Sorry for a little be off topic query. I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel Maybe somebody made such tests already and can point me to it. What i found so far: Citrix SSL VPN ( seems to have only partial support) https://support.citrix.com/article/CTX233563 https://www.citrix.com/blogs/2010/07/13/are-citrix-products-ipv6-ready/ so IPv6 / IPv6 not yet supported https://support.citrix.com/article/CTX211780 NetScaler Gateway VPN users are not able to resolve IPv4 DNS when their ISP has IPv6 enabled. OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6 No complete example found yet. Wireguard (LINUX only) seems to support it but missing other stuff like hostchecker Cisco SSL VPN https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configurat... IPv6 Support and Limitations for Pulse Connect Secure Features https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/IPv6%20S... Microsoft Direct access (win7/win10) and new Always on VPN (Win10 only) https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-betw... https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn... -- --- best regards Christian Bretterhofer
HI, On Sun, Mar 10, 2019 at 10:09:02PM +0100, christian bretterhofer wrote:
I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel [..] OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6 No complete example found yet.
OpenVPN can do what you're asking for. The wiki page is old and needs work. The config options described are correct ("--server-ipv6", "--ifconfig-ipv6", "--route-ipv6"), but the part about "you need to do 'proto udp6'" is 2.3.x style (which can use either IPv4 or IPv6 outside the tunnel, but not auto-detect what is needed), while 2.4.x is fully dual-stacked and will use whatever is in DNS and/or in the config. Gert Doering -- with my OpenVPN maintainer and IPv6 evangelist hats :-) -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hello, I know there are many examples out there but I have this post (in spanish) about to have IPv4 and IPv6 in one VPN using OpenVPN: https://blog.acostasite.com/2018/05/ipv4-e-ipv6-en-una-sola-vpn-utilizando.h... Alejandro, El 11/3/19 a las 06:33, Gert Doering escribió:
HI,
On Sun, Mar 10, 2019 at 10:09:02PM +0100, christian bretterhofer wrote:
I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel [..] OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6 No complete example found yet. OpenVPN can do what you're asking for.
The wiki page is old and needs work. The config options described are correct ("--server-ipv6", "--ifconfig-ipv6", "--route-ipv6"), but the part about "you need to do 'proto udp6'" is 2.3.x style (which can use either IPv4 or IPv6 outside the tunnel, but not auto-detect what is needed), while 2.4.x is fully dual-stacked and will use whatever is in DNS and/or in the config.
Gert Doering -- with my OpenVPN maintainer and IPv6 evangelist hats :-)
Sorry for shameless plugging a VPN solution I'm involved in. Let's Connect! VPN (aka eduVPN): It is currently based on OpenVPN 2.x Technical documentation is found here: https://github.com/eduvpn/documentation features: -full IPv4/IPv6 support (out of the box) -being able to manage VPN clients -meant for large scale deployments -everything is open-source: e.g. server management software, all clients (iOS, Windows, MacOS, Android, ..) -integrates with identity management systems (SAML) Let's Connect! VPN was co-funded by the RIPE community fund, .NL fund and the NREN community. cheers, Rogier On 10/03/2019 22:09, christian bretterhofer wrote:
Sorry for a little be off topic query.
I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel
Maybe somebody made such tests already and can point me to it. What i found so far:
Citrix SSL VPN ( seems to have only partial support) https://support.citrix.com/article/CTX233563 https://www.citrix.com/blogs/2010/07/13/are-citrix-products-ipv6-ready/ so IPv6 / IPv6 not yet supported https://support.citrix.com/article/CTX211780 NetScaler Gateway VPN users are not able to resolve IPv4 DNS when their ISP has IPv6 enabled.
OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6 No complete example found yet.
Wireguard (LINUX only) seems to support it but missing other stuff like hostchecker
Cisco SSL VPN https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configurat...
IPv6 Support and Limitations for Pulse Connect Secure Features https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/IPv6%20S...
Microsoft Direct access (win7/win10) and new Always on VPN (Win10 only) https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-betw... https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn...
-- --- best regards Christian Bretterhofer
We use PaloAlto GlobalProtect and have it running dual stack both as a gateway and for internal access – it works well. Only limitation is that it doesn’t seem to pass ICMPv6 traceroute traffic over the tunnel, we haven’t logged this as a bug as it is not really a big issue. Dan Kitchen CEO razorblue | IT Solutions for Business ddi: 0330 122 7143<tel:0330%20122%207143> | t: 0333 344 6 344<tel:03333446344> | w: razorblue.com<https://www.razorblue.com> [[Razorblue Logo]]<https://www.razorblue.com> Legal and address information for all Razorblue Group companies can be found at razorblue.com/contact<http://www.razorblue.com/contact>. [[ISO 9001 / ISO 27001 / Cyber Essentials]]<http://> From: ipv6-wg <ipv6-wg-bounces@ripe.net> On Behalf Of christian bretterhofer Sent: 10 March 2019 21:09 To: ipv6-wg@ripe.net Subject: [ipv6-wg] SSL VPN Clients WARNING: This e-mail originated from outside the Razorblue Group corporate network Sorry for a little be off topic query. I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel Maybe somebody made such tests already and can point me to it. What i found so far: Citrix SSL VPN ( seems to have only partial support) https://support.citrix.com/article/CTX233563<https://support.citrix.com/article/CTX233563> https://www.citrix.com/blogs/2010/07/13/are-citrix-products-ipv6-ready/<https://www.citrix.com/blogs/2010/07/13/are-citrix-products-ipv6-ready/> so IPv6 / IPv6 not yet supported https://support.citrix.com/article/CTX211780<https://support.citrix.com/article/CTX211780> NetScaler Gateway VPN users are not able to resolve IPv4 DNS when their ISP has IPv6 enabled. OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6<https://community.openvpn.net/openvpn/wiki/IPv6> No complete example found yet. Wireguard (LINUX only) seems to support it but missing other stuff like hostchecker Cisco SSL VPN https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book/sec-conn-sslvpn-ipv6-ssl-supp.pdf<https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book/sec-conn-sslvpn-ipv6-ssl-supp.pdf> IPv6 Support and Limitations for Pulse Connect Secure Features https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/IPv6%20Support%20and%20Limitations.htm<https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/IPv6%20Support%20and%20Limitations.htm> Microsoft Direct access (win7/win10) and new Always on VPN (Win10 only) https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/<https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/> https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da<https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da> -- --- best regards Christian Bretterhofer
I know from experience FortiNet FortiGate does offer dual-stack SSL-VPN, in combination with their FortiClient SSL-VPN software. I haven't found an official statement yet, but the details can be found using the configuration documentation: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/941552/editing-t... christian bretterhofer wrote at 2019-03-10 22:09:
Sorry for a little be off topic query.
I am checking which VPN solutions are IPv6 compatible outside and inside the tunnel and can so transport with any IPv6/IPv4 connection IPv6/IPv4 internal to then tunnel
Maybe somebody made such tests already and can point me to it. What i found so far:
Citrix SSL VPN ( seems to have only partial support) https://support.citrix.com/article/CTX233563 https://www.citrix.com/blogs/2010/07/13/are-citrix-products-ipv6-ready/ so IPv6 / IPv6 not yet supported https://support.citrix.com/article/CTX211780 NetScaler Gateway VPN users are not able to resolve IPv4 DNS when their ISP has IPv6 enabled.
OpenVPN https://community.openvpn.net/openvpn/wiki/IPv6 No complete example found yet.
Wireguard (LINUX only) seems to support it but missing other stuff like hostchecker
Cisco SSL VPN https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configurat... IPv6 Support and Limitations for Pulse Connect Secure Features https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/IPv6%20S...
Microsoft Direct access (win7/win10) and new Always on VPN (Win10 only) https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-betw... https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn...
-- --- best regards Christian Bretterhofer
Hi, On Mon, Mar 11, 2019 at 10:54:55AM +0100, Michiel Klaver via ipv6-wg wrote:
I know from experience FortiNet FortiGate does offer dual-stack SSL-VPN, in combination with their FortiClient SSL-VPN software.
Be aware. At least in 5.x, it's not "dual-stack", but "two single-stack SSL-VPNs in one box" - if you connect over v4, you cannot transport v6, and if you connect over v6 you cannot transport v4. Not even if you use the client-less browser mode (try connecting via web browser, open "http://v6.de", look at the missing iframes...). "This works as designed, if you want it changed, please open a feature enhancement request". Since you posted a link to 6.0.0 documentation - we haven't tested 6.x with SSL-VPN yet, but I haven't seen anything in the release notes that make me think they have fixed ("enhanced") this. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
I am sure this WG has many capable people. My request is simple. Please unsubscribe me. I have sent an email to ipv6-wg-request@ripe.net to do so but still keep getting emails. I have been trying to unsubscribe for the last few year without success. I tried to block emails but they still creep through. If there is anyway on your end to please remove this email or to bar it then please do so. Many thanks.
On 11 Mar 2019, at 13:37, Gert Doering <gert@space.net> wrote:
Hi,
On Mon, Mar 11, 2019 at 10:54:55AM +0100, Michiel Klaver via ipv6-wg wrote:
I know from experience FortiNet FortiGate does offer dual-stack SSL-VPN, in combination with their FortiClient SSL-VPN software.
Be aware.
At least in 5.x, it's not "dual-stack", but "two single-stack SSL-VPNs in one box" - if you connect over v4, you cannot transport v6, and if you connect over v6 you cannot transport v4.
Not even if you use the client-less browser mode (try connecting via web browser, open "http://v6.de", look at the missing iframes...).
"This works as designed, if you want it changed, please open a feature enhancement request".
Since you posted a link to 6.0.0 documentation - we haven't tested 6.x with SSL-VPN yet, but I haven't seen anything in the release notes that make me think they have fixed ("enhanced") this.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Mon, Mar 11, 2019, at 14:37, Gert Doering wrote:
At least in 5.x, it's not "dual-stack", but "two single-stack SSL-VPNs in one box" - if you connect over v4, you cannot transport v6, and if you connect over v6 you cannot transport v4.
I can confirm it's the same thing in v6.0 (just tested on 6.0.4). Just as a note, the use of "firewall authentication" - no VPN client - is one of the ways I try to explain tech guys "you see - with IPv6 life is easier". -- Radu-Adrian FEURDEAN
participants (8)
-
Alejandro Acosta -
christian bretterhofer -
Dan Kitchen -
Gert Doering -
irfan -
Michiel Klaver -
Radu-Adrian FEURDEAN -
Rogier Spoor