Tips & Tricks: How to configure GlobalProtect and IPv6
byjdelio04-11-201702:24 PM - edited 05-11-201710:30 AM
This week's Tips & Tricks will be talking about configuring IPv6 with GlobalProtect.
With more and more ISP's starting to offer only IPv6 IP addresses, the need to have GlobalProtect work with IPv6 has become more and more important. With the introduction of PAN-OS 8.0 and GlobalProtect 4.0, you now have the ability to use IPv6 with GlobalProtect.
ISPs are planning/starting to issue only IPv6 addresses. - Tunnels cannot be brought up if IPv6 is not supported on both the client and the VPN concentrator
In dual stack scenarios, only IPv4 tunnels can exist. - IPv6 traffic cannot be tunneled, it will not be inspected by the gateway - routed through the IPv6 default gateway
Both remote users and LSVPN are affected.
Implement support for IPv6 for the GP portal, gateway, GP client (agent), GP app and satellite: - Tunnel endpoints are IPv6 capable - IPv6 user traffic can be routed through the tunnel
Basic concepts when using IPv4 and IPv6 and GlobalProtect:
Basic Concepts for IPv4 and IPv6 and GlobalProtect
Gateway IP address can be IPv4, IPv6, or both.
IP pools can be IPv4, IPv6, or both - for GP client, existence of IPv4 pool is mandatory regardless of whether IPv4 is tunneled or not! - for satellite, there is no such limitation
Include/Exclude accept both IPv4 and IPv6 subnets.
Access routes and Route filters (Satellite config) accept both IPv4 and IPv6 addresses.
Portal setting can accept both IPv4 and IPv6 addresses. - for GP client, IPv6 address needs to be enclosed in square brackets: [ ]
On Satellite, tunnel interface needs to have IPv6 enabled for IPv6 traffic to be tunneled to the gateway.
On Satellite, IPv4 and IPv6 routes can be published.
If the same portal/gateway may be accessed on both IPv4 and IPv6 address, then the certificate typically has IPv4 address as CN (Subject) and IPv6 address as IP in Subject Alternative Name.
Best practice - use FQDN to access portal/gateway and have it as CN of the certificate. - may also have IPv4/IPv6 addresses in SubAltName
OCSP responder can be configured as IPv6 address.
Tunnel Interface changes:
Tunnel interface configuration affects what (type of) traffic will be tunneled.
IPv6 should be enabled in order for IPv6 traffic to be tunneled.
PAN-OS 8.0 must be used on the gateway.
GlobalProtect 4.0 must be used on the client.
Please NOTE!This feature requires GlobalProtect Gateway license. - no commit warning is issued if the feature is configured in absence of a gateway license!
Follow the steps below for the minimal configuration needed for establishing a IPv6 GP connection and for tunneling IPv6 traffic:
Enable IPv6 on the interface used for GP gateway and configure an IP address. (Network > Interfaces > Ethernet)
Generate/import the appropriate gateway certificate. (Device > Certificate Management > Certificates) GP portal/gateway certificate details
Configure the gateway to use the IPv6 interface address. (Network > GlobalProtect > Gateways) The IP Address Type (family) can be: IPv4 Only, IPv6 Only orIPv4 and IPv6. GlobalProtect Gateway configuration - General
Provide gateway's IPv6 address in the portal configuration. (Network > GlobalProtect > Portals) The IP Address Type (family) can be: IPv4 Only, IPv6 Only orIPv4 and IPv6. Portal configuration - General
Portal configuration - External gateways In order to properly configure the External gateway information for the Portal config, plese go inside Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > External tab and make sure that you add both IPv4 and IPv6 addresses. Note: Gateway selection based on source location for IPv6 is NOT supported.
Portal configuration - External gateways
(Optional) Set the preference for IPv6 (if both IPv4 and IPv6 addresses are present) App setting for GP client, Portal configuration - App (Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > App tab). If you select IPv6 Preferred, this determines which address family to try first (IPv4 or IPv6) when connecting to the Gateway when both address families are available.
Portal configuration - App
Satellite gateway setting for LSVPN:
Gateway configuration - Satellite (1) - Tunnel settings Inside Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Tunnel Settings tab, please note that only 1 IP is monitored. If one address is listed then that will be monitored. If Empty, then the Gateway's tunnel interface is monitored. If both IPv4 and IPv6 addressed are listed, then the address family that matches the tunnel type connection to the gateway is monitored.
Gateway configuration - Satellite (1)
Gateway configuration - Satellite (2) - Network Settings Inside Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Network Settings tab, will contain the IP Pool and Access Route information.
Portal configuration - Satellite Inside Network > GlobalProtect > Portals > Portal profile > Satellite tab > Satellite profile > Gateways tab > Satellite gateway profile. You will see both IPv4 and IPv6 fields. If you select the IPv6 Preferred checkbox, this determines which family to try first when connecting to the gateway when both families are available.
Portal configuration - Satellite
Satellite configuration (Portal Address = IP) Inside Network > IPSec Tunnels > IPSec tunnel profile, you will see many options. If you are going to be using an IPv6 Address for the Portal Address, you will see these options.
Satellite configuration (Portal Address = IP)
Satellite configuration (Portal Address = FQDN) Still Inside Network > IPSec Tunnels > IPSec tunnel profile, If you use a FQDN for the Portal Address, you will have an additional option for "IPv6 preferred for portal registration". This determines which address family to connect to the portal if the FQDN resolves to both IPv6 and IPv4.
Satellite configuration (Portal Address = FQDN)
Enable IPv6 on tunnel interface on the gateway - for LSVPN, -- assign IPv6 address on tunnel interface (no link-local address is accepted) -- enable IPv6 on the tunnel interface on satellites
Tunnel interface - Gateway Inside Network > Interfaces > Tunnel, select the tunnel interface, and inside there you will have the options for IPv4 and IPv6 addresses for the tunnel interface.
Tunnel interface - Gateway
For LSVPN, at least one IP address (IPv4 or IPv6) must be configured. Otherwise, commit will fail. - missing IP address of a given family disables tunneling for that address family (Either IPv4 or IPv6) - no such restriction for GP client
Configure IPv6 IP Pool. Inside Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > IP Pools, is where you will add any IPv4 and IPv6 IP Pool info. Gateway configuration - IP Pools
Gateway Configuration - Split Tunnel Inside Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > Split Tunnel, is where you will add any IPv4 and IPv6 include or exclude Split Tunnel info.
Gateway configuration - Split Tunnel
(Optional) Configure IPv6 access routes (Include/Exclude). This can be performed in Network > Virtual Routers , inside your virtual router profile.
Once you commit, you will be ready to go.
If you are running an internal gateway config, here is what the Portal Configuration looks like. Portal configuration - Internal gateways
GP client configuration For the GlobalProtect client, In order to get the client to connect to the gateway, the "portal" needs to be either a FQDN, IPv4 Address or an IPv6 address in square brackets. Ex. [2000:6800::68].
GP Client configuration
My Next Tips & Tricks will be showing how to perform some troubleshooting steps for IPv6 and GlobalProtect, so keep an eye out.
As always, I hope this helps someone.. if so, please like and or comment below. We welcome all comments and suggestions.