Cisco IPSec VPN Client IPv6 support

Answered Question
Sep 15th, 2011

Hi,

Does the Cisco IPSec VPN Client support IPv6?

Thanks

Phillip Remaker Fri, 09/16/2011 - 13:39

The classic Cisco VPN client only carries IPv6 over IPSEC if the IPv6 is tunneled inside IPv4.

For native IPv6 transport, look at using the Cisco AnyConnect VPN client.

Kooopobol Sun, 09/18/2011 - 23:16

Thanks for your answer.

And if it is "IPv4 inside IPv6", does it work? I mean: the tunnel is established with IPv6 (client and remote site have an IPv6 public address) but the VPN stays in full IPv4 (internal network): the VPN concentrator's DHCP gives a private IPv4 to the client.

Does the Cisco AnyConnect VPN Client support IPv6 over IPSec?

Armand

Phillip Remaker Tue, 09/20/2011 - 09:31

The AnyConnect VPN client will not specifically tunnel IPv4 inside IPv6; the client is dual-stack by design. However, if you have add-on software that tunnels the IPv4 inside IPv6, the IPv6 traffic should just be treated as any other IPv6 traffic.

As far as I can tell, the AnyConnect client only tunnels IPv6 inside SSL/DTLS. I don't specifically see an IPv6 over IPSEC option.

Kooopobol Wed, 09/21/2011 - 01:36

Ok, thanks.

So, is the Cisco IPSec VPN Client compatible with the network design I described? That's what I have to know.

Best regards,

Armand

Phillip Remaker Wed, 09/21/2011 - 08:05

You said "IPv4 inside IPv6." Since the VPN client does not support IPv6, that will not work.

However, if you tunnel the IPv6 inside IPv4 (using, for example, ISATAP) then the VPN client will carry that IPv4 traffic just like any other IPv4 traffic.

Note that using tunneling protocols like ISATAP with the IPv6-capable AnyConnect client produces unpredictable results, since the AnyConnect client does its own IPv6 to IPv4 conversion. I have had mixed results with ISATAP + AnyConnect, and the official message I got from development was "not supported." If you want to run IPv6 over AnyConnect, you are best off using the built-in AnyConnect IPv6 facilities.

Kooopobol Wed, 09/21/2011 - 09:07

Thanks for your answer.

When you say that the Cisco IPSec Client does not support IPv6: do you mean that we can't assign an IPv6 address to the client once the connection is established (by the ASA DHCP pool, for example)? Or that we can't establish the tunnel over the IPv6 Internet (both endpoints are IPv6)?

Correct Answer
Phillip Remaker Fri, 09/30/2011 - 10:43

The IPSEC client can only form tunnels between IPv4 endpoints, and will only transport IPv4 packets inside the tunnel.

If you are using something that will tunnel IPv6 inside IPv4 (ISATAP, 6in4), the IPv6 will be transported but only because it looks like an IPv4 packet at the driver layer.
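Added example, not part of the original thread and not Cisco code: a small classifier that models the point above, that a 6in4 or ISATAP packet is an IPv4 packet (protocol 41) as far as an IPv4-only tunnel is concerned, while a native IPv6 packet is not. The addresses, the sample packets and the function names are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number used by 6in4 and ISATAP

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header followed by payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def classify(packet):
    """Return (carried_by_ipv4_only_tunnel, description) for a raw IP packet."""
    if not packet:
        return False, "empty"
    version = packet[0] >> 4
    if version == 6:
        return False, "native IPv6"
    if version != 4 or len(packet) < 20:
        return False, "not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return False, "malformed IPv4"
    proto, inner = packet[9], packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4 and len(inner) >= 40 and inner[0] >> 4 == 6:
        src = ipaddress.IPv6Address(inner[8:24])
        dst = ipaddress.IPv6Address(inner[24:40])
        return True, f"IPv4 carrying IPv6 {src} -> {dst}"
    return True, f"plain IPv4, protocol {proto}"

# Constructed samples using documentation address ranges.
SAMPLE_NATIVE_V6 = build_ipv6("2001:db8::1", "2001:db8::2", 58, b"\x80\x00\x00\x00")
SAMPLE_6IN4 = build_ipv4("192.0.2.1", "198.51.100.7", PROTO_IPV6_IN_IPV4,
                         SAMPLE_NATIVE_V6)
SAMPLE_UDP = build_ipv4("192.0.2.1", "198.51.100.7", 17, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("native v6", SAMPLE_NATIVE_V6), ("6in4", SAMPLE_6IN4),
                      ("udp", SAMPLE_UDP)]:
        print(name, classify(pkt))
```

The same check is useful on the monitoring side: IPv6 carried this way crosses an IPv4-only tunnel as protocol 41, so inspection that only looks at the outer IPv4 header will not see the inner IPv6 addresses.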

Posted September 15, 2011 at 2:55 AM