Remote Access for IPv6 Using Cisco AnyConnect

This topic covers the following subjects:

■ IPv6 remote access over Cisco AnyConnect: This section covers providing IPv6 access to enterprise services over a dual-stack SSL VPN session using the Cisco AnyConnect SSL VPN Client.

■ IPv6 remote access over Cisco VPN Client: This section discusses providing IPv6 access to enterprise services over an IPsec session using the Cisco VPN Client and host-based IPv6 tunnels.

Many IT groups put a lot of effort into providing IPv6 access within the traditional boundaries of their enterprise and often delay supporting those users who work remotely. Traditional encrypted client-based Virtual Private Network (VPN) solutions can be leveraged to provide IPv6 access while a user works remotely, provided that the VPN solution can offer at least one of these three capabilities:

■ Enable IPv6 to traverse an IPv4 Secure Socket Layer (SSL) VPN session, and also provide dual-stack support on the VPN termination device.

■ Enable IPv6-based tunnels through an established IPv4 IPsec VPN session to an IPv6 tunnel termination point inside the enterprise.

■ Provide native IPv6 support between a remote client and the enterprise site over a secured connection (for example, over IPsec or SSL).

The first solution leverages the Cisco AnyConnect SSL VPN Client (SVC) to establish an SSL-over-IPv4 connection to the Cisco Adaptive Security Appliance (ASA). IPv6 is transported between the client and the ASA over the IPv4/SSL connection, and then, after it is terminated on the Cisco ASA, the IPv6 traffic is routed as a native IPv6 packet.


The second solution leverages the Cisco VPN Client to establish an IPsec-over-IPv4 session to one of a few Cisco VPN head-end solutions, such as the Cisco Adaptive Security Appliance (ASA), Cisco IOS router, or Cisco VPN 3000 Concentrator. A tunnel mechanism such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, or manually configured tunnels encapsulates IPv6 traffic inside IPv4, and the encapsulated traffic is then injected into the IPsec VPN connection. The Cisco VPN head-end device terminates the IPsec connection, but the IPv6-in-IPv4 tunnel remains intact and is routed to the tunnel termination device further inside the enterprise network. After the IPv6-in-IPv4 tunnel is terminated, IPv6 is routed as a native IPv6 packet.

The third solution today leverages the capability of Microsoft DirectAccess (DA). Microsoft DA provides IPv6-only remote access capabilities between Microsoft Windows 7 and Windows Server 2008 R2 hosts. Microsoft DA requires IPv6-only connectivity between the secured endpoints. If the transport between the endpoints is not IPv6, Microsoft DA attempts to encapsulate IPv6 over a number of tunneling mechanisms such as 6to4, Teredo, ISATAP, and IP-HTTPS. There is much to understand about Microsoft DA, but its theory, design, and deployment are outside the scope of this topic. Refer to the guides at the following Microsoft site to find out whether Microsoft DA is appropriate for your network:

http://technet.microsoft.com/en-us/network/dd420463.aspx

This topic focuses on the first two solutions: remote access using Cisco AnyConnect and Cisco VPN Client. At the time of this writing, neither offers native remote access support over IPv6 transport, but the AnyConnect solution has this on the road map. You should check with your Cisco account team or the product pages on the Cisco website for the release of AnyConnect access over IPv6 transport.

With the Cisco AnyConnect solution on the Cisco ASA, a user can securely connect to the enterprise site in two ways:

■ Clientless SSL VPN

■ Cisco AnyConnect VPN Client

The Clientless SSL VPN (also called WebVPN) method enables a user to open a web browser, connect to the Cisco ASA portal, and establish a Transport Layer Security (TLS) connection over IPv4/TCP port 443. From there, the client can access applications that reside inside the enterprise. If the Cisco ASA and the back-end applications accessed through the portal are configured to work over IPv6, the client can access those applications over IPv6. The Clientless SSL VPN configuration is not shown in this topic. Refer to the Cisco documentation for more information:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1016526

The Cisco AnyConnect VPN Client is an application that is installed on the user’s host. The user launches the Cisco AnyConnect VPN Client and establishes Datagram Transport Layer Security (DTLS) over IPv4/UDP port 443 to the Cisco ASA. Although the traditional TLS over TCP port 443 is supported, DTLS (RFC 4347) helps avoid latency and bandwidth problems normally found in some SSL-only connections by providing a low-latency path over UDP. This helps with latency-sensitive applications such as voice. When DTLS is enabled for the Cisco AnyConnect environment, two simultaneous tunnels are used: one for TLS and one for DTLS. If the UDP tunnel is blocked or interrupted, traffic can traverse the TLS-based tunnel.

Figure 10-1 shows a high-level view of a dual-stack-enabled computer accessing the enterprise corporate network using the SVC. The SVC establishes a DTLS session (over the IPv4 Internet) to the Cisco ASA. The Cisco ASA is also enabled for dual-stack functionality. After the IPv6 packets from the client traverse the DTLS connection through the Cisco ASA, the packets are routed to their destination inside the corporate network.

Figure 10-1 Cisco AnyConnect VPN Client Connection

Figure 10-2 is an example topology for the configuration shown in this section. The client has an IPv4 address of 172.16.1.2 and is connected to the IPv4 Internet. The Cisco ASA connects to the IPv4 Internet through a Cisco router (not shown) that provides access, basic filtering, and IPv4 Network Address Translation (NAT). The Cisco ASA has an "outside" IPv4 address of 10.124.1.4 and an "inside" IPv4 address of 10.124.3.1. The Cisco ASA is dual-stack enabled on the inside and also has an IPv6 address of 2001:DB8:CAFE:1002::1.

Figure 10-2 Cisco AnyConnect VPN Client Example Topology

The Cisco ASA has two pools of addresses for incoming AnyConnect sessions. One is an IPv4 pool with a range of 10.124.3.30-10.124.3.80. The other is an IPv6 pool providing 50 addresses in the 2001:DB8:CAFE:1002::/64 prefix, with a starting address of 2001:DB8:CAFE:1002::100/64. After a Cisco AnyConnect Client connection is established, the client will be assigned an IPv4 and IPv6 address out of these pools. Also, other network services can be leveraged over either IPv4 or IPv6, such as Domain Name System (DNS), user authorization/authentication, Microsoft Active Directory integration, and so on. Security filtering and inspection are no different in this model than in an IPv4-only model. You would apply security policies for IPv6 at the same point as IPv4 for the internally destined traffic.

The configuration shown in Example 10-1 is a snippet of the full Cisco ASA configuration and is not meant to be a best-practice configuration, but simply one example of how to enable IPv6 support for Cisco AnyConnect. Also note that all of this configuration can be done in the Cisco Adaptive Security Device Manager (ASDM) GUI.

The example shows an "outside" and an "inside" interface. The Cisco ASA software requires that basic IPv6 be enabled (through the ipv6 enable command) on the outside interface. This is purely a software requirement; the outside interface is not used to process IPv6 packets for the VPN session. No special security considerations are needed to protect this interface from IPv6 attack from the Internet: the command is locally significant (although it does create an IPv6 link-local address on the interface), no IPv6 reachability exists because the Internet connection is IPv4-only, and an attacker would need direct physical access to this link/port to even attempt an attack against the link-local address of the outside interface.
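The topology and address pools described above, written up as an added configuration example for this edit. It is not the book's Example 10-1 and was not taken from the page; it uses the Cisco ASA 8.x CLI syntax of that era (the svc keywords, later renamed anyconnect), the interface addresses and pool ranges given in the text, and assumed names for the interfaces, pools, group policy, and tunnel group, plus a placeholder for the AnyConnect package filename.

```cisco
! Added example (not the book's Example 10-1): dual-stack AnyConnect on ASA 8.x
! Interface names, pool/policy/tunnel-group names are assumptions; addresses are from the text
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.124.1.4 255.255.255.0
 ! Software requirement only: creates a link-local address, no global IPv6 on the outside
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.124.3.1 255.255.255.0
 ! Dual-stack inside interface; assigned client IPv6 addresses come from this /64
 ipv6 address 2001:db8:cafe:1002::1/64
!
! IPv4 pool 10.124.3.30-10.124.3.80 and IPv6 pool of 50 addresses starting at ::100
ip local pool ANYCONNECT-V4-POOL 10.124.3.30-10.124.3.80 mask 255.255.255.0
ipv6 local pool ANYCONNECT-V6-POOL 2001:db8:cafe:1002::100/64 50
!
webvpn
 enable outside
 ! Placeholder package name; substitute the AnyConnect image actually loaded on the ASA
 svc image disk0:/anyconnect-win-VERSION-k9.pkg 1
 svc enable
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-V4-POOL
 ipv6-address-pools value ANYCONNECT-V6-POOL
 webvpn
  ! DTLS over UDP/443 alongside the TLS tunnel; traffic falls back to TLS if UDP is blocked
  svc dtls enable
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-V4-POOL
 ipv6-address-pool ANYCONNECT-V6-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias ANYCONNECT enable
```

With the same 8.x syntax assumed, show ipv6 local pool ANYCONNECT-V6-POOL reports the pool size and the in-use and available addresses, show vpn-sessiondb detail svc lists the assigned IPv4 and IPv6 addresses and the client's public IPv4 address per session, and show ipv6 interface outside confirms that the outside interface carries only its link-local address and no global IPv6 address.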

Example 10-1 Cisco ASA AnyConnect Configuration

(configuration listing not reproduced in this copy of the page)

After the client has established an active SVC connection to the Cisco ASA, a number of output commands can show sessions and statistics. Example 10-2 shows output from two different commands.

The first output shows the IPv6 pool name, address range, size, and number of addresses in use and available. The output gives the "In Use" addresses and also the "Available Addresses" (output shortened because this is a long list).

The second output shows a summarized output for the vpn-sessiondb details, specifically the DTLS-Tunnel status. The output includes the assigned IPv4 and IPv6 address and the public IPv4 address that the client is using to connect with.

Example 10-2 IPv6 Pool and vpn-sessiondb Command Output

(command output not reproduced in this copy of the page)

Figure 10-3 shows the Cisco AnyConnect VPN Client statistics for the connection.

Figure 10-3 Cisco AnyConnect Client Statistics

The user can now access both IPv4- and IPv6-enabled applications and services through a single AnyConnect SSL session. Support for end-to-end IPv6 access from the user to the ASA head-end using SSL over IPv6 transport is on the product road map and will be available for those customers who need it.
