3258 Views, 0 Helpful, 17 Replies

VPN over IPv6

Service Spring
Level 1

I've been trying to create a VPN between my 5505 and 5520 over IPv6.

I think I have everything set up correctly, but when I reboot the 5505, it will ping the 5520 over IPv6 (and get a reply), but nothing else happens.

Has anyone else tried this?

I'm running 8.3.2 on both endpoints

Thanks

17 Replies

Marcin Latosiewicz
Cisco Employee

I've tried this before 8.3.1 in a lab setup.

It should work flawlessly - can you share logs at informational level and the configurations?

Sure...I'll attach them to this reply.

I tried to give you all the lines relevant to this... If I've left one out, let me know and I'll track it down.

Concerns:

- Are you sure those HOST addresses are valid?

I mean I would expect a host not to have all zeros at the end unless you configured them explicitly like this.

- Why do you configure a trustpoint under the tunnel-groups when you're using PSK?

- You don't need to allow traffic TO the box on access-list

Hard to say something more without:

- ipv6 routing table

- interface configuration (do you use multiple addresses?)

- logging/debugs - logging at informational level + debug crypto isa 100 and debug crypto ipsec 100.

To see if traffic is being allowed and initiated.

1) Yep, I'm sure the host addresses are correct.  The DMZ subnet is 2001:470:c27d:e000::/64

2) I was just trying to make it work. I had tried the pre-shared key route first, and when it didn't work, went to a trustpoint.

Addresses are attached

I ran the two debug commands you listed, but nothing happened... I even rebooted the 5505

ciscoasa# debug crypto ipsec 100
ciscoasa# debug crypto isa 100
ciscoasa#

All that shows in the ASDM log viewer are pings (see attached)

I'm a hardware guy that's trying to make this work, so I wouldn't assume much

*headache on*

There's something just not adding up.

The ASDM ping you've shown me is all destined to all-nodes from a host that is not mentioned in the crypto ACL...

which is:
ipv6 access-list Outside_cryptomap_3 permit ip host PREFIX_32:c27d:e000:: host PREFIX_32:c1f0:4::

If traffic is not matching the ACL it will not go over the tunnel.

Marcin

Here's an example setup I did with ASAs 8.3.2:

bsns-asa5520-10# sh cry isa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2001:db8:1:0:21b:d4ff:fe26:3881
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

bsns-asa5520-10# sh run crypto
crypto ipsec transform-set TRA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map CRYPTOMAP 20 match address CMAP_20
crypto map CRYPTOMAP 20 set peer 2001:db8:1:0:21b:d4ff:fe26:3881
crypto map CRYPTOMAP 20 set transform-set TRA
crypto map CRYPTOMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

bsns-asa5520-10# sh access-l CMAP_20
ipv6 access-list CMAP_20; 1 elements; name hash: 0x810fa635
ipv6 access-list CMAP_20 line 1 permit ip 2001:db8:12::/64 2001:db8:11::/64 (hitcnt=32) 0x71d914d0

bsns-asa5520-10# sh run tunnel-g
tunnel-group 2001:db8:1:0:21b:d4ff:fe26:3881 type ipsec-l2l
tunnel-group 2001:db8:1:0:21b:d4ff:fe26:3881 ipsec-attributes
pre-shared-key *****

bsns-asa5520-10# sh ipv6 route

IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static
L   2001:db8:1:0:219:6ff:fe65:3eda/128 [0/0]
     via ::, outside
C   2001:db8:1::/64 [0/0]
     via ::, outside
S   2001:db8:11::/64 [0/0]
     via 2001:db8:1:0:21b:d4ff:fe26:3881, outside
L   2001:db8:12:0:219:6ff:fe65:3edb/128 [0/0]
     via ::, inside
C   2001:db8:12::/64 [0/0]
     via ::, inside
L   fe80::/10 [0/0]
     via ::, outside
     via ::, inside
L   ff00::/8 [0/0]
     via ::, outside
     via ::, inside
S   ::/0 [0/0]
     via 2001:db8:1:0:21b:d4ff:fe26:3881, outside

I'm assuming part of my problem is the crypto stuff

How would I go about entering those commands?

Most of them make sense, but I don't know how to define the CMAP_20

Thanks

Goooood evening,

CMAP_20 is just an ipv6 access-list, specifying which IPv6 subnets we're going to encrypt.

In your case you've called it:

ipv6 access-list outside_cryptomap permit ip host PREFIX_32:c1f0:4:: host PREFIX_32:c27d:e000::

In my case I've defined the whole subnet:

ipv6 access-list CMAP_20 line 1 permit ip 2001:db8:12::/64 2001:db8:11::/64

Marcin

P.S.

Strangely enough, IPv6 material for the ASA is not well published :{
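Added example, not part of the thread and not Cisco's code: a small Python check that evaluates a source/destination pair against an ASA-style ipv6 access-list, to show the difference between a crypto ACL whose entries are "host <subnet-address>" (as quoted in the thread, which a real host on that subnet never matches, so the crypto map gets no hits and IKE is never triggered) and a /64-to-/64 entry like CMAP_20. The ACL lines, addresses and flows are constructed with the 2001:db8::/32 documentation prefix, not the poster's real PREFIX_32; the parser only handles the "permit|deny ip SRC DST" form shown in the thread, with an optional "line N" as printed by "show access-list".

```python
"""Evaluate flows against an ASA-style IPv6 crypto ACL (added example)."""
import ipaddress
from typing import List, Tuple

Ace = Tuple[str, ipaddress.IPv6Network, ipaddress.IPv6Network]

# Constructed sample ACLs over the same two prefixes so one flow can be tested
# against both styles. Documentation prefix (RFC 3849), not the thread's prefix.
HOST_STYLE_ACL = [
    "ipv6 access-list Outside_cryptomap_3 permit ip host 2001:db8:12:: host 2001:db8:11::",
]
SUBNET_STYLE_ACL = [
    "ipv6 access-list CMAP_20 line 1 permit ip 2001:db8:12::/64 2001:db8:11::/64",
]


def _operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    """Consume one address operand at tokens[i]: 'host A', 'A/len', 'any' or 'any6'.

    Returns the network it denotes and the index of the next token.
    """
    tok = tokens[i]
    if tok == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    if tok in ("any", "any6"):
        return ipaddress.IPv6Network("::/0"), i + 1
    # strict=False tolerates host bits set inside a prefix, as the CLI does
    return ipaddress.IPv6Network(tok, strict=False), i + 1


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'ipv6 access-list NAME [line N] permit|deny ip SRC DST' entries."""
    aces: List[Ace] = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ipv6", "access-list"]:
            raise ValueError(f"not an ipv6 access-list entry: {line!r}")
        i = 3
        if tokens[i] == "line":  # 'show access-list' output carries a line number
            i += 2
        action, proto = tokens[i], tokens[i + 1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit ip' / 'deny ip' entries are handled: {line!r}")
        src, i = _operand(tokens, i + 2)
        dst, _ = _operand(tokens, i)
        aces.append((action, src, dst))
    return aces


def is_interesting(aces: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation of one flow against the crypto ACL.

    True means the flow is "interesting traffic" that would be encrypted and,
    with no SA yet, would trigger IKE. A flow that matches no entry, or whose
    first matching entry is a deny, bypasses the tunnel.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    host_acl = parse_acl(HOST_STYLE_ACL)
    subnet_acl = parse_acl(SUBNET_STYLE_ACL)
    flow = ("2001:db8:12::10", "2001:db8:11::20")  # a real host on each side
    # Host-style ACL: only the all-zero subnet addresses themselves match.
    print("host-style ACL, real hosts :", is_interesting(host_acl, *flow))          # False
    print("host-style ACL, :: to ::   :", is_interesting(host_acl, "2001:db8:12::", "2001:db8:11::"))  # True
    # Subnet-style ACL: any host in 2001:db8:12::/64 to any host in 2001:db8:11::/64.
    print("subnet-style ACL, real hosts:", is_interesting(subnet_acl, *flow))       # True
    # The ACL is directional; the peer needs the mirrored entry for return traffic.
    print("subnet-style ACL, reversed  :", is_interesting(subnet_acl, flow[1], flow[0]))  # False
```

The directional check at the end is why the two ends' crypto ACLs must mirror each other: each ASA only classifies traffic leaving through its own crypto-map interface.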

Well, I've changed the config to reflect your comment about the ping coming from a network that wasn't listed, and it didn't help.

For the most part, my setup seems like it's pretty close to what you posted.

OK, the tunnel does not come up because the crypto map (in your case) is not getting any hits.

So I would advise doing a capture on the inside interface of the ASA to check if you do receive packets sourced by the host on your end.

I would also monitor logs for any packets being dropped from the host.

Do you want me to elaborate on something, or are you familiar with the capture and logging capabilities of the ASA?

Marcin

I tried that when I was troubleshooting right after I created (well, tried to create) the VPN setup, and I did not see any traffic from the other IPv6 subnet

Just to make sure we're talking about the same thing.

Subnet_1 -------- inside_1 ASA1 outside_1 ------outside_2 ASA2 inside_2 ----- Subnet_2

You're saying that capture and logs on ASA1, inside1 are saying no traffic is arriving from Subnet_1 destined to Subnet_2?

Marcin

Yep, your diagram looks correct.

If I filter traffic on both ends (on ASA2 looking for traffic from ASA1 and vice versa) I see traffic flowing and I can get my data (web pages over ipv6 at this point)

However, the little VPN light on the ASA doesn't come on to tell me that there's a connection established

Well, let me be more clear on the diagram

I don't have native IPv6 access, so everything is going over a tunnel.  Both tunnel servers are on the outside interface of my ASAs

I need it to work this way:

protected subnet - ASA -Tunnel server -internet     =============  internet - tunnel server - ASA - protected subnet

Hope that makes sense