The usual claim that “IPv6 has better security because it includes mandatory IPsec support” is evidently creating some confusion, at least based on a set of questions I received from one of my readers.
Can IPv6 work without IPsec?
Absolutely. Most IPv6 deployments don’t use IPsec (unless you’re building IPsec-based VPNs over IPv6 transport infrastructure).
When we want to connect to a server with IPsec over IPv6, shall we have certificates on the clients or will it be like HTTPS?
There’s no difference between IPsec running on top of IPv4 or IPv6. The first step in every IPsec session setup is key exchange; the default key management protocol specified in RFC 6434 is IKEv2. IKEv2 can use preshared keys or certificates.
Is it mandatory to have a Cisco IOS image that includes IPsec support to deploy IPv6?
No. For example, the IP Base technology package on ISR G2 includes IPv6 support. However, you should use the feature navigator to confirm which images support IPv6 on your specific platform/release.
To get an overview of IPv6 deployment requirements, watch the Enterprise IPv6 – the First Steps webinar (or its Service Provider equivalent). Core and access network design guidelines and router configurations are explained in the Building Large IPv6 Service Provider Networks webinar (which is equally applicable in large enterprise environments). All three webinars are available as the IPv6 Trilogy jumbo pack or as part of the yearly subscription.