Cisco AnyConnect: IPv6 Access through IPv4 VPN Tunnel

When traveling to guest Wifis, e.g., at different customers sites, hotels, or public Wifis in general, I often have only IPv4 access to the Internet. Since I do not want to use IPv6 tunneling protocols such as Teredo, I decided to use the Cisco AnyConnect Secure Mobility Client to tunnel IPv6 between my test laboratory (Cisco ASA) and my computer. With a few changes on the ASA, my computer now gets a private IPv4 address and a global unicast IPv6 address out of my space at home. Since I am using a VPN tunnel to access the Internet from untrusted Wifis anyway, the overall process did not change that much.

In the following I am showing a few screenshots but not a complete configuration guide for the AnyConnect Client.

(I assume that there is an AnyConnect Secure Mobility Client in place and running already. I also assume that native IPv6 is configured on the outside interface of the Cisco ASA as well.)

Full IPv4 and IPv6 Tunnel

If so, there are only two steps to activate IPv6 for the VPN tunnel: The creation of an IPv6 pool and the allocation of that pool in the connection profile:

Cisco ASA IPv6 PoolCisco ASA Connection Profile

If a connection is made to this connection profile (in many cases over an IPv4-only network), the AnyConnect client gets addresses from both protocols:

Cisco AnyConnect Statistics

In the VPN monitoring section of the Cisco ASDM,  both IPv4/IPv6 addresses are shown, too:

Cisco ASA AnyConnect Session Details

That’s it. ;) Works perfectly for me.

Split Tunnel IPv4 – Full Tunnel IPv6

I also configured another group policy which tunnels only my private IPv4 networks and the complete IPv6 space. I am using this policy when I reside on trusted networks that only have IPv4 access to the Internet. However, this lead to strange behaviours with Windows 7 since IPv6 was NOT preferred over IPv4 anymore and IPv6 domain lookups did not work anymore, too. The result was, that simple “ping ipv6-only-host” commands threw an error such as “unknown host”, PuTTY was not able to get the IPv6 address of IPv6 hosts in general, and web browsers used IPv4 per default. But IPv6 still worked if it was requested specifically such as “ping -6 ipv6-only-host”.

The AnyConnect route details looked quite ok:

Split Cisco AnyConnect Route Details

But the system did not use IPv6 until the user triggered it explicitly:

Split Windows 7 ping and ping -6

Some troubleshooting with Wireshark revealed that in the first case (when pinging a host such as ping facebook.com ) Windows ONLY requested a type A record via DNS. But as I did a ping -6 facebook.com , it requested a type AAAA record. More interestingly, Windows did not use the configured DNS server in the group policy from the AnyConnect profile (in my case: 8.8.8.8), but the DNS server that is configured on the hardware interface. (Note the time gap between both DNS requests as a result from my two different pings above):

Split Wireshark without 8.8.8.8 ping and ping -6

Solution: After I added the 8.8.8.8 IPv4 address to the tunneled network list in the group policy, Windows used this DNS server and requested both records (A and AAAA) directly. The following screenshot shows the DNS requests as I did a simple ping facebook.com  without the “-6” option. (No time gap between both requests anymore):

Split Wireshark with 8.8.8.8 ping directly both A and AAAA

Now, the Route Details pane from AnyConnect looks like that:

Split Cisco AnyConnect Route Details with 8.8.8.8

Short summary:

  1. If only the private IPv4 networks are tunneled, Windows initiates DNS queries from its hardware interface and sends these requests to the DNS server that is configured on that hardware interface. Furthermore, Windows only requests the type A record.
  2. If additionally the IPv4 DNS server address is tunneled (in my case the 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA records, since the initiating interface is capable of IPv6.

3 thoughts on “Cisco AnyConnect: IPv6 Access through IPv4 VPN Tunnel

  1. Nice post. Gave me a clue how to sort it. In my case though I didn’t and don’t have native IPv6 on my line so also works if you are using the ASA as the gateway but have a IPv6-in-IPv4 tunnel configured on another device. In my case a Vyatta virtual router. In that case you just need to enable IPv6 addresses on the ASA interfaces required, suppress the RA and of course create a route to the IPv6 internet using the Vyatta tunnel. Works like a charm.

Leave a Reply

Your email address will not be published. Required fields are marked *