[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Jim Small jim.small at cdw.com
Mon Oct 15 04:04:23 CEST 2012


Hi Fernando,

> On 09/05/2012 11:39 PM, Jim Small wrote:
> >> I can confirm the same with F5 BigIP Edge Gateway SSL VPN software,
> >> and Cisco VPN.
> >
> > So to clarify, the End of Life Cisco VPN Client (the older
> > IPsec/IKEv1 client) is oblivious to IPv6.  Even if you have a full
> > tunnel setup, it only works for IPv4.  IPv6 traffic completely
> > bypasses the VPN.  This could be good or bad depending on your point
> > of view.
> >
> > With the current VPN Client, AnyConnect (SSL/DTLS/IPsec+IKEv2), this
> > is not true.  AnyConnect is IPv6 aware since v2.5 (released in early
> > 2010).  AnyConnect fully supports IPv4/IPv6 including
> > full/split-tunneling, filtering, or firewalling either one.
> 
> Key question: what's the default setting?
> 

From a quick test of the current version of AnyConnect v3.1 (Cisco's current VPN client) on an ASA running 8.4.4.1 (Current version) with no explicit IPv6 configuration it looks like it blocks all IPv6 traffic (Global and Link-Local).

--Jim
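
Added example, not part of the original message: one way to check from the routing tables whether a host with an IPv4 full tunnel still routes IPv6 outside the VPN, as described above for an IPv6-unaware client. It assumes Linux `ip -4 route show` / `ip -6 route show` output; the sample tables, the tunnel interface name prefixes and the probe addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample: IPv4 full tunnel on tun0, IPv6 default learned from an RA on eth0.
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

def parse_routes(text, family):
    """Return [(network, dev, metric)] from `ip route show` text for one family."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        try:
            net = ipaddress.ip_network(default if tok[0] == "default" else tok[0],
                                       strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, probe):
    """Longest-prefix match, lowest metric as tie-break; None if unroutable."""
    addr = ipaddress.ip_address(probe)
    hits = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def check_bypass(v4_text, v6_text, tunnel_prefixes=("tun", "utun", "ppp", "wg")):
    """Compare the egress interface for an off-link IPv4 and IPv6 destination."""
    v4 = egress_dev(parse_routes(v4_text, 4), "198.51.100.1")
    v6 = egress_dev(parse_routes(v6_text, 6), "2001:db8:ffff::1")
    in_tunnel = lambda dev: dev is not None and dev.startswith(tunnel_prefixes)
    return {"ipv4": v4, "ipv6": v6,
            "ipv6_routed_outside_vpn": in_tunnel(v4) and v6 is not None
                                       and not in_tunnel(v6)}

if __name__ == "__main__":
    print(check_bypass(SAMPLE_V4, SAMPLE_V6))
```

A routing table does not show packet filters, so a client that blocks IPv6 by filtering rather than by routing can still produce a positive result here; confirm with a capture on the physical interface.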



