Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

IPv6 L2L with the Cisco ASA

Hello Everyone,

Today I will briefly cover what needs to be done in order to create a Lan to Lan VPN tunnel on an ASA firewall with IPv6 addressing.

First let's begin with the fundamentals:

-IPv6 L2L VPN support was added in the latest version available of the ASA 8.3 track

-The ASA will be able to build a VPN site to site tunnel running IPv6 ONLY with another ASA.

Information taken from Cisco.com

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:

•The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).

•The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).

•The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces)

If we want to run a VPN tunnel with a third-party unit or another Cisco router then we must go with the IPv4 address scheme only.

Now, let's take a look at the Scenario,

IPv6 L2L Scenario.png

Our main goal here is to create a VPN tunnel using IPSec between Company A and Company B across an IPv6 network. IPv6 addressing and routing has been configured previously.

So now, let's begin with the IPsec configuration,

1- Specify as usual the phase 1 and phase 2 configuration

Site A:

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

crypto ikev1 enable outside

crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac

Site B:

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

crypto ikev1 enable outside

crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac

So far.. No differences at all.. Easy stuff.

2) Now let's move forward to the Interesting traffic configuration:

Site A Inside Subnet 2001:AAAA::/64

Site B Inside Subnet 2001:DDDD::/64

On Site A:

ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64

On Site B:

ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64

So the Crypto ACL is the same thing, just that now we use Hex notation instead of Decimal notation

3) Crypto-Map Setup

Site A outside IPv6 address is 2001:BBBB::1

Site B outside IPv6 address is 2001:CCCC::2

So let's go to the Firewall on Site A

Site A:

crypto map IPv6-L2L 1 match address IPv6-Lab

crypto map IPv6-L2L 1 set peer 2001:cccc::2

crypto map IPv6-L2L 1 set ikev1 transform-set cisco

crypto map IPv6-L2L  interface outside

Site B:

crypto map IPv6-Lab 1 match address VPN-Traffic

crypto map IPv6-Lab 1 set peer 2001:bbbb::1

crypto map IPv6-Lab 1 set ikev1 transform-set cisco

crypto map IPv6-Lab  interface outside

Any difference on this part?

Hmm....well no.. Same thing as well

So how much time do we have to keep reading this??

We are almost there do not worry.. In fact let's configure the final part. Is the Tunnel-group setup ( I bet you already knew it ).

Site A:

tunnel-group 2001:CCCC::2 type ipsec-l2l

tunnel-group 2001:CCCC::2 ipsec-attributes

       ikev1 pre-shared-key cisco123

Site B:

tunnel-group 2001:BBBB::1 type ipsec-l2l

tunnel-group 2001:BBBB::1 ipsec-attributes

      ikev1 pre-shared-key cisco123

So, everything is the same.. I bet you thought there were a lot of differences.. but wait a minute we are missing something right?

Where is the NAT setup?

On IPv6 we do not have to use NAT in order to be routable over the internet so unless specific desing requirements we will not need to use NAT so we can forget about the NAT Exemption setup in our VPN cases.

Now let's ping from Client A to Client B and see if the tunnel gets established:

SiteA-Client#ping 2001:DDDD::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DDDD::1, timeout is 2 seconds:

.!!!!

Great, now let's check the tunnel

On Site A

SiteA(config)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 2001:cccc::2

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

On Site B:

SiteB(config)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 2001:bbbb::1

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

SiteB(config)#

Final notes:


-Configuration is the same, except for the fact that now we write down the IPs in Hex format ( That's what IPv6 uses )

-There is no need for NAT Exemption anymore

-Debugs,Packet-tracers are the same ( For troubleshooting purposes ). If you plan to use CAPTURES, remember that in IPv6 you cannot use the match keyword, you must match the capture with an IPv6 ACL.


-Discussing about IPv6 ACL's: Before 9.0(1) you must create a dedicated IPv6 access-list for IPv6 traffic as shown in this example but starting on 9.0(1) and higher versions now we can use the regular syntax for IPv6 access-list as well.

So we can use IPv6 and IPv4 on the same ACL, no need to create a dedicated IPv6 access-list. In fact the ASA will not allow you to do that.

Bottom line: IPv6 is here to make our lifes easier

Any questions you are more than welcome to contact me,

Regards,

Julio Carvajal

jcarvaja@cisco.com

julio17carvajal@hotmail.com

Version history
Revision #:
1 of 1
Last update:
‎03-17-2013 05:31 PM
Updated by:
 
Labels (1)
Everyone's tags (8)
Comments

Well done Julio!! Keep it up

Hello Portu,

Really appreciate it man,