The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IPv6 over IPv4 GRE Tunnel Protection feature allows both IPv6 unicast and multicast traffic to pass through a protected generic routing encapsulation (GRE) tunnel.
To enable this feature, you must configure IPsec tunnel protection on an IPv4 GRE tunnel.
To enable IPv6 multicast, you must configure IPv6 multicast routing.
The IPv6 over IPv4 GRE Tunnel Protection feature supports IPv6 over IPv4 point-to-point GRE tunnel protection and not IPv6 over IPv4 mGRE tunnel protection.
Generic routing encapsulation (GRE) tunnels sometimes are combined with IPSec, because IPSec does not support IPv6 multicast packets. This function prevents dynamic routing protocols from running successfully over an IPSec VPN network. Because GRE tunnels do support IPv6 multicast , a dynamic routing protocol can be run over a GRE tunnel. Once a dynamic routing protocol is configured over a GRE tunnel, you can encrypt the GRE IPv6 multicast packets using IPSec.
IPSec can encrypt GRE packets using a crypto map or tunnel protection. Both methods specify that IPSec encryption is performed after GRE encapsulation is configured. When a crypto map is used, encryption is applied to the outbound physical interfaces for the GRE tunnel packets. When tunnel protection is used, encryption is configured on the GRE tunnel interface.
The following figure shows encrypted packets that enter a router through a GRE tunnel interface using a crypto map on the physical interface. Once the packets are decrypted and decapsulated, they continue to their IP destination as clear text.
The following figure shows encryption using tunnel protection command on the GRE tunnel interface. The encrypted packets enter the router through the tunnel interface and are decrypted and decapsulated before they continue to their destination as clear text.
There are two key differences in using the crypto map and tunnel protection methods:
The IPSec crypto map is tied to the physical interface and is checked as packets are forwarded out through the physical interface. At this point, the GRE tunnel has already encapsulated the packet.
Tunnel protection ties the encryption functionality to the GRE tunnel and is checked after the packet is GRE encapsulated but before the packet is handed to the physical interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ipv6 multicast-routing Example: |
Enables multicast routing using Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD) on all IPv6-enabled interfaces of the router and enables multicast forwarding.
|
|
Step 4 |
ipv6 unicast-routing Example: |
Enables the forwarding of IPv6 unicast datagrams. |
|
Step 5 |
interface type number Example: |
Specifies a tunnel interface and number, and enters interface configuration mode. |
|
Step 6 |
ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length} Example: |
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface. |
|
Step 7 |
tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp} Example: |
Sets the encapsulation mode for the tunnel interface. |
|
Step 8 |
tunnel source {ip-address | ipv6-address | interface-typeinterface-number} Example: |
Sets the source address for a tunnel interface. |
|
Step 9 |
tunnel destination {hostname | ip-address | ipv6-address} Example: |
Specifies the destination for a tunnel interface. |
|
Step 10 |
exit Example: |
Exits interface configuration mode and returns to global configuration mode. |
|
Step 11 |
crypto isakmp policy priority Example: |
Defines an Internet Key Exchange (IKE) policy, and enters ISAKMP policy configuration mode.
|
|
Step 12 |
authentication {rsa-sig | rsa-encr | pre-share} Example: |
Specifies the authentication method within an IKE policy.
|
|
Step 13 |
hash {sha | md5} Example: |
Specifies the hash algorithm within an IKE policy. |
|
Step 14 |
group {1 | 2 | 5} Example: |
Specifies the Diffie-Hellman group identifier within an IKE policy. |
|
Step 15 |
encryption {des | 3des | aes 192 | aes 256} Example: |
Specifies the encryption algorithm within an IKE policy. |
|
Step 16 |
exit Example: |
Exits ISAKMP policy configuration mode and enters global configuration mode. |
|
Step 17 |
crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth] Example: |
Configures a preshared authentication key. |
|
Step 18 |
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4] Example: |
Defines a transform set. |
|
Step 19 |
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [time-range time-range-name] [fragments] [log [word] | log-input [word]] Example: |
Defines an extended IP access list. |
|
Step 20 |
crypto map [ipv6] map-name seq-num [ipsec-isakmp [dynamic dynamic-map-name | discover | profile profile-name]] Example: |
Creates a new crypto map entry or profile and enters crypto map configuration mode. |
|
Step 21 |
set peer {hostname [dynamic] [default] | ip-address [default]} Example: |
Specifies an IP Security (IPsec) peer in a crypto map entry. |
|
Step 22 |
set transform-set transform-set-name [transform-set-name2...transform-set-name6] Example: |
Specifies the transform set that can be used with the crypto map entry. |
|
Step 23 |
match address [access-list-id | name] Example: |
Specifies an extended access list for a crypto map entry. |
|
Step 24 |
exit Example: |
Exits crypto map configuration mode and returns to global configuration mode. |
|
Step 25 |
interface type number Example: |
Specifies an interface and number and enters interface configuration mode. |
|
Step 26 |
crypto map map-name [redundancy standby-group-name [stateful]] Example: |
Applies a previously defined crypto map set to an outbound interface. |
|
Step 27 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
ipv6 multicast-routing Example: |
Enables multicast routing using Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD) on all IPv6-enabled interfaces of the router and enables multicast forwarding.
|
||
|
Step 4 |
ipv6 unicast-routing Example: |
Enables the forwarding of IPv6 unicast datagrams. |
||
|
Step 5 |
crypto isakmp policy priority Example: |
Defines an IKE policy, and enters ISAKMP policy configuration mode. Policy number 1 indicates the policy with the highest priority. The lower the priority argument value, the higher the priority. |
||
|
Step 6 |
authentication {rsa-sig | rsa-encr | pre-share} Example: |
Specifies the authentication method within an Internet Key Exchange (IKE) policy.
|
||
|
Step 7 |
hash {sha | md5} Example: |
Specifies the hash algorithm within an IKE policy. |
||
|
Step 8 |
group {1 | 2 | 5} Example: |
Specifies the Diffie-Hellman group identifier within an IKE policy. |
||
|
Step 9 |
encryption {des | 3des | aes | aes 192 | aes 256} Example: |
Specifies the encryption algorithm within an IKE policy. |
||
|
Step 10 |
exit Example: |
Exits ISAKMP policy configuration mode and returns to global configuration mode. |
||
|
Step 11 |
crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth] Example: |
Configures a preshared authentication key. |
||
|
Step 12 |
crypto ipsec transform-set transform-set-name transform1 [transform2 ] [transform3 ] [transform4 ] Example: |
Defines a transform set, and places the router in crypto transform configuration mode. |
||
|
Step 13 |
crypto ipsec profile profile-name Example: |
Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers and enters IPsec profile configuration mode. |
||
|
Step 14 |
set transform-set transform-set-name [transform-set-name2...transform-set-name6] Example: |
Specifies the transform set that can be used with the crypto map entry. |
||
|
Step 15 |
exit Example: |
Exits IPsec profile configuration mode and returns to global configuration mode. |
||
|
Step 16 |
interface type number Example: |
Specifies a tunnel interface and number and enters interface configuration mode. |
||
|
Step 17 |
ipv6 address {ipv6-address / prefix-length | prefix-name sub-bits /prefix-length } Example: |
Specifies the IPv6 network assigned to the interface and enables IPv6 processing on the interface. |
||
|
Step 18 |
tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip[decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp} Example: |
Specifies a GRE IPv6 tunnel. |
||
|
Step 19 |
tunnel source {ip-address | ipv6-address | interface-type interface-number } Example: |
Specifies the source address or the source interface type and number for the tunnel interface. |
||
|
Step 20 |
tunnel destination {hostname | ip-address | ipv6-address} Example: |
Specifies the destination address or hostname for the tunnel interface. |
||
|
Step 21 |
tunnel protection ipsec profile name [shared] Example: |
Associates a tunnel interface with an IPsec profile.
|
||
|
Step 22 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Router> enable
Router# configure terminal
Router(config)# ipv6 multicast-routing
Router(config)# ipv6 unicast-routing
Router(config)# interface tunnel 10
Router(config-if)# ipv6 address my-prefix 0:0:0:7272::72/64
Router(config-if)# tunnel mode gre ip
Router(config-if)# tunnel source ethernet0
Router(config-if)# tunnel destination 172.16.0.12
Router(config-if)# exit
Router(config)# crypto isakmp policy 15
Router(config-isakmp-policy)# authentication pre-share
Router(config-isakmp-policy)# hash md5
Router(config-isakmp-policy)# group 2
Router(config-isakmp-policy)# encryption 3des
Router(config-isakmp-policy)# exit
Router(config)# crypto isakmp key cisco-10 address 172.16.0.12 255.240.0.0
Router(config)# crypto ipsec transform-set myset0 ah-sha-hmac esp-3des
Router(config)# access-list 110 permit gre host 192.168.0.16 host 172.16.0.12
Router(config)# crypto map mymap 10 ipsec-isakmp
Router(config-crypto-map)# set peer 10.0.0.1
Router(config-crypto-map)# set transform-set myset0
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit
Router(config)# interface ethernet1
Router(config-if)# crypto map mymap
Router(config-if)# endRouter> enable
Router# configure terminal
Router(config)# ipv6 multicast-routing
Router(config)# ipv6 unicast-routing
Router(config)# crypto isakmp policy 15
Router(config-isakmp-policy)# authentication pre-share
Router(config-isakmp-policy)# hash md5
Router(config-isakmp-policy)# group 2
Router(config-isakmp-policy)# encryption 3des
Router(config-isakmp-policy)# exit
Router(config)# crypto isakmp key cisco-10 address 172.16.0.12 255.240.0.0
Router(config)# crypto ipsec transform-set myset0 ah-sha-hmac esp-3des
Router(config)# crypto ipsec profile ipsecprof
Router(ipsec-profile)# set transform-set myset0
Router(ipsec-profile)# exit
Router(config)# interface tunnel 1
Router(config-if)# ipv6 address 3ffe:b00:c18:1::3/127
Router(config-if)# tunnel mode gre ip
Router(config-if)# tunnel source 10.0.0.1
Router(config-if)# tunnel destination 172.16.0.12
Router(config-if)# tunnel protection ipsec profile ipsecprof
Router(config-if)# end|
Related Topic |
Document Title |
|---|---|
|
IPv6 Multicast Routing |
|
|
Cisco IOS commands |
|
|
Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
|
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feedback