
Deploying IPv6 in WAN/Branch Networks

Chapter Description

This chapter provides an overview of WAN/branch deployment, covers WAN/branch IPv6 deployment considerations and WAN/branch deployment over native IPv6, and includes an example of a WAN/branch implementation.

WAN/Branch Deployment over Native IPv6

At the time of this writing, it is rare for an enterprise to have full end-to-end reachability over native IPv6 from a branch site to a WAN head-end. As more service providers deploy IPv6 services to their customers, the enterprise can use native IPv6 as the transport for encrypted IPv6 traffic between sites and leave behind the IPv6-in-IPv4 encrypted tunnel deployments discussed earlier in this chapter.

Cisco IOS supports IPsec over IPv6. The following section provides a basic configuration example of how to deploy IPsec over IPv6 between two Cisco IOS routers.

Figure 8-6 shows a network topology of two routers connected to the Internet over IPv6. In this case the routers are IPv6-only, with IPv6-only devices attached; they are not running dual-stack (IPv4 and IPv6), although they could be.

Figure 8-6 IPsec VPN over IPv6 Internet

The configuration is straightforward and closely resembles that of a point-to-point IPsec configuration over IPv4. The differences are mostly in the addressing of the interfaces and tunnel endpoints.

Example 8-13 shows the basic configuration on the HQ-1 router. The Internet Security Association and Key Management Protocol (ISAKMP) and IPsec policy information is the same as that used in the HBE discussed earlier. The difference comes in the tunnel configuration: the tunnel source and destination are now IPv6 addresses instead of IPv4 addresses, and the tunnel mode is IPsec over IPv6 transport. Finally, the serial interface has an IPv6 address that is used for the connection to the IPv6-enabled ISP. Unicast Reverse Path Forwarding (uRPF) is enabled on that interface so that packets whose source address is not reachable back through it are dropped, which mitigates source-address spoofing. In a production deployment, an ingress ACL on the serial interface would also restrict traffic to the protocols and source/destination pairs (branch and HQ) that the tunnel needs. Note also that the example binds the ISAKMP pre-shared key to the wildcard address ::/0, so any peer that knows the key can negotiate with this router; in production, scope the key to the branch endpoint address and prefer a Diffie-Hellman group stronger than group 2 (1024-bit MODP) where the IOS release supports it.

Example 8-13. HQ-1 Configuration

ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8:CAFE:900::1/64
 ipv6 eigrp 10
 tunnel source 2001:DB8:CAFE:202::2   #Source is now using IPv6
 tunnel mode ipsec ipv6             #IPSec over IPv6 tunnel mode
 tunnel destination 2001:DB8:CAFE:1000::2  #Dest. now using IPv6
 tunnel protection ipsec profile HUB
 !
interface GigabitEthernet1/0
 description LAN
 no ip address
 ipv6 address 2001:DB8:CAFE:201::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 description to ISP
 no ip address
 ipv6 address 2001:DB8:CAFE:202::2/64     #v6 connection to ISP
 ipv6 verify unicast reverse-path                #uRPF for IPv6
!
ipv6 route ::/0 2001:DB8:CAFE:202::1             #Default to ISP
ipv6 router eigrp 10
 eigrp router-id 1.1.1.2
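The production hardening that the discussion of Example 8-13 calls for, as an added example that is not part of the original chapter: the pre-shared key is scoped to the branch endpoint instead of the ::/0 wildcard, the ISAKMP policy moves from DH group 2 to group 14, and an ingress IPv6 ACL on the ISP-facing interface admits only IKE and ESP from the branch, plus the ICMPv6 the link needs. The addresses are the chapter's own; the ACL name WAN-IN and the key string are assumptions. Because an explicit deny at the end of an IOS IPv6 ACL removes the implicit Neighbor Discovery permits, those are restated explicitly, and ICMPv6 Packet Too Big is permitted so that path MTU discovery still works across the tunnel overhead.

```cisco
! Added hardening for HQ-1 (example only, not the chapter's configuration).
! Assumptions: ACL name WAN-IN, key string Br4nch-HQ-Psk, IOS supports DH group 14.
!
! 1. Bind the pre-shared key to the branch tunnel endpoint only.
no crypto isakmp key CISCO address ipv6 ::/0
crypto isakmp key Br4nch-HQ-Psk address ipv6 2001:DB8:CAFE:1000::2/128
!
! 2. Replace the 1024-bit DH group 2 with the 2048-bit group 14.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! 3. Ingress filter for the ISP-facing interface.
ipv6 access-list WAN-IN
 remark IKE (UDP 500) and ESP, only from the branch endpoint to this router
 permit udp host 2001:DB8:CAFE:1000::2 host 2001:DB8:CAFE:202::2 eq isakmp
 permit esp host 2001:DB8:CAFE:1000::2 host 2001:DB8:CAFE:202::2
 remark ICMPv6 needed for PMTUD and for Neighbor Discovery on the link
 permit icmp any any packet-too-big
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark Explicit deny; also removes the ACL's implicit ND permits (restated above)
 deny ipv6 any any log
!
interface Serial2/0
 ipv6 traffic-filter WAN-IN in
```

The mirror-image filter on BRANCH-1 swaps the two host addresses. This filter assumes the serial link carries only the site-to-site tunnel; if the HQ LAN also reaches the Internet directly over this link, return traffic needs a stateful inspection policy or additional permits. After applying it, confirm with show ipv6 access-list WAN-IN that the IKE and ESP entries accumulate hits while the deny line stays quiet for legitimate traffic, and with show crypto isakmp sa that the peer still reaches QM_IDLE.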

Example 8-14 shows the configuration for BRANCH-1. It is similar to the configuration for HQ-1, with the exception of the addressing and the transform-set and IPsec profile names.

Example 8-14. BRANCH-1 Configuration

ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8:CAFE:900::2/64
 ipv6 eigrp 10
 tunnel source 2001:DB8:CAFE:1000::2
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8:CAFE:202::2
 tunnel protection ipsec profile SPOKE
!
interface GigabitEthernet1/0
 description LAN
 no ip address
 ipv6 address 2001:DB8:CAFE:1001::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 description to ISP
 no ip address
 ipv6 address 2001:DB8:CAFE:1000::2/64
 ipv6 verify unicast reverse-path
!
ipv6 route ::/0 2001:DB8:CAFE:1000::1
ipv6 router eigrp 10
 eigrp router-id 1.1.1.3

Example 8-15 shows the status of the ISAKMP peers and security association (SA) state on HQ-1. The IPv4 section is empty because no IPv4 peer exists; the IPv6 section lists an SA in each direction with the branch endpoint, both in state QM_IDLE with status ACTIVE, which indicates that Phase 1 completed and the SA is available for Quick Mode (Phase 2) negotiation.

Example 8-15. ISAKMP Peer and SA Output on HQ-1

HQ-1# show crypto isakmp peers
Peer: 2001:DB8:CAFE:1000::2 Port: 500 Local: 2001:DB8:CAFE:202::2
 Phase1 id: 2001:DB8:CAFE:1000::2

HQ-1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

 dst: 2001:DB8:CAFE:1000::2
 src: 2001:DB8:CAFE:202::2
 state: QM_IDLE         conn-id:   1002 status: ACTIVE

 dst: 2001:DB8:CAFE:202::2
 src: 2001:DB8:CAFE:1000::2
 state: QM_IDLE         conn-id:   1003 status: ACTIVE