Hello Everyone,
Today I will briefly cover what needs to be done in order to create a Lan to Lan VPN tunnel on an ASA firewall with IPv6 addressing.
First let's begin with the fundamentals:
-IPv6 L2L VPN support was added in the latest version available of the ASA 8.3 track
-The ASA will be able to build a VPN site to site tunnel running IPv6 ONLY with another ASA.
Information taken from Cisco.com
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:
•The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
•The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).
•The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces)
If we want to run a VPN tunnel with a third-party unit or another Cisco router then we must go with the IPv4 address scheme only.
Now, let's take a look at the Scenario,
Our main goal here is to create a VPN tunnel using IPSec between Company A and Company B across an IPv6 network. IPv6 addressing and routing has been configured previously.
So now, let's begin with the IPsec configuration,
1- Specify as usual the phase 1 and phase 2 configuration
Site A:
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
Site B:
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
So far.. No differences at all.. Easy stuff.
2) Now let's move forward to the Interesting traffic configuration:
Site A Inside Subnet 2001:AAAA::/64
Site B Inside Subnet 2001:DDDD::/64
On Site A:
ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64
On Site B:
ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64
So the Crypto ACL is the same thing, just that now we use Hex notation instead of Decimal notation
3) Crypto-Map Setup
Site A outside IPv6 address is 2001:BBBB::1
Site B outside IPv6 address is 2001:CCCC::2
So let's go to the Firewall on Site A
Site A:
crypto map IPv6-L2L 1 match address IPv6-Lab
crypto map IPv6-L2L 1 set peer 2001:cccc::2
crypto map IPv6-L2L 1 set ikev1 transform-set cisco
crypto map IPv6-L2L interface outside
Site B:
crypto map IPv6-Lab 1 match address VPN-Traffic
crypto map IPv6-Lab 1 set peer 2001:bbbb::1
crypto map IPv6-Lab 1 set ikev1 transform-set cisco
crypto map IPv6-Lab interface outside
Any difference on this part?
Hmm....well no.. Same thing as well
So how much time do we have to keep reading this??
We are almost there do not worry.. In fact let's configure the final part. Is the Tunnel-group setup ( I bet you already knew it ).
Site A:
tunnel-group 2001:CCCC::2 type ipsec-l2l
tunnel-group 2001:CCCC::2 ipsec-attributes
ikev1 pre-shared-key cisco123
Site B:
tunnel-group 2001:BBBB::1 type ipsec-l2l
tunnel-group 2001:BBBB::1 ipsec-attributes
ikev1 pre-shared-key cisco123
So, everything is the same.. I bet you thought there were a lot of differences.. but wait a minute we are missing something right?
Where is the NAT setup?
On IPv6 we do not have to use NAT in order to be routable over the internet so unless specific desing requirements we will not need to use NAT so we can forget about the NAT Exemption setup in our VPN cases.
Now let's ping from Client A to Client B and see if the tunnel gets established:
SiteA-Client#ping 2001:DDDD::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DDDD::1, timeout is 2 seconds:
.!!!!
Great, now let's check the tunnel
On Site A
SiteA(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2001:cccc::2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
On Site B:
SiteB(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2001:bbbb::1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
SiteB(config)#
Final notes:
-Configuration is the same, except for the fact that now we write down the IPs in Hex format ( That's what IPv6 uses )
-There is no need for NAT Exemption anymore
-Debugs,Packet-tracers are the same ( For troubleshooting purposes ). If you plan to use CAPTURES, remember that in IPv6 you cannot use the match keyword, you must match the capture with an IPv6 ACL.
-Discussing about IPv6 ACL's: Before 9.0(1) you must create a dedicated IPv6 access-list for IPv6 traffic as shown in this example but starting on 9.0(1) and higher versions now we can use the regular syntax for IPv6 access-list as well.
So we can use IPv6 and IPv4 on the same ACL, no need to create a dedicated IPv6 access-list. In fact the ASA will not allow you to do that.
Bottom line: IPv6 is here to make our lifes easier
Any questions you are more than welcome to contact me,
Regards,
Julio Carvajal
