[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Jónatan Þór Jónasson jonatan at sensa.is
Thu Oct 18 03:29:15 CEST 2012


Regarding the AnyConnect client and IPv6, currently it *will* break all native IPv6 connectivity.
Cisco ties this behaviour to the fact that we didn't have IPv6 split-tunneling. ("CSCtb74535", viewable in the bug-toolkit)
It did not matter whether the VPN connection as such is using IPv6 or not, "tunnel-all" is forced and therefore breaks native connectivity.

According to the release-notes for AnyConnect 3.1 this has been fixed in two ways:
1. Split Tunneling for IPv6 network traffic is now an option.
2. Client Protocol Bypass, described as follows: "For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear."

However, some of the new IPv6 features in the AnyConnect 3.1, including those two mentioned here above, are tied to the upcoming version of ASA 9.x, which is "scheduled" in Q4 2012 (again, according to release notes).

With regards,

-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Jim Small
Sent: 15. október 2012 02:04
To: Fernando Gont; IPv6 Hackers Mailing List
Subject: Re: [ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Hi Fernando,

> On 09/05/2012 11:39 PM, Jim Small wrote:
> >> I can confirm the same with F5 BigIP Edge Gateway SSL VPN software, 
> >> and Cisco VPN.
> >
> > So to clarify, the End of Life Cisco VPN Client (the older
> > IPsec/IKEv1 client) is oblivious to IPv6.  Even if you have a full 
> > tunnel setup, it only works for IPv4.  IPv6 traffic completely 
> > bypasses the VPN.  This could be good or bad depending on your point 
> > of view.
> >
> > With the current VPN Client, AnyConnect (SSL/DTLS/IPsec+IKEv2), this 
> > is not true.  AnyConnect is IPv6 aware since v2.5 (released in early 
> > 2010).  AnyConnect fully supports IPv4/IPv6 including 
> > full/split-tunneling, filtering, or firewalling either one.
> Key question: what's the default setting?

From a quick test of the current version of AnyConnect v3.1 (Cisco's current VPN client) on an ASA running (Current version) with no explicit IPv6 configuration it looks like it blocks all IPv6 traffic (Global and Link-Local).
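The thread distinguishes three outcomes for a dual-stacked endpoint once the VPN is up: IPv6 forced through the tunnel ("tunnel-all"), IPv6 dropped entirely, or IPv6 sent from the client in the clear (Client Bypass Protocol, or split tunneling for selected prefixes). The script below is an added example, written for this page; it is not from the list thread, Cisco or the AnyConnect client. It parses the text format of `ip -6 route` on Linux and reports which of those postures the routing table implies, so an administrator can audit a client build before rolling it out. The VPN adapter name `tun0`, the route tables and the prefixes (`2001:db8::/32` documentation space) are constructed. The caveat: a routing table only tells you what the kernel would do with a packet; a client that drops IPv6 with a packet filter, as the AnyConnect test above suggests, can leave the routes untouched, so a "bypass" verdict means "verify with a real probe to a known IPv6 host", not "confirmed leak".

```python
"""Audit a dual-stacked Linux host's IPv6 posture while a VPN is connected.

Added example for the ipv6hackers thread; not code from the thread, Cisco or
any VPN vendor. Parses `ip -6 route` output and classifies the host as:
  "tunnel-all"  IPv6 default route goes out the VPN adapter
  "split"       default route stays native, some prefixes go via the VPN
  "bypass"      default route stays native and nothing goes via the VPN,
                i.e. the routing layer would send IPv6 in the clear
  "blocked"     no usable IPv6 default route at all
The interface name and the sample tables are constructed for illustration.
"""
import re
import subprocess

# One `ip -6 route` line: "<dst> [via <gw>] dev <iface> ... [metric <n>] ..."
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")
METRIC_RE = re.compile(r"\bmetric\s+(\d+)")


def parse_routes(text):
    """Turn `ip -6 route` text into a list of {dst, via, dev, metric} dicts."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        metric = METRIC_RE.search(line)
        routes.append({
            "dst": m.group("dst"),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes


def _is_local(dst):
    # Loopback and link-local entries exist on every interface; they say
    # nothing about where global IPv6 traffic would go.
    return dst == "::1" or dst.lower().startswith("fe80")


def classify_ipv6(routes, vpn_iface):
    """Classify the IPv6 posture given parsed routes and the VPN adapter name."""
    # Heuristic: some clients override the default by installing two /1
    # routes (more specific than ::/0) instead of replacing the default.
    halves = {r["dst"]: r["dev"] for r in routes if r["dst"] in ("::/1", "8000::/1")}
    defaults = [r for r in routes if r["dst"] in ("default", "::/0")]
    if len(halves) == 2 and halves["::/1"] == halves["8000::/1"]:
        default_dev = halves["::/1"]
    elif defaults:
        default_dev = min(defaults, key=lambda r: r["metric"])["dev"]
    else:
        return "blocked"
    if default_dev == vpn_iface:
        return "tunnel-all"
    # Any non-default, non-local prefix routed into the VPN means split tunneling.
    split_prefixes = [
        r for r in routes
        if r["dev"] == vpn_iface and not _is_local(r["dst"])
        and r["dst"] not in ("default", "::/0")
    ]
    return "split" if split_prefixes else "bypass"


def live_check(vpn_iface="tun0"):
    """Run `ip -6 route` on this host (Linux only) and classify the result."""
    out = subprocess.run(["ip", "-6", "route"], capture_output=True, text=True, check=True)
    return classify_ipv6(parse_routes(out.stdout), vpn_iface)


# Constructed sample tables (not captured from any real host).
SAMPLE_BLOCKED = """
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""
SAMPLE_BYPASS = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""
SAMPLE_SPLIT = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
2001:db8:100::/48 dev tun0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""
SAMPLE_TUNNEL_ALL = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""

if __name__ == "__main__":
    for name, table in [("blocked", SAMPLE_BLOCKED), ("bypass", SAMPLE_BYPASS),
                        ("split", SAMPLE_SPLIT), ("tunnel-all", SAMPLE_TUNNEL_ALL)]:
        print(f"{name:>10}: {classify_ipv6(parse_routes(table), 'tun0')}")
```

Run it with no arguments to see the four constructed tables classified; call `live_check("<your VPN adapter>")` on a connected Linux client to audit the real table. Any "bypass" or "split" result is the case the thread calls IPv6 leaving the client in the clear, and is where a follow-up probe to a known IPv6 host belongs.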

