Disclaimer: No IPv6 blog would be complete without stating that we should all hail the Chief Stroopwafel Officer, Mistress of IPv6

As the transition to IPv6 accelerates, organizations are increasingly looking to extend their VPN infrastructure to support IPv6 traffic. Fortunately, Cisco IOS and ASA platforms make it possible to deploy IPSec VPNs over IPv6 using static crypto maps or tunnel interfaces (VTIs). In this post, we’ll explore the key considerations and walk through an example configuration using certificate-based authentication.

Key IPv6 VPN Considerations

  • Static crypto maps and VTIs are both valid methods for deploying IPv6 VPNs.
  • On Cisco ASA, IPv6 VPNs use the same crypto map configuration as IPv4. The main difference lies in ensuring that IPv6 addresses are correctly applied in proxy access lists and peer definitions.
  • When an interface has multiple IPv6 addresses, you can specify which address should be used for IPSec negotiation using the ipv6-local-address command under the interface or crypto map.
  • Certificate-based authentication works similarly for IPv6 as it does for IPv4 IPSec, leveraging X.509 digital certificates and trustpoints.

Sample Configuration: IPv6 IPSec VPN with IOS CA

This example walks through configuring an IPv6 VPN between two routers using certificate maps and crypto maps.

1. Configure the CA Trustpoint

crypto pki trustpoint IOS-CA
 enrollment url http://2.2.2.2:80
 password cisco123
 subject-name cn=r10.cisco.com
 revocation-check none

The enrollment URL is an IPv4 address, so the CA only has to be reachable over IPv4 even though the tunnel itself carries IPv6. The password is the one-time challenge password used during enrollment, not a shared secret for the VPN. Note that revocation-check none switches off CRL and OCSP checking entirely: a peer whose certificate the CA has since revoked will still authenticate. That is fine for a lab, but in production point revocation-check at a CRL distribution point or OCSP responder the router can actually reach.

2. Define ISAKMP Policy (Phase 1)

crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 5

authentication rsa-sig selects certificate (RSA signature) authentication rather than pre-shared keys. The remaining values are the defaults many older examples use: encryption aes is AES-128, hash sha is SHA-1, and group 5 is 1536-bit MODP Diffie-Hellman. On a release that supports them, prefer hash sha256 and group 14 or higher; the peer's policy must match whichever set you pick.

3. Define IPv6 Proxy ACL

This ACL (the crypto or "proxy" ACL) defines the IPv6 traffic that will be encrypted over the VPN tunnel. The source is the local protected prefix and the destination is the remote one; the peer must configure the exact mirror (its own prefix as source, 2010:10:10::/64 as destination) or Phase 2 will fail to agree on proxy identities:

ipv6 access-list VPN
 permit ipv6 2010:10:10::/64 2011:11:11::/64

4. Configure the IPSec Transform Set (Phase 2)

crypto ipsec transform-set tset esp-aes esp-sha-hmac

5. Create Certificate Map for Peer Matching

This certificate map restricts which peer certificates the ISAKMP profile will accept. The co operator means "contains", so the rule matches any certificate whose subject name contains the string cisco.com anywhere, including names such as cn=r11.cisco.com.attacker.example. It is a filter applied on top of normal chain validation against the trustpoint, not a replacement for it; for a point-to-point tunnel, matching the exact subject with eq (and optionally the issuer-name as well) is tighter:

crypto pki certificate map CMAP 10
 subject-name co cisco.com

6. Bind Certificate Map to ISAKMP Profile

crypto isakmp profile ISA_PROF2
match certificate CMAP

7. Configure the Crypto Map

crypto map ipv6 MAP 10 ipsec-isakmp
set peer 2010:4:11::11
set transform-set tset
set pfs group5
set isakmp-profile ISA_PROF2
match address VPN

Apply the crypto map to the interface that faces the peer (ipv6 crypto map MAP in interface configuration mode; the interface itself is not shown here) and add a route so that traffic for the remote prefix leaves through that interface, where it will match the crypto ACL:

ipv6 route 2011:11:11::/64 2008:9:2::2
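Before pushing this to a router, it is worth sanity-checking two of the policy pieces above offline: which peer certificates the certificate map from step 5 would accept, and which flows the crypto ACL from step 3 (and the mirror the peer needs) would protect. The following script is an added example written for this post, not Cisco code or a Cisco tool; it models the IOS matching semantics in plain Python (certificate-map lines inside one sequence are ANDed, sequences are ORed; eq/ne/co/nc compare the printed DN string), and all subjects, issuers and addresses in it are constructed test data. The stricter map CMAP_STRICT and the issuer name cn=ios-ca are hypothetical, not from the post.

```python
"""Offline policy check for the IPv6 crypto-map example.

Added example, not part of the original post. It models two IOS behaviours in
plain Python so the policy can be reasoned about before deployment:
  1. certificate map lines (eq, ne, co, nc): lines within one sequence are
     ANDed, sequences of the same map are ORed;
  2. the IPv6 crypto ACL as (source prefix, destination prefix) pairs, which
     the peer must configure as the exact mirror.
Subjects, issuers and addresses below are constructed test data.
"""
import ipaddress
from typing import Dict, List, Tuple

CertMapLine = Tuple[str, str, str]          # (field, operator, value)
CertMap = List[List[CertMapLine]]           # list of sequences, each a list of lines
AclEntry = Tuple[str, str]                  # (source prefix, destination prefix)

# The post's map: crypto pki certificate map CMAP 10 / subject-name co cisco.com
CMAP: CertMap = [[("subject-name", "co", "cisco.com")]]

# Hypothetical stricter alternative (not from the post): pin the issuer and the
# exact subject of the single peer this crypto map entry talks to.
CMAP_STRICT: CertMap = [[("issuer-name", "eq", "cn=ios-ca"),
                         ("subject-name", "eq", "cn=r11.cisco.com")]]

# The post's crypto ACL: permit ipv6 2010:10:10::/64 2011:11:11::/64
PROXY_ACL: List[AclEntry] = [("2010:10:10::/64", "2011:11:11::/64")]


def line_matches(cert: Dict[str, str], field: str, op: str, value: str) -> bool:
    """Evaluate one `field op value` line of a certificate map against a cert."""
    actual = cert.get(field, "")
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "co":                      # "contains": substring anywhere in the DN
        return value in actual
    if op == "nc":                      # "does not contain"
        return value not in actual
    raise ValueError(f"unsupported certificate-map operator {op!r}")


def cert_map_matches(cert: Dict[str, str], cert_map: CertMap) -> bool:
    """True if any sequence has all of its lines satisfied (OR of ANDs).

    The router validates the chain against the trustpoint first; the map is an
    additional filter on certificates that have already verified.
    """
    return any(all(line_matches(cert, f, op, v) for f, op, v in seq)
               for seq in cert_map)


def acl_protects(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True if the flow src -> dst is selected by the crypto ACL (i.e. encrypted)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    return any(s in ipaddress.IPv6Network(sp) and d in ipaddress.IPv6Network(dp)
               for sp, dp in acl)


def mirror_acl(acl: List[AclEntry]) -> List[AclEntry]:
    """The crypto ACL the peer must configure: every entry with src/dst swapped."""
    return [(dp, sp) for sp, dp in acl]


def acls_are_mirrors(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    """Mismatched proxy identities make Phase 2 fail, so check before deploying."""
    return sorted(mirror_acl(local)) == sorted(remote)


if __name__ == "__main__":
    # Constructed peer certificates, written the way IOS prints DNs.
    certs = {
        "legit peer":      {"subject-name": "cn=r11.cisco.com",
                            "issuer-name": "cn=ios-ca"},
        "look-alike name": {"subject-name": "cn=r11.cisco.com.attacker.example",
                            "issuer-name": "cn=ios-ca"},
        "other CA":        {"subject-name": "cn=r11.cisco.com",
                            "issuer-name": "cn=other-ca"},
    }
    for label, cert in certs.items():
        print(f"{label:16} CMAP={cert_map_matches(cert, CMAP)!s:5} "
              f"STRICT={cert_map_matches(cert, CMAP_STRICT)}")

    for src, dst in [("2010:10:10::5", "2011:11:11::9"),
                     ("2010:10:10::5", "2001:db8::1")]:
        print(f"{src} -> {dst}: protected={acl_protects(PROXY_ACL, src, dst)}")

    print("peer crypto ACL should be:", mirror_acl(PROXY_ACL))
```

Running it shows the substring rule accepting the look-alike subject while the strict map rejects it, and that traffic from the protected prefix to any destination outside 2011:11:11::/64 bypasses the crypto map and leaves in the clear, which is exactly the behaviour to double-check when a prefix list changes later.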

Summary

Deploying IPSec VPNs over IPv6 on Cisco IOS routers is a straightforward extension of traditional IPv4 VPN deployments: the same crypto maps, transform sets and certificate-based authentication apply, with IPv6 addresses in the peer definition and crypto ACL. Get the local address selection and trustpoint configuration right, keep the peer's crypto ACL an exact mirror of yours, and make the certificate map match the peer's identity precisely rather than any name that happens to contain your domain, and you are ready to protect your IPv6 traffic between sites.