Tuesday, September 3, 2013

Cisco anyconnect and ipv6

In this post we will look at IPv6 address assignment for AnyConnect (aka SSL VPN).

Here's the quickest way to add IPv6 to an AnyConnect tunnel-group profile:



Step 1 (define your pool space and the number of addresses to serve)

ipv6 local pool ipv6pool 2001:db8:9:9::1/64 10


Step 2 (define the group policy; optionally use the default group policy)

group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-ipsec
 default-domain value example.com
 user-authentication enable


Step 3 (build a tunnel-group and insert your IPv6 pool; here I have both IPv4 and IPv6 pools)

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 ipv6-address-pool ipv6pool




Alternative configuration: the IPv6 pool is set in the group-policy instead of being specified at the tunnel-group.



group-policy DfltGrpPolicy attributes
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-ipsec
 default-domain value getesa.gq
 user-authentication enable
 ipv6-address-pools value ipv6pool      <---- add the pool here

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 no ipv6-address-pool ipv6pool          <---- remove the pool from the tunnel-group
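The three steps above, and the alternative that moves the pool into the group-policy, are easy to get subtly wrong: a pool count that runs past its prefix, a tunnel-group that names a pool that was never defined, or the same pool assigned at both levels so that nobody is sure which one wins. Below is a small checker I wrote for this post that parses the IPv6 pool lines out of an ASA-style config and reports those mistakes. It is an added example, not Cisco's code or anything from the ASA itself; the two sample configs are constructed (the clean one mirrors Step 1 plus Step 3, the broken one deliberately contains the three mistakes), and only the IPv6 pool commands shown on this page are recognised.

```python
"""Lint the IPv6 pool pieces of an ASA AnyConnect config (added example)."""
import ipaddress
import re

# "ipv6 local pool NAME FIRST/PREFIXLEN COUNT" (top-level, unindented)
POOL_RE = re.compile(r"^ipv6 local pool (\S+) (\S+)/(\d+) (\d+)$")
# Lines that open a config context we care about
CONTEXT_RE = re.compile(r"^(group-policy|tunnel-group) (\S+) (attributes|general-attributes)$")
# group-policy uses "ipv6-address-pools value NAME", tunnel-group uses "ipv6-address-pool NAME"
REF_RE = re.compile(r"^\s+(no )?ipv6-address-pools? (?:value )?(\S+)$")


def parse_ipv6_pools(config):
    """Return {name: (first_address, count, prefix_network)} for every ipv6 local pool."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.rstrip())
        if m:
            name, first, plen, count = m.groups()
            network = ipaddress.IPv6Network(f"{first}/{plen}", strict=False)
            pools[name] = (ipaddress.IPv6Address(first), int(count), network)
    return pools


def pool_range(pool):
    """First and last address the pool would hand out (count consecutive addresses)."""
    first, count, _ = pool
    return first, first + (count - 1)


def parse_pool_references(config):
    """Return {(kind, owner): pool_name} for the active IPv6 pool references.

    A 'no ipv6-address-pool ...' line inside a context removes that context's reference,
    mirroring what the negated command does on the box.
    """
    refs = {}
    context = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # a new top-level command starts a new context
            m = CONTEXT_RE.match(line)
            context = (m.group(1), m.group(2)) if m else None
            continue
        m = REF_RE.match(line)
        if m and context:
            negated, pool = m.groups()
            if negated:
                refs.pop(context, None)
            else:
                refs[context] = pool
    return refs


def lint_ipv6_pools(config):
    """Return a list of human-readable findings; an empty list means the pools look consistent."""
    pools = parse_ipv6_pools(config)
    refs = parse_pool_references(config)
    findings = []
    for name, pool in pools.items():
        first, last = pool_range(pool)
        if last not in pool[2]:
            findings.append(f"pool {name}: {pool[1]} addresses from {first} overflow {pool[2]}")
    referenced = {}
    for (kind, owner), pool in refs.items():
        if pool not in pools:
            findings.append(f"{kind} {owner}: references undefined pool {pool}")
        referenced.setdefault(pool, []).append(f"{kind} {owner}")
    for name in pools:
        if name not in referenced:
            findings.append(f"pool {name}: defined but not referenced anywhere")
    for pool, owners in referenced.items():
        if len({o.split()[0] for o in owners}) > 1:
            findings.append(f"pool {pool}: assigned at both levels ({', '.join(owners)}); pick one")
    return findings


# Constructed sample: Step 1 plus the Step 3 tunnel-group variant from the post.
CLEAN_CONFIG = """\
ipv6 local pool ipv6pool 2001:db8:9:9::1/64 10
group-policy DfltGrpPolicy attributes
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03
 ipv6-address-pool ipv6pool
"""

# Constructed sample with three mistakes: a pool whose count runs past its /64,
# a tunnel-group pointing at a pool that was never defined, and one pool
# assigned both in the group-policy and in the tunnel-group.
BROKEN_CONFIG = """\
ipv6 local pool ipv6pool 2001:db8:9:9::1/64 10
ipv6 local pool tinypool 2001:db8:9:a:ffff:ffff:ffff:fff0/64 32
group-policy DfltGrpPolicy attributes
 ipv6-address-pools value ipv6pool
tunnel-group DefaultWEBVPNGroup general-attributes
 ipv6-address-pool ipv6pool
tunnel-group Staff general-attributes
 ipv6-address-pool missingpool
"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_ipv6_pools(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a `show running-config` dump and the only parsing it relies on is the one-space indentation the ASA uses for sub-commands, so the annotated lines in the post (the ones ending in `<----`) need the annotation stripped first.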


(Screenshots of the AnyConnect client diagnostics and the ASA show commands appeared here in the original post.)





Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \

4 comments:

  1. Hi,
    I have a Cisco ASA 5515 running version 9.1(2).
    I am trying to assign IPv6 addresses to the AnyConnect clients using an IPv6 local pool.
    But it doesn't work... Do I need end-to-end IPv6 connectivity?

    ip local pool pool 192.168.105.10-192.168.105.20 mask 255.255.255.240
    ipv6 local pool IPv6 2001:eab::15/64 5
    !
    interface GigabitEthernet0/0
    nameif External
    security-level 100
    ip address 192.168.101.197 255.255.255.0
    ipv6 enable
    !
    interface GigabitEthernet0/1
    nameif Internal
    security-level 0
    ip address 192.168.105.2 255.255.255.240
    ipv6 address 2001:eab::/64 eui-64
    ipv6 enable
    !
    webvpn
    enable External
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
    anyconnect profiles Remote_client_profile disk0:/Remote_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Remote internal
    group-policy GroupPolicy_Remote attributes
    wins-server none
    dns-server value 172.16.254.11
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    default-domain value netskope.com
    webvpn
    anyconnect profiles value Remote_client_profile type user
    tunnel-group Remote type remote-access
    tunnel-group Remote general-attributes
    address-pool pool
    ipv6-address-pool IPv6
    default-group-policy GroupPolicy_Remote
    tunnel-group Remote webvpn-attributes
    group-alias Remote enable
    !

  2. No, your client doesn't need an IPv6 address, just IPv6 support in the OS. Follow the above examples and ensure you understand the groups.


  3. Maybe I was wrong... The intention is to also tunnel IPv6 traffic from the end user over the Cisco IPsec tunnel.

    The IPv4 tunnel and traffic are working fine.
    Without any change to the IPv4 config, will IPv6 traffic go through the IPv4 tunnel?

  4. This post was about the SSL VPN AnyConnect, but v3 of the AnyConnect client supports IPv6, and yes, over the same IPv4 tunnels. So you can tunnel IPv6 in an IPsec-tunnel configuration.
