IPv6IP tunnel meshed with IPsec tunnel. Is it possible and how?
jorgeeospina
Registered Users Posts: 6
in CCIE
Is it possible to set up an IPsec Tunnel over an IPv6 tunnel through an IPv4 network?
Here's a typical configuration for a manual IPv6 over IPv4 tunnel.
interface Tunnel0
 no ip address
 ipv6 address 3000::1/112
 ipv6 rip 6bone enable
 tunnel source Serial0/0
 tunnel destination 192.34.1.4
 tunnel mode ipv6ip
Here is a typical IPsec configuration
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 95.95.95.2
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto map rtp 1 ipsec-isakmp
 set peer 95.95.95.2
 set transform-set rtpset
 match address 115
!
interface Ethernet0/0
 ip address 98.98.98.1 255.255.255.0
!
interface Ethernet0/1
 ip address 99.99.99.2 255.255.255.0
 crypto map rtp
ip route 0.0.0.0 0.0.0.0 99.99.99.1
access-list 115 permit ip 98.98.98.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 115 deny ip 98.98.98.0 0.0.0.255 any
My questions are: if so, how would you do it? Are there any special techniques to accomplish this? What would the configuration look like?
Thank you very much.
Comments
Forsaken_GA Member Posts: 4,024
What exactly are you trying to do? Both machines would need to be dual-stacked in order to make this happen in the first place, so why not just establish the IPSEC tunnel over v4?
With that being said, I can't see it being a problem, though I think you'd need to use a GRE tunnel instead of a 6 in 4 one to make it happen. Is there something that's actually driving this need, or is it just an academic exercise born of curiosity?

jorgeeospina Registered Users Posts: 6
It's an academic exercise born of curiosity.
So you're saying it could work with a GRE Tunnel? In that case, the source and destination of the GRE tunnel would be IPv4 addresses, the ip address of the tunnel interface would be IPv6, and the GRE/IPsec tunnel would be set up as a normal IPv4 GRE/IPsec Tunnel?

Forsaken_GA Member Posts: 4,024
jorgeeospina wrote:
> It's an academic exercise born of curiosity.
> So you're saying it could work with a GRE Tunnel? In that case, the source and destination of the GRE tunnel would be IPv4 addresses, the ip address of the tunnel interface would be IPv6, and the GRE/IPsec tunnel would be set up as a normal IPv4 GRE/IPsec Tunnel?
If you're tunnelling ipv6 over ipv4 infrastructure, your tunnel source and destination are going to be ipv4 regardless. If you want IPSEC over your ipv6 tunnel, it seems to me the easiest way to do it is to just set the tunnel up as GRE, and then set up an IPSEC profile, and use the tunnel protection command to encrypt anything that goes into the tunnel, regardless of whether it's ipv6 or ipv4.
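
A sketch of the GRE-plus-tunnel-protection approach described in the last reply, as an added example that is not configuration posted by anyone in the thread. The interface, addresses and RIP process name reuse the question's sample; the names GRE-TS and GRE-PROT and the key placeholder are hypothetical. It uses AES and SHA-2 instead of the esp-des/esp-md5-hmac in the question's sample, since DES and MD5 are deprecated, and availability of those keywords depends on the IOS release.

```cisco
! Added example: one side of an IPv6-in-GRE tunnel over IPv4, protected by IPsec.
! The peer needs the mirror-image configuration (its own source/destination
! and IPv6 address, same policy, transform set and key).
ipv6 unicast-routing
!
! IKE phase 1 policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Key is a placeholder; the peer address is the GRE tunnel destination.
crypto isakmp key <PRE-SHARED-KEY> address 192.34.1.4
!
! Transport mode is sufficient because the GRE endpoints are also the
! IPsec endpoints, so a second outer IPv4 header is not needed.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 no ip address
 ipv6 address 3000::1/112
 ipv6 rip 6bone enable
 tunnel source Serial0/0
 tunnel destination 192.34.1.4
 ! GRE over IPv4 replaces "tunnel mode ipv6ip" from the question.
 tunnel mode gre ip
 ! Encrypts everything entering the tunnel; no crypto map or ACL is used.
 tunnel protection ipsec profile GRE-PROT
!
! Checks once both sides are configured:
!  show crypto isakmp sa          (phase 1 established with 192.34.1.4)
!  show crypto ipsec sa           (encaps/decaps counters increase)
!  show ipv6 interface Tunnel0    (tunnel up, IPv6 address present)
```

With tunnel protection the traffic selector is the GRE flow between tunnel source and destination, so the crypto map and access-list 115 from the question's IPsec sample have no counterpart here.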