Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec and IPv6 configuration question

Hope I'm asking this in the right place.

I can get a transport-mode IPSec connection going just fine in IPv4. When using the same configuration (with addresses changed appropriately) in IPv6, phase 2 fails and the Cisco debug message is: IPSec policy invalidated proposal with error 8.

One problem may be that within the "crypto map" command, the "set peer" command won't take an IPv6 address.

Any ideas? Thanks.


Re: IPSec and IPv6 configuration question

IP Security, or IPSec, is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provide security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Cisco routers. IPSec provides the following optional network security services. In general, local security policy will dictate the use of one or more of these services:

"Data confidentialityThe IPSec sender can encrypt packets before sending them across a network.

"Data integrityThe IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

"Data origin authenticationThe IPSec receiver can authenticate the source of the IPSec packets sent. This service depends upon the data integrity service.

"AntireplayThe IPSec receiver can detect and reject replayed packets.

With IPSec, data can be sent across a public network without observation, modification, or spoofing. IPSec functionality is similar in both IPv6 and IPv4; however, site-to-site tunnel mode only is supported in IPv6.

In IPv6, IPSec is implemented using the AH authentication header and the ESP extension header. The authentication header provides integrity and authentication of the source. It also provides optional protection against replayed packets. The authentication header protects the integrity of most of the IP header fields and authenticates the source through a signature-based algorithm. The ESP header provides confidentiality, authentication of the source, connectionless integrity of the inner packet, antireplay, and limited traffic flow confidentiality.

The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with IPSec. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.

IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)