I have some odd reasons for deploying IPv6: a Chinese door entry system, Xbox Live events. However, the latest isn't as odd: a CloudFlare deployment.
Why would you need IPv6 for deploying CloudFlare, you may ask? Well, with IPv6 being preferred by most modern OSes and CloudFlare being IPv6 enabled, yes, it all just works, UNTIL you want certain parts of a site IP restricted based on a pinhole VPN and your end clients are dual stacked.
Pinhole VPN? Huh?
A VPN where only certain subnets are included in the interesting traffic: users VPN to a device, which then classes some Internet hosts as interesting traffic and sends only that through the tunnel. This means those hosts see a known IP, which helps with those restrictions.
Now, this works fine with IPv4 and IPv6 in general, *but* if the user has an IPv6 connection, such as BT/Sky in the UK, v6 is preferred, hence CloudFlare, even when passing the original IP, sees an IPv6 home user, which, given those addresses aren't static, is difficult to restrict.
The fix: add IPv6 to the pinhole VPN.
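To make the dual-stack problem concrete, here is an added example of the origin-side check such a restriction boils down to (this is not code from the original post). It assumes an existing IPv4 client VPN pool of 10.10.10.0/24 (constructed), uses the post's IPv6 pool 2001:db8:0:1::/64, and takes the client address as CloudFlare passes it through; the sample client addresses are constructed. It also unwraps IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which dual-stack server sockets produce for IPv4 clients and which would otherwise never match an IPv4 pool.

```python
"""Source-IP allowlisting for restricted paths on a site behind CloudFlare.

Added example, not from the original post. Shows why a VPN user whose
dual-stack client prefers IPv6 is rejected by a v4-only allowlist, and why
adding the IPv6 pool (and putting IPv6 into the pinhole VPN) fixes it.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed (constructed): the existing IPv4 client VPN pool.
VPN_V4_POOL = ipaddress.ip_network("10.10.10.0/24")
# The IPv6 pool from the post (documentation prefix).
VPN_V6_POOL = ipaddress.ip_network("2001:db8:0:1::/64")

V4_ONLY_ALLOWLIST: List[Network] = [VPN_V4_POOL]
DUAL_STACK_ALLOWLIST: List[Network] = [VPN_V4_POOL, VPN_V6_POOL]


def normalise(client_ip: str) -> Address:
    """Parse the client address (as passed through by CloudFlare) and unwrap
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) that dual-stack sockets hand
    you, so an IPv4 VPN user is matched against the IPv4 pool."""
    addr = ipaddress.ip_address(client_ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_vpn_source(client_ip: str, allowlist: Iterable[Network]) -> bool:
    """True when the address falls inside one of the VPN pools.
    Unparseable input is treated as not from the VPN (fail closed)."""
    try:
        addr = normalise(client_ip)
    except ValueError:
        return False
    # Membership across address families is simply False, so mixed lists are fine.
    return any(addr in net for net in allowlist)


# Constructed requests: (client IP seen by the origin, description)
SAMPLE_REQUESTS = [
    ("10.10.10.23", "office user on the VPN over a v4-only ISP"),
    ("::ffff:10.10.10.23", "same user, address arrived IPv4-mapped"),
    ("2001:db8:0:1::1f", "VPN user whose client preferred v6, now via the v6 pool"),
    ("2001:db8:aaaa:1::99", "dual-stack home user's ISP-assigned v6 address (constructed)"),
    ("198.51.100.7", "random Internet IPv4 address"),
    ("not-an-ip", "garbage"),
]


def evaluate(allowlist: Iterable[Network]) -> Dict[str, bool]:
    """Decision per sample client address for the given allowlist."""
    allowlist = list(allowlist)
    return {ip: is_vpn_source(ip, allowlist) for ip, _ in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, allowlist in (("v4-only", V4_ONLY_ALLOWLIST),
                            ("dual-stack", DUAL_STACK_ALLOWLIST)):
        print(f"--- allowlist: {name}")
        for ip, why in SAMPLE_REQUESTS:
            verdict = "ALLOW" if is_vpn_source(ip, allowlist) else "DENY"
            print(f"{verdict:5} {ip:24} {why}")
```

Note that the home address 2001:db8:aaaa:1::99 is denied under both allowlists, which is the point: you cannot allowlist an ISP-assigned prefix that changes, so the only fix is to put the IPv6 traffic into the tunnel and allowlist the pool.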
Adding IPv6 to a pinhole VPN
Adding IPv6 is pretty straightforward on an ASA, following the same basic path as IPv4 VPNs, except of course for NAT.
Worth mentioning: you should have same-security-traffic permit intra-interface set. This is required because on a pinhole VPN you're essentially coming in on the outside interface in order to go back out via the outside interface.
- Configure IPv6 on the interfaces and an IPv6 default route via outside
- Define an IPv6 pool
- Create some object groups
- Alter the interesting-traffic ACL
- Add IPv6 to the group policy
- Add the IPv6 pool to the tunnel group
Note: this is not a complete example, more a case of adding IPv6 support to an existing client VPN setup.
For the below, our outside is 2001:DB8::/64 and the pool is 2001:db8:0:1::/64.
Our VPN uses the ACL named “vpn” for specifying interesting traffic.
```
! Interface is assumed to be named "outside", matching the route below
interface outside
 ipv6 address 2001:DB8::2/64 standby 2001:DB8::4
ipv6 route outside ::/0 2001:DB8::1
!
! note, pool has to start with an address, not a network
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200
!
object-group network CloudFlare-ipv6
 ! members not shown in the original: one network-object per published CloudFlare IPv6 prefix
object-group network ipv6_ssl_vpn_pool
 network-object 2001:DB8:0:1::/64
!
! VPN ACL is already defined, so all we do here is add an entry for ipv6
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool
!
! note! ipv6 and ipv4 use the SAME tunnel ACL, do not confuse this with VPN filter. So no need to specify an ACL here.
! the two sub-commands below are not shown in the original and are the editor's assumption of what "add ipv6" means here
group-policy GroupPolicy attributes
 ipv6-split-tunnel-policy tunnelspecified
tunnel-group TunnelGroup general-attributes
 ipv6-address-pools value ipv6pool
```
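Since the two gotchas above (a pool that starts on the network address, and a missing same-security-traffic permit intra-interface) only surface when a client connects, here is an added pre-flight check that reads an ASA config fragment as text and reports them, along with whether the split-tunnel ACL actually carries an IPv6 entry covering the pool. It is example code written for this page, not from the original post or from Cisco; the embedded config is constructed from the post's fragments with documentation prefixes, and the CloudFlare-ipv6 member 2001:db8:cf00::/40 is a placeholder, not a real CloudFlare range.

```python
"""Pre-flight checks for IPv6 additions to an ASA pinhole (split-tunnel) VPN.

Added example, not part of the original post or of any Cisco tooling.
Parses a running-config fragment and reports the mistakes the post warns
about, so they are caught before a client has to test them.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed from the post's fragments; 2001:db8:cf00::/40 is a placeholder
# standing in for a published CloudFlare IPv6 prefix.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
interface outside
 ipv6 address 2001:DB8::2/64 standby 2001:DB8::4
ipv6 route outside ::/0 2001:DB8::1
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200
object-group network CloudFlare-ipv6
 network-object 2001:db8:cf00::/40
object-group network ipv6_ssl_vpn_pool
 network-object 2001:DB8:0:1::/64
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool
group-policy GroupPolicy attributes
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn
tunnel-group TunnelGroup general-attributes
 ipv6-address-pools value ipv6pool
"""

POOL_RE = re.compile(r"^ipv6 local pool (\S+) (\S+)/(\d+) (\d+)\s*$", re.M)
OG_RE = re.compile(r"^object-group network (\S+)\n((?:[ \t].*\n)*)", re.M)
Pool = Tuple[ipaddress.IPv6Address, ipaddress.IPv6Network, int]


def parse_pools(config: str) -> Dict[str, Pool]:
    """pool name -> (start address, containing prefix, address count)"""
    pools: Dict[str, Pool] = {}
    for name, start, plen, count in POOL_RE.findall(config):
        pools[name] = (ipaddress.IPv6Address(start),
                       ipaddress.IPv6Network(f"{start}/{plen}", strict=False),
                       int(count))
    return pools


def parse_object_groups(config: str) -> Dict[str, list]:
    """object-group name -> list of prefix members (host/mask forms are skipped)"""
    groups: Dict[str, list] = {}
    for name, body in OG_RE.findall(config):
        nets = []
        for m in re.finditer(r"^\s*network-object (\S+)\s*$", body, re.M):
            try:
                nets.append(ipaddress.ip_network(m.group(1), strict=False))
            except ValueError:
                continue
        groups[name] = nets
    return groups


def check_pools(config: str) -> List[str]:
    """The ASA wants a pool to begin on a host address, not the network address,
    and the whole range must stay inside the stated prefix."""
    findings = []
    for name, (start, prefix, count) in parse_pools(config).items():
        if start == prefix.network_address:
            findings.append(f"pool {name}: starts on the network address {start}; "
                            f"use a host address such as {prefix.network_address + 1}")
        if start + (count - 1) not in prefix:
            findings.append(f"pool {name}: {count} addresses from {start} overrun {prefix}")
    return findings


def check_hairpin(config: str) -> List[str]:
    """Clients enter and leave via outside, so intra-interface traffic must be permitted."""
    if "same-security-traffic permit intra-interface" not in config:
        return ["same-security-traffic permit intra-interface is missing"]
    return []


def check_split_tunnel_acl(config: str) -> List[str]:
    """Every IPv6 pool handed out by a tunnel-group must be covered by an IPv6
    object-group referenced from the group-policy's split-tunnel ACL."""
    findings = []
    pools, groups = parse_pools(config), parse_object_groups(config)
    pool_names = re.findall(r"^\s*ipv6-address-pools value (\S+)", config, re.M)
    if not pool_names:
        return ["no ipv6-address-pools on any tunnel-group"]
    acls = re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if not acls:
        return ["no split-tunnel-network-list on any group-policy"]
    for pool_name in pool_names:
        if pool_name not in pools:
            findings.append(f"tunnel-group references undefined pool {pool_name}")
            continue
        prefix = pools[pool_name][1]
        covered = False
        for acl in acls:
            for ace in re.findall(rf"^access-list {re.escape(acl)} extended permit .*$", config, re.M):
                for group in re.findall(r"object-group (\S+)", ace):
                    if any(n.version == 6 and prefix.subnet_of(n) for n in groups.get(group, [])):
                        covered = True
        if not covered:
            findings.append(f"no ACE in the split-tunnel ACL covers pool {pool_name} ({prefix})")
    return findings


def audit(config: str) -> List[str]:
    """All findings for the fragment; an empty list means the checks passed."""
    return check_pools(config) + check_hairpin(config) + check_split_tunnel_acl(config)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against the output of show running-config (or the fragment you are about to paste); the pool check is the one people hit, because the CLI error when the pool begins on the network address is easy to miss in a long paste.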
So now, when folks VPN in, their traffic to CloudFlare goes over the IPv6 tunnel, meaning it arrives from a known IPv6 address.