10-29-2011 02:15 AM - edited 03-01-2019 05:30 PM
Hello Community,
I found a lot of information to handle an IPv6 over IPv4 communication, but almost nothing about IPv4 over IPv6.
Which possibilities exist for integrating IPv4 over IPv6 on a Cisco router (e.g. 881, or perhaps a Layer 3 switch)?
Are there tunnel modes like for 6over4 (ipv6ip, gre)?
I attached a little topology to show my thoughts.
Thank you!
Kyle
10-29-2011 04:00 AM
Kyle,
GRE IPv6 is what you're looking for.
Either:
tunnel mode gre multipoint ipv6
or
tunnel mode gre ipv6
On top of that, you can do IPv6 GRE over IPsec with an IPv4 payload.
On ASA there is additionally the possibility to have IPv4 traffic natively in IPv6 when doing IPsec (limited support).
Marcin
10-29-2011 06:07 AM
Thank you Marcin for your answer.
So an easy example could be a configuration like this? But I didn't run it so far. Any mistakes? Have I overlooked anything?
Router_A
int fa0/0
ip add 10.1.1.1 255.255.255.0
no shut
int s0/3/0
ipv6 en
ipv6 add 2001:2:2:2::1/64
no shut
int tunnel 0
ipv6 add 2001:1:1:1::1/64
tunnel source fa0/0
tunnel destination 2001:2:2:2::2
tunnel mode gre ipv6 (tunnel mode gre multipoint ipv6)
Router_B
int fa0/0
ip add 10.2.1.1 255.255.255.0
no shut
int s0/3/0
ipv6 en
ipv6 add 2001:2:2:2::2/64
no shut
int tunnel 0
ipv6 add 2001:1:1:1::2/64
tunnel source fa0/0
tunnel destination 2001:2:2:2::1
tunnel mode gre ipv6 (tunnel mode gre multipoint ipv6)
Do you have documents for the ASA solution, too?
10-29-2011 10:55 AM
Kyle,
You need to source the tunnel from IPv6 enabled interface if you want to transport IPv4 over IPv6.
I.e.
tunnel source fa0/0 <--- should be your serial int IMHO. (Or you can just use IP addresses).
For ASA config, start here:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html#wp1055829
Marcin
11-16-2011 06:18 AM
Thanks, now I have established communication between two IPv4 hosts over an IPv6 network!
But I couldn't manage to get IPsec running on Router_A and Router_B so that the GRE tunnel is secure.
Router_A
int tunnel0
ip add 192.169.1.1 255.255.255.0
tunnel source s1/0
tunnel destination 2001:1:1:1::2
tunnel mode gre ipv6
Router_B
int tunnel0
ip add 192.169.1.2 255.255.255.0
tunnel source s1/0
tunnel destination 2001:1:1:1::1
tunnel mode gre ipv6
It's difficult because I have IPv6 addresses for source and destination and IPv4 for the tunnel.
With which commands can I establish IPv6 GRE over IPsec with IPv4 payload as Marcin described?
11-16-2011 08:14 AM
Kyle,
That's the beauty of GRE configuration, you don't care what's inside. It can be IPX if you choose to :-)
I would suggest using tunnel protection configuration, it's by far the easiest.
cryp ipsec pro NAME_OF_PROFILE
set trans NAME_OF_TRANSFORM
int tu0
tunnel protection ipsec profile NAME_OF_PROFILE
This is of course assuming you have phase 1 IPsec etc configured.
An example is here, you can use it:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html#wp1094731
Remember that this works on recent versions of IOS 15.2 M&T - AFAIR.
Marcin
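An added example (not part of the original posts, and not Cisco code): a small Python check for the two points raised in this thread, that a `tunnel mode gre ipv6` tunnel must be sourced from an IPv6-addressed interface and should carry `tunnel protection ipsec profile`. It assumes `show running-config` style input with full interface names and indented sub-commands; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: Router_A as first posted in the thread (tunnel sourced
# from the IPv4-only fa0/0, no IPsec), written with full interface names.
SAMPLE = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial0/3/0
 ipv6 address 2001:2:2:2::1/64
interface Tunnel0
 ip address 192.169.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 2001:2:2:2::2
 tunnel mode gre ipv6
"""

def parse_interfaces(config):
    """Map each lowercased interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = interfaces.setdefault(m.group(1).lower(), [])
        elif raw[:1].isspace() and current is not None and line:
            current.append(line.lower())
        elif line and not raw[:1].isspace():
            current = None  # left interface sub-mode
    return interfaces

def audit_tunnels(config):
    """Return (interface, finding) pairs for GRE-over-IPv6 tunnels."""
    interfaces, findings = parse_interfaces(config), []
    for name, cmds in interfaces.items():
        if not any(c.startswith("tunnel mode gre") and c.endswith("ipv6") for c in cmds):
            continue  # not a GRE-over-IPv6 tunnel
        src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        if src is None:
            findings.append((name, "no tunnel source"))
        elif ":" not in src and not any(  # a literal IPv6 source address is accepted
                c.startswith("ipv6 address ") for c in interfaces.get(src, [])):
            findings.append((name, "tunnel source has no IPv6 address"))
        if not any(c.startswith("tunnel protection ipsec profile ") for c in cmds):
            findings.append((name, "GRE payload not protected by IPsec"))
    return findings
```

Running `audit_tunnels(SAMPLE)` reports both findings for `tunnel0`; sourcing the tunnel from `Serial0/3/0` and adding the `tunnel protection` line clears them.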
11-17-2011 01:44 AM
Is the use of GRE mandatory for that?
Can pure IPsec handle IPv4 over IPv6 in tunnel mode?
11-17-2011 02:22 AM
Armand,
Not on IOS. So far only ASA can natively encapsulate IPv4 into IPv6 IPsec (and vice versa).
On IOS VTI modes/crypto map will not allow IPv6 ACL in IPv4 crypto map (and vice versa) nor IPv6 traffic in IPv4 VTI (and vice versa). (There are enhancement requests to change that.)
That's why we need intermediate GRE encapsulation.
Marcin
11-17-2011 02:51 AM
Thanks a lot for your answer.
But as far as I know the use of VTI is not mandatory for setting up an IPsec VPN tunnel on an IOS router, isn't it?
What if we don't use VTI?
11-17-2011 03:49 AM
I'm not recommending VTI, in fact VTI will fail because of the reasons mentioned above.
I'm suggesting to use tunnel protection with GRE IPv6.
Marcin
11-18-2011 05:38 AM
And if I use only crypto maps? (no tunnel interfaces)
Armand
11-18-2011 06:05 AM
Armand,
When you try to apply IPv6 access-list to IPv4 crypto map:
CE2_GM_875(config)#crypto map MAP 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
*Nov 18 14:03:37.440: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CE2_GM_875(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
CE2_GM_875(config-crypto-map)#match address ACL6
Access-list type conflicts with prior definitionERROR: "ACL6" is either an invalid name or the
list already exists but is the wrong type.
When you try to apply IPv4 crypto map to IPv6 ACL:
CE2_GM_875(config)#crypto map ipv6 MAP6 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
CE2_GM_875(config-crypto-map)#match address ACL4
Access-list type conflicts with prior definitionERROR: "ACL4" is either an invalid name or the
list already exists but is the wrong type.
The ACLs are defined:
CE2_GM_875(config-crypto-map)#do sh run | s access-list
ip access-list extended ACL4
permit ip any any
ipv6 access-list ACL6
permit ipv6 any any
M.
11-18-2011 06:10 AM
Everything is clear now, thanks a lot Marcin.
11-23-2011 10:54 AM
Thanks for the extra information, tried it myself today.
So to sum up, you can't apply an IPv6 access list to an IPv4 crypto map, and you also can't apply an IPv4 crypto map to an IPv6 access list, as of now.
In the next few days I will try the "new requested IOS", if it is released soon.
11-24-2011 06:58 AM
Is there a chance to get NAT-PT working for 4over6?
IPv4 hosts on each side with NAT-PT for an outside IPv6 address?
I tried a few things to get this working, but no results yet.