Possibilities for IPv4 oder IPv6

Kyle Lenderlof
Level 1

Hello Community,

I found a lot of information to handle an IPv6 over IPv4 communication, but almost nothing about IPv4 over IPv6.

Which possibilities exist for integrating IPv4 over IPv6 on a Cisco router (e.g. 881, or perhaps a Layer 3 switch)?

Are there tunnel modes like for 6over4 (ipv6ip, gre)?

I attached a little topology to show my thoughts.

Thank you!

Kyle

1 Accepted Solution

Marcin Latosiewicz
Cisco Employee

Kyle,

GRE IPv6 is what you're looking for.

Either:

tunnel mode gre multipoint ipv6

or

tunnel mode gre ipv6

On top of that you can do IPv6 GRE over IPsec with an IPv4 payload.

On ASA there is additionally the possibility to have IPv4 traffic natively in IPv6 when doing IPsec (limited support).

Marcin

Thank you Marcin for your answer.

So an easy example could be a configuration like this? But I didn't run it so far. Any mistakes? Have I overlooked anything?

Router_A

int fa0/0
 ip add 10.1.1.1 255.255.255.0
 no shut
int s0/3/0
 ipv6 en
 ipv6 add 2001:2:2:2::1/64
 no shut
int tunnel 0
 ipv6 add 2001:1:1:1::1/64
 tunnel source fa0/0
 tunnel destination 2001:2:2:2::2
 tunnel mode gre ipv6    (tunnel mode gre multipoint ipv6)

Router_B

int fa0/0
 ip add 10.2.1.1 255.255.255.0
 no shut
int s0/3/0
 ipv6 en
 ipv6 add 2001:2:2:2::2/64
 no shut
int tunnel 0
 ipv6 add 2001:1:1:1::2/64
 tunnel source fa0/0
 tunnel destination 2001:2:2:2::1
 tunnel mode gre ipv6    (tunnel mode gre multipoint ipv6)

Do you have documents for the ASA solution, too?

Kyle,

You need to source the tunnel from an IPv6-enabled interface if you want to transport IPv4 over IPv6.

I.e.

tunnel source fa0/0 <--- should be your serial int IMHO. (Or you can just use IP addresses).

For ASA config, start here:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html#wp1055829

Marcin

Thanks, now I have established communication between two IPv4 hosts over an IPv6 network!

But I couldn't manage to get IPsec running on Router_A and Router_B so that the GRE tunnel is secure.

Router_A

int tunnel0
 ip add 192.169.1.1 255.255.255.0
 tunnel source s1/0
 tunnel destination 2001:1:1:1::2
 tunnel mode gre ipv6

Router_B

int tunnel0
 ip add 192.169.1.2 255.255.255.0
 tunnel source s1/0
 tunnel destination 2001:1:1:1::1
 tunnel mode gre ipv6

It's difficult because I have IPv6 addresses for source and destination and IPv4 for the tunnel.

With which commands can I establish IPv6 GRE over IPsec with IPv4 payload as Marcin described?

Kyle,

That's the beauty of GRE configuration, you don't care what's inside. It can be IPX if you choose to :-)

I would suggest using tunnel protection configuration, it's by far the easiest.

crypto ipsec profile NAME_OF_PROFILE
 set transform-set NAME_OF_TRANSFORM
interface Tunnel0
 tunnel protection ipsec profile NAME_OF_PROFILE

This is of course assuming you have phase 1 IPsec etc configured.

An example is here, you can use it:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ipsec.html#wp1094731

Remember that this works on recent versions of IOS 15.2 M&T - AFAIR.

Marcin
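
Added example (not from the thread and not Cisco code): a small Python audit of a `show running-config` dump that flags the two problems this thread ran into, a `gre ipv6` tunnel sourced from an interface without IPv6 and a tunnel with no `tunnel protection ipsec profile`. The sample config is constructed from the addresses in the posts; the full interface names, the profile name `PROF` and `Tunnel1` are assumptions.

```python
# Constructed sample: Router_A with the first attempt's IPv4-only tunnel
# source (Tunnel0) next to a corrected, IPsec-protected tunnel (Tunnel1).
SAMPLE = """\
crypto ipsec profile PROF
 set transform-set TS
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial1/0
 ipv6 address 2001:1:1:1::1/64
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 2001:1:1:1::2
 tunnel mode gre ipv6
interface Tunnel1
 tunnel source Serial1/0
 tunnel destination 2001:1:1:1::2
 tunnel mode gre ipv6
 tunnel protection ipsec profile PROF
"""
GRE6 = {"tunnel mode gre ipv6", "tunnel mode gre multipoint ipv6"}

def parse_stanzas(config):
    """Map each top-level line to the indented sub-commands below it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            current = stanzas.setdefault(line.strip(), [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return stanzas

def audit_gre6_tunnels(config):
    """Return (interface, finding) pairs for GRE-over-IPv6 tunnels."""
    stanzas = parse_stanzas(config)
    profiles = {k.split()[-1] for k in stanzas if k.startswith("crypto ipsec profile ")}
    findings = []
    for head, body in stanzas.items():
        if not head.startswith("interface ") or not GRE6 & set(body):
            continue
        name = head.split()[1]
        src = next((c.split()[-1] for c in body if c.startswith("tunnel source ")), None)
        src_body = stanzas.get("interface %s" % src)  # None if source is an address
        if src_body is not None and not any(c.startswith("ipv6 ") for c in src_body):
            findings.append((name, "tunnel source %s has no IPv6 configured" % src))
        prot = [c.split()[-1] for c in body if c.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append((name, "no tunnel protection: GRE payload is not encrypted"))
        elif prot[0] not in profiles:
            findings.append((name, "IPsec profile %s is not defined" % prot[0]))
    return findings
```

`audit_gre6_tunnels(SAMPLE)` reports both findings for `Tunnel0` and nothing for `Tunnel1`.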

Is the use of GRE mandatory for that?

Can pure IPsec handle IPv4 over IPv6 in tunnel mode?

Armand,

Not on IOS. So far only ASA can natively encapsulate IPv4 into IPv6 IPsec (and vice versa).

On IOS, VTI modes/crypto map will not allow an IPv6 ACL in an IPv4 crypto map (and vice versa) nor IPv6 traffic in an IPv4 VTI (and vice versa). (There are enhancement requests to change that: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu09251)

That's why we need intermediate GRE encapsulation.

Marcin

Thanks a lot for your answer.

But as far as I know the use of VTI is not mandatory for setting up an IPsec VPN tunnel on an IOS router, is it?

What if we don't use VTI?

I'm not recommending VTI, in fact VTI will fail because of the reasons mentioned above.

I'm suggesting to use tunnel protection with GRE IPv6.

Marcin

And if I use only crypto maps? (no tunnel interfaces)

Armand

Armand,

When you try to apply IPv6 access-list to IPv4 crypto map:

CE2_GM_875(config)#crypto map MAP 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
*Nov 18 14:03:37.440: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CE2_GM_875(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
CE2_GM_875(config-crypto-map)#match address ACL6
Access-list type conflicts with prior definitionERROR: "ACL6" is either an invalid name or the
        list already exists but is the wrong type.

When you try to apply IPv4 crypto map to IPv6 ACL:

CE2_GM_875(config)#crypto map ipv6 MAP6 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
CE2_GM_875(config-crypto-map)#match address ACL4
Access-list type conflicts with prior definitionERROR: "ACL4" is either an invalid name or the
        list already exists but is the wrong type.

ACLs are defined:

CE2_GM_875(config-crypto-map)#do sh run | s access-list
ip access-list extended ACL4
 permit ip any any
ipv6 access-list ACL6
 permit ipv6 any any

M.

Everything is clear now, thanks a lot Marcin.

Thanks for the extra information, tried it myself today.

So to sum up, you can't apply an IPv6 Access-List to an IPv4 Crypto Map and also you can't apply an IPv4 Crypto Map to an IPv6 Access-List, for now.

In the next few days I will try the "new requested IOS", if it is released soon.

Is there a chance to get NAT-PT working for 4over6?

IPv4 Hosts on each side with NAT-PT for an outside IPv6 address?

I tried a few things to get this working, but no results yet.
