09-15-2011 02:55 AM - edited 03-01-2019 05:29 PM
09-30-2011 10:43 AM
The IPSEC client can only form tunnels between IPv4 endpoints, and will only transport IPv4 packets inside the tunnel.
If you are using something that will tunnel IPv6 inside IPv4 (ISATAP, 6in4), the IPv6 will be transported but only because it looks like an IPv4 packet at the driver layer.
09-16-2011 01:39 PM
The classic Cisco VPN client only carries IPv6 over IPSEC if the IPv6 is tunneled inside IPv4.
For native IPv6 transport, look at using Cisco AnyConnect VPN client
09-18-2011 11:16 PM
Thanks for your answer.
And if it is "IPv4 inside IPv6", does it work ? I mean : The tunnel is established with IPv6 (Client and remote site have an IPv6 public address) but the VPN stay in full IPv4 (Internal network) :VPN concentrator's DHCP give a private IPv4 to the client.
Does the Cisco Anyconnect VPN Client support IPv6 over IPSec ?
Armand
09-20-2011 09:31 AM
The Anyconnect VPN client will not specifically tunnel IPv4 inside IPv6, the client is dual-stack by design. However, if you have add on software that tunnels the IPv4 inside IPv6, the IPv6 traffic should just be treated as any other IPv6 traffic.
As far as I can tell, the Anyconnect client only tunnels IPv6 inside SSL/DTLS. I don't specifically see an IPv6 over IPSEC option.
09-21-2011 01:36 AM
Ok, thanks.
So, does the Cisco IPSec VPN Client is compatible with the network design I described ? That's I have to know..
Best regards,
Armand
09-21-2011 08:05 AM
You said "IPv4 inside IPv6." Since the VPN client does not support IPv6, that will not work.
However, if you tunnel the IPv6 inside IPv4 (using, for example, ISATAP) then the VPN client will carry that IPv4 traffic just like any other IPv4 traffic.
Hote that using tunneling protocols like ISATAP with the IPv6 capable AnyConnect client produces unpredictable results, since the AnyConnect client does its own IPv6 to IPv4 conversion. I have hjad mixed results with ISATAP + AnyConnect, and the official message I got from development was "not supported." If you want to run IPv6 over AnyConnect, you are best off using the built in AnytConnect IPv6 facilities.
09-21-2011 09:07 AM
Thanks for your answer.
When you say that Cisco IPSec Client does not support IPv6 : You mean that we can't assign an IPv6 address to the client once the connection is established (by the ASA DHCP pool for example) ? Or that we can't establish the tunnel over the IPv6 Internet (both endpoints are IPv6) ?
09-30-2011 01:58 AM
Can someone answer me ? (last post)
09-30-2011 10:43 AM
The IPSEC client can only form tunnels between IPv4 endpoints, and will only transport IPv4 packets inside the tunnel.
If you are using something that will tunnel IPv6 inside IPv4 (ISATAP, 6in4), the IPv6 will be transported but only because it looks like an IPv4 packet at the driver layer.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: