Possibilities for IPv4 or IPv6

Answered Question
Oct 29th, 2011

Hello Community,

I found a lot of information on handling IPv6 over IPv4 communication, but almost nothing about IPv4 over IPv6.

Which possibilities exist for integrating IPv4 over IPv6 on a Cisco router (e.g. an 881, or perhaps a Layer 3 switch)?

Are there tunnel modes like for 6over4 (ipv6ip, gre)?

I attached a little topology to show my thoughts.

Thank you!

Kyle

Correct Answer
Marcin Latosiewicz Sat, 10/29/2011 - 04:00

Kyle,

GRE IPv6 is what you're looking for.

Either:

tunnel mode gre multipoint ipv6

or

tunnel mode gre ipv6

On top of that you can do IPv6 GRE over IPsec with IPv4 payload.

On ASA there is additionally the possibility to carry IPv4 traffic natively in IPv6 when doing IPsec (limited support).

Marcin

123Kyle321 Sat, 10/29/2011 - 06:07

Thank you Marcin for your answer.

So an easy example could be a configuration like this? But I didn't run it so far. Any mistakes? Have I overlooked anything?

Router_A

int fa0/0
 ip add 10.1.1.1 255.255.255.0
 no shut
int s0/3/0
 ipv6 en
 ipv6 add 2001:2:2:2::1/64
 no shut
int tunnel 0
 ipv6 add 2001:1:1:1::1/64
 tunnel source fa0/0
 tunnel destination 2001:2:2:2::2
 tunnel mode gre ipv6
 ! or: tunnel mode gre multipoint ipv6

Router_B

int fa0/0
 ip add 10.2.1.1 255.255.255.0
 no shut
int s0/3/0
 ipv6 en
 ipv6 add 2001:2:2:2::2/64
 no shut
int tunnel 0
 ipv6 add 2001:1:1:1::2/64
 tunnel source fa0/0
 tunnel destination 2001:2:2:2::1
 tunnel mode gre ipv6
 ! or: tunnel mode gre multipoint ipv6

Do you have documents for the ASA solution, too?

123Kyle321 Wed, 11/16/2011 - 06:18

Thanks, now I have established communication between two IPv4 hosts over an IPv6 network!

But I couldn't manage to get IPsec running on Router_A and Router_B so that the GRE tunnel is secure.

Router_A

int tunnel0
 ip add 192.169.1.1 255.255.255.0
 tunnel source s1/0
 tunnel destination 2001:1:1:1::2
 tunnel mode gre ipv6

Router_B

int tunnel0
 ip add 192.169.1.2 255.255.255.0
 tunnel source s1/0
 tunnel destination 2001:1:1:1::1
 tunnel mode gre ipv6

It's difficult because I have IPv6 addresses for source and destination and IPv4 for the tunnel.

With which commands can I establish IPv6 GRE over IPsec with IPv4 payload as Marcin described?

Marcin Latosiewicz Wed, 11/16/2011 - 08:14

Kyle,

That's the beauty of GRE configuration, you don't care what's inside. It can be IPX if you choose to :-)

I would suggest using the tunnel protection configuration, it's by far the easiest.

crypto ipsec profile NAME_OF_PROFILE
 set transform-set NAME_OF_TRANSFORM

interface Tunnel0
 tunnel protection ipsec profile NAME_OF_PROFILE

This is of course assuming you have IPsec phase 1 etc. configured.

An example is here, you can use it:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html#wp1094731

Remember that this works on recent versions of IOS (15.2 M&T), AFAIR.

Marcin
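Putting Marcin's tunnel protection suggestion together with Kyle's GRE-over-IPv6 tunnel, here is a complete Router_A side as an added example; it is not from the thread or from Cisco documentation. It assumes the IOS 15.2 M/T train mentioned above, the lab addressing from Kyle's posts, and placeholder names (TS_AES256, PROF_GRE6, the pre-shared key) chosen here.

```cisco
! Router_A: IPv4 LAN behind it, IPv6-only transport towards Router_B.
! Names, policy numbers and the key string are placeholders to replace.
!
! IKE phase 1 towards the IPv6 peer (the part the thread assumes is configured)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY address ipv6 2001:2:2:2::2/128
!
! Phase 2: transport mode suffices because GRE already provides the outer
! IPv6 header; tunnel mode would add a second 40-byte IPv6 header.
crypto ipsec transform-set TS_AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROF_GRE6
 set transform-set TS_AES256
!
! IPv6 transport interface, the only address the IPv6 ISP has to route
interface Serial0/3/0
 ipv6 enable
 ipv6 address 2001:2:2:2::1/64
 no shutdown
!
! IPv4 LAN
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! GRE carrying IPv4 over IPv6; the tunnel source must be the IPv6 interface.
! Tunnel address taken from the thread's lab; RFC 1918 space is the usual choice.
interface Tunnel0
 ip address 192.169.1.1 255.255.255.0
 ! Without IPsec the router derives 1500 - 40 (IPv6) - 4 (GRE) = 1456 itself;
 ! reserve room for the ESP header and trailer too, and clamp TCP MSS.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/3/0
 tunnel destination 2001:2:2:2::2
 tunnel mode gre ipv6
 tunnel protection ipsec profile PROF_GRE6
!
! Reach the remote IPv4 LAN through the tunnel
ip route 10.2.1.0 255.255.255.0 Tunnel0
!
! Router_B is the mirror image: 2001:2:2:2::2/64 on Serial0/3/0, tunnel
! address 192.169.1.2, LAN 10.2.1.1, isakmp key towards 2001:2:2:2::1/128,
! tunnel destination 2001:2:2:2::1 and "ip route 10.1.1.0 255.255.255.0 Tunnel0".
```

After both sides are up, "show crypto ipsec sa" should show the IPv6 peer with encaps/decaps counters increasing while an IPv4 ping crosses the tunnel.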

Kooopobol Thu, 11/17/2011 - 01:44

Is the use of GRE mandatory for that?

Can pure IPsec handle IPv4 over IPv6 in tunnel mode?

Marcin Latosiewicz Thu, 11/17/2011 - 02:22

Armand,

Not on IOS. So far only ASA can natively encapsulate IPv4 into IPv6 IPsec (and vice versa).

On IOS, VTI modes/crypto maps will not allow an IPv6 ACL in an IPv4 crypto map (and vice versa), nor IPv6 traffic in an IPv4 VTI (and vice versa). (There is an enhancement request to change that:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu09251 )

That's why we need the intermediate GRE encapsulation.

Marcin

Kooopobol Thu, 11/17/2011 - 02:51

Thanks a lot for your answer.

But as far as I know the use of VTI is not mandatory for setting up an IPsec VPN tunnel on an IOS router, isn't it?

What if we don't use VTI?

Marcin Latosiewicz Thu, 11/17/2011 - 03:49

I'm not recommending VTI; in fact VTI will fail because of the reasons mentioned above.

I'm suggesting using tunnel protection with GRE IPv6.

Marcin

Kooopobol Fri, 11/18/2011 - 05:38

And if I use only crypto maps? (no tunnel interfaces)

Armand

Marcin Latosiewicz Fri, 11/18/2011 - 06:05

Armand,

When you try to apply an IPv6 access-list to an IPv4 crypto map:

CE2_GM_875(config)#crypto map MAP 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
*Nov 18 14:03:37.440: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CE2_GM_875(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
CE2_GM_875(config-crypto-map)#match address ACL6
Access-list type conflicts with prior definitionERROR: "ACL6" is either an invalid name or the
        list already exists but is the wrong type.

When you try to apply an IPv4 crypto map to an IPv6 ACL:

CE2_GM_875(config)#crypto map ipv6 MAP6 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
CE2_GM_875(config-crypto-map)#match address ACL4
Access-list type conflicts with prior definitionERROR: "ACL4" is either an invalid name or the
        list already exists but is the wrong type.

The ACLs are defined:

CE2_GM_875(config-crypto-map)#do sh run | s access-list
ip access-list extended ACL4
 permit ip any any
ipv6 access-list ACL6
 permit ipv6 any any

M.

123Kyle321 Wed, 11/23/2011 - 10:54

Thanks for the extra information, tried it myself today.

So to sum up, you can't apply an IPv6 access-list to an IPv4 crypto map and you also can't apply an IPv4 crypto map to an IPv6 access-list, as of now.

In the next days I will try the "newly requested IOS", if it is released soon.

123Kyle321 Thu, 11/24/2011 - 06:58

Is there a chance to get NAT-PT working for 4over6?

IPv4 hosts on each side with NAT-PT for an outside IPv6 address?

I tried a few things to get this working, but no results yet.

Marcin Latosiewicz Fri, 11/25/2011 - 00:54

Kyle,

My suggestion is to keep away from NAT-PT (unless it's just for fun).

NAT64 and all similar are what the industry is trying to do recently.

M.

123Kyle321 Fri, 11/25/2011 - 02:37

Yeah that is what I want to test now.

I am only trying to show all possibilities to establish a (secure) connection between IPv4 networks over the IPv6 internet.

Would "NAT64/46?" on one network and "NAT64/46?" on the other network work for this scenario, theoretically and/or practically?

123Kyle321 Mon, 12/05/2011 - 07:33

To come back to the GRE tunnel.

Do I need public IP addresses for the tunnel IP addresses on both sites for the GRE tunnel to do 4over6?

int tunnel0
 ip add 192.169.1.1 255.255.255.0 ???
 tunnel source s1/0
 tunnel destination 2001:1:1:1::2
 tunnel mode gre ipv6

Because in a traceroute (test lab) it gives me 192.169.1.1 back, instead of the destination address 2001:1:1:1::1?

Did I do something wrong? Because it won't work in a production system if I have a native IPv6 ISP connection.

Marcin Latosiewicz Tue, 12/06/2011 - 05:29

Kyle,

It's expected that IPv4 traceroute will produce IPv4 addresses while IPv6 traceroute should produce IPv6 addresses (I guess this is what you were doing?).

You are free to assign a unique IPv6 address on tunnel 0.

Tunnel IP can be public or private; RFC 1918 is more common since you will not waste any IP address space.

edit: Just to add, since this GRE tunnel is a "pipe" between your routers, you should not see IP addresses of tunnel source and destination if you traceroute through it.

Marcin

123Kyle321 Wed, 12/07/2011 - 00:58

Yes, that's what I've done.

Nevertheless, if there would be no possibility to use private IP addresses for the tunnel, it would be kind of useless for this scenario.

edit: Just to add, since this GRE tunnel is a "pipe" between your routers, you should not see? IP addresses of tunnel source and destination if you traceroute through it.

Thanks again!

edit: Do you know any specific date for the "new" IOS, yet?

edit2: The MTU for this configuration is 1456 (shown on the router).

I guess that's 4 for the GRE header and 2x 20 for the IPv4 header.

But isn't the packet transported with an IPv6 header? So there would be 4 (GRE header) + 20 (IPv4 header) + 40 (IPv6 header)?

Marcin Latosiewicz Fri, 12/09/2011 - 06:08

Kyle,

You can in fact use any addressing you want in case of addressing the tunnel itself; it's almost never used by anything but transit.

What "new" IOS do you refer to?

There should be a difference of:

- IPv4 MTU (ip mtu command)

- IPv6 MTU (ipv6 mtu command)

- IPsec MTU (seen in show crypto ipsec sa)

Now the GRE IPv6 header overhead should be 44 bytes + 20 bytes of IPv4 inside (we're not calculating IPsec overhead, which could be tunnel or transport mode).

M.

Marcin Latosiewicz Fri, 12/16/2011 - 01:54

Armand,

It's an enhancement request. To have it resolved you need to contact your SE and they should create a business case.

Normally those things do not get resolved by themselves (not in a decent timeline).

Marcin

Posted October 29, 2011 at 2:15 AM