Unexpected case IPv4 tunnel over IPv6?

hi,

I wonder if there is one use case one can think of that is not possible with Cisco IOS:

Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even an IPsec tunnel over an IPv6 network transporting IPv4 only does not work.

I tried several things in my lab but couldn't get it running.

I tried to search the net for my use case but I only find the other way round.

Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?

Ultimately, the same tunnel should be capable of transporting both. A dedicated IPv4 tunnel and IPv6 tunnel on the same routers would also be OK.

                          ,_
     Svr A                (  )                Svr B
    +----+             , `,( .)              +----+
    |    |   +----+   ( .(  ...)    +----+   |    |
    |    |---| R1 |---`    .....)---| R2 |---|    |
    |    |   +----+    ( ......)    +----+   |    |
    +----+                                   +----+
10.0.23.1/24          IPv6 only          10.0.42.1/24
                        network


Phillip Remaker
Cisco Employee

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html is a good place to start.

Just use an IPv6 source and destination for a GRE tunnel, and activate IPv4 on the tunnel interface to carry IPv4 over IPv6.  Then, use IPsec to secure the GRE packets.

You will need to be sure you have a version of software and license that support the requisite IPv6 features.
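The following IOS configuration is an added example of the approach described in this answer; it is not from the thread, from Cisco's documentation, or from any of the posters. All addresses, interface names, profile names and the pre-shared key are assumed placeholders chosen to match the original diagram (Svr A in 10.0.23.0/24 behind R1, Svr B in 10.0.42.0/24 behind R2, IPv6-only transit between R1 and R2). Whether "tunnel mode gre ipv6" together with "tunnel protection" is available depends on the IOS version and licence, as the answer notes.

```cisco
! ===== R1 =====
! Assumed addressing (constructed for this example):
!   IPv6 underlay: R1 2001:db8:0:1::1  <->  R2 2001:db8:0:2::2
!   IPv4 overlay inside the GRE tunnel: 10.255.0.0/30
!   IPv6 overlay inside the same tunnel: 2001:db8:ffff::/64
!
! IKEv1 policy; the pre-shared key is bound to the peer's IPv6 address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address ipv6 2001:db8:0:2::2/128
!
! ESP in transport mode is sufficient: GRE already supplies the outer IPv6
! header, so tunnel mode would only add a second one
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-OVER-V6
 set transform-set TS-GRE
!
! GRE tunnel whose endpoints are IPv6 addresses; IPv4 and IPv6 are both
! configured on the tunnel interface, so either family can be carried.
! The MTU/MSS values leave room for GRE (4) + IPv6 (40) + ESP overhead
! in a 1500-byte underlay and avoid fragmenting the encrypted packets.
interface Tunnel0
 description GRE over IPv6 to R2, protected by IPsec
 ip address 10.255.0.1 255.255.255.252
 ipv6 address 2001:db8:ffff::1/64
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 2001:db8:0:1::1
 tunnel destination 2001:db8:0:2::2
 tunnel mode gre ipv6
 tunnel protection ipsec profile GRE-OVER-V6
!
! Send Svr B's IPv4 subnet into the tunnel
ip route 10.0.42.0 255.255.255.0 Tunnel0

! ===== R2 (mirror image) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address ipv6 2001:db8:0:1::1/128
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-OVER-V6
 set transform-set TS-GRE
interface Tunnel0
 description GRE over IPv6 to R1, protected by IPsec
 ip address 10.255.0.2 255.255.255.252
 ipv6 address 2001:db8:ffff::2/64
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 2001:db8:0:2::2
 tunnel destination 2001:db8:0:1::1
 tunnel mode gre ipv6
 tunnel protection ipsec profile GRE-OVER-V6
ip route 10.0.23.0 255.255.255.0 Tunnel0
```

After both sides are configured, "show crypto isakmp sa" should list the peer's IPv6 address with an established SA, "show crypto ipsec sa" should show encaps/decaps counters increasing when Svr A pings Svr B, and "show interfaces Tunnel0" confirms the tunnel is up with GRE/IPv6 encapsulation. The point to verify from a security standpoint is that only ESP (and IKE on UDP 500/4500) is visible on the IPv6 transit: plain GRE between the two IPv6 endpoints would mean the tunnel protection is not being applied.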

Thanks Remaker,

that was the missing piece.

Now it's working perfectly.

Cheers

Is it possible to do this with full IPSec instead of GRE?

Thanks.

Hi,

Today on IOS we don't support mixed mode with native IPSec encapsulation (IPv6 over IPv4 or vice versa), so you can only achieve this by using GRE and then run it over an IPSec tunnel.

Thanks,

Wen

One more question in regard to Nexus: will it be possible with NX-OS, or is there a limitation in an RFC?

Alex

michaelshire
Level 1

Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client.  The host on the left side is connected to an IPv6-only network.  They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).

Is this possible?

Cisco VPN Client         (  )                Cisco ASA
    +----+             , `,( .)              +----+
    |    |   +----+   ( .(  ...)    +----+   |    |
    |    |---| R1 |---`    .....)---| R2 |---|    |----IPv4 network
    |    |   +----+    ( ......)    +----+   |    |
    +----+                                   +----+
IPv6-only HOST        IPv6 Network         has IPv6 Interface on public side


Hi Michael,

This scenario is not possible as the Cisco VPN client does not support IPv6.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks Harold, I've been doing some more digging and found some stuff that might contradict your statement.  Granted, it's been a while since I've had to work with this client VPN stuff, maybe I have the terminology wrong (VPN Client vs AnyConnect Client).

There's this link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43546

that talks about enabling IPv6 for the AnyConnect client.  The link mentions:

You can configure the ASA to assign an IPv4 address, an IPv6 address, or both an IPv4 and an IPv6 address to an AnyConnect client

So in the case where an AnyConnect client (using IKE/IPSec) connects to the ASA using IPv6, could the ASA assign an IPv4 address?

There is a reference in the link above to this link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43623

The row third from the bottom looks to meet my design criteria.

I'm looking at this from quite a high level.  Are there issues in the details of this configuration?  Or maybe I'm not understanding something correctly?

Thanks!

Hi Michael,

I thought you were referring to the legacy Cisco VPN client, which does not support IPv6 other than tunneled over IPv4. AnyConnect handles both IPv4 and IPv6 natively. The third row from the bottom refers to dual stack on the ASA, but you stated that the connection from the client to the ASA would need to be IPv6 only, right?

Regards

Harold Ritter

OK awesome.  Thanks for the clarifications.  So with the AnyConnect, the solution is possible?

AnyConnect VPN Client user would be IPv6 only (but with the IPv4 stack installed on the computer)

Cisco ASA public facing interface would be IPv4 and IPv6 (Dual Stack)

Cisco ASA internal interfaces would be IPv4, and addresses assigned to the client would be IPv4.  Client would be accessing internal systems using IPv4.

Hi Michael,

As far as I know Anyconnect does not offer any kind of service to tunnel ipv4 in ipv6. If the requirement is for ipv6 only traffic coming from the remote client to access ipv4 destination, maybe nat64 on the ASA would help in reaching that goal.

Regards

Harold Ritter

I would recommend asking this question in a NEW topic over in the Anyconnect or Firewall discussion boards to be sure.

This thread is all mixed up (in general, you should start a new thread for a new topic). 

If I understand, you have an IPv6 only VPN client (Is it required to be IPv6 only?) which needs to talk to an IPv4 device.

Is the client on an IPv6-only network, or will it be IPv6 only on the tunnel interface?

There is nothing stopping a host on an IPv6 only network from running a dual stack tunnel interface.

It would help to start with the desired objective and constraints rather than the proposed design.
