AnyConnect MX VPN server "tunnel all traffic" vs ipv6

DB984
Comes here often

Hi,

I'm aware the AnyConnect VPN server on the MX doesn't route ipv6 traffic.

We specified "Tunnel All Traffic" in the AnyConnect setup, with the objective to isolate the endpoint from direct connections to/from the remote network (i.e. we wanted all connections to go through the VPN). My hope was that the combination of "no IPv6 support" and "tunnel all traffic" would simply be that no IPv6 traffic would go anywhere, IPv6 connections would fail, and it would fall back to IPv4.

Instead, it appears the VPN simply ignores IPv6 completely. Endpoints were still able to connect to Google, for example, over IPv6 while the VPN was connected, completely defeating the purpose of "tunnel all traffic" through the VPN.

Is there any way to set this up so that IPv6 traffic goes nowhere while the VPN is up?

thanks,

Dave

CptnCrnch
Kind of a big deal

Perhaps the easiest option here would be disabling IPv6 on your endpoint (e.g. via GPO on Windows). At least as long as MX is completely able to handle it.
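As an added example (not from this thread, Meraki or Cisco), the following PowerShell script does the two things a defender would want here on a Windows endpoint: first it checks whether the machine still has working IPv6 connectivity while the AnyConnect tunnel is up (global IPv6 addresses present, an AAAA answer, and a real TCP connect to port 443 over v6), and then, only when `-Disable` is passed, it applies the mitigation from the reply above by unbinding the IPv6 stack from every adapter. The test host name is an assumption; run it elevated on Windows 10/11 with the VPN connected.

```powershell
# Added example: detect an IPv6 leak around a "tunnel all traffic" AnyConnect
# session and optionally remove the IPv6 binding from every adapter.
# Assumptions: Windows 10/11 with the NetTCPIP and DnsClient modules, run as
# administrator; $TestHost is any name that publishes an AAAA record.
param(
    [string]$TestHost = 'www.google.com',   # assumed IPv6-reachable, as in the thread
    [switch]$Disable                        # apply the mitigation, not just report
)

function Test-IPv6Leak {
    param([string]$HostName)

    # Global (non link-local) IPv6 addresses on any adapter are the first sign;
    # link-local fe80::/10 addresses have PrefixOrigin 'WellKnown' and are harmless.
    $global6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80*' }

    # Ask only for AAAA records, then attempt a real TCP handshake over IPv6.
    $aaaa = Resolve-DnsName -Name $HostName -Type AAAA -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1

    $reachable = $false
    if ($aaaa) {
        $reachable = (Test-NetConnection -ComputerName $aaaa.IPAddress -Port 443 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        GlobalIPv6Addresses = @($global6 | Select-Object -ExpandProperty IPAddress)
        AAAATarget          = if ($aaaa) { $aaaa.IPAddress } else { $null }
        IPv6TcpSucceeded    = $reachable
        Leaking             = [bool]$reachable   # v6 connect worked outside the tunnel
    }
}

function Disable-EndpointIPv6 {
    # Local equivalent of the GPO approach: unbind ms_tcpip6 from every adapter.
    # Persists across reboots; revert with
    #   Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    Get-NetAdapter | Disable-NetAdapterBinding -ComponentID ms_tcpip6 -PassThru
}

$result = Test-IPv6Leak -HostName $TestHost
$result | Format-List

if ($result.Leaking -and $Disable) {
    Disable-EndpointIPv6
    # Re-run the check so the change is verified rather than assumed.
    Test-IPv6Leak -HostName $TestHost | Format-List
}
```

Run it once with the tunnel up to confirm the leak (`Leaking : True`), then with `-Disable` to apply and re-verify. Unbinding the stack per adapter is reversible and scoped to the machine; a GPO that sets the same binding or the `DisabledComponents` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters` is the way to roll it out fleet-wide.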

DB984
Comes here often

I'd considered that too, and in fact it's about the only thing I've come up with so far.

I was really hoping for a "better" solution. Although I haven't explicitly tested it yet, I fully expect the IPv6 leak will occur on non-Windows platforms as well, including mobile, where disabling IPv6 isn't really an option.

I'm pretty disappointed they don't offer IPv6 leak protection, or even seem to acknowledge it as a problem. It makes the MX tunnel-all-traffic option not fit for purpose, in my opinion.
