https://lms.onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=IPSec%3A_IPv6_Site_to_Site_di_Cisco 2026-04-25T20:43:37Z Revision history for this page on the wiki MediaWiki 1.45.1 https://lms.onnocenter.or.id/wiki/index.php?title=IPSec:_IPv6_Site_to_Site_di_Cisco&diff=67234&oldid=prev 2022-12-13T02:05:41Z

<p>Created page with &quot;Sumber: https://community.cisco.com/t5/networking-knowledge-base/configuration-example-site-to-site-vpn-for-ipv6-ipsec/ta-p/3134857 Step 1: Configure IKE Policy and Pre-share...&quot;</p> <p><b>New page</b></p><div>Sumber: https://community.cisco.com/t5/networking-knowledge-base/configuration-example-site-to-site-vpn-for-ipv6-ipsec/ta-p/3134857<br /> <br /> Step 1: Configure IKE Policy and Pre-shared Key:<br /> Step 2: Configuring an IPsec Transform Set and IPsec Profile:<br /> Step 3: Configure an ISAKMP Profile in IPv6:<br /> <br /> <br /> Introduction:<br /> This document discuss about IPv6 IPsec Site-to-Site VPN Using Virtual Tunnel Interface with configuration example.<br /> <br /> Cisco IOS IPsec functionality provides network data encryption at the IP packet level, offering a robust, standards-based security solution. IPsec provides data authentication and anti-replay services in addition to data confidentiality services. With IPsec, data can be sent across a public network without observation, modification, or spoofing.<br /> General usage scenarios for IPv6 IPSec:<br /> 1) Site-to-site VPN – protect all IPv6 traffic between two trusted networks<br /> 2) Configured Secure Tunnel – protect IPv6 traffic being tunneled over an non trusted IPv4 network.<br /> 3) IPSec can also be used to protect control plane functions, such as IPSec to protect OSPFv3.<br /> <br /> <br /> <br /> Background:<br /> In following example IPSec-protected tunnel is set up between CE1 and CE2 to communicate over public network. The routers ISP_IR1 and ISP_IR2 have global IPv6 address and does not have knowledge about private subnets present on CE1 and CE2.<br /> <br /> Topology diagram:<br /> <br /> Ipv6Ipvsec.jpg<br /> <br /> Configuration overview:<br /> <br /> <br /> Site-to-site VPN is configure on router as follows:<br /> <br /> <br /> <br /> Step 1: Configure IKE Policy and Pre-shared Key:<br /> <br /> <br /> Configure same ISAKMP policy on the routers CE1 and CE2<br /> <br /> CE1#conf t<br /> Enter configuration commands, one per line. End with CNTL/Z.<br /> CE1(config)#crypto isakmp policy 10<br /> CE1(config-isakmp)#encryption 3des<br /> CE1(config-isakmp)#group 2<br /> CE1(config-isakmp)#authentication pre-share<br /> CE1(config-isakmp)#exit<br /> <br /> <br /> <br /> Each router must be configured with the same key, but the configuration statement should designate the address of the appropriate interface on the peer router.<br /> <br /> <br /> <br /> CE1:<br /> <br /> CE1(config)#crypto isakmp key 0 ipsecvpn address ipv6 2002::1/128<br /> <br /> <br /> <br /> CE2:<br /> <br /> CE2(config)#crypto isakmp key 0 ipsecvpn address ipv6 2001::1/128<br /> <br /> <br /> <br /> These keys are default ISAKMP keyring. We can use multiple named keyrings used when the router is hosting remote client VPNs for multiple different groups of clients.<br /> <br /> crypto keyring keyring-name ……………(to specify keyring)<br /> <br /> <br /> <br /> Step 2: Configuring an IPsec Transform Set and IPsec Profile:<br /> Configure same IPsec Transform Set and IPsec Profile on the routers CE1 and CE2:<br /> <br /> CE1(config)#crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac<br /> CE1(cfg-crypto-trans)#mode tunnel<br /> CE1(cfg-crypto-trans)#exit<br /> CE1(config)#crypto ipsec profile ipv6_ipsec_pro ……(This transform set need to bind in VTI step4)<br /> CE1(ipsec-profile)#set transform-set ipv6_tran<br /> CE1(ipsec-profile)#exit<br /> CE1(config)#<br /> <br /> <br /> <br /> Step 3: Configure an ISAKMP Profile in IPv6:<br /> ISAKMP profile is configured in the routers CE1 and CE2 and ensure that configuration statement must designate the identity address of the appropriate interface on the peer router.<br /> <br /> CE1(config)#crypto isakmp profile 3des<br /> % A profile is deemed incomplete until it has match identity statements<br /> CE1(conf-isa-prof)#self-identity address ipv6<br /> CE1(conf-isa-prof)#match identity address ipv6 2002::1/128<br /> CE1(conf-isa-prof)#keyring default<br /> CE1(conf-isa-prof)# exit<br /> CE1(config)#<br /> <br /> <br /> <br /> Step 4: Configure ipsec IPv6 VTI :<br /> <br /> Configuring IPv6 IPsec VTI on router is pretty simple<br /> <br /> CE1(config)#int tunnel 1<br /> CE1(config-if)#ipv6 enable<br /> CE1(config-if)#ipv6 address 2012::1/64<br /> CE1(config-if)#tunnel source 2001::1<br /> CE1(config-if)#tunnel destination 2002::1<br /> CE1(config-if)#tunnel mode ipsec ipv6<br /> CE1(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro<br /> *Mar 1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON<br /> CE1(config-if)#exit<br /> <br /> <br /> <br /> CE2(config)#int tunnel 1<br /> CE2(config-if)#ipv6 enable<br /> CE2(config-if)#ipv6 address 2012::2/64<br /> CE2(config-if)#tunnel source 2002::1<br /> CE2(config-if)#tunnel destination 2001::1<br /> CE2(config-if)#tunnel mode ipsec ipv6<br /> CE2(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro<br /> *Mar 1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON<br /> CE2(config-if)#exit<br /> <br /> <br /> <br /> To make the tunnel as best path for the remote site network, you must configure static routes in the routers CE1 and CE2.<br /> <br /> <br /> CE1:<br /> <br /> CE1(config)#ipv6 route FC01::/64 2012::2<br /> <br /> <br /> <br /> CE2:<br /> <br /> CE2(config)#ipv6 route FC00::/64 2012::1<br /> <br /> <br /> <br /> Verification commands:<br /> 1) This command displays the active ISAKMP sessions on the router<br /> <br /> CE1#show crypto isakmp sa<br /> IPv4 Crypto ISAKMP SA<br /> dst src state conn-id slot status<br /> <br /> <br /> <br /> IPv6 Crypto ISAKMP SA<br /> <br /> <br /> <br /> dst: 2002::1<br /> src: 2001::1<br /> state: QM_IDLE conn-id: 1007 slot: 0 status: ACTIVE<br /> <br /> <br /> <br /> To displays a summary of the configuration information for the crypto engines.<br /> <br /> CE1#show crypto engine connection active<br /> Crypto Engine Connections<br /> <br /> <br /> <br /> ID Interface Type Algorithm Encrypt Decrypt IP-Address<br /> 1 Tu1 IPsec 3DES+SHA 0 95 2001::1<br /> 2 Tu1 IPsec 3DES+SHA 128 0 2001::1<br /> 1007 Tu1 IKE SHA+3DES 0 0 2001::1<br /> <br /> <br /> <br /> CE1#ping fc01::1 source fc00::1<br /> <br /> <br /> <br /> Type escape sequence to abort.<br /> Sending 5, 100-byte ICMP Echos to FC01::1, timeout is 2 seconds:<br /> Packet sent with a source address of FC00::1<br /> !!!!!<br /> Success rate is 100 percent (5/5), round-trip min/avg/max = 36/187/388 ms<br /> <br /> <br /> CE1#traceroute<br /> Protocol [ip]: ipv6<br /> Target IPv6 address: fc01::1<br /> Source address: fc00::1<br /> Insert source routing header? [no]:<br /> Numeric display? [no]:<br /> Timeout in seconds [3]:<br /> Probe count [3]:<br /> Minimum Time to Live [1]:<br /> Maximum Time to Live [30]:<br /> Priority [0]:<br /> Port Number [33434]:<br /> Type escape sequence to abort.<br /> Tracing the route to FC01::1<br /> <br /> <br /> <br /> 1 FC01::1 304 msec 184 msec 160 msec<br /> <br /> <br /> <br /> <br /> <br /> Related Information:<br /> http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-ipsec.html<br /> <br /> <br /> <br /> http://tools.ietf.org/html/rfc4294#page-10<br /> <br /> <br /> <br /> <br /> <br /> Base Initial configuration:<br /> <br /> <br /> <br /> IPv6 Configuration<br /> :configurationconfiguration_exampleexampleipsecipv6site-to-sitesite-to-site_vpnvpn<br /> 135431-CE2.txt.zip<br /> 135429-ISR_IR2.txt.zip<br /> 135432-CE1.txt.zip<br /> 135430-ISR_IR1.txt.zip<br /> <br /> <br /> <br /> <br /> ==Referensi==<br /> <br /> * https://community.cisco.com/t5/networking-knowledge-base/configuration-example-site-to-site-vpn-for-ipv6-ipsec/ta-p/3134857</div>

Unknown user