
My host’s home network is behind NAT, has no 6to4 connectivity, and the router drops IP protocol 41 (6in4). Normally in this situation I’d fire up a Teredo tunnel, but here it’s pretty unreliable. My control traffic to Microsoft’s Teredo server goes to Singapore, and who knows where my closest Teredo relays are. After some random period of time the tunnel becomes unusable, then comes back later.

At first I tried Hurricane Electric’s PPTP VPN, tunneling my 6in4 traffic over the PPTP connection from my Mac desktop and laptop, but never got either one to work. I could send traffic outbound and see it received on the remote host, but never saw the return traffic. Interestingly, if I initiated traffic from the remote host to my desktop, I saw traffic in both directions. I’m not a smart person, so I gave up and went back to Teredo.

My lab network has full IPv6 connectivity, so my next thought was an AnyConnect-based VPN, which claims to carry IPv6 over IPv4. This lets me carry my v6 traffic inside an SSL VPN on 443/TCP (or DTLS on 443/UDP where the NAT lets it through), which sidesteps both the clobbering of proto-41 traffic and the shoddy Teredo tunneling. I found that while a PIX 515 running 8.0 works fine for basic IPv6 firewalling of hosts, you need an actual ASA to terminate AnyConnect clients.

I configured an ASA 5505 running 8.2(3) on my test network. I set up WebVPN/AnyConnect for SSL VPN (SVC) first, then came back and added the IPv6 VPN bits. There actually wasn’t much to do, and it’s decently documented in the AnyConnect admin guide. The “IPv6 Tunnel Default Gateway” setting seems unneeded, and it took forever to work out what it actually does: it is a separate default route applied only to traffic arriving from VPN clients, for when you want decrypted traffic handed to a different next-hop router instead of following the ASA’s normal default route.

ipv6asa# show vpn-sessiondb svc
Session Type: SVC

Username     : bwann                  Index        : 21
Assigned IP  :           Public IP    :
Assigned IPv6: 2600:c1f0:0:f00e::6
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 15450063               Bytes Rx     : 3679785
Group Policy : webvpn                 Tunnel Group : webvpn
Login Time   : 00:18:49 UTC Tue Sep 28 2010
Duration     : 4h:38m:49s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A

It works quite nicely. same-security-traffic permit intra-interface enables hairpinning, allowing me to reach outside v6 resources through the VPN connection. Of course there’s not much feature parity with IPv4 here. There’s no IPv6 split tunneling that I can tell; it just assigns an address from the pool to my workstation and points my inet6 default route at the tunnel. My v6 pool is global-scope space that’s routed to my ASA.
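For reference, here is a minimal ASA 8.2-style configuration that ties the pieces above together: IPv6 on the interfaces, the hairpin setting, an IPv6-only address pool, and the AnyConnect (SVC) group policy and tunnel group named webvpn as in the session output. This is an added example written for this post, not my running config. The 2001:db8: addresses are constructed from the documentation prefix, the pool prefix 2600:c1f0:0:f00e::/64 is assumed from the assigned address shown above, the client package filename is a placeholder, and the tunneled route is my reading of what ASDM’s “IPv6 Tunnel Default Gateway” field sets.

```cisco
! Added example, not the original configuration. Constructed addresses and placeholder filename.

! IPv6 on the interfaces. The pool prefix below is routed to the ASA by the upstream router.
interface Vlan1
 nameif inside
 security-level 100
 ipv6 address 2001:db8:1::1/64
 ipv6 enable
interface Vlan2
 nameif outside
 security-level 0
 ipv6 address 2001:db8:2::2/64
 ipv6 enable

! Normal IPv6 default route toward the upstream router.
ipv6 route outside ::/0 2001:db8:2::1

! Optional "IPv6 Tunnel Default Gateway" (assumed mapping): only traffic arriving from
! VPN clients uses this next hop. Leave it out unless you need a different router for it.
! ipv6 route outside ::/0 2001:db8:2::1 tunneled

! Let decrypted client traffic go back out the interface it arrived on (hairpinning).
same-security-traffic permit intra-interface

! IPv6 pool for AnyConnect clients: first address/prefix length, number of addresses.
! No IPv4 pool is defined, so sessions get a v6 address only, as in the session output.
ipv6 local pool VPNPOOL6 2600:c1f0:0:f00e::2/64 100

! SSL VPN on the outside interface. TLS listens on 443/TCP and DTLS on 443/UDP by default.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-k9.pkg 1
 svc enable

! Group policy: SVC only, hand out addresses from the v6 pool, allow DTLS.
group-policy webvpn internal
group-policy webvpn attributes
 vpn-tunnel-protocol svc
 ipv6-address-pools value VPNPOOL6
 webvpn
  svc dtls enable
  svc keep-installer installed

! Tunnel group clients connect to; the alias is what shows up in the client drop-down.
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
 default-group-policy webvpn
tunnel-group webvpn webvpn-attributes
 group-alias webvpn enable
```

After connecting, show vpn-sessiondb svc should report an Assigned IPv6 from the pool and a Protocol line listing DTLS-Tunnel if the NAT passes 443/UDP; if only SSL-Tunnel appears, the client fell back to TCP. Because no split-tunnel policy applies to the v6 prefix, everything the client sends to a v6 destination goes through the ASA, so the hairpin line is required for anything beyond the inside network.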

If your hosting network has no outside v6 connectivity, you can still use this to reach servers behind your firewall over v6. You can get away with an unrouted range as your pool: site-local FEC0::/10 works on 8.2, but that range has been deprecated (RFC 3879), so a unique local address prefix under fd00::/8 (RFC 4193) is the better choice today. But, this is borrrrrring.
