Preface
I have some odd reasons for deploying IPv6: a Chinese door entry system, Xbox Live events. The latest, however, isn’t as odd – a CloudFlare deployment.
Why would you need IPv6 to deploy CloudFlare, you may ask? Well, with IPv6 being preferred in most modern OSes and CloudFlare being IPv6 enabled, yes, it all just works, UNTIL you want certain parts of a site IP-restricted based on a pinhole VPN and your end clients are dual stacked.

Pinhole VPN? HUH
A VPN where only certain subnets are classed as interesting traffic: users VPN to a device, which sends traffic for a defined set of internet hosts through the tunnel. This means those hosts see a known IP, which you can then use for restrictions.
Now, this works fine with IPv4 and IPv6, *but* if the user has an IPv6 connection, such as BT/Sky in the UK, v6 is preferred, so CloudFlare, even when passing on the original client IP, sees the IPv6 home user’s address, which, given those addresses aren’t static, is difficult to restrict.
The fix: add IPv6 to the pinhole VPN.
Adding IPv6 to a pinhole VPN
Adding IPv6 is pretty straightforward on an ASA, following the same basic path as IPv4 VPNs, except of course for NAT.
Worth mentioning: you should have same-security-traffic permit intra-interface set. This is required because on a pinhole VPN you’re essentially coming in from the outside interface to go back out via the outside interface.
Steps:
- Configure IPv6 Interfaces, route Outside
- Define a pool
- Create some Object Groups
- Alter some ACLs
- Add ipv6 to the Group Policy
- Add ipv6 pool to the Tunnel Group
Example:
** Note: this is not a complete example; it is more a matter of adding IPv6 support to an existing client VPN setup.
For the below, our outside is 2001:DB8::/64 and the pool is 2001:db8:0:1::/64.
Our VPN uses the ACL named “vpn” for specifying interesting traffic.
interface GigabitEthernet1/1
 nameif outside
 ipv6 address 2001:DB8::2/64 standby 2001:DB8::4
!
ipv6 route outside ::/0 2001:DB8::1
!
! note, the pool has to start with a host address, not a network
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200
!
object-group network CloudFlare-ipv6
 network-object 2400:cb00::/32
 network-object 2606:4700::/32
 network-object 2803:f800::/32
 network-object 2405:b500::/32
 network-object 2405:8100::/32
 network-object 2a06:98c0::/29
 network-object 2c0f:f248::/32
!
object-group network ipv6_ssl_vpn_pool
 network-object 2001:DB8:0:1::/64
!
! The VPN ACL is already defined, so all we do here is add an entry for ipv6
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool
!
! note! ipv6 and ipv4 use the SAME tunnel ACL; do not confuse this with the VPN filter. So no need to specify an ACL here.
group-policy GroupPolicy attributes
 ipv6-split-tunnel-policy tunnelspecified
!
tunnel-group TunnelGroup general-attributes
 ipv6-address-pool ipv6pool
So now, when folks VPN in, traffic to CloudFlare goes down the IPv6 tunnel, meaning it arrives from a known IPv6 address in the pool.
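As an added example (not part of the original post or any ASA tooling), here is a small Python model of the three decisions the config above makes: the split-tunnel choice implied by the vpn ACL, the origin-side restriction to the pool prefix, and the note that the local pool must start with a host address. The Cloudflare ranges and documentation prefixes are the ones from the config; the function names are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Mirrors object-group CloudFlare-ipv6 from the config above.
CLOUDFLARE_IPV6 = [ip_network(p) for p in (
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32")]
# Mirrors object-group ipv6_ssl_vpn_pool (documentation prefix, as on the page).
IPV6_VPN_POOL = ip_network("2001:db8:0:1::/64")


def is_interesting(dst):
    """Split-tunnel decision modelled on 'access-list vpn extended permit ip
    object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool': True when
    the destination is a Cloudflare v6 address, so the client sends it down
    the tunnel and sources it from its pool address. IPv4 never matches an
    IPv6 object group, so v4 destinations are left to the v4 ACL entries."""
    addr = ip_address(dst)
    return addr.version == 6 and any(addr in net for net in CLOUDFLARE_IPV6)


def origin_allows(client_ip, allowed=(IPV6_VPN_POOL,)):
    """Origin-side restriction: accept only the client address Cloudflare
    passes on if it falls inside one of the VPN pool prefixes. A dual-stacked
    home user's native v6 address is outside the pool and is refused."""
    addr = ip_address(client_ip)
    return any(addr in net for net in allowed)


def valid_pool_start(spec):
    """Models the page's note that 'ipv6 local pool' must begin with a host
    address: reject a start equal to the subnet's network address."""
    addr_text, prefix = spec.split("/")
    addr = ip_address(addr_text)
    net = ip_network(f"{addr_text}/{prefix}", strict=False)
    return addr != net.network_address


def pool_fits(spec, count):
    """True when 'ipv6 local pool <start>/<prefix> <count>' stays inside
    its own prefix (start + count - 1 must not leave the subnet)."""
    addr_text, prefix = spec.split("/")
    net = ip_network(f"{addr_text}/{prefix}", strict=False)
    last = ip_address(addr_text) + (count - 1)
    return last in net


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(is_interesting("2606:4700::6810:1"), origin_allows("2001:db8:0:1::a3"))
    print(valid_pool_start("2001:DB8:0:1::1/64"), pool_fits("2001:DB8:0:1::1/64", 200))
```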