This document describes how to implement the Dynamic Multipoint VPN for IPv6 feature, which allows users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IP security (IPsec) encryption, and the Next Hop Resolution Protocol (NHRP). In Dynamic Multipoint Virtual Private Network (DMVPN) for IPv6, the public network (the Internet) is a pure IPv4 network, and the private network (the intranet) is IPv6 capable.
IPv6 support on DMVPN was extended to the public network (the Internet) facing the Internet service provider (ISP). The IPv6 transport for DMVPN feature builds IPv6 WAN-side capability into NHRP tunnels and the underlying IPsec encryption, and enables IPv6 to transport payloads on the Internet.
The IPv6 transport for DMVPN feature is enabled by default. You need not upgrade your private internal network to IPv6 for the IPv6 transport for DMVPN feature to function. You can have either IPv4 or IPv6 addresses on your local networks.
Note: Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for IPv6 over DMVPN
One of the following protocols must be enabled for DMVPN for IPv6 to work: Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), On-Demand Routing (ODR), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
Every IPv6 NHRP interface is configured with one IPv6 unicast address. This address can be a globally reachable or unique local address.
Every IPv6 NHRP interface is configured with one IPv6 link-local address that is unique across all DMVPN hosts in the DMVPN cloud (that is, the hubs and spokes).
Restrictions for IPv6 over DMVPN
IPv6 can be configured only on a protected network.
IPv6 VRFs are not fully supported by IPv6 routing protocols such as EIGRP or OSPF. Therefore, DMVPN for IPv6 does not support IPv6 VRFs.
The DMVPN feature combines NHRP routing, multipoint generic routing encapsulation (mGRE) tunnels, and IPsec encryption to provide users ease of configuration via crypto profiles--which override the requirement for defining static crypto maps--and dynamic discovery of tunnel endpoints.
This feature relies on the following Cisco enhanced standard technologies:
NHRP--A client and server protocol where the hub is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for real addresses of the destination spokes to build direct tunnels.
mGRE tunnel interface--An mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels and simplifies the size and complexity of the configuration.
IPsec encryption--An IPsec tunnel interface facilitates the protection of site-to-site IPv6 traffic with native encapsulation.
In DMVPN for IPv6, the public network (the Internet) is a pure IPv4 network, and the private network (the intranet) is IPv6 capable. The intranets could be a mix of IPv4 or IPv6 clouds connected to each other using DMVPN technologies, with the underlying carrier being a traditional IPv4 network.
The NHRP protocol resolves a given intranet address (IPv4 or IPv6) to an Internet address (IPv4 nonbroadcast multiaccess [NBMA] address).
In the figure below, the intranets that are connected over the DMVPN network are IPv6 clouds, and the Internet is a pure IPv4 cloud. Spokes S1 and S2 are connected to Hub H over the Internet using a statically configured tunnel. The address of the tunnel itself is in the IPv6 domain, because it is another node on the intranet. The source and destination addresses of the tunnel (the mGRE endpoints), however, are always in IPv4, in the Internet domain. The mGRE tunnel is aware of the IPv6 network because the GRE passenger protocol is an IPv6 packet, and the GRE transport (or carrier) protocol is an IPv4 packet.
Figure 1: IPv6 Topology That Triggers NHRP
When an IPv6 host in LAN L1 sends a packet destined to an IPv6 host in LAN L2, the packet is first routed to the gateway (which is Spoke S1) in LAN L1. Spoke S1 is a dual-stack router, which means both IPv4 and IPv6 are configured on it. The IPv6 routing table in S1 points to a next hop, which is the IPv6 address of the tunnel on Spoke S2. This is a VPN address that must be mapped to an NBMA address, triggering NHRP.
When IPv6 NHRP redirect is enabled, NHRP examines every data packet in the output feature path. If the data packet enters and leaves on the same logical network, NHRP sends an NHRP traffic indication message to the source of the data packet. In NHRP, a logical network is identified by the NHRP network ID, which groups multiple physical interfaces into a single logical network.
When IPv6 NHRP shortcut is enabled, NHRP intercepts every data packet in the output feature path. It checks to see if there is an NHRP cache entry to the destination of the data packet and, if yes, it replaces the current output adjacency with the one present in the NHRP cache. The data packet is therefore switched out using the new adjacency provided by NHRP.
IPv6 Routing
NHRP is automatically invoked for mGRE tunnels carrying the IPv6 passenger protocol. When a packet is routed and sent to the switching path, NHRP looks up the given next hop and, if required, initiates an NHRP resolution query. If the resolution is successful, NHRP populates the tunnel endpoint database, which in turn populates the Cisco Express Forwarding adjacency table. The subsequent packets are Cisco Express Forwarding switched if Cisco Express Forwarding is enabled.
IPv6 Addressing and Restrictions
IPv6 allows multiple unicast addresses on a given IPv6 interface. IPv6 also allows special address types, such as anycast, multicast, link-local addresses, and unicast addresses.
DMVPN for IPv6 has the following addressing restrictions:
Every IPv6 NHRP interface is configured with one IPv6 unicast address. This address can be a globally reachable or unique local address.
Every IPv6 NHRP interface is configured with one IPv6 link-local address that is unique across all DMVPN hosts in the DMVPN cloud (that is, the hubs and spokes).
If no other tunnels on the router are using the same tunnel source, then the tunnel source address can be embedded into an IPv6 address.
If the router has only one DMVPN IPv6 tunnel, then manual configuration of the IPv6 link-local address is not required. Instead, use the ipv6 enable command to autogenerate a link-local address.
If the router has more than one DMVPN IPv6 tunnel, then the link-local address must be manually configured using the ipv6 address fe80::2001 link-local command.
The IPsec profile shares most commands with the crypto map configuration, but only a subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that are to be encrypted.
Before You Begin
Before configuring an IPsec profile, you must do the following:
Define a transform set by using the crypto ipsec transform-set command.
Make sure that the Internet Security Association Key Management Protocol (ISAKMP) profile is configured with default ISAKMP settings.
(Optional) Specifies that IPsec should ask for perfect forward secrecy (PFS) when requesting new security associations for this IPsec profile. If this command is not specified, the default Diffie-Hellman (DH) group, group1, will be enabled.
1--768-bit DH (no longer recommended)
2--1024-bit DH (no longer recommended)
5--1536-bit DH (no longer recommended)
14--Specifies the 2048-bit DH group.
15--Specifies the 3072-bit DH group.
16--Specifies the 4096-bit DH group.
19--Specifies the 256-bit elliptic curve DH (ECDH) group.
20--Specifies the 384-bit ECDH group.
24--Specifies the 2048-bit DH/DSA group.
Step 10
end
Example:
Device(config-crypto-map)# end
Exits crypto map configuration mode and returns to privileged EXEC mode.
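The IPsec profile procedure above, as an added IOS CLI example that is not part of this document: a profile with a PFS group the step marks as no longer recommended, beside the corrected profile. The names DMVPN-TS, DMVPN-PROFILE-WEAK and DMVPN-PROFILE are assumptions, and the ISAKMP policy and keying are assumed to be configured separately, as the prerequisites require.

```text
! Added example (IOS CLI), not from this document. Names DMVPN-TS,
! DMVPN-PROFILE-WEAK and DMVPN-PROFILE are assumptions; the ISAKMP policy
! and keying are assumed to be configured separately.
!
! Transform set referenced by both profiles (transport mode is usual for
! DMVPN because the mGRE header already carries the tunnel endpoints)
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Weak: PFS requests a 1024-bit DH group, which the set pfs step above
! lists as no longer recommended
crypto ipsec profile DMVPN-PROFILE-WEAK
 set transform-set DMVPN-TS
 set pfs group2
!
! Corrected: 2048-bit DH (group 14); groups 19 or 20 (ECDH) are the
! alternative. An explicit SA lifetime makes rekeys happen on a known
! schedule rather than the platform default.
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
 set pfs group14
 set security-association lifetime seconds 3600
```

Only IPsec policy commands are accepted under the profile; the peer address and match ACL that a crypto map would carry are supplied by the tunnel interface that references the profile.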
Configuring the Hub for IPv6 over DMVPN
Perform this task to configure the hub router for IPv6 over DMVPN for mGRE and IPsec integration (that is, associate the tunnel with the IPsec profile configured in the previous procedure).
Configures a tunnel interface and enters interface configuration mode.
The number argument specifies the number of the tunnel interfaces that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Sets the current bandwidth value for an interface to higher-level protocols.
The bandwidth-size argument specifies the bandwidth in kilobits per second. The default value is 9. The recommended bandwidth value is 1000 or greater.
Step 14
ipv6 nhrp holdtime seconds
Example:
Router(config-if)# ipv6 nhrp holdtime 3600
Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses.
Step 15
end
Example:
Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Configuring the NHRP Redirect and Shortcut Features on the Hub
Configures a tunnel interface and enters interface configuration mode.
The number argument specifies the number of the tunnel interfaces that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
15. bandwidth {interzone | total | session} {default | zone zone-name} bandwidth-size
16. ipv6 nhrp holdtime seconds
17. end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
interface tunnel number
Example:
Router(config)# interface tunnel 5
Configures a tunnel interface and enters interface configuration mode.
The number argument specifies the number of the tunnel interfaces that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Associates a tunnel interface with an IPsec profile.
The name argument specifies the name of the IPsec profile; this value must match the name specified in the crypto ipsec profile name command.
Step 15
bandwidth {interzone | total | session} {default | zone zone-name} bandwidth-size
Example:
Router(config-if)# bandwidth total 1200
Sets the current bandwidth value for an interface to higher-level protocols.
The bandwidth-size argument specifies the bandwidth in kilobits per second. The default value is 9. The recommended bandwidth value is 1000 or greater.
The bandwidth setting for the spoke need not equal the bandwidth setting for the DMVPN hub. It is usually easier if all of the spokes use the same or similar value.
Step 16
ipv6 nhrp holdtime seconds
Example:
Router(config-if)# ipv6 nhrp holdtime 3600
Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses.
Step 17
end
Example:
Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
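The hub procedure above (tunnel interface, IPsec profile association, bandwidth, holdtime, and the NHRP redirect and shortcut features) brought together in one added IOS CLI example that is not part of this document. Assumptions: the IPsec profile DMVPN-PROFILE already exists, GigabitEthernet0/0 is the IPv4 Internet-facing interface, 2001:db8:100::/64 is the tunnel (intranet) prefix, and NHRP network ID 100 is not used elsewhere on the router.

```text
! Added example (IOS CLI), not from this document. Assumptions: IPsec
! profile DMVPN-PROFILE exists, GigabitEthernet0/0 is the IPv4 WAN
! interface, 2001:db8:100::/64 is the tunnel prefix, network ID 100 is free.
interface Tunnel5
 ! Page recommends 1000 kbps or more; the default of 9 skews routing metrics
 bandwidth 1000
 ! One global or unique-local unicast address per IPv6 NHRP interface
 ipv6 address 2001:db8:100::1/64
 ! Required form when the router has more than one DMVPN IPv6 tunnel;
 ! the link-local address must be unique across every hub and spoke
 ipv6 address fe80::2001 link-local
 ! Hub replicates multicast (routing protocol) traffic to spokes that
 ! register dynamically; static maps are not needed on the hub
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100
 ! Lifetime advertised for NBMA addresses in authoritative NHRP replies
 ipv6 nhrp holdtime 3600
 ! Redirect: traffic indication to the source when a packet enters and
 ! leaves the same NHRP network. Shortcut: swap in the adjacency from
 ! the NHRP cache when one exists for the destination.
 ipv6 nhrp redirect
 ipv6 nhrp shortcut
 ! mGRE endpoints are IPv4 addresses in the Internet domain
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! Encrypt the GRE traffic with the profile from the previous procedure
 tunnel protection ipsec profile DMVPN-PROFILE
```

After spokes register, show dmvpn and show ipv6 nhrp list the registered NBMA-to-tunnel mappings, which is the quickest way to confirm that a spoke is reaching the hub over IPsec before troubleshooting the IPv6 routing protocol.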
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1: Feature Information for IPv6 over DMVPN

Feature Name: IPv6 over DMVPN
Releases: 12.4(20)T
Feature Information: The DMVPN feature allows users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IP security (IPsec) encryption, and the Next Hop Resolution Protocol (NHRP). In Dynamic Multipoint Virtual Private Network (DMVPN) for IPv6, the public network (the Internet) is a pure IPv4 network, and the private network (the intranet) is IPv6 capable.
The following commands were introduced or modified: clear dmvpn session, clear ipv6 nhrp, crypto ipsec profile, debug dmvpn, debug dmvpn condition, debug nhrp condition, debug nhrp error, ipv6 nhrp authentication, ipv6 nhrp holdtime, ipv6 nhrp interest, ipv6 nhrp map, ipv6 nhrp map multicast, ipv6 nhrp map multicast dynamic, ipv6 nhrp max-send, ipv6 nhrp network-id, ipv6 nhrp nhs, ipv6 nhrp record, ipv6 nhrp redirect, ipv6 nhrp registration, ipv6 nhrp responder, ipv6 nhrp server-only, ipv6 nhrp shortcut, ipv6 nhrp trigger-svc, ipv6 nhrp use, set pfs, set security-association lifetime, set transform-set, show dmvpn, show ipv6 nhrp, show ipv6 nhrp multicast, show ipv6 nhrp nhs, show ipv6 nhrp summary, show ipv6 nhrp traffic.

Feature Name: IPv6 Transport for DMVPN
Releases: 15.2(1)T
Feature Information: The IPv6 transport for DMVPN feature builds IPv6 WAN-side capability into NHRP tunnels and the underlying IPsec encryption, and enables IPv6 to transport payloads on the Internet. The IPv6 transport for DMVPN feature is enabled by default.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.