WAN/Branch Deployment over Native IPv6
At the time of this writing, it is rare for an enterprise to have full end-to-end reachability over native IPv6 from a branch site to a WAN head-end. As more and more service providers deploy IPv6 services to their customers, the enterprise can use IPv6 as the means of transporting encrypted IPv6 traffic between sites and leave behind the IPv6-in-IPv4 encrypted tunnel deployments that have been discussed in this chapter thus far.
Cisco supports the deployment of IPsec over IPv6 in Cisco IOS. The following section provides a basic configuration example of how to deploy IPsec over IPv6 on Cisco IOS between two routers.
Figure 8-6 shows a network topology of two routers connected to the Internet through IPv6. In this case, the routers are not running dual-stack (IPv4 and IPv6), although they could be; instead, they are IPv6-only routers with IPv6-only devices attached.
Figure 8-6 IPsec VPN over IPv6 Internet
The configuration is straightforward and closely resembles that of a point-to-point IPsec configuration over IPv4. The differences are mostly with the addressing for the interfaces.
Example 8-13 shows the basic configuration on the HQ-1 router. The Internet Security Association and Key Management Protocol (ISAKMP) and IPsec policy information is the same as what was used in the HBE discussed earlier. The difference comes in the tunnel configuration. The tunnel source and destination are now IPv6 addresses instead of the IPv4 addresses shown in the earlier examples. Also, the tunnel mode is now IPsec over IPv6 transport. Finally, the serial interface has an IPv6 address that is used for the connection to the IPv6-enabled ISP. Unicast Reverse Path Forwarding (uRPF) is enabled on that interface to help mitigate source-address spoofing. In a production deployment, ingress ACLs on the serial interface would permit only the required protocols and source/destination pairs (between the branch and HQ).
Example 8-13. HQ-1 Configuration
ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8:CAFE:900::1/64
 ipv6 eigrp 10
 tunnel source 2001:DB8:CAFE:202::2          #Source is now using IPv6
 tunnel mode ipsec ipv6                      #IPSec over IPv6 tunnel mode
 tunnel destination 2001:DB8:CAFE:1000::2    #Dest. now using IPv6
 tunnel protection ipsec profile HUB
!
interface GigabitEthernet1/0
 description LAN
 no ip address
 ipv6 address 2001:DB8:CAFE:201::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 description to ISP
 no ip address
 ipv6 address 2001:DB8:CAFE:202::2/64        #v6 connection to ISP
 ipv6 verify unicast reverse-path            #uRPF for IPv6
!
ipv6 route ::/0 2001:DB8:CAFE:202::1         #Default to ISP
ipv6 router eigrp 10
 eigrp router-id 1.1.1.2
Example 8-14 shows the configuration for BRANCH-1. It is similar to the HQ-1 configuration, except for the addressing and the transform-set and IPsec profile names (SPOKE instead of HUB).
Example 8-14. BRANCH-1 Configuration
ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8:CAFE:900::2/64
 ipv6 eigrp 10
 tunnel source 2001:DB8:CAFE:1000::2
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:CAFE:202::2
 tunnel protection ipsec profile SPOKE
!
interface GigabitEthernet1/0
 description LAN
 no ip address
 ipv6 address 2001:DB8:CAFE:1001::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 description to ISP
 no ip address
 ipv6 address 2001:DB8:CAFE:1000::2/64
 ipv6 verify unicast reverse-path
!
ipv6 route ::/0 2001:DB8:CAFE:1000::1
ipv6 router eigrp 10
 eigrp router-id 1.1.1.3
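As an added example that is not part of the book or of Cisco IOS, the following Python script parses an IOS configuration such as Example 8-13 or 8-14 and checks the settings the text calls out: AES-256 with SHA HMAC in the ISAKMP policy and transform set, tunnel protection on every ipsec ipv6 tunnel, and uRPF on the interface whose prefix contains the default-route next hop (the ISP link). It also flags a pre-shared key bound to ::/0, because such a key is accepted from any peer address rather than only from the branch. The embedded configuration is HQ-1's from Example 8-13 with the annotations removed; the check logic and the finding strings are the script's own.

```python
"""Audit a Cisco IOS IPsec-over-IPv6 configuration for the settings the text calls out."""
import ipaddress
import re

# Constructed input: the HQ-1 configuration from Example 8-13 (annotations dropped).
HQ1_CONFIG = """\
ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8:CAFE:900::1/64
 ipv6 eigrp 10
 tunnel source 2001:DB8:CAFE:202::2
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:CAFE:1000::2
 tunnel protection ipsec profile HUB
!
interface GigabitEthernet1/0
 description LAN
 no ip address
 ipv6 address 2001:DB8:CAFE:201::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 description to ISP
 no ip address
 ipv6 address 2001:DB8:CAFE:202::2/64
 ipv6 verify unicast reverse-path
!
ipv6 route ::/0 2001:DB8:CAFE:202::1
ipv6 router eigrp 10
 eigrp router-id 1.1.1.2
"""


def parse_sections(config):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop book-style '#' annotations
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_sections(config)
    interfaces = {h.split()[1]: body for h, body in sections if h.startswith("interface ")}

    for header, body in sections:
        # 1. ISAKMP policy and transform set should use AES-256 with SHA HMAC.
        if header.startswith("crypto isakmp policy") and "encr aes 256" not in body:
            findings.append(f"{header}: encryption is not AES-256")
        if header.startswith("crypto ipsec transform-set"):
            if "esp-aes 256" not in header or "esp-sha-hmac" not in header:
                findings.append(f"{header}: transform set is not esp-aes 256 / esp-sha-hmac")
        # 2. A pre-shared key bound to ::/0 is accepted from any peer address.
        if header.startswith("crypto isakmp key") and header.endswith("address ipv6 ::/0"):
            findings.append(f"{header}: pre-shared key is not scoped to the peer address")

    # 3. Every IPsec-over-IPv6 tunnel must carry a tunnel protection profile.
    for name, body in interfaces.items():
        if "tunnel mode ipsec ipv6" in body and not any(
            cmd.startswith("tunnel protection ipsec profile") for cmd in body
        ):
            findings.append(f"{name}: tunnel mode ipsec ipv6 without tunnel protection")

    # 4. The interface facing the default-route next hop (the ISP link) must run uRPF.
    for header, _ in sections:
        match = re.match(r"ipv6 route ::/0 (\S+)", header)
        if not match:
            continue
        next_hop = ipaddress.IPv6Address(match.group(1))
        for name, body in interfaces.items():
            for cmd in body:
                addr = re.match(r"ipv6 address (\S+/\d+)", cmd)
                if addr and next_hop in ipaddress.IPv6Network(addr.group(1), strict=False):
                    if "ipv6 verify unicast reverse-path" not in body:
                        findings.append(f"{name}: ISP-facing interface without uRPF")
    return findings


if __name__ == "__main__":
    for finding in audit(HQ1_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the unmodified HQ-1 configuration, the only finding is the ::/0 pre-shared key; the same script applied to Example 8-14 reports the same single finding, since BRANCH-1 differs only in addressing and names.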
Example 8-15 shows the status of the ISAKMP peers and security association (SA) state.
Example 8-15. ISAKMP Peer and SA Output on HQ-1
HQ-1# show crypto isakmp peers
Peer: 2001:DB8:CAFE:1000::2 Port: 500 Local: 2001:DB8:CAFE:202::2
 Phase1 id: 2001:DB8:CAFE:1000::2

HQ-1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
 dst: 2001:DB8:CAFE:1000::2
 src: 2001:DB8:CAFE:202::2
 state: QM_IDLE      conn-id:   1002 status: ACTIVE

 dst: 2001:DB8:CAFE:202::2
 src: 2001:DB8:CAFE:1000::2
 state: QM_IDLE      conn-id:   1003 status: ACTIVE
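Checking the SA state by eye works for one branch but not for a head-end with many spokes. The following Python script is an added example, not part of the book or of Cisco IOS: it parses the IPv6 section of show crypto isakmp sa (the Example 8-15 output is embedded as the sample input), identifies the remote peer of each SA relative to HQ-1's local address, and reports peers that are missing, not yet in QM_IDLE/ACTIVE, or absent from the expected list built from the branch tunnel sources. The expected-peer set and the finding strings are the script's own assumptions.

```python
"""Check 'show crypto isakmp sa' output against the list of expected IPv6 peers."""
import ipaddress
import re

# Constructed input: the HQ-1 output from Example 8-15.
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
 dst: 2001:DB8:CAFE:1000::2
 src: 2001:DB8:CAFE:202::2
 state: QM_IDLE conn-id: 1002 status: ACTIVE

 dst: 2001:DB8:CAFE:202::2
 src: 2001:DB8:CAFE:1000::2
 state: QM_IDLE conn-id: 1003 status: ACTIVE
"""

LOCAL = "2001:DB8:CAFE:202::2"                 # HQ-1 tunnel source (Example 8-13)
EXPECTED_PEERS = {"2001:DB8:CAFE:1000::2"}     # BRANCH-1 tunnel source (Example 8-14)


def norm(addr):
    """Canonical lowercase form so DB8 and db8 compare equal."""
    return str(ipaddress.IPv6Address(addr))


def parse_isakmp_sas(text):
    """Return one dict per IPv6 ISAKMP SA with dst, src, state, conn-id and status."""
    records, current = [], None
    # Each SA starts with a 'dst:' token; the IPv4 header line has no colons, so it is skipped.
    for key, value in re.findall(r"\b(dst|src|state|conn-id|status):\s+(\S+)", text):
        if key == "dst":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = norm(value) if key in ("dst", "src") else value
    return records


def check_sas(text, local, expected_peers):
    """Return (set of healthy peers, list of findings)."""
    local = norm(local)
    expected = {norm(p) for p in expected_peers}
    healthy, seen, findings = set(), set(), []
    for sa in parse_isakmp_sas(text):
        # The SA may have been initiated from either side; the peer is the non-local end.
        peer = sa["src"] if sa["dst"] == local else sa["dst"]
        seen.add(peer)
        if peer not in expected:
            findings.append(f"unexpected ISAKMP peer {peer} (conn-id {sa['conn-id']})")
            continue
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            healthy.add(peer)
        else:
            findings.append(f"peer {peer} in state {sa['state']}/{sa['status']}")
    for peer in expected - seen:
        findings.append(f"expected peer {peer} has no ISAKMP SA")
    return healthy, findings


if __name__ == "__main__":
    ok, problems = check_sas(SHOW_ISAKMP_SA, LOCAL, EXPECTED_PEERS)
    print("healthy peers:", sorted(ok))
    for problem in problems:
        print("finding:", problem)
```

Both SAs in the sample output belong to the same branch peer (one was initiated from each side), so the healthy set contains one entry and there are no findings; an SA stuck in an MM_ state, a peer with no SA at all, or an SA to an address not in the expected set each produce a finding.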