Tips & Tricks: How to configure GlobalProtect and IPv6

by 04-11-2017 02:24 PM - edited 05-11-2017 10:30 AM

This week's Tips & Tricks will be talking about configuring IPv6 with GlobalProtect.

 

Overview

With more and more ISPs starting to offer only IPv6 addresses, the need to have GlobalProtect work with IPv6 has become more and more important. With the introduction of PAN-OS 8.0 and GlobalProtect 4.0, you now have the ability to use IPv6 with GlobalProtect.


Challenge:

  • ISPs are planning/starting to issue only IPv6 addresses.
    - Tunnels cannot be brought up if IPv6 is not supported on both the client and the VPN concentrator
  • In dual stack scenarios, only IPv4 tunnels can exist.
    - IPv6 traffic cannot be tunneled; it is routed through the IPv6 default gateway instead and is not inspected by the GlobalProtect gateway
  • Both remote users and LSVPN are affected.


Solution:

  • Implement support for IPv6 for the GP portal, gateway, GP client (agent), GP app and satellite:
    - Tunnel endpoints are IPv6 capable
    - IPv6 user traffic can be routed through the tunnel

 

Basic concepts when using IPv4 and IPv6 and GlobalProtect:

[Figure: Basic Concepts for IPv4 and IPv6 and GlobalProtect]

Gateway changes:

  • Gateway IP address can be IPv4, IPv6, or both.
  • IP pools can be IPv4, IPv6, or both
    - for GP client, existence of IPv4 pool is mandatory regardless of whether IPv4 is tunneled or not!
    - for satellite, there is no such limitation
  • Include/Exclude accept both IPv4 and IPv6 subnets.
  • Access routes and Route filters (Satellite config) accept both IPv4 and IPv6 addresses.

Client/Satellite changes:

  • Portal setting can accept both IPv4 and IPv6 addresses.
    - for GP client, IPv6 address needs to be enclosed in square brackets: [ ]
  • On Satellite, tunnel interface needs to have IPv6 enabled for IPv6 traffic to be tunneled to the gateway.
  • On Satellite, IPv4 and IPv6 routes can be published.

Certificate changes:

  • If the same portal/gateway may be accessed on both an IPv4 and an IPv6 address, the certificate typically has the IPv4 address as the CN (Subject) and the IPv6 address as an IP entry in the Subject Alternative Name.
  • Best practice - use an FQDN to access the portal/gateway and have it as the CN of the certificate.
    - the IPv4/IPv6 addresses may also be included in the Subject Alternative Name
  • OCSP responder can be configured as IPv6 address.

Tunnel Interface changes:

  • Tunnel interface configuration affects what (type of) traffic will be tunneled.
  • IPv6 should be enabled in order for IPv6 traffic to be tunneled.

Software requirements:

  • PAN-OS 8.0 must be used on the gateway.
  • GlobalProtect 4.0 must be used on the client.

Licensing requirements:

  • Please NOTE! This feature requires a GlobalProtect Gateway license.
    - no commit warning is issued if the feature is configured in the absence of a gateway license!


Configuration

Follow the steps below for the minimal configuration needed for establishing an IPv6 GP connection and for tunneling IPv6 traffic:

  1. Enable IPv6 on the interface used for GP gateway and configure an IP address. (Network > Interfaces > Ethernet)
  2. Generate/import the appropriate gateway certificate. (Device > Certificate Management > Certificates)
    [Figure: GP portal/gateway certificate details]
  3. Configure the gateway to use the IPv6 interface address. (Network > GlobalProtect > Gateways) The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6.
    [Figure: GlobalProtect Gateway configuration - General]
  4. Provide gateway's IPv6 address in the portal configuration. (Network > GlobalProtect > Portals) The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6.
    [Figure: Portal configuration - General]


    Portal configuration - External gateways
    In order to properly configure the External gateway information for the Portal config, please go to Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > External tab and make sure that you add both the IPv4 and IPv6 addresses. Note: gateway selection based on source location for IPv6 is NOT supported.

    [Figure: Portal configuration - External gateways]


  5. (Optional) Set the preference for IPv6 (if both IPv4 and IPv6 addresses are present)
    This is an App setting for the GP client, found under Portal configuration - App (Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > App tab). If you select IPv6 Preferred, this determines which address family (IPv4 or IPv6) the client tries first when connecting to the gateway and both address families are available.

    [Figure: Portal configuration - App]


  6. Satellite gateway setting for LSVPN:


    Gateway configuration - Satellite (1) - Tunnel settings
    Inside Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Tunnel Settings tab, please note that only 1 IP is monitored. If one address is listed then that will be monitored. If Empty, then the Gateway's tunnel interface is monitored.  If both IPv4 and IPv6 addressed are listed, then the address family that matches the tunnel type connection to the gateway is monitored.

    Gateway configuration - Satellite (1)Gateway configuration - Satellite (1)

     

    Gateway configuration - Satellite (2) - Network Settings
    The Network Settings tab (Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Network Settings tab) contains the IP Pool and Access Route information.

    [Figure: Tunnel settings]


    Portal configuration - Satellite
    Inside Network > GlobalProtect > Portals > Portal profile > Satellite tab > Satellite profile > Gateways tab > Satellite gateway profile, you will see both IPv4 and IPv6 fields. If you select the IPv6 Preferred checkbox, this determines which family the satellite tries first when connecting to the gateway and both families are available.

    [Figure: Portal configuration - Satellite]


    Satellite configuration (Portal Address = IP)
    Inside Network > IPSec Tunnels > IPSec tunnel profile, you will see many options. The options shown below are the ones you get when an IPv6 address is used as the Portal Address.

    [Figure: Satellite configuration (Portal Address = IP)]

    Satellite configuration (Portal Address = FQDN)
    Still inside Network > IPSec Tunnels > IPSec tunnel profile, if you use an FQDN for the Portal Address you get an additional option, "IPv6 preferred for portal registration". This determines which address family is used to connect to the portal when the FQDN resolves to both IPv6 and IPv4.

    [Figure: Satellite configuration (Portal Address = FQDN)]

  7. Enable IPv6 on tunnel interface on the gateway
    - for LSVPN,
      -- assign IPv6 address on tunnel interface (no link-local address is accepted)
      -- enable IPv6 on the tunnel interface on satellites

    Tunnel interface - Gateway
    Inside Network > Interfaces > Tunnel, select the tunnel interface, and inside there you will have the options for IPv4 and IPv6 addresses for the tunnel interface.

    [Figure: Tunnel interface - Gateway]

    • For LSVPN, at least one IP address (IPv4 or IPv6) must be configured. Otherwise, commit will fail.
      - a missing IP address of a given family disables tunneling for that address family (either IPv4 or IPv6)
      - no such restriction for GP client
  8. Configure IPv6 IP Pool.
    Inside Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > IP Pools is where you add any IPv4 and IPv6 IP pool information.
    [Figure: Gateway configuration - IP Pools]
  9. Gateway Configuration - Split Tunnel
    Inside Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > Split Tunnel is where you add any IPv4 and IPv6 include or exclude split tunnel information.

    [Figure: Gateway configuration - Split Tunnel]


  10. (Optional) Configure IPv6 access routes (Include/Exclude). This can be performed in Network > Virtual Routers, inside your virtual router profile.

  11. Once you commit, you will be ready to go.
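The tunneling rule the steps above configure, as an added example that is not from the post or from PAN-OS: a destination is only tunneled (and so inspected by the gateway) when its address family is enabled on the tunnel interface, and then only as the split-tunnel include/exclude lists allow; a dual-stack host with IPv6 left off the tunnel sends IPv6 traffic straight out its own default gateway. The "more specific prefix wins" rule and all prefixes are assumptions.

```python
import ipaddress

def longest_match(addr, prefixes):
    """Most specific prefix in `prefixes` (same family) that contains `addr`, or None."""
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best

def route_decision(dst, tunnel_families, include=(), exclude=()):
    """Return "tunnel" if traffic to `dst` goes through the GP tunnel and is
    inspected by the gateway, or "direct" if it leaves via the host's own
    default gateway for that family.

    tunnel_families: set of IP versions (4 and/or 6) enabled on the tunnel
    interface; include/exclude: split-tunnel prefixes of either family.
    Assumed rule: the more specific of an include/exclude match wins."""
    addr = ipaddress.ip_address(dst)
    if addr.version not in tunnel_families:
        return "direct"      # family not tunneled at all: the dual-stack gap
    inc = longest_match(addr, include)
    exc = longest_match(addr, exclude)
    if exc is not None and (inc is None or exc.prefixlen >= inc.prefixlen):
        return "direct"
    if inc is not None or not include:   # no include list means tunnel-all
        return "tunnel"
    return "direct"

def uninspected(destinations, tunnel_families, include=(), exclude=()):
    """Defender's check: which destinations would bypass the gateway."""
    return [d for d in destinations
            if route_decision(d, tunnel_families, include, exclude) == "direct"]

if __name__ == "__main__":
    # Constructed sample: dual-stack client, IPv6 not enabled on the tunnel.
    dsts = ["10.1.2.3", "2001:db8:10::5", "8.8.8.8"]
    print(uninspected(dsts, {4}, include=["10.0.0.0/8", "2001:db8::/32"]))
    # Same policy after enabling IPv6 on the tunnel interface and an IPv6 pool.
    print(uninspected(dsts, {4, 6}, include=["10.0.0.0/8", "2001:db8::/32"]))
```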

 

Internal Gateways

If you are running an internal gateway config, here is what the Portal configuration looks like.
[Figure: Portal configuration - Internal gateways]


GP client configuration
For the GlobalProtect client to connect to the gateway, the "portal" field must be either an FQDN, an IPv4 address, or an IPv6 address in square brackets, e.g. [2000:6800::68].

[Figure: GP Client configuration]
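An added example (mine, not the post's or PAN-OS code) covering three points from this post: the accepted forms of the client's portal field (FQDN, IPv4, or bracketed IPv6), the "IPv6 Preferred" try-first ordering from the portal App and satellite settings, and the certificate guidance (an IP literal must be covered by an IP entry in the Subject Alternative Name, an FQDN by a DNS entry). All addresses are constructed documentation values, and the SAN lists are assumed to have been extracted from the certificate already.

```python
import ipaddress

def parse_portal_address(value):
    """Classify the GP client 'portal' field as ('fqdn'|'ipv4'|'ipv6', value).
    An IPv6 literal must be written in square brackets, e.g. [2000:6800::68];
    a bare one is rejected because it is ambiguous with host:port notation."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        addr = ipaddress.ip_address(v[1:-1])   # raises ValueError if malformed
        if addr.version != 6:
            raise ValueError("square brackets are only valid around an IPv6 address")
        return ("ipv6", str(addr))
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        if not v or any(c in v for c in " /\\@:[]"):
            raise ValueError(f"not a valid portal address: {value!r}")
        return ("fqdn", v.lower())
    if addr.version == 6:
        raise ValueError("IPv6 portal address must be enclosed in square brackets")
    return ("ipv4", str(addr))

def connection_order(resolved, ipv6_preferred):
    """Order candidate addresses by family as the 'IPv6 Preferred' setting does:
    the preferred family is tried first, the other family is kept as fallback."""
    v4 = [a for a in resolved if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in resolved if ipaddress.ip_address(a).version == 6]
    return v6 + v4 if ipv6_preferred else v4 + v6

def cert_covers(target, san_dns=(), san_ip=()):
    """True if the certificate's Subject Alternative Name covers how the client
    reached the portal/gateway: a DNS entry for an FQDN, an IP entry for a literal."""
    kind, val = target
    if kind == "fqdn":
        return val in {d.lower() for d in san_dns}
    return ipaddress.ip_address(val) in {ipaddress.ip_address(i) for i in san_ip}

if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not from the post.
    target = parse_portal_address("[2001:db8::10]")
    print(target, cert_covers(target, san_dns=["gp.example.com"], san_ip=["2001:db8::10"]))
    print(connection_order(["192.0.2.10", "2001:db8::10"], ipv6_preferred=True))
```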

 

My Next Tips & Tricks will be showing how to perform some troubleshooting steps for IPv6 and GlobalProtect, so keep an eye out.

As always, I hope this helps someone. If so, please like and/or comment below. We welcome all comments and suggestions.

Thanks for reading!

Stay Secure,

Joe Delio

 
