Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco IPSec VPN Client IPv6 support

Hi,

Does the Cisco IPSec VPN Client support IPv6 ?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco IPSec VPN Client IPv6 support

The IPSEC client can only form tunnels between IPv4 endpoints, and will only transport IPv4 packets inside the tunnel.

If you are using something that will tunnel IPv6 inside IPv4 (ISATAP, 6in4), the IPv6 will be transported but only because it looks like an IPv4 packet at the driver layer.

8 REPLIES
Cisco Employee

Cisco IPSec VPN Client IPv6 support

The classic Cisco VPN client only carries IPv6 over IPSEC if the IPv6 is tunneled inside IPv4.

For native IPv6 transport, look at using Cisco AnyConnect VPN client

New Member

Re: Cisco IPSec VPN Client IPv6 support

Thanks for your answer.

And if it is "IPv4 inside IPv6", does it work ? I mean : The tunnel is established with IPv6 (Client and remote site have an IPv6 public address) but the VPN stay in full IPv4 (Internal network) :VPN concentrator's DHCP give a private IPv4 to the client.

Does the Cisco Anyconnect VPN Client support IPv6 over IPSec ?

Armand

Cisco Employee

Cisco IPSec VPN Client IPv6 support

The Anyconnect VPN client will not specifically tunnel IPv4 inside IPv6, the client is dual-stack by design.  However, if you have add on software that tunnels the IPv4 inside IPv6, the IPv6 traffic should just be treated as any other IPv6 traffic.

As far as I can tell, the Anyconnect client only tunnels IPv6 inside SSL/DTLS.  I don't specifically see an IPv6 over IPSEC option.

New Member

Cisco IPSec VPN Client IPv6 support

Ok, thanks.

So, does the Cisco IPSec VPN Client is compatible with the network design I described ? That's I have to know..

Best regards,

Armand

Cisco Employee

Re: Cisco IPSec VPN Client IPv6 support

You said  "IPv4 inside IPv6."  Since the VPN client does not support IPv6, that will not work.

However, if you tunnel the IPv6 inside IPv4 (using, for example, ISATAP) then the VPN client will carry that IPv4 traffic just like any other IPv4 traffic.

Hote that using tunneling protocols like ISATAP with the IPv6 capable AnyConnect client produces unpredictable results, since the AnyConnect client does its own IPv6 to IPv4 conversion.  I have hjad mixed results with ISATAP + AnyConnect, and the official message I got from development was "not supported."  If you want to run IPv6 over AnyConnect, you are best off using the built in AnytConnect IPv6 facilities.

New Member

Re: Cisco IPSec VPN Client IPv6 support

Thanks for your answer.

When you say that Cisco IPSec Client does not support IPv6 : You mean that we can't assign an IPv6 address to the client once the connection is established (by the ASA DHCP pool for example) ? Or that we can't establish the tunnel over the IPv6 Internet (both endpoints are IPv6) ?

New Member

Re: Cisco IPSec VPN Client IPv6 support

Can someone answer me ? (last post)

Cisco Employee

Re: Cisco IPSec VPN Client IPv6 support

The IPSEC client can only form tunnels between IPv4 endpoints, and will only transport IPv4 packets inside the tunnel.

If you are using something that will tunnel IPv6 inside IPv4 (ISATAP, 6in4), the IPv6 will be transported but only because it looks like an IPv4 packet at the driver layer.

4482
Views
0
Helpful
8
Replies