Unexpected case IPv4 tunnel over IPv6 ?

Unanswered Question
Apr 12th, 2012

hi,

I wonder if there is one use case one can think of that is not possible with Cisco IOS:

Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even an IPsec tunnel over an IPv6 network transporting IPv4 only does not work.

I tried several things in my lab but couldn't get it running.

I tried to search the net for my use case but I only find the other way round.

Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?

Ultimately, the same tunnel should be capable of transporting both. Dedicated tunnels for IPv4 and IPv6 on the same routers would also be OK.

                          ,_
     Svr A                (  )                Svr B
    +----+             , `,( .)              +----+
    |    |   +----+   ( .(  ...)    +----+   |    |
    |    |---| R1 |---`    .....)---| R2 |---|    |
    |    |   +----+    ( ......)    +----+   |    |
    +----+                                   +----+
10.0.23.1/24          IPv6 only          10.0.42.1/24
                        network

Phillip Remaker Thu, 04/12/2012 - 15:49

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html is a good place to start.

Just use an IPv6 source and destination for a GRE tunnel, and activate IPv4 on the tunnel interface to carry IPv4 over IPv6.  Then, use IPsec to secure the GRE packets.

You will need to be sure you have a version of software and license that support the requisite IPv6 features.
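A minimal IOS configuration for the GRE-over-IPv6 design described in this reply, added here as an illustration; it is not taken from the thread or from the linked Cisco guide. The 2001:db8:: addresses, the 172.16.0.0/30 inner IPv4 link, the names TS-GRE6 and PROT-GRE6 and the pre-shared key are all assumed placeholders; only the 10.0.42.0/24 subnet comes from the diagram in the question.

```cisco
! --- R1 (R2 mirrors this with the addresses swapped) ---
ipv6 unicast-routing
!
! IKEv1 policy for the IPv6 peer (sha256 / group 14 need a 15.x image;
! use "hash sha" and "group 2" on older releases that lack them)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key bound to R2's IPv6 outside address (placeholder key)
crypto isakmp key CHANGE-ME-PSK address ipv6 2001:db8:ffff::2/128
!
! Transport mode is enough: GRE already supplies the outer IPv6 header
crypto ipsec transform-set TS-GRE6 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT-GRE6
 set transform-set TS-GRE6
!
! GRE tunnel whose outer header is IPv6, carrying BOTH address families inside
interface Tunnel0
 description GRE over IPv6 to R2, protected by IPsec
 ip address 172.16.0.1 255.255.255.252
 ipv6 address 2001:db8:100::1/64
 ! leave room for IPv6 (40) + GRE (4) + ESP overhead to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 2001:db8:ffff::1
 tunnel destination 2001:db8:ffff::2
 tunnel mode gre ipv6
 tunnel protection ipsec profile PROT-GRE6
!
! Route Svr B's IPv4 subnet (from the diagram) through the tunnel's inner IPv4 link;
! remote IPv6 prefixes are routed the same way, e.g. "ipv6 route 2001:db8:42::/64 Tunnel0"
ip route 10.0.42.0 255.255.255.0 172.16.0.2
```

Check the result with show crypto ipsec sa (the SAs should be built toward the IPv6 peer) and show interfaces tunnel 0; the IPv4 /24s from the diagram are then reachable through the tunnel's inner IPv4 addresses while every packet on the wire is IPv6.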

Kooopobol Thu, 05/24/2012 - 04:09

Is it possible to do this with full IPSec instead of GRE ?

Thanks.

wzhang Thu, 05/24/2012 - 22:05

Hi,

Today on IOS we don't support mixed mode with native IPSec encapsulation (IPv6 over IPv4 or vice versa), so you can only achieve this by using GRE and then run it over an IPSec tunnel.

Thanks,

Wen

alexander.koeppe Thu, 05/31/2012 - 15:41

One more question in regard to Nexus: will it be possible with NX-OS, or is there a limitation in one RFC?

Alex

michaelshire Thu, 07/25/2013 - 09:16

Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client.  The host on the left side is connected to an IPv6-only network.  They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).

Is this possible?

Cisco VPN Client         (  )                Cisco ASA
    +----+             , `,( .)              +----+
    |    |   +----+   ( .(  ...)    +----+   |    |
    |    |---| R1 |---`    .....)---| R2 |---|    |----IPv4 network
    |    |   +----+    ( ......)    +----+   |    |
    +----+                                   +----+
IPv6-only HOST        IPv6 Network         has IPv6 Interface on public side

Harold Ritter Thu, 07/25/2013 - 17:57

Hi Michael,

This scenario is not possible as the Cisco VPN client does not support IPv6.

Regards

michaelshire Fri, 07/26/2013 - 06:06

Thanks Harold, I've been doing some more digging and found some stuff that might contradict your statement.  Granted, it's been a while since I've had to work with this client VPN stuff, maybe I have the terminology wrong (VPN Client vs AnyConnect Client).

There's this link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43546

that talks about enabling IPv6 for the AnyConnect client.  The link mentions:

You can configure the ASA to assign an IPv4 address, an IPv6 address, or both an IPv4 and an IPv6 address to an AnyConnect client

So in the case where an AnyConnect client (using IKE/IPSec) connects to the ASA using IPv6, could the ASA assign an IPv4 address?

There is a reference in the link above to this link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43623

The row third from the bottom looks to meet my design criteria.

I'm looking at this from quite a high level.  Are there issues in the details of this configuration?  Or maybe I'm not understanding something correctly?

Thanks!

Harold Ritter Fri, 07/26/2013 - 06:59

Hi Michael,

I thought you were referring to the legacy Cisco VPN client, which does not support IPv6, other than tunneled over IPv4. AnyConnect handles both IPv4 and IPv6 natively. The third row from the bottom refers to dual stack on the ASA, but you stated that the connection from the client to the ASA would need to be IPv6 only, right?

Regards

michaelshire Fri, 07/26/2013 - 08:47

OK awesome.  Thanks for the clarifications.  So with the AnyConnect, the solution is possible?

AnyConnect VPN Client user would be IPv6 only (but with the IPv4 stack installed on the computer)

Cisco ASA public facing interface would be IPv4 and IPv6 (Dual Stack)

Cisco ASA internal interfaces would be IPv4, and addresses assigned to the client would be IPv4.  Client would be accessing internal systems using IPv4.

Harold Ritter Fri, 07/26/2013 - 15:23

Hi Michael,

As far as I know AnyConnect does not offer any kind of service to tunnel IPv4 in IPv6. If the requirement is for IPv6-only traffic coming from the remote client to access IPv4 destinations, maybe NAT64 on the ASA would help in reaching that goal.

Regards

Phillip Remaker Mon, 07/29/2013 - 12:45

I would recommend asking this question in a NEW topic over in the Anyconnect or Firewall discussion boards to be sure.

This thread is all mixed up (in general, you should start a new thread for a new topic). 

If I understand, you have an IPv6 only VPN client (Is it required to be IPv6 only?) which needs to talk to an IPv4 device.

Is the client only on an IPv6 network, or will it be IPv6 only on the tunnel interface?

There is nothing stopping a host on an IPv6 only network from running a dual stack tunnel interface.

It would help to start with the desired objective and constraints rather than the proposed design.
