ASA: Parallel IPv4 and IPv6 IPsec tunnels over IPv4

Blog

Mar 3, 2012 5:44 AM
Mar 3rd, 2012

Disclaimer

Please note that while the below scenario should work for most setups, it is to be considered a hack/workaround/kludge.

There is an upcoming enhancement to IPsec code in ASA release codenamed Arsenal, which will be out later this year. 

Background

A few days ago Greg opened a case with TAC where he was looking for documentation on how to achieve parallel IPsec tunnels over IPv4 for both IPv4 and IPv6 traffic.

His actual topology were multiple devices all around the world connecting to a central hub location in Australia.

Not all the devices had IPv6 addressing so as an interim solution he wanted to tunnel IPv6 over IPv4 in a secure way.

The documentaion is quite scarce on this topic, so we had to go to the lab an test this out.


Topology diagram

Diagram1.png

Solution

The solution that worked for us was based on ASA 8.4.3 on all sites.

We run a parallel IKEv2 for IPv4 over IPv4 IPsec tunnel and IPv6 over IPv4 IKEv1 based tunnel.

Configuration

Basic configuration.

Site without IPv6 internet access

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.48.67.5 255.255.254.0

ipv6 enable

ipv6 nd suppress-ra

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ipv6 address 2001:db8:11::1/64

crypto ipsec ikev1 transform-set TRA1 esp-aes esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal TRA2

protocol esp encryption aes-192 aes

protocol esp integrity sha-1

crypto map MAP 10 match address V4

crypto map MAP 10 set peer 10.48.67.11

crypto map MAP 10 set ikev2 ipsec-proposal TRA2

crypto map MAP 20 match address V6

crypto map MAP 20 set peer 10.48.67.11

crypto map MAP 20 set ikev1 transform-set TRA1

crypto map MAP interface outside

crypto ikev2 policy 10

encryption aes-192 aes

integrity sha256 sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

tunnel-group 10.48.67.11 type ipsec-l2l

tunnel-group 10.48.67.11 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

access-list V4 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ipv6 route outside ::/0 fe80::1111

ipv6 access-list V6 permit ip 2001:db8:11::/64 2001:db8:22::/64

Site with IPv6 internet.

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.48.67.11 255.255.254.0

ipv6 address 2001:db8::2/64

ipv6 nd suppress-ra

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

ipv6 address 2001:db8:22::1/64

access-list V4 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ipv6 route outside ::/0 2001:db8::1

ipv6 access-list V6 permit ip 2001:db8:22::/64 2001:db8:11::/64

crypto ipsec ikev1 transform-set TRA1 esp-aes esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal TRA2

protocol esp encryption aes-192 aes

protocol esp integrity sha-1

crypto map MAP 10 match address V4

crypto map MAP 10 set peer 10.48.67.5

crypto map MAP 10 set ikev2 ipsec-proposal TRA2

crypto map MAP 20 match address V6

crypto map MAP 20 set peer 10.48.67.5

crypto map MAP 20 set ikev1 transform-set TRA1

crypto map MAP interface outside

crypto ikev2 policy 10

encryption aes-192 aes

integrity sha256 sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

tunnel-group 10.48.67.5 type ipsec-l2l

tunnel-group 10.48.67.5 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

Result

After applying this configuration all remote sites were able to reach IPv6 internet.

Note that all IPv6 addresses need to be routable and typically assigned from same /48 or /56 pool as headquarters.

Verification

Let's check if both IKEv1 and IKEv2 are up.

bsns-asa5540-3# sh cry isa sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 10.48.67.5

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role

  1002325       10.48.67.11/500        10.48.67.5/500      READY    INITIATOR

      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/17 sec

Child sa: local selector  192.168.2.0/0 - 192.168.2.255/65535

          remote selector 192.168.1.0/0 - 192.168.1.255/65535

          ESP spi in/out: 0x390ef9d2/0xcfee516

References

RFC 4306  - IKEv2

http://www.ietf.org/rfc/rfc4306.txt

RFC 2409 - IKEv1

http://www.ietf.org/rfc/rfc2409.txt

ASA product references:

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Comments? Feedback?

Leave a comment under this post.

Average Rating: 5 (2 ratings)

Comments

jamiero54 Thu, 04/05/2012 - 22:26

Ive never seen a website using IPv6 although it has been around since quite long

Marcin Latosiewicz Wed, 12/12/2012 - 06:59 (reply to jamiero54)

Jamie,

The objective is rather to enable rapid testing of IPv6 accross the board rather than IPv6 only internet :-)

This solution give you an option of using both IP stacks.

M.

padmabhushan-sawant Wed, 12/12/2012 - 06:38

Thanks for the configuaration.

But what abt the NAT part?

Do we need to bypass NAT where the interesting traffic is IPv6?

munurewan1 Sun, 12/16/2012 - 02:26

hello macin,

i am trying to run the similar setup asa ---cloud---thirdparty, ipsec tunnel is up, seems like when i initiate the ping from behind  ASA, its dropping and packet trace shows the "drop by comfigured rule". i dont have inside to outside any rule (100-->0 no rule need). debug crypto ipsec sa seems that packets are encrypted. when i initate theping from other end, asa says 'descarding the esp packet'.

asa 8.4.2

thanks.

rewant

Marcin Latosiewicz Sun, 12/16/2012 - 02:33 (reply to munurewan1)

Rewant,

We're missing quite a few information.

Open up a TAC case, this setup has worked for a few people flawlessly, so most likely it's just a quesion of finding out what's different on your side.

M.

munurewan1 Sun, 12/16/2012 - 05:42 (reply to Marcin Latosiewicz)

hello Marcini,

here is the config and detailed output:

interface GigabitEthernet0

nameif OUT

security-level 0

ip address 10.10.10.10 255.255.255.0

ipv6 enable

ipv6 nd suppress-ra

!

interface GigabitEthernet1

nameif inside

security-level 100

no ip address

ipv6 address 2001::1/64

!

crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac

crypto map mymap 10 match address 101

crypto map mymap 10 set peer 192.168.1.3

crypto map mymap 10 set ikev1 transform-set t-set

crypto map mymap interface OUT

crypto ikev1 enable OUT

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

!

tunnel-group 192.168.1.3 type ipsec-l2l

tunnel-group 192.168.1.3 ipsec-attributes

ikev1 pre-shared-key *****

!

! just a route is need for the ipv6 traffic.

ipv6 route OUT ::/0 fe80::1111

ipv6 access-list 101 permit ip host 2001::2 host 2002::2

route OUT 0.0.0.0 0.0.0.0 10.10.10.1 1

!

****output

Here is the icmp teardown log msg in asa-------------when initated ping from host 2001::2 to 2002::2

ciscoasa# %ASA-7-609001: Built local-host inside:2001::2

%ASA-7-609001: Built local-host OUT:2002::2

%ASA-6-302020: Built outbound ICMP connection for faddr 2002::2/0(LOCAL\192.168.1.3) gaddr 2001::2/816 laddr 2001::2/816

ciscoasa# %ASA-7-609001: Built local-host inside:fe80::c801:6ff:fe28:8

%ASA-7-609001: Built local-host identity:2001::1

%ASA-6-302020: Built inbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-6-302020: Built outbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

ciscoasa#  logge%ASA-6-302021: Teardown ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-6-302021: Teardown ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr 2001::1/0 laddr 2001::1/0

%ASA-7-609002: Teardown local-host identity:2001::1 duration 0:00:02

%ASA-7-609002: Teardown local-host inside:fe80::c801:6ff:fe28:8 duration 0:00:

ciscoasa# no%ASA-7-609001: Built local-host identity:fe80::2aa:ff:fec1:ab01

%ASA-7-609001: Built local-host inside:fe80::c801:6ff:fe28:8

%ASA-6-302020: Built outbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr fe80::2aa:ff:fec1:ab01/0 laddr fe80::2aa:ff:fec1:ab01/0

%ASA-6-302021: Teardown ICMP connection for faddr 2002::2/0(LOCAL\192.168.1.3) gaddr 2001::2/816 laddr 2001::2/816

%ASA-7-609002: Teardown local-host inside:2001::2 duration 0:00:09

%ASA-7-609002: Teardown local-host OUT:2002::2 duration 0:00:09

%ASA-6-302020: Built inbound ICMP connection for faddr fe80::c801:6ff:fe28:8/0 gaddr fe80::2aa:ff:fec1:ab01/0 laddr fe80::2aa:ff:fec1:ab01/0

Flow Trace--

ciscoasa# packet-tracer input inside icmp 2001::2 8 0 2002::2 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc36db70, priority=1, domain=permit, deny=false

        hits=35, user_data=0x0, cs_id=0x0, l3_type=0xdd86

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   ::              ::              OUT

Phase: 3

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc371408, priority=66, domain=inspect-icmp-error, deny=false

        hits=32, user_data=0xbc370820, cs_id=0x0, use_real_addr, flags=0x0, protocol=58

        src ip/id=::/0, icmp-type=0

        dst ip/id=::/0, icmp-code=0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xbc42fbb8, priority=70, domain=encrypt, deny=false

        hits=2, user_data=0x2d94, cs_id=0xbc2ad6e8, reverse, flags=0x0, protocol=0

        src ip/id=2001::2/128, port=0

        dst ip/id=2002::2/128, port=0

        input_ifc=any, output_ifc=OUT

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: OUT

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# show crypto ipsec sa

interface: OUT

    Crypto map tag: mymap, seq num: 10, local addr: 10.10.10.10

      access-list 101 extended permit ip host 2001::2 host 2002::2

      local ident (addr/mask/prot/port): (2001::2/128/0/0)

      remote ident (addr/mask/prot/port): (2002::2/128/0/0)

      current_peer: 192.168.1.3

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.10/0, remote crypto endpt.: 192.168.1.3/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 54B3E3D8

      current inbound spi : E0E61926

As the packet seems to hit by implicit firewall rule, though the packets seem to encrypted as per 'show crypto ispec sa'. no firewall policy from inside to outside(100-->0).  flow trace route lookup is ok?

Hope this helps.

thanks,

rewant

Actions

Login or Register to take actions

This Blog

Posted March 3, 2012 at 5:44 AM
Stats:
Comments:9 Avg. Rating:5
Views:5149   
Shares:0
Categories: ASA
+

Related Content

Blogs Leaderboard