When travelling to guest Wifis, e.g., at different customers sites, hotels, or public Wifis in general, I often have only IPv4 access to the Internet. Since I do not want to use IPv6 tunnelling protocols such as Teredo, I decided to use the Cisco AnyConnect Secure Mobility Client to tunnel IPv6 between my test laboratory (Cisco ASA) and my computer. With a few changes on the ASA, my computer now gets a private IPv4 address and a global unicast IPv6 address out of my space at home. Since I am using a VPN tunnel to access the Internet from untrusted Wifis anyway, the overall process did not change that much.
In the following, I am showing a few screenshots but not a complete configuration guide for the AnyConnect Client.
(I assume that there is an AnyConnect Secure Mobility Client in place and running already. I also assume that native IPv6 is configured on the outside interface of the Cisco ASA as well.)
Full IPv4 and IPv6 Tunnel
If so, there are only two steps to activate IPv6 for the VPN tunnel: The creation of an IPv6 pool and the allocation of that pool in the connection profile:
If a connection is made to this connection profile (in many cases over an IPv4-only network), the AnyConnect client gets addresses from both protocols:
In the VPN monitoring section of the Cisco ASDM, both IPv4/IPv6 addresses are shown, too:
That’s it. ;) Works perfectly for me.
Split Tunnel IPv4 – Full Tunnel IPv6
I also configured another group policy that tunnels only my private IPv4 networks and the complete IPv6 space. I am using this policy when I reside on trusted networks that only have IPv4 access to the Internet. However, this leads to strange behaviours with Windows 7 since IPv6 was NOT preferred over IPv4 anymore and IPv6 domain lookups did not work anymore, too. The result was, that simple “ping ipv6-only-host” commands threw an error such as “unknown host”, PuTTY was not able to get the IPv6 address of IPv6 hosts in general, and web browsers used IPv4 per default. But IPv6 still worked if it was requested specifically such as “ping -6 ipv6-only-host”.
The AnyConnect route details looked quite ok:
But the system did not use IPv6 until the user triggered it explicitly:
Some troubleshooting with Wireshark revealed that in the first case (when pinging a host such as ping facebook.com ) Windows ONLY requested a type A record via DNS. But as I did a ping -6 facebook.com , it requested a type AAAA record. More interestingly, Windows did not use the configured DNS server in the group policy from the AnyConnect profile (in my case: 8.8.8.8), but the DNS server that is configured on the hardware interface. (Note the time gap between both DNS requests as a result from my two different pings above):
Solution: After I added the 8.8.8.8 IPv4 address to the tunnelled network list in the group policy, Windows used this DNS server and requested both records (A and AAAA) directly. The following screenshot shows the DNS requests as I did a simple ping facebook.com without the “-6” option. (No time gap between both requests anymore):
Now, the Route Details pane from AnyConnect looks like that:
Short summary:
- If only the private IPv4 networks are tunnelled, Windows initiates DNS queries from its hardware interface and sends these requests to the DNS server that is configured on that hardware interface. Furthermore, Windows only requests the type A record.
- If additionally the IPv4 DNS server address is tunnelled (in my case the 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA records, since the initiating interface is capable of IPv6.
Featured image “East Side Access Progress: May 21, 2014” by Metropolitan Transportation Authority of the State of New York is licensed under CC BY 2.0.
Nice post. Gave me a clue how to sort it. In my case though I didn’t and don’t have native IPv6 on my line so also works if you are using the ASA as the gateway but have a IPv6-in-IPv4 tunnel configured on another device. In my case a Vyatta virtual router. In that case you just need to enable IPv6 addresses on the ASA interfaces required, suppress the RA and of course create a route to the IPv6 internet using the Vyatta tunnel. Works like a charm.