Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Dual IPv4 and IPv6 remote access VPN?

Started by nosebreaker, February 02, 2011, 05:42:22 PM


nosebreaker

I'm trying to use a Cisco ASA 5520 so that it will give both an IPv4 private IP and an IPv6 private IP to remote users that log in using the webvpn. We have some internal servers that are IPv6-only and I want to make it so they can connect to them from home. Is this possible? I cannot seem to figure out how to do it.

antillie

This can be done with the AnyConnect VPN client. If you already have AnyConnect and basic IPv6 connectivity up and running you only need the following two commands:

ipv6 local pool ipv6pool 2001:470:X:X::1/64 100

tunnel-group <your existing tunnel group name here> general-attributes
ipv6-address-pool ipv6pool

This will make the ASA assign connected AnyConnect clients an IPv6 address *if* the client's OS supports IPv6. (Installed by default in Win Vista/7, must be installed manually in WinXP, Linux varies but it's generally installed by default.)

If you use a public /64 range from the /48 HE gave you as your IP pool and add the following to the firewall:

same-security-traffic permit intra-interface

Then connected clients will be able to access the IPv6 internet via the firewall's internet connection over the VPN.

Unfortunately, although you can apply these commands to a tunnel group used for IPSec VPN clients, they will have no effect on the IPSec VPN client; it just ignores them and goes about its IPv4 business as usual. (Personally I use the same tunnel group for AnyConnect and IPSec clients and IPv4 tunneling works perfectly in both clients, but IPv6 tunneling is AnyConnect only.) Another thing to note is that there is no split tunneling for IPv6 yet. All IPv6 traffic from the client PC will be sent across the tunnel.

The only real drawback to this is Cisco's obscene licensing prices for concurrent AnyConnect sessions. Seriously, they are highway robbery. Honestly, unless you have large piles of money you don't need just lying around I'd look for an open source solution of some sort before deploying AnyConnect on any kind of large scale. However, every ASA comes with 2 allowed concurrent AnyConnect sessions built in so you should be able to at least test it out.
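Pulling the pieces from antillie's reply together into one complete configuration block, as an added example that is not part of either post. It assumes hypothetical names (tunnel group REMOTE-USERS, group policy REMOTE-USERS-GP, pools ipv4pool/ipv6pool, filter ACL VPN-FILTER), a placeholder HE prefix, an IPv6-only server at a made-up address, and ASA 9.x unified ACL syntax (any6/any4); on older 8.x images the IPv6 ACL syntax differs. The vpn-filter is the part the thread does not mention: once same-security-traffic permit intra-interface is on and the pool is public HE space, every connected client has an unfiltered IPv6 path through the firewall, so pin down what the VPN pool may reach rather than relying on the pool being "private".

```cisco
! Added example, not the original poster's configuration.
! Address pools (placeholder HE prefix; substitute your own /64 from the /48).
ip local pool ipv4pool 10.10.10.1-10.10.10.100 mask 255.255.255.0
ipv6 local pool ipv6pool 2001:470:X:X::1/64 100

! Filter applied to every AnyConnect session: allow HTTPS and SSH to the
! hypothetical IPv6-only server 2001:470:X:Y::10 and nothing else over v6.
! Traffic that does not match is dropped, including hairpinned IPv6 internet
! access, so add explicit lines if that is wanted.
access-list VPN-FILTER extended permit tcp any6 host 2001:470:X:Y::10 eq 443
access-list VPN-FILTER extended permit tcp any6 host 2001:470:X:Y::10 eq 22
access-list VPN-FILTER extended permit ip any4 10.0.0.0 255.0.0.0

! Group policy: AnyConnect (SSL) only, IPv4 split tunnel to the internal
! range. No IPv6 split-tunnel setting is configured here; as the reply
! notes, the client sends all IPv6 traffic into the tunnel.
access-list SPLIT-V4 standard permit 10.0.0.0 255.0.0.0
group-policy REMOTE-USERS-GP internal
group-policy REMOTE-USERS-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-V4
 vpn-filter value VPN-FILTER

! Tunnel group: hand out both pools and bind the policy above.
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 address-pool ipv4pool
 ipv6-address-pool ipv6pool
 default-group-policy REMOTE-USERS-GP

! Required only if VPN clients should reach the IPv6 internet back out the
! same outside interface (hairpinning). Leave it off if VPN-FILTER is meant
! to confine clients to the internal servers.
same-security-traffic permit intra-interface
```

After a client connects, `show vpn-sessiondb anyconnect` on the ASA should list both an Assigned IP and an Assigned IPv6 for the session, and `show access-list VPN-FILTER` should show hit counts climbing on the permitted lines only; a client that can still reach addresses outside the ACL means the filter is not bound to the policy the session actually landed in.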