Cisco Anyconnect Vpn Ipv6

I have a cisco ASA 5515 of version 9.1(2). Am trying to assign ipv6 address for the anyconnect clients using an ipv6 local pool. But it doesn't work.Do i need end-to-end ipv6 connectivity? Ip local pool pool 192.168.105.10-192.168.105.20 mask 255.255.255.240 ipv6 local pool IPv6 2001:eab::15/64 5! Interface GigabitEthernet0/0 nameif External. This is true even if ipv6 is not configured for anyconnect. So to sum up, the AnyConnect client does not support split-tunneling of the IPv6 traffic. All IPv6 traffic must go over the AnyConnect tunnel (ie TunnelAll). If you are not supporting IPv6 over the tunnel, you will not be able to access IPv6 resources when connected.

Cisco Anyconnect Vpn Disable Ipv6
Cisco Anyconnect Vpn Ipv6 Login
Cisco Anyconnect Vpn Download Free
Cisco Anyconnect Vpn Address
Cisco Anyconnect Vpn Client Download

VPN, CISCO AnyConnect, IPv6 notes As of Fall 2018 the VPN supports IPv6. This page explains what that means and how IPv6 traffic is handled in the different profiles.

When traveling to guest Wifis, e.g., at different customers sites, hotels, or public Wifis in general, I often have only IPv4 access to the Internet. Since I do not want to use IPv6 tunneling protocols such as Teredo, I decided to use the Cisco AnyConnect Secure Mobility Client to tunnel IPv6 between my test laboratory (Cisco ASA) and my computer. With a few changes on the ASA, my computer now gets a private IPv4 address and a global unicast IPv6 address out of my space at home. Since I am using a VPN tunnel to access the Internet from untrusted Wifis anyway, the overall process did not change that much.

In the following I am showing a few screenshots but not a complete configuration guide for the AnyConnect Client.

(I assume that there is an AnyConnect Secure Mobility Client in place and running already. I also assume that native IPv6 is configured on the outside interface of the Cisco ASA as well.)

Note that this post is one of many related to IPv6. Click here for a structured list.

Full IPv4 and IPv6 Tunnel

If so, there are only two steps to activate IPv6 for the VPN tunnel: The creation of an IPv6 pool and the allocation of that pool in the connection profile:

If a connection is made to this connection profile (in many cases over an IPv4-only network), the AnyConnect client gets addresses from both protocols:

In the VPN monitoring section of the Cisco ASDM, both IPv4/IPv6 addresses are shown, too:

That’s it. ;) Works perfectly for me.

Split Tunnel IPv4 – Full Tunnel IPv6

I also configured another group policy which tunnels only my private IPv4 networks and the complete IPv6 space. I am using this policy when I reside on trusted networks that only have IPv4 access to the Internet. However, this lead to strange behaviours with Windows 7 since IPv6 was NOT preferred over IPv4 anymore and IPv6 domain lookups did not work anymore, too. The result was, that simple “ping ipv6-only-host” commands threw an error such as “unknown host”, PuTTY was not able to get the IPv6 address of IPv6 hosts in general, and web browsers used IPv4 per default. But IPv6 still worked if it was requested specifically such as “ping -6 ipv6-only-host”.

The AnyConnect route details looked quite ok:

But the system did not use IPv6 until the user triggered it explicitly:

Some troubleshooting with Wireshark revealed that in the first case (when pinging a host such as ping facebook.com ) Windows ONLY requested a type A record via DNS. But as I did a ping -6 facebook.com , it requested a type AAAA record. More interestingly, Windows did not use the configured DNS server in the group policy from the AnyConnect profile (in my case: 8.8.8.8), but the DNS server that is configured on the hardware interface. (Note the time gap between both DNS requests as a result from my two different pings above):

Solution: After I added the 8.8.8.8 IPv4 address to the tunneled network list in the group policy, Windows used this DNS server and requested both records (A and AAAA) directly. The following screenshot shows the DNS requests as I did a simple ping facebook.com without the “-6” option. (No time gap between both requests anymore):

Now, the Route Details pane from AnyConnect looks like that:

Short summary:

If only the private IPv4 networks are tunneled, Windows initiates DNS queries from its hardware interface and sends these requests to the DNS server that is configured on that hardware interface. Furthermore, Windows only requests the type A record.
If additionally the IPv4 DNS server address is tunneled (in my case the 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA records, since the initiating interface is capable of IPv6.

Featured image “East Side Access Progress: May 21, 2014” by Metropolitan Transportation Authority of the State of New York is licensed under CC BY 2.0.

Topics Map > Networking > Virtual Private Networking (VPN)

This page explains the distinctions between the Cisco AnyConnect VPN profiles available during the login process.

Normal use: 'SplitTunnel' profile

Most people will ordinarily select the '1_SplitTunnel_(Default)' profile. This sends traffic meant for University computers to the University, and doesn't intervene in your non-University web browsing such as Facebook or Google. As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN. Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

The Office of Privacy and Information Assurance (OPIA) suggests the use of the split tunnel profile from secured networks that you trust, such as home and work networks.

Special cases: 'TunnelAll,' 'SplitTunnel_NoPrivateIP', '2FA_Duo,' and 'ReduceDisconnects' profiles

Tunnel All (off-campus online resource use, traveling in countries with restricted network access)

The '3_TunnelAll' profile is used in cases where you need to present a University identity to a third party website, such as the Library's online resource collection. (See Library Resources and the VPN for more information about remote access to the Library's resources.) There are some other services provided to campus based on IP address in addition to those from the Library. Additionally, if you are traveling outside the US and want to reach US servers for services such as Google or Facebook then the Tunnel All profile will send all your data back to campus first, and then out to those services. Researchers accessing NIST data must use either '3_TunnelAll' or '4_TunnelAll_2FA_Duo' in order to be compliant with grant award restrictions. As of Fall 2018 both your IPv4 and IPv6 traffic are sent back to campus.

The Office of Privacy and Information Assurance (OPIA) recommends the use of the Tunnel All profile from untrusted networks, such as unsecured wireless networks, coffee shops, hotels, and other potentially vulnerable networks. This way all of your network traffic is encrypted on the path between your computer and the campus network, helping to protect your data from snooping.

Problem: I cannot connect to Tunnel_All VPN and local server or printer without being disconnected.

Answer: You need to check the box in settings for 'Allow local (LAN) access when using VPN' in your settings. That should let you keep access to the local samba server while using Tunnel All.

VPN, Configuration for local LAN access

SplitTunnel_NoPrivateIP

The '5_SplitTunnel_NoPrivateIP' profile is used in the rare case that you need to use the features of SplitTunnel but also need to be able to connect to computers off-campus that are on Private IP addresses normally used on campus. The standard '1_SplitTunnel_(Default)' profile will send traffic meant for any university IP address, both the public addresses and private addresses, used on campus. Most of the time this will not interfere with your ability to use non-university resources. However a few Internet providers and businesses might be using the same parts of private IP space in such a way that '1_SplitTunnel_(Default)' will not work correctly. In that case you can use '3_TunnelAll' or '5_SplitTunnel_NoPrivateIP' to connect. See more about what IP ranges are in use on campus on the Guide to University of Illinois IP Spaces.

As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN. Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

Cisco Anyconnect Vpn Disable Ipv6

2FA_Duo (IT Pros and Secure Application Access)

See About UI Verify and 2FA for details on the University implementation of Two-factor authentication (2FA). Some campus IT Pros use Duo devices for two-factor authentication, as do some University Applications. If you want to use your Duo device along with the VPN authentication system, select one of the profiles that includes '_2FA' or 'Duo' in the name before you start the VPN connection. In the line below your password type in one of the following: 'push', 'phone', or 'SMS' to tell the VPN how you want Duo to contact you.

ReduceDisconnects

The '7_SplitTunnel_ReduceDisconnects' profile is used when you are attempting to use the VPN from a congested or lossy network. The profile is designed to try and keep your VPN connection established even when you are experiencing brief network disruptions. This will not improve your overall network performance, but it will make it less likely that your VPN connection will be disconnected due to those network disruptions. Other than that, the profile is the same as the '1_SplitTunnel_(Default)' profile. Depending on some settings on your host operating system (related to TCP-Keepalives), it is possible that this profile will not work well. This limitation is the reason that it is not the default profile and it is only recommended in cases where the default profile has already been shown not to work well.

Why does the program default to SplitTunnel and not TunnelAll?

Tunnel All is required for library use, but usually slows people's network connection down for regular Internet use. Split Tunnel sends traffic for campus IP addresses to campus, but also lets all their traffic out to the Internet go straight to where it is going without the overhead of first encrypting it, then sending it to the university, having it unencrypted, and then sending it back out to the Internet. Then the response comes back to the University, get encrypted, and then sent back to their computer where it has to be unencrypted. That adds time, and the encryption process uses a lot of CPU power on their computer. It also sends all the traffic in and out of the University's Internet connection (multiple times) that otherwise doesn't need to be there, using a moderately expensive resource shared by all of campus.

Because of all the extra steps the data has to take with Tunnel All, most people have the best experience using the Internet and University resources at the same time with Split Tunnel.

Cisco Anyconnect Vpn Download Free

Split Tunnel does let people connect to classroom servers, just not Library online resources. Classroom servers have University IP addresses, so the VPN sends that traffic to campus in either Split Tunnel or Tunnel All. The Library's online resources are located off-campus, and depend on checking your IP address to see if you are allowed to use them. That means the traffic must come from campus, so only Tunnel All works.