Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
IPv6 Support for the IPsec VSPA

Table of Contents

IPv6 Support for the IPsec VSPA

Overview

Restrictions for the IPV6 Support on the VSPA

Configuring IPv6 Support for IPsec VSPA

Summary Steps

Detailed Steps

Configuration Examples

Verifying IPv6 Support for IPsec VSPA

IPv6 Support for the IPsec VSPA

This chapter describes how to configure IPv6 support for the WS-IPSEC-3 IPsec VPN Service Port Adapter (VSPA) on the Cisco 7600 series router. It includes the following sections:

Overview

IP security (IPsec) is a framework of open standards developed by the Internet Engineering Task Force (IETF). It provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices, such as Cisco routers. IPsec is a mandatory component of the IPv6 specification. Earlier Cisco IOS releases for the Cisco 7600 series router do not support IPv6 encryption and decryption on the IPsec SPAs.

Effective with Cisco IOS release 15.2(2)S for the Cisco 7600 series router, IPv6 encryption and decryption are supported on the WS-IPSEC-3 IPsec VSPA. IPsec protection of IPv6 traffic is implemented using static Virtual Tunnel Interfaces (VTIs). An IPsec VTI allows an IPv6 router to act as a security gateway, establish IPsec tunnels with other security gateway routers, and protect traffic from internal networks when it is sent across the public IPv6 Internet.

The Internet Key Exchange (IKE) protocol is the key management protocol used together with IPsec when configuring IPv6 for the WS-IPSEC-3 IPsec VSPA. IKE automatically negotiates IPsec Security Associations (SAs) and enables secure IPsec communication. When the IPsec tunnel is configured, the IKE and IPsec SAs are negotiated and established before the line protocol of the tunnel interface comes up.

For more information on IKE, see the following URL:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfvpn2.html#wp2498693

Restrictions for the IPv6 Support on the VSPA

The following restrictions apply when configuring IPv6 for the IPsec VSPA:

  • IPv6 encryption is supported only in tunnel mode.
  • Authentication Header (AH) encapsulation is not supported. Only Encapsulating Security Payload (ESP) encapsulation is supported.
  • Crypto connect mode is not supported.
  • Up to 256 SVTI IPv6 tunnels are supported.
  • The maximum supported IPv6 MTU value is 9216 bytes.
  • Multicast is not supported.
  • OSPFv3 with authentication is not supported.
  • Only blade-to-blade failover is supported.
  • IPv6 over IPv4 Generic Routing Encapsulation (GRE) tunnels are not supported.
  • QoS and ACLs are not supported on IPv6 SVTI tunnels.
  • NAT is not supported.
  • Nested transform sets are not supported.
  • Crypto certificates are not supported.
  • Policy Based Routing (PBR) is not supported.

Configuring IPv6 Support for IPsec VSPA

Perform the following steps to configure IPv6 for the IPsec VSPA. The configuration consists of three tasks. The first task is to define an IKE policy and an IPv6 preshared key. The second task is to define an IPsec transform set and an IPsec profile. The third and final task is to configure the IPv6 IPsec VTI.

Summary Steps

1. enable

2. configure terminal

3. crypto engine mode vrf

4. ipv6 unicast-routing

5. crypto isakmp policy priority

6. authentication {rsa-sig | rsa-encr | pre-share}

7. hash {sha | md5}

8. group {1 | 2 | 5}

9. lifetime seconds

10. encryption {des | 3des | aes | aes 192 | aes 256}

11. exit

12. crypto isakmp key password-type keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth]

13. crypto keyring keyring-name [vrf vrf-name]

14. pre-shared-key {address address [mask] | hostname hostname | ipv6 {ipv6-address | ipv6-prefix}} key key

15. exit

16. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

17. crypto ipsec profile name

18. set transform-set transform-set-name [transform-set-name2...transform-set-name6]

19. exit

20. crypto isakmp profile profile-name [accounting aaalist ]

21. self-identity {[address | address ipv6] | fqdn | user-fqdn user-fqdn}

22. match identity {group group-name | address { address [ mask ] [ fvrf ] | ipv6 ipv6-address } | host host-name | host domain domain-name | user user-fqdn | user domain domain-name }

23. interface tunnel tunnel-number

24. ipv6 address ipv6-address/prefix

25. ipv6 enable

26. tunnel source { ip-address | ipv6-address | interface-type interface-number }

27. tunnel destination { host-name | ip-address | ipv6-address }

28. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}

29. tunnel protection ipsec profile name [shared]

30. crypto engine slot slot/subslot inside

31. interface type slot/subslot

32. ipv6 address ipv6-address/prefix

33. crypto engine slot slot/subslot outside

34. exit

Detailed Steps

Command
Purpose

Step 1

enable

Router# enable

Enables privileged EXEC mode. If prompted, enter your password.

Step 2

configure terminal

Router# configure terminal

Enters global configuration mode.

Step 3

crypto engine mode vrf

Router(config)# crypto engine mode vrf

Enables VRF mode for the IPsec VSPA.

Step 4

ipv6 unicast-routing

Router(config)# ipv6 unicast-routing

Enables IPv6 unicast routing. You need to enable IPv6 unicast routing only once, regardless of how many tunnel interfaces you configure.

Step 5

crypto isakmp policy priority

Router(config)# crypto isakmp policy 15

Defines an IKE policy and enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.

priority - Identifies the IKE policy and assigns a priority to it. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

Step 6

authentication pre-share

Router(config-isakmp-policy)# authentication pre-share

Specifies the authentication method within an IKE policy as a preshared key.

Step 7

hash {sha | md5}

Router(config-isakmp-policy)# hash md5

Specifies the hash algorithm to use within an IKE policy.

Step 8

group {1 | 2 | 5}

Router(config-isakmp-policy)# group 2

Specifies the Diffie-Hellman group identifier within an IKE policy.

Step 9

lifetime seconds

Router(config-isakmp-policy)# lifetime 43200

Specifies the lifetime of an IKE security association (SA). Setting the IKE lifetime value is optional.

seconds - Number of seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. The default is 86,400.

Step 10

encryption {des | 3des | aes | aes 192 | aes 256}

Router(config-isakmp-policy)# encryption 3des

Specifies the encryption algorithm within an IKE policy.

Step 11

exit

Router(config-isakmp-policy)# exit

Exits ISAKMP policy configuration mode and returns to global configuration mode.

Step 12

crypto isakmp key password-type keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth]

Router(config)# crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128

Configures a preshared authentication key.

Step 13

crypto keyring keyring-name [vrf vrf-name]

Router(config)# crypto keyring keyring1

Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.

Step 14

pre-shared-key ipv6 {ipv6-address | ipv6-prefix} key key

Router(config-keyring)# pre-shared-key ipv6 3FFE:2002::A8BB:CCFF:FE01:2C02/128 key cisco

Defines a preshared key to be used for IKE authentication.

Step 15

exit

Router(config-keyring)# exit

Exits keyring configuration mode.

Step 16

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Router(config)# crypto ipsec transform-set myset0 esp-3des esp-sha-hmac

Defines a transform set and enters crypto transform configuration mode. Use ESP transforms only; AH transforms are not supported for IPv6 on the VSPA (see Restrictions).

Step 17

crypto ipsec profile name

Router(config)# crypto ipsec profile profile0

Defines the IPsec parameters to be used for IPsec encryption between two IPsec routers and enters IPsec profile configuration mode.

Step 18

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Router(ipsec-profile)# set transform-set myset0

Specifies which transform sets can be used with the IPsec profile.

Step 19

exit

Router(ipsec-profile)# exit

Exits IPsec profile configuration mode.

Step 20

crypto isakmp profile profile-name [accounting aaalist]

Router(config)# crypto isakmp profile profile1

Defines an ISAKMP profile, audits IPsec user sessions, and enters ISAKMP profile configuration mode.

profile-name - Name of the ISAKMP profile.

Step 21

self-identity {address | address ipv6}

Router(config-isakmp-profile)# self-identity address ipv6

Defines the identity that the local IKE uses to identify itself to the remote peer.

Step 22

match identity address ipv6 ipv6-address

Router(config-isakmp-profile)# match identity address ipv6 3FFE:2002::A8BB:CCFF:FE01:2C02/128

Matches an identity from a remote peer in an ISAKMP profile.

Step 23

interface tunnel tunnel-number

Router(config)# interface tunnel 0

Specifies a tunnel interface and number, and enters interface configuration mode.

tunnel-number - Number assigned to the tunnel interface.

Step 24

ipv6 address ipv6-address/prefix

Router(config-if)# ipv6 address 3FFE:C000:0:7::/64 eui-64

Assigns an IPv6 address to the tunnel interface so that IPv6 traffic can be routed into the tunnel.

Step 25

ipv6 enable

Router(config-if)# ipv6 enable

Enables IPv6 on the tunnel interface.

Step 26

tunnel source {ip-address | ipv6-address | interface-type interface-number}

Router(config-if)# tunnel source ethernet 0

Sets the source address for the tunnel interface.

Step 27

tunnel destination ipv6-address

Router(config-if)# tunnel destination 2001:DB8:1111:2222::1

Specifies the destination for the tunnel interface.

Step 28

tunnel mode ipsec ipv6

Router(config-if)# tunnel mode ipsec ipv6

Sets the encapsulation mode for the tunnel interface. For IPv6 IPsec on the VSPA, only the ipsec ipv6 mode is supported.

Step 29

tunnel protection ipsec profile name

Router(config-if)# tunnel protection ipsec profile profile0

Associates the tunnel interface with the IPsec profile defined in Step 17. The shared keyword is not supported for IPv6.

Step 30

crypto engine slot slot/subslot inside

Router(config-if)# crypto engine slot 4/0 inside

Assigns the specified crypto engine to the tunnel interface.

slot/subslot - The slot and subslot where the IPsec VSPA is located.

Step 31

interface type slot/subslot

Router(config-if)# interface GigabitEthernet 1/2

Specifies the physical interface and enters interface configuration mode.

Step 32

ipv6 address ipv6-address/prefix

Router(config-if)# ipv6 address 3FFE:2002::A8BB:CCFF:FE01:2C01/112

Assigns an IPv6 address to the interface.

Step 33

crypto engine slot slot/subslot outside

Router(config-if)# crypto engine slot 4/0 outside

Assigns the specified crypto engine to the interface.

slot/subslot - The slot and subslot where the IPsec VSPA is located.

Step 34

exit

Router(config-if)# exit

Exits interface configuration mode.

Configuration Examples

This example shows how to configure IPv6 IPsec on the IPsec VSPA. Router 1 is configured as the hub and router 2 as the spoke. The prompts show the configuration mode each command is entered from.

Router1# enable
Router1# configure terminal
Router1(config)# crypto engine mode vrf
Router1(config)# ipv6 unicast-routing
Router1(config)# crypto isakmp policy 15
Router1(config-isakmp-policy)# authentication pre-share
Router1(config-isakmp-policy)# encr des
Router1(config-isakmp-policy)# hash md5
Router1(config-isakmp-policy)# group 2
Router1(config-isakmp-policy)# lifetime 7200
Router1(config-isakmp-policy)# exit
Router1(config)# crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128
Router1(config)# crypto keyring keyring1
Router1(config-keyring)# pre-shared-key ipv6 3FFE:2002::A8BB:CCFF:FE01:2C02/128 key cisco
Router1(config-keyring)# crypto ipsec transform-set ts esp-3des
Router1(cfg-crypto-trans)# crypto ipsec profile ipsec_profile_bulk
Router1(ipsec-profile)# set transform-set ts
Router1(ipsec-profile)# exit
Router1(config)# crypto isakmp profile tunnel_isakmp_prof_bulk
Router1(config-isakmp-profile)# self-identity address ipv6
Router1(config-isakmp-profile)# match identity address ipv6 3FFE:2002::A8BB:CCFF:FE01:2C02/128
Router1(config-isakmp-profile)# interface tunnel 1
Router1(config-if)# ipv6 address 3FFE:C000:0:7::1/64
Router1(config-if)# ipv6 enable
Router1(config-if)# tunnel source GigabitEthernet 1/2
Router1(config-if)# tunnel destination 3FFE:2002::A8BB:CCFF:FE01:2C02
Router1(config-if)# tunnel mode ipsec ipv6
Router1(config-if)# tunnel protection ipsec profile ipsec_profile_bulk
Router1(config-if)# crypto engine slot 4/0 inside
Router1(config-if)# interface GigabitEthernet 1/2
Router1(config-if)# ipv6 address 3FFE:2002::A8BB:CCFF:FE01:2C01/112
Router1(config-if)# crypto engine slot 4/0 outside
Router1(config-if)# exit

Router2# enable
Router2# configure terminal
Router2(config)# crypto engine mode vrf
Router2(config)# ipv6 unicast-routing
Router2(config)# crypto isakmp policy 15
Router2(config-isakmp-policy)# authentication pre-share
Router2(config-isakmp-policy)# encr des
Router2(config-isakmp-policy)# hash md5
Router2(config-isakmp-policy)# group 2
Router2(config-isakmp-policy)# lifetime 7200
Router2(config-isakmp-policy)# exit
Router2(config)# crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128
Router2(config)# crypto keyring keyring1
Router2(config-keyring)# pre-shared-key ipv6 3FFE:2002::A8BB:CCFF:FE01:2C01/128 key cisco
Router2(config-keyring)# crypto ipsec transform-set ts esp-3des
Router2(cfg-crypto-trans)# crypto ipsec profile ipsec_profile_bulk
Router2(ipsec-profile)# set transform-set ts
Router2(ipsec-profile)# exit
Router2(config)# crypto isakmp profile tunnel_isakmp_prof_bulk
Router2(config-isakmp-profile)# self-identity address ipv6
Router2(config-isakmp-profile)# match identity address ipv6 3FFE:2002::A8BB:CCFF:FE01:2C01/128
Router2(config-isakmp-profile)# interface tunnel 1
Router2(config-if)# ipv6 address 3FFE:C000:0:7::2/64
Router2(config-if)# ipv6 enable
Router2(config-if)# tunnel source GigabitEthernet 1/2
Router2(config-if)# tunnel destination 3FFE:2002::A8BB:CCFF:FE01:2C01
Router2(config-if)# tunnel mode ipsec ipv6
Router2(config-if)# tunnel protection ipsec profile ipsec_profile_bulk
Router2(config-if)# crypto engine slot 4/0 inside
Router2(config-if)# interface GigabitEthernet 1/2
Router2(config-if)# ipv6 address 3FFE:2002::A8BB:CCFF:FE01:2C02/112
Router2(config-if)# crypto engine slot 4/0 outside
Router2(config-if)# exit
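As an added example that is not part of this Cisco guide, the following Python script lints a running-config fragment against the restrictions and required steps of this chapter: ipv6 unicast-routing present, ESP-only transform sets, every tunnel in ipsec ipv6 mode protected by a defined IPsec profile without the shared keyword, and an inside crypto engine on each such tunnel. The sample configuration is constructed from the Router1 example above; the function and variable names are the script's own.

```python
import re
# Constructed running-config fragment modelled on this chapter's Router1 example (not a real capture).
SAMPLE_CONFIG = """\
ipv6 unicast-routing
crypto ipsec transform-set ts esp-3des
crypto ipsec profile ipsec_profile_bulk
 set transform-set ts
interface Tunnel1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipsec_profile_bulk
 crypto engine slot 4/0 inside
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command, IOS style."""
    sections = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def check_ipv6_vspa_config(config):
    """Return findings against this chapter's restrictions; an empty list is clean."""
    sections = parse_sections(config)
    findings = [] if any(t == "ipv6 unicast-routing" for t, _ in sections) else ["ipv6 unicast-routing is missing"]
    profiles = {m.group(1): body for t, body in sections
                if (m := re.match(r"crypto ipsec profile (\S+)$", t))}
    for t, _ in sections:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", t)
        if m and any(x.startswith("ah-") for x in m.group(2).split()):
            findings.append(f"transform-set {m.group(1)}: AH is not supported, use ESP only")
    for top, body in sections:
        if not top.startswith("interface Tunnel") or "tunnel mode ipsec ipv6" not in body:
            continue  # only IPv6 SVTI tunnels are subject to these checks
        prot = [c.split() for c in body if c.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"{top}: no tunnel protection ipsec profile")
        else:
            if "shared" in prot[0]:
                findings.append(f"{top}: the shared keyword is not supported for IPv6")
            if prot[0][4] not in profiles:
                findings.append(f"{top}: IPsec profile {prot[0][4]} is not defined")
        if not any(re.fullmatch(r"crypto engine slot \S+ inside", c) for c in body):
            findings.append(f"{top}: missing crypto engine slot slot/subslot inside")
    return findings
```

Run it against the output of show running-config on a router to get a list of deviations; an empty list means the fragment satisfies every check the script implements.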

Verifying IPv6 Support for IPsec VSPA

Use these commands to verify the IPv6 configuration for IPsec VSPA:

Command
Purpose

show crypto ipsec sa [ ipv6 ] [ interface-type interface-number ]

Displays the current SA settings in IPv6.

show crypto isakmp policy

Displays the parameters for each IKE policy.

show crypto isakmp profile [ tag profilename | vrf vrfname ]

Displays all the ISAKMP profiles that are defined.