If you are a network engineer in this day and age, then you are probably familiar with and regularly using IPv6 (at least on your home lab network). I personally run my home network dual-stacked and have been recently annoyed by how VPN clients (mostly Cisco AnyConnect) handle dual-stacked clients. I have found that when left unconfigured (using defaults), AnyConnect likes to dump all IPv6 traffic silently on dual-stacked clients. This causes IPv6-enabled public websites and services (just the unpopular ones…like Google, YouTube, Facebook, etc.) to hang while trying to connect to the address returned by the looked-up AAAA DNS record.
Here are a few tricks I have found to configure AnyConnect to properly handle dual-stacked clients to keep those eyeballs happy. The IPv6 must flow!
Using Local Internet
If your VPN is configured as a “split tunnel” which does not tunnel internet-bound traffic back over the VPN, then you will likely want to use this in your configuration, as it makes AnyConnect allow the client to send all of its IPv6 traffic directly out the client's own internet connection.
If you do tunnel all internet traffic over the VPN, but do not have IPv6 capabilities on the VPN concentrator, then this may still be the solution for you. Keep in mind that if you are tunneling all IPv4 traffic back to the concentrator so you can perform filtering, then this solution may bypass that filtering for IPv6 traffic since it will not get sent over the tunnel.
This method is a good baseline configuration to use on any installation where internet traffic does not need to be filtered centrally as it prepares the AnyConnect system to properly handle IPv6-enabled clients.
What It Does: This configuration example will enable IPv6 over the VPN and assign an address to your VPN clients. It will then set up a split tunnel for IPv6 that tunnels only the 1::1/64 network (which isn't used). This tells the VPN client to exclude all other IPv6 traffic from the tunnel, allowing the PC to use the local internet for IPv6.
ip local pool VPNPOOL 10.1.160.0-10.1.160.254 mask 255.255.255.0
ipv6 local pool VPNPOOLv6 1::1/64 256
!
access-list SSL_VPN extended permit ip 10.100.0.0 255.255.0.0 any4
access-list SSL_VPN extended permit ip host 1::1 any6
!
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 dns-server value 220.127.116.11
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_VPN
 address-pools value VPNPOOL
 ipv6-address-pools value VPNPOOLv6
Tunnel Internet Traffic
If your VPN is configured to send all internet-bound traffic over the VPN and you want to include IPv6, then this is likely what you will want to do.
What It Does: This configuration example will enable IPv6 over the VPN, assign an address to your VPN clients, and tunnel all the IPv6 traffic over the VPN to be (possibly filtered and) sent out the internet connection at the VPN concentrator.
ip local pool VPNPOOL 10.1.160.0-10.1.160.254 mask 255.255.255.0
ipv6 local pool VPNPOOLv6 2000:babe::1/64 256
!
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 dns-server value 2001:4860:4860::8888
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 address-pools value VPNPOOL
 ipv6-address-pools value VPNPOOLv6
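As an added example (not from the original post or from Cisco), here is a small audit script that reads group-policy blocks in the indented form `show running-config` prints them and reports which of the two IPv6 postures above each one has, or that it is left unconfigured (the silent-drop case from the introduction). The policy names and the config text are constructed for the example, and the classification follows only the attributes shown in the two examples above.

```python
import re

# Constructed sample: three group-policy blocks written the way 'show running-config'
# prints them (attribute lines indented by one space). Not output from a real device.
SAMPLE_CONFIG = """\
group-policy LEGACY_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_VPN
 address-pools value VPNPOOL
group-policy LOCAL_V6_GP attributes
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_VPN
 address-pools value VPNPOOL
 ipv6-address-pools value VPNPOOLv6
group-policy TUNNEL_ALL_GP attributes
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 address-pools value VPNPOOL
 ipv6-address-pools value VPNPOOLv6
"""

def parse_group_policies(config):
    """Return {name: {attribute: value}} for each 'group-policy X attributes' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            # 'split-tunnel-network-list value SSL_VPN' -> store just 'SSL_VPN'
            current[key] = value[6:] if value.startswith("value ") else value
        else:
            current = None  # any unindented line ends the attributes block
    return policies

def ipv6_posture(attrs):
    """Classify how one group-policy treats IPv6 on a dual-stacked client."""
    if "ipv6-address-pools" not in attrs:
        return "unconfigured: client IPv6 dropped silently"
    policy = attrs.get("ipv6-split-tunnel-policy")
    if policy == "tunnelspecified":
        if "split-tunnel-network-list" not in attrs:
            return "tunnelspecified without a network list: review"
        return "local internet for IPv6"
    if policy == "tunnelall":
        return "all IPv6 tunnelled to concentrator"
    return "ipv6-split-tunnel-policy not set: review"

def audit(config):
    """Map every group-policy name in the config to its IPv6 posture string."""
    return {name: ipv6_posture(a) for name, a in parse_group_policies(config).items()}
```

Running `audit(SAMPLE_CONFIG)` flags LEGACY_GP as the unconfigured case while the other two match the Local Internet and Tunnel Internet Traffic examples respectively.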