarding in Linux?

Have you run the debug and checked?

https://community.cisco.com/t5/networking-knowledge-base/configuration-example-site-to-site-vpn-for-ipv6-ipsec/ta-p/3134857

BB


Thanks @balaji.bandi for the response.

This is a lab environment.

It's iperf on port 9005.
End host (behind Cisco): iperf -V -s -p 9005 -i 1
Lanhost (behind edge): iperf -V -c <cisco endhost ip> -p 9005 -i 1 -t 10

I see decryption is taking place, but the encrypted packet count is not incrementing.


csr1#show crypto ipsec sa ipv6

interface: Tunnel21
Crypto map tag: Tunnel21-head-0, local addr FD00:BBBB:1:11::1

protected vrf: c1_global
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer FD00:1:1:1::2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 70601, #pkts encrypt: 70601, #pkts digest: 70601
#pkts decaps: 78356, #pkts decrypt: 78356, #pkts verify: 78356
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0


csr1#show crypto ipsec sa ipv6

interface: Tunnel21
Crypto map tag: Tunnel21-head-0, local addr FD00:BBBB:1:11::1

protected vrf: c1_global
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer FD00:1:1:1::2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 70601, #pkts encrypt: 70601, #pkts digest: 70601
#pkts decaps: 78360, #pkts decrypt: 78360, #pkts verify: 78360
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

There is no firewall which blocks TCP traffic in between; in fact, there are no blocking rules to drop any traffic.

IKE and IPsec SAs are proper, the tunnel is up, and we are able to send ping6/UDP (IPv6) using iperf.
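The two snapshots above are compared by eye: decaps/decrypt climb while encaps/encrypt stay flat. As an added example that is not part of this thread or of any Cisco tool, the following Python script automates that comparison. It parses two captures of `show crypto ipsec sa` output (the sample text is constructed here, modelled on the format posted above, with the thread's counter values), computes the per-counter delta, and classifies the SA as bidirectional, inbound-only, outbound-only, idle, or in error. The snapshot strings, function names and verdict labels are my own assumptions.

```python
import re

# Constructed sample snapshots, modelled on the 'show crypto ipsec sa ipv6'
# format posted in the thread; taken before and after a short TCP test.
SNAPSHOT_BEFORE = """\
interface: Tunnel21
Crypto map tag: Tunnel21-head-0, local addr FD00:BBBB:1:11::1
 #pkts encaps: 70601, #pkts encrypt: 70601, #pkts digest: 70601
 #pkts decaps: 78356, #pkts decrypt: 78356, #pkts verify: 78356
 #send errors 0, #recv errors 0
"""

SNAPSHOT_AFTER = """\
interface: Tunnel21
Crypto map tag: Tunnel21-head-0, local addr FD00:BBBB:1:11::1
 #pkts encaps: 70601, #pkts encrypt: 70601, #pkts digest: 70601
 #pkts decaps: 78360, #pkts decrypt: 78360, #pkts verify: 78360
 #send errors 0, #recv errors 0
"""

# The six per-SA packet counters and the two error counters in the output.
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_counters(output: str) -> dict:
    """Return the packet and error counters of one snapshot as name -> int."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    counters.update(
        {f"{name}_errors": int(value) for name, value in ERROR_RE.findall(output)}
    )
    return counters


def counter_delta(before: str, after: str) -> dict:
    """Difference of every counter present in both snapshots (after - before)."""
    old, new = parse_counters(before), parse_counters(after)
    return {name: new[name] - old[name] for name in old if name in new}


def diagnose(delta: dict) -> str:
    """Classify which direction of the SA carried packets between snapshots."""
    if delta.get("send_errors", 0) or delta.get("recv_errors", 0):
        return "errors"           # crypto engine reported drops: look there first
    inbound = delta.get("decaps", 0) > 0    # peer's ESP arrived and was decrypted
    outbound = delta.get("encaps", 0) > 0   # our traffic was handed to the SA
    if inbound and outbound:
        return "bidirectional"
    if inbound:
        return "inbound-only"     # nothing is reaching the SA for encryption
    if outbound:
        return "outbound-only"    # peer's return traffic never arrives
    return "idle"


if __name__ == "__main__":
    delta = counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for name, change in delta.items():
        print(f"{name:12s} {change:+d}")
    print("verdict:", diagnose(delta))
```

An "inbound-only" verdict, which is what the poster's two captures yield (decaps +4, encaps +0), shows the problem is not IKE or the SA itself: packets are being decrypted, but the reply traffic is never handed to the tunnel for encryption. That narrows the search on the decrypting router to how the return packets are routed or filtered before they reach the tunnel interface, rather than to the crypto negotiation.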

Are you using any zone firewall?

Hi @MHM Cisco World, thanks for the response.

No, I am not using a zone firewall.