
Site-to-Site 4in6 VPN

shelby.lindsey
Level 1

I have been setting up l2l VPNs for a customer using ASA 5505s.  Recently we needed to set up a system through an ipv6 zone.  The customer did not want to run dual stack on the inside so we configured ipv4 l2l with ipv6 peers on the outside.  I really thought this would be a simple thing, but it has proven otherwise.  Both ASAs can ping each other's ipv6 peer IP.  At first I could not even get any IKE traffic.  The ASA reported it could not determine egress interface for outbound ipv4 traffic.  It seemed that it wanted a route (or some trigger) to get the traffic into the tunnel.  I added a default ipv4 route to an ipv4 address I set on the outside interface.  This actually got the tunnel to come up, but I still could not ping all the way through.  I cannot seem to find any examples or anything for doing ipv4 l2l over ipv6 backbone.  Any help or example would be greatly appreciated.

Shelby

2 Replies

shelby.lindsey
Level 1

bump.

shelby.lindsey
Level 1

I worked on this more today to no avail.  Adding the static outbound routes to the ipv4 ip of the outside interface seemed to do the trick for getting outbound traffic to hit the cryptomap, but it was not hitting the RX map on the other end.  I tried to do a static ipv6 route to the link local address of the inside but it gave an error about not allowing route to yourself.  Funny that it let me do this for ipv4.  Both ASAs show TX packets and zero RX.