How to handle IPV6 on client internet side without IPV6 internally?

webabc123
Level 1

If you don't use IPv6 on your corporate network, but users have IPv6 through their ISPs, what are the best ways to handle this when using AnyConnect VPN?

We currently use split tunnel AnyConnect set to drop all IPv6 traffic. This works fine for most clients, but for some, it breaks their connectivity to Outlook Exchange email and sometimes web browsing in general.

We now plan to switch from split tunnel to full tunnel. Will users with IPv6 connectivity established have the same issues with a full tunnel VPN connection? I assume so, because where is the IPv6 traffic that was enabled before the VPN was established going to go after launching the VPN if we don't have IPv6 available through the tunnel?

We have been telling the users to just disable IPv6 on their computers, but sometimes it's needed in Windows for things not related to VPN, and it is not a supported configuration from Microsoft.

What are the best solutions for handling IPv6 connectivity through AnyConnect VPN?


3 Replies

Milos_Jovanovic
VIP Alumni

Hi @webabc123,

If a user has only an IPv6 address, then you have no other way to support them but to configure IPv6 on your Internet-facing interface (as dual stack, of course, as you still want to support IPv4 users). They would be able to establish VPN connectivity over IPv6, while you could assign them only an IPv4 pool and route them to your internal network over IPv4 only.

If you have no other requirements apart from fixing IPv6 (such as security concerns), I would not enable a full tunnel configuration for this. You could just ignore IPv6 connectivity for VPN, if you don't want to deal with it, by using something like:

group-policy TestGP attributes
 client-bypass-protocol enable

This would instruct the client not to tunnel IPv6 traffic if you haven't configured an IPv6 pool. This way, IPv6 would be left out of the tunnel, and everything else would work the same as today, which should solve your problems with connectivity.

Another way could be to configure dual stack on your 'outside' interface, to configure an IPv6 pool along with the IPv4 pool, and to split tunnel only some of your IPv6 scopes. This way you would be achieving split tunnel on both IPv4 and IPv6, which should again solve your issues.

BR,

Milos

The users have both IPv6 and IPv4 going at the same time, or they would not have any ability to reach the VPN host, since it has an IPv4 public address.

The purpose of the full tunnel is for security controls to prevent data exfiltration. So, we do not want a split tunnel if possible.

So, which one of the options would allow the existing IPv6 traffic to pass through the full tunnel back out to the internet?

While we are still using split tunnel in the meantime, what options can we configure to enable only specified IPv4 traffic in the VPN tunnel and redirect all IPv6 traffic, as well as unspecified IPv4 traffic, back to the end user's internet connection?

We currently have the split tunnels configured to "drop all IPv6 traffic," but this is a poor solution for those who were using both IPv6 and IPv4 when the split tunnel was established.

If you want to enable full tunnel, you'll have to enable IPv6 on your ASA/FTD (including IPv6 on outside, an IPv6 pool, IPv6 routing and ACLs). This way, all user traffic (both IPv4 and IPv6) will get tunneled back to your gateway and routed towards the Internet from there. If you have another FW controlling your traffic, then your IPv4 and IPv6 routing needs to step in and route traffic to that FW as next hop. If you want to forward traffic from the VPN FW, then you'll need to configure a U-turn on this FW.

While using split tunnel, you can configure the one that I mentioned earlier:

group-policy TestGP attributes
 client-bypass-protocol enable

BR,

Milos
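As an added illustration (not from this thread or from Cisco documentation), the ASA-style configuration below sketches the dual-stack full tunnel described in the accepted answer: IPv6 on the outside interface, an IPv6 pool beside the IPv4 pool, a default IPv6 route, both split-tunnel policies set to tunnelall, and the hairpin permit needed for the U-turn. Interface name, group-policy name, pool names and all addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions; adapt them to your deployment.

```cisco
! Added example, not thread content. Addresses are documentation prefixes.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 ipv6 address 2001:db8:1::10/64
 ipv6 enable
!
! Default routes for both address families so tunneled client traffic
! can be forwarded back out to the Internet (or to a next-hop FW).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
ipv6 route outside ::/0 2001:db8:1::1
!
! Client address pools: one per address family.
ip local pool VPN_POOL4 192.0.2.10-192.0.2.250 mask 255.255.255.0
ipv6 local pool VPN_POOL6 2001:db8:2::/64 241
!
! U-turn: allow traffic that arrives on 'outside' to leave via 'outside'.
! IPv4 clients hairpinning to the Internet will additionally need a
! (outside,outside) NAT rule, which is not shown here.
same-security-traffic permit intra-interface
!
group-policy TestGP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL4
 ipv6-address-pools value VPN_POOL6
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 ! 'disable' (the default) means the client drops traffic for any
 ! address family it was NOT given an address for; with both pools
 ! assigned, nothing is dropped and nothing bypasses the tunnel.
 client-bypass-protocol disable
```

Contrast this with the split-tunnel workaround above: there, `client-bypass-protocol enable` with no IPv6 pool lets IPv6 leave via the local ISP rather than being dropped, which is the behaviour the full-tunnel design deliberately avoids.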
