look here ;
So let's look at the ASA configuration.
First, let's see which group-policy and tunnel-group the ASA used for my user:
( show vpn-sessiondb anyconnect )
Now the group-policy applied to my user:
group-policy DfltGrpPolicy attributes
dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tun-ipsec
default-domain value socpuppets.com
user-authentication enable
and the tunnel-group:
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool03
and the corresponding IPv4 pool:
show ip local pool VPNPool03
Begin End Mask Free Held In use
192.168.150.65 192.168.150.96 255.255.255.0 31 0 1
Okay, so is this normal? A /128 prefix on a dial-up SSL VPN client? A group-policy that is not enabled for IPv6? And then why two link-local addresses?
Well, I was trying to read up on this RFC and on IPv6 over PPP;
Since the AnyConnect virtual interface is enabled for IPv6, it uses this unique link-local address. I'm guessing that after it attempts to establish a PPP session, it crafts a link-local EUI-48 address using the primary interface's MAC address. Remember, a PPP or serial interface does not have a MAC address.
What I did find out is that the adapter will always generate a new link-local address upon establishment of connectivity;
( three new attempts gave me the following )
So if you take heed of the "tentative" flag next to the scopeid, I believe it's using DAD (duplicate address detection) to ensure the link-local address is unique.
I will continue with some more diagnostics and hopefully test this on a Linux or Windows AnyConnect client soon.
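As an added example (this is not code from the original post or from Cisco), here is one way to check the guess about the MAC address: derive the link-local address that modified EUI-64 (RFC 4291, Appendix A) would produce from the adapter's MAC and compare it with the address the client actually shows, with the `%scopeid` zone index stripped off first. A MAC-derived link-local address is the same on every connection; an address that changes on every connect, as observed above, is what a randomized interface identifier (RFC 4941 style) produces, which the last function illustrates. The MAC and addresses used here are constructed sample values, not values from the post.

```python
"""Added example, not part of the original post: EUI-64 link-local derivation
and comparison against an observed address.  Sample MAC/addresses are made up."""
import ipaddress
import os


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291 App. A): split the MAC, insert 0xFFFE in the middle, and invert
    the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_modified_eui64(mac))


def strip_scope(addr: str) -> ipaddress.IPv6Address:
    """ifconfig/ipconfig print link-local addresses as fe80::...%<zone>; drop
    the zone index so only the address itself is compared."""
    return ipaddress.IPv6Address(addr.split("%", 1)[0])


def is_eui64_derived(addr: str, mac: str) -> bool:
    """True if the observed link-local address is exactly what the MAC yields."""
    return strip_scope(addr) == link_local_from_mac(mac)


def random_link_local() -> ipaddress.IPv6Address:
    """A randomized interface identifier in the RFC 4941 style: 64 random bits
    with the universal/local bit cleared so it cannot collide with a real
    EUI-64.  This is the shape of an address that differs on every connect."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"            # constructed sample MAC
    observed = "fe80::21a:2bff:fe3c:4d5e%utun1"  # constructed sample observation
    print("EUI-64 link-local for", sample_mac, "->", link_local_from_mac(sample_mac))
    print("observed address is MAC-derived:", is_eui64_derived(observed, sample_mac))
    print("two randomized IIDs:", random_link_local(), random_link_local())
```

To use this against a real client, copy the MAC of the physical adapter and the `inet6 fe80::...` line the VPN adapter shows into the two sample values; if `is_eui64_derived` is False on a fresh connection and the address differs from the previous connection's, the client is not building the identifier from the MAC.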
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \