Sunday, February 3, 2019

Site to Site VPN for IPv4 and IPv6

Hey, guys. I've been trying to configure an IPsec site-to-site VPN in a lab environment that would support both IPv4 and IPv6.

I have built a GRE tunnel and implemented IPsec between both sites and have full reachability between end devices for both IPv4 and IPv6. The topology is basically R1 and R2 as the company's edge routers for each site, and they are successfully passing OSPF routes to one another through interface Tunnel 0.

R3 and R4 are acting as ISP routers, are running EIGRP between them and are only running IPv4. However, whilst IPv4 connections seem to be passing across "the internet" encrypted, I am unsure if the same is true for IPv6. So essentially the problem is that I'm not quite sure if I am configuring it correctly, and I was hoping some of you more experienced members can help me verify whether the tunnel is correctly configured to encrypt both IPv4 and IPv6?

Any help would be greatly appreciated!

TOPOLOGY GRAPHIC: https://imgur.com/phKT8X7

R1's SHOW RUN:

R1#show run
Building configuration...

Current configuration : 2489 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CISCO address 195.0.0.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer 195.0.0.1
 set transform-set TRANS
 match address IPSEC-TRAFFIC
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip ospf mtu-ignore
 ipv6 address 2001:DB8:AAAA:A::1/64
 ipv6 enable
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/1
 tunnel destination 195.0.0.1
 tunnel path-mtu-discovery
 crypto map CMAP
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address 2001:DB8:ACAD:A::1/64
 ipv6 ospf 1 area 0
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 200.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 5 interface FastEthernet0/1 overload
!
ip access-list extended IPSEC-TRAFFIC
 permit gre host 200.0.0.1 host 195.0.0.1
!
access-list 5 permit 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
ipv6 router ospf 1
 log-adjacency-changes
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

********************************************************************

R2 SHOW RUN:

R2#show run
Building configuration...

Current configuration : 2480 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CISCO address 200.0.0.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set TRANS
 match address IPSEC-TRAFFIC
!
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip ospf mtu-ignore
 ipv6 address 2001:DB8:AAAA:A::2/64
 ipv6 enable
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/1
 tunnel destination 200.0.0.1
 tunnel path-mtu-discovery
 crypto map CMAP
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address 2001:DB8:ACAD:F::1/64
 ipv6 ospf 1 area 0
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 195.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 5 interface FastEthernet0/1 overload
!
ip access-list extended IPSEC-TRAFFIC
 permit gre host 195.0.0.1 host 200.0.0.1
!
access-list 5 permit 10.0.0.0 0.0.0.255
no cdp log mismatch duplex
ipv6 router ospf 1
 log-adjacency-changes
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

*****************************************************************

R1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: CMAP, local addr 200.0.0.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (195.0.0.1/255.255.255.255/47/0)
   current_peer 195.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 293, #pkts encrypt: 293, #pkts digest: 293
    #pkts decaps: 294, #pkts decrypt: 294, #pkts verify: 294
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0

     local crypto endpt.: 200.0.0.1, remote crypto endpt.: 195.0.0.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE8072AF2(3892783858)

     inbound esp sas:
      spi: 0x32F9E53(53452371)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531964/2336)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0x4F71895D(1332840797)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4567854/2333)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF8DDAF85(4175277957)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531964/2333)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0xE8072AF2(3892783858)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4567855/2332)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0/1
    Crypto map tag: CMAP, local addr 200.0.0.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (195.0.0.1/255.255.255.255/47/0)
   current_peer 195.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
    #pkts decaps: 295, #pkts decrypt: 295, #pkts verify: 295
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0

     local crypto endpt.: 200.0.0.1, remote crypto endpt.: 195.0.0.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE8072AF2(3892783858)

     inbound esp sas:
      spi: 0x32F9E53(53452371)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531964/2330)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0x4F71895D(1332840797)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4567854/2329)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF8DDAF85(4175277957)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531964/2329)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0xE8072AF2(3892783858)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4567855/2329)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

***************************************************************************

R2#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: CMAP, local addr 195.0.0.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (195.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/47/0)
   current_peer 200.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 308, #pkts encrypt: 308, #pkts digest: 308
    #pkts decaps: 307, #pkts decrypt: 307, #pkts verify: 307
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 195.0.0.1, remote crypto endpt.: 200.0.0.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x4F71895D(1332840797)

     inbound esp sas:
      spi: 0xF8DDAF85(4175277957)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4504025/2265)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0xE8072AF2(3892783858)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4469928/2263)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x32F9E53(53452371)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4504025/2263)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0x4F71895D(1332840797)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4469928/2262)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0/1
    Crypto map tag: CMAP, local addr 195.0.0.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (195.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/47/0)
   current_peer 200.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 309, #pkts encrypt: 309, #pkts digest: 309
    #pkts decaps: 308, #pkts decrypt: 308, #pkts verify: 308
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 195.0.0.1, remote crypto endpt.: 200.0.0.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x4F71895D(1332840797)

     inbound esp sas:
      spi: 0xF8DDAF85(4175277957)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4504025/2261)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0xE8072AF2(3892783858)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4469928/2259)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x32F9E53(53452371)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4504025/2259)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0x4F71895D(1332840797)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4469928/2259)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
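The `show crypto ipsec sa` output above already contains the answer to the IPv6 question, if you know which lines to read. Both routers report their proxy identities as `(200.0.0.1/255.255.255.255/47/0)` and `(195.0.0.1/255.255.255.255/47/0)`: protocol 47 is GRE, so the crypto ACL `permit gre host ... host ...` selects the GRE tunnel itself, not any inner prefix. Every packet the routers forward into Tunnel0, whether IPv4, IPv6, OSPF or OSPFv3, is GRE-encapsulated first and then encrypted by the same ESP SA, which is why no IPv6-specific crypto ACL is needed. The Python below is an added example, not code from the original post: it parses that command output, checks that the selector is protocol 47 and that every ESP SA is ACTIVE, and compares the encaps/decaps counters between two snapshots so that IPv6 test traffic can be shown to have gone through ESP rather than in the clear. The sample snapshots are constructed from R1's Tunnel0 block on this page (the "after" counters and the LAN-to-LAN variant are invented for the demonstration).

```python
"""Verify a GRE-over-IPsec tunnel from 'show crypto ipsec sa' output.

Added example, not part of the original post. The routers on this page use
'permit gre host A host B' as the crypto ACL, so the IPsec selector is the
GRE tunnel itself (IP protocol 47): every packet sent into Tunnel0, IPv4 or
IPv6, is GRE-encapsulated first and then encrypted by the same SA.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

GRE_PROTOCOL = 47

# Line shapes as printed by IOS 12.4 in the output on this page.
IDENT_RE = re.compile(r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\([\d.]+/[\d.]+/(?P<prot>\d+)/\d+\)")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}
STATUS_RE = re.compile(r"Status: (\w+)")


@dataclass
class CryptoMapEntry:
    interface: str
    local_prot: int = -1        # protocol in the local proxy identity
    remote_prot: int = -1       # protocol in the remote proxy identity
    encaps: int = 0             # packets encrypted (outbound)
    decaps: int = 0             # packets decrypted (inbound)
    send_errors: int = 0
    sa_status: List[str] = field(default_factory=list)  # one per ESP SA


def parse_show_crypto_ipsec_sa(text: str) -> Dict[str, CryptoMapEntry]:
    """Split the output into per-interface blocks and extract the fields."""
    entries: Dict[str, CryptoMapEntry] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur = CryptoMapEntry(interface=line.split(":", 1)[1].strip())
            entries[cur.interface] = cur
            continue
        if cur is None:
            continue
        m = IDENT_RE.search(line)
        if m:
            setattr(cur, f"{m['side']}_prot", int(m["prot"]))
        for attr, regex in COUNTER_RES.items():
            m = regex.search(line)
            if m:
                setattr(cur, attr, int(m.group(1)))
        m = STATUS_RE.search(line)
        if m:
            cur.sa_status.append(m.group(1))
    return entries


def selector_is_gre_tunnel(e: CryptoMapEntry) -> bool:
    """Both proxy identities are protocol 47: the SA covers the whole GRE
    tunnel, so inner IPv6 needs no separate crypto ACL entry."""
    return e.local_prot == GRE_PROTOCOL and e.remote_prot == GRE_PROTOCOL


def sas_are_active(e: CryptoMapEntry) -> bool:
    """Every listed ESP SA (inbound and outbound) reports ACTIVE."""
    return bool(e.sa_status) and all(s == "ACTIVE" for s in e.sa_status)


def traffic_was_encrypted(before: CryptoMapEntry, after: CryptoMapEntry) -> bool:
    """Snapshot, send test traffic (e.g. pings between the IPv6 LANs),
    snapshot again: both encaps and decaps must have advanced."""
    return after.encaps > before.encaps and after.decaps > before.decaps


# Constructed sample: R1's Tunnel0 block from this page, trimmed to the lines
# the parser reads; the counter values are the page's.
SNAPSHOT_BEFORE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (195.0.0.1/255.255.255.255/47/0)
    #pkts encaps: 293, #pkts encrypt: 293, #pkts digest: 293
    #pkts decaps: 294, #pkts decrypt: 294, #pkts verify: 294
    #send errors 7, #recv errors 0
     inbound esp sas:
        Status: ACTIVE
     outbound esp sas:
        Status: ACTIVE
"""

# Constructed: the same tunnel after ten test pings (new counter values invented).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("encaps: 293", "encaps: 303").replace("decaps: 294", "decaps: 304")

# Constructed: what a LAN-to-LAN IPv4 crypto ACL would print instead. Only
# the two IPv4 prefixes are protected; IPv6 between the LANs would not be.
SNAPSHOT_LAN_ONLY = """\
interface: FastEthernet0/1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
        Status: ACTIVE
"""
```

Run `parse_show_crypto_ipsec_sa` on a capture taken before and after pinging between the two IPv6 LANs and feed the `Tunnel0` entries to `traffic_was_encrypted`; if the counters advance while `selector_is_gre_tunnel` is true, the IPv6 traffic went through ESP. Two details of the page's output are worth knowing when reading it this way: the same four SPIs are listed under both Tunnel0 and FastEthernet0/1 because `crypto map CMAP` is applied to both interfaces, so this is one set of SAs seen twice rather than two tunnels, and a small non-zero `#send errors` count is commonly accumulated by packets that arrived before the ISAKMP and IPsec SAs had finished negotiating.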


