I have been setting up L2L VPNs for a customer using ASA 5505s. Recently we needed to set up a system through an IPv6 zone. The customer did not want to run dual stack on the inside, so we configured IPv4 L2L with IPv6 peers on the outside. I really thought this would be a simple thing, but it has proven otherwise. Both ASAs can ping each other's IPv6 peer IP. At first I could not even get any IKE traffic. The ASA reported it could not determine egress interface for outbound IPv4 traffic. It seemed that it wanted a route (or some trigger) to get the traffic into the tunnel. I added a default IPv4 route to an IPv4 address I set on the outside interface. This actually got the tunnel to come up, but I still could not ping all the way through. I cannot seem to find any examples or anything for doing IPv4 L2L over an IPv6 backbone. Any help or example would be greatly appreciated.
I worked on this more today to no avail. Adding the static outbound routes to the IPv4 IP of the outside interface seemed to do the trick for getting outbound traffic to hit the crypto map, but it was not hitting the RX map on the other end. I tried to do a static IPv6 route to the link-local address of the inside, but it gave an error about not allowing a route to yourself. Funny that it let me do this for IPv4. Both ASAs show TX packets and zero RX.