Here's the quickest way to add IPv6 to an AnyConnect tunnel-group profile:
Step 1 (define your pool space and the number of addresses to serve):

ipv6 local pool ipv6pool 2001:db8:9:9::1/64 10
Step 2 (define the group policy; optionally just use the default group policy):

group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-ipsec
 default-domain value example.com
 user-authentication enable

After entering this, check with show running-config group-policy DfltGrpPolicy that both sets of DNS servers survived; if only one dns-server value line remains, put the IPv4 and IPv6 servers on a single dns-server value line.
Step 3 (build a tunnel-group and insert your IPv6 pool; here I have both IPv4 and IPv6 pools):

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 ipv6-address-pool ipv6pool
Alternative configuration, with the IPv6 pool in the group-policy and not specified at the tunnel-group:

group-policy DfltGrpPolicy attributes
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-ipsec
 default-domain value getesa.gq
 user-authentication enable
 ipv6-address-pools value ipv6pool        <---- ADD the pool here

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 no ipv6-address-pool ipv6pool            <---- REMOVE the pool from the tunnel-group
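To catch the wiring mistakes behind "it doesn't work" before pasting config into the box, here is an added example (my own Python, not from this post and not a Cisco tool) that pulls the ipv6 local pool, group-policy attributes and tunnel-group general-attributes commands out of a config fragment and reports, per remote-access tunnel-group, which IPv6 pool its clients would be handed, whether that pool is actually defined, and whether any IPv6 pool is reachable at all. The pool, group-policy and tunnel-group names in the sample are constructed; the resolution order is an assumption taken from Cisco's ipv6-address-pools command reference (a group-policy value overrides the tunnel-group's own ipv6-address-pool, and a group-policy inherits unset attributes from DfltGrpPolicy), so confirm it against your release; interface, webvpn and other blocks are ignored.

```python
"""Static check of AnyConnect IPv6 pool wiring in a Cisco ASA config fragment.
Added example, not from the post: parses ipv6 local pool, group-policy attributes
and tunnel-group general-attributes, then reports for each remote-access
tunnel-group which IPv6 pool its clients would really be handed."""
import ipaddress


def parse_asa(text):
    """Parse the fragment into IPv6 pools, group policies and tunnel groups."""
    cfg = {"v6_pools": {}, "group_policies": {}, "tunnel_groups": {}}
    section = None  # (kind, name) of the block whose attribute lines follow
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[:3] == ["ipv6", "local", "pool"]:
            first, plen = parts[4].split("/")  # ipv6 local pool NAME FIRST/LEN COUNT
            cfg["v6_pools"][parts[3]] = (ipaddress.IPv6Address(first), int(plen), int(parts[5]))
            section = None
        elif parts[0] == "group-policy":
            cfg["group_policies"].setdefault(parts[1], {})
            section = ("group-policy", parts[1]) if parts[2] == "attributes" else None
        elif parts[0] == "tunnel-group":
            tg = cfg["tunnel_groups"].setdefault(parts[1], {})
            if parts[2] == "type":
                tg["type"] = parts[3]
            section = ("tunnel-group", parts[1]) if parts[2] == "general-attributes" else None
        elif parts[0] in ("interface", "webvpn", "crypto", "aaa", "access-list", "username"):
            section = None  # some other top-level block: stop attributing lines
        elif section is not None:
            _apply_attribute(cfg, section, parts)
    return cfg


def _apply_attribute(cfg, section, parts):
    """Record only the attributes that decide which IPv6 pool a client gets."""
    kind, name = section
    if kind == "group-policy" and parts[:2] == ["ipv6-address-pools", "value"]:
        cfg["group_policies"][name]["ipv6-address-pools"] = parts[2:]  # up to six, tried in order
    elif kind == "group-policy" and parts[:2] == ["ipv6-address-pools", "none"]:
        cfg["group_policies"][name]["ipv6-address-pools"] = []  # explicit null: blocks inheritance
    elif kind == "tunnel-group" and parts[0] in ("ipv6-address-pool", "default-group-policy"):
        cfg["tunnel_groups"][name][parts[0]] = parts[1]
    elif kind == "tunnel-group" and parts[:2] == ["no", "ipv6-address-pool"]:
        cfg["tunnel_groups"][name].pop("ipv6-address-pool", None)


def effective_ipv6_pools(cfg, tg_name):
    """Return (pool names, where they are set) for clients that land in tg_name.
    Assumed precedence, per Cisco's ipv6-address-pools command reference: a group-policy
    value (the default-group-policy, inheriting from DfltGrpPolicy for attributes it
    leaves unset) overrides the tunnel-group's own ipv6-address-pool."""
    tg = cfg["tunnel_groups"][tg_name]
    for gp_name in (tg.get("default-group-policy", "DfltGrpPolicy"), "DfltGrpPolicy"):
        gp = cfg["group_policies"].get(gp_name, {})
        if "ipv6-address-pools" in gp:
            return list(gp["ipv6-address-pools"]), f"group-policy {gp_name}"
    if "ipv6-address-pool" in tg:
        return [tg["ipv6-address-pool"]], f"tunnel-group {tg_name}"
    return [], None


def audit(cfg):
    """Return (tunnel-group, message) findings for every remote-access tunnel-group."""
    findings = []
    for tg_name, tg in cfg["tunnel_groups"].items():
        if tg.get("type", "remote-access") != "remote-access":  # DefaultWEBVPNGroup has no type line
            continue
        pools, source = effective_ipv6_pools(cfg, tg_name)
        if not pools:
            findings.append((tg_name, "no IPv6 pool reachable: clients will get IPv4 only"))
        for pool in pools:
            if pool in cfg["v6_pools"]:
                first, plen, count = cfg["v6_pools"][pool]
                findings.append((tg_name, f"ok: {count} addresses from {first}/{plen} via {source}"))
            else:
                findings.append((tg_name, f"{source} names undefined IPv6 pool '{pool}'"))
    return findings


# Constructed sample modelled on the post's fragments; names and prefixes are assumed.
SAMPLE_CONFIG = """\
ipv6 local pool ipv6pool 2001:db8:9:9::1/64 10
group-policy GP_Lab internal
group-policy GP_Lab attributes
 ipv6-address-pools value ipv6poll
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 ipv6-address-pool ipv6pool
tunnel-group Lab type remote-access
tunnel-group Lab general-attributes
 ipv6-address-pool ipv6pool
 default-group-policy GP_Lab
tunnel-group Guest type remote-access
tunnel-group Guest general-attributes
 address-pool VPNPool03
tunnel-group Site type ipsec-l2l
"""

if __name__ == "__main__":
    print(*audit(parse_asa(SAMPLE_CONFIG)), sep="\n")
```

Feed it the output of show running-config (or just the pool, group-policy and tunnel-group sections) instead of SAMPLE_CONFIG. The constructed Lab group shows the trap the alternative placement creates under that precedence: a misspelled pool name in the group-policy wins over a perfectly good ipv6-address-pool on the tunnel-group, and Guest shows the plain case of a group that never reaches any IPv6 pool.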
Now here are a few screenshots of the AnyConnect client diagnostics and show commands. On the ASA, show vpn-sessiondb anyconnect lists the assigned IPv6 address alongside the IPv4 one for each session, which is the quickest check that the pool is actually being handed out.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \
Hi
I have a Cisco ASA 5515 running version 9.1(2).
I am trying to assign IPv6 addresses to the AnyConnect clients using an IPv6 local pool.
But it doesn't work... Do I need end-to-end IPv6 connectivity?
ip local pool pool 192.168.105.10-192.168.105.20 mask 255.255.255.240
ipv6 local pool IPv6 2001:eab::15/64 5
!
interface GigabitEthernet0/0
 nameif External
 security-level 100
 ip address 192.168.101.197 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif Internal
 security-level 0
 ip address 192.168.105.2 255.255.255.240
 ipv6 address 2001:eab::/64 eui-64
 ipv6 enable
!
webvpn
 enable External
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
 anyconnect profiles Remote_client_profile disk0:/Remote_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Remote internal
group-policy GroupPolicy_Remote attributes
 wins-server none
 dns-server value 172.16.254.11
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value netskope.com
 webvpn
  anyconnect profiles value Remote_client_profile type user
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 address-pool pool
 ipv6-address-pool IPv6
 default-group-policy GroupPolicy_Remote
tunnel-group Remote webvpn-attributes
 group-alias Remote enable
!
No, your client doesn't need an IPv6 address, just IPv6 support in the OS. Follow the above examples and ensure you understand the groups.
Maybe I was wrong.... The intention is to tunnel IPv6 traffic also from the end user over the Cisco IPsec tunnel.
The IPv4 tunnel and traffic are working fine.
Without any change in the IPv4 config, will IPv6 traffic go through the IPv4 tunnel?
What this was was the SSL VPN AnyConnect, but v3 of the AnyConnect client supports IPv6, and yes, over the same IPv4 tunnels. So you can tunnel IPv6 in an IPsec-tunnel configuration.