[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Jim Small jim.small at cdw.com
Thu Sep 6 04:39:52 CEST 2012

> >> Where this is not the case or where there is a bug, this however would
> >> be a problem. (I remember someone telling me that the Cisco VPN client
> >> has or had this bug, that IPv6 was still possible while IPv4
> >> connectivity was filtered for non-tunnel destinations.)
> >
> >
> > It was like this with the Juniper SSL VPN at my previous job.  The VPN
> > software didn't do anything with IPv6 so anything over IPv6 went through
> > my default gateway.
> I can confirm the same with F5 BigIP Edge Gateway SSL VPN software, and
> Cisco VPN.

So to clarify, the End of Life Cisco VPN Client (the older IPsec/IKEv1 client) is oblivious to IPv6.  Even if you have a full tunnel setup, it only works for IPv4.  IPv6 traffic completely bypasses the VPN.  This could be good or bad depending on your point of view.

With the current VPN Client, AnyConnect (SSL/DTLS/IPsec+IKEv2), this is not true.  AnyConnect is IPv6 aware since v2.5 (released in early 2010).  AnyConnect fully supports IPv4/IPv6 including full/split-tunneling, filtering, or firewalling either one.

> I consider it a feature, being able to look up other stuff while testing things ;-)

My friend Bob said it greatly increases his productivity.  :-)