VPN over IPv6

Unanswered Question
Sep 23rd, 2010
User Badges:

I've been trying to create a VPN between my 5505 and 5520 over IPv6.

I think I have everything set up correctly, but when I reboot the 5505, it will ping the 5520 over IPv6 (and get a reply), but nothing else happens.

Has anyone else tried this?

I"m running 8.3.2 on both end points


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcin Latosiewicz Thu, 09/23/2010 - 15:23
User Badges:
  • Cisco Employee,

I've tried this before 8.3.1 in lab setup.

It should work flowlessly - can you share logs on informational level and configurations?

Service Spring Fri, 09/24/2010 - 05:16
User Badges:

Sure...I'll attach them to this reply.

I tried to give you all the lines relvant to this...If I've left one out, let me know and I'll track it down.

Marcin Latosiewicz Fri, 09/24/2010 - 07:01
User Badges:
  • Cisco Employee,


- Are you sure those HOST addresses are valid?

I mean I would expect a host not to have all zeros at the end unless you configured them exlicitly like this.

- why do you configure trustpoint under tunnel-groups with you're using PSK?

- You don't need to allow traffic TO the box on access-list

Hard to say sometiing more without

- ipv6 routing table

- interface configuration (do you use multiple addresses?)

- logging/debugs - logging on informational level + debug crypto isa 100 and debug crypto ipsec 100.

To see if traffic is being allowed and initiated.

Service Spring Fri, 09/24/2010 - 07:30
User Badges:

1) Yep, I'm sure the host addresses are correct.  The DMZ subnet is 2001:470:c27d:e000/64

2)  I was just trying to make it work   I had tried the pre-shared key route first, and when it didn't work, went to trustpoint

Addresses are attached

I ran the two debug commands you listed, but nothing happened...I even rebooted the 5505

ciscoasa# debug crypto ipsec 100
ciscoasa# debug crypto isa 100

All that shows in the ASDM log viewer are pings (see attached)

I'm a hardware guy that's trying to make this work, so I wouldn't assume much

Marcin Latosiewicz Fri, 09/24/2010 - 08:21
User Badges:
  • Cisco Employee,

*headache on*

There's something just not adding up.

the ASDM ping you've shown me is all destined to all nodes from a host that is not in mentioned in crypto ACL...

which is:
ipv6 access-list Outside_cryptomap_3 permit ip host PREFIX_32:c27d:e000:: host PREFIX_32:c1f0:4::

if traffic is not matching the ACL it wll not go over the tunnel.


Marcin Latosiewicz Fri, 09/24/2010 - 12:19
User Badges:
  • Cisco Employee,

Here's an example setup I did with ASAs 8.3.2:

bsns-asa5520-10# sh cry isa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2001:db8:1:0:21b:d4ff:fe26:3881
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

bsns-asa5520-10# sh run crypto
crypto ipsec transform-set TRA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map CRYPTOMAP 20 match address CMAP_20
crypto map CRYPTOMAP 20 set peer 2001:db8:1:0:21b:d4ff:fe26:3881
crypto map CRYPTOMAP 20 set transform-set TRA
crypto map CRYPTOMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

bsns-asa5520-10# sh access-l CMAP_20
ipv6 access-list CMAP_20; 1 elements; name hash: 0x810fa635
ipv6 access-list CMAP_20 line 1 permit ip 2001:db8:12::/64 2001:db8:11::/64 (hitcnt=32) 0x71d914d0

bsns-asa5520-10# sh run tunnel-g
tunnel-group 2001:db8:1:0:21b:d4ff:fe26:3881 type ipsec-l2l
tunnel-group 2001:db8:1:0:21b:d4ff:fe26:3881 ipsec-attributes
pre-shared-key *****

bsns-asa5520-10# sh ipv6 route

IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static
L   2001:db8:1:0:219:6ff:fe65:3eda/128 [0/0]
     via ::, outside
C   2001:db8:1::/64 [0/0]
     via ::, outside
S   2001:db8:11::/64 [0/0]
     via 2001:db8:1:0:21b:d4ff:fe26:3881, outside
L   2001:db8:12:0:219:6ff:fe65:3edb/128 [0/0]
     via ::, inside
C   2001:db8:12::/64 [0/0]
     via ::, inside
L   fe80::/10 [0/0]
     via ::, outside
     via ::, inside
L   ff00::/8 [0/0]
     via ::, outside
     via ::, inside
S   ::/0 [0/0]
     via 2001:db8:1:0:21b:d4ff:fe26:3881, outside

Service Spring Mon, 09/27/2010 - 10:16
User Badges:

I'm assuming part of my problem is the crypto stuff

How would I go about entering those commands?

Most of them make sense, but I don't know how to define the CMAP_20


Marcin Latosiewicz Mon, 09/27/2010 - 12:54
User Badges:
  • Cisco Employee,

Goooood evening,

CMAP_20 is just an ipv6 access-list defined, specyfying which IPv6 subnets we're going to encrypt.

In you case you've called it:

ipv6 access-list outside_cryptomap permit ip host PREFIX_32:c1f0:4:: host PREFIX_32:c27d:e000::

in my case I've defined whole subnet:

ipv6 access-list CMAP_20 line 1 permit ip 2001:db8:12::/64 2001:db8:11::/64



Strangely enough IPv6 material for ASA is not well published :{

Service Spring Tue, 09/28/2010 - 06:37
User Badges:

Well, I've changed the config to reflect your comment about the ping coming from a network that wasn't listed, and it didn't help.

For the most part, my setup seems like it's pretty close to what you posted.

Marcin Latosiewicz Tue, 09/28/2010 - 09:03
User Badges:
  • Cisco Employee,

OK, the tunnel does not come up because the crypto map (*in your case) is not getting any hits.

So I would advise to do a capture on inside interface of the ASA to check if you do receive packets sourced by host on your end.

I would also monitor logs for any packets being dropped from the host.

Do you want me to ellaborate on something or are you familar with capture and logging capabilites of ASA?


Service Spring Thu, 09/30/2010 - 05:19
User Badges:

I tried that when I was troubleshooting right after I created (well tried) the VPN setup and I did not see any traffic from the other IPv6 subnet

Marcin Latosiewicz Thu, 09/30/2010 - 05:52
User Badges:
  • Cisco Employee,

Just to make sure we're talking about same thing.

Subnet_1 -------- inside_1 ASA1 outside_1 ------outside_2 ASA2 inside_2 ----- Subnet_2

You're saying that capture and logs on ASA1, inside1 are saying no traffic is arriving from Subnet_1 destined to Subnet_2?


Service Spring Thu, 09/30/2010 - 13:18
User Badges:

Yep, your diagram looks correct.

If I filter traffic on both ends (on ASA2 looking for traffic from ASA1 and vice versa) I see traffic flowing and I can get my data (web pages over ipv6 at this point)

However, the litte VPN light on the ASA doesn't come on to tell me that there's a connection established

Service Spring Thu, 09/30/2010 - 13:24
User Badges:

Well, let me be more clear on the diagram

I don't have native IPv6 access so everything is going over a tunnel.  Both tunnel servers are on the outside interface of my ASA's

I need it to work this way:

protected subnet - ASA -Tunnel server -internet     =============  internet - tunnel server - ASA - protected subnet

Hope that makes sense

Marcin Latosiewicz Thu, 09/30/2010 - 13:53
User Badges:
  • Cisco Employee,

If you see the traffic and routing is pushing it out the right interface, there has to be something trivial missing... like isakmp enabled on "outsi

de" interfaces or routing poiting out the interface where crypto map is not applied.

This one is very odd. What are your timelines to get this working, maybe it's worth to open a TAC case so someone can go over the setup and troubleshoot it live?


Service Spring Mon, 10/04/2010 - 10:44
User Badges:

I could open a tac case...I have a support contract on my 5520, but not the 5505...do you think this would matter?

Marcin Latosiewicz Mon, 10/04/2010 - 10:54
User Badges:
  • Cisco Employee,

You need only one working and covered serial number to open a TAC case ;-)


This Discussion