Configure GlobalProtect and IPv6

Community Team Member


 

 

Palo Alto Networks provides information on how to configure GlobalProtect and IPv6. Our community experts dive into some challenges and solutions on how to resolve them with some tips and tricks. Find answers on LIVEcommunity. 

 

 

Let's talk about configuring IPv6 with GlobalProtect!

With more ISPs starting to offer only IPv6 IP addresses, the need to have GlobalProtect work with IPv6 has become increasingly important. GlobalProtect gives you the ability to use IPv6 as a standard feature, and we'll show you how to make it happen.

 

 

Challenge

  • ISPs are starting to issue only IPv6 addresses
    • Tunnels cannot be brought up if IPv6 is not supported on both the client and the VPN concentrator
  • In dual stack scenarios, only IPv4 tunnels can exist
    • IPv6 traffic cannot be tunneled, so it is not inspected by the gateway; it is routed through the IPv6 default gateway instead
  • Both remote users and LSVPN are affected

 

Solution

  • Implement support for IPv6 for the GlobalProtect portal, gateway, GlobalProtect client (agent), GlobalProtect app and satellite:
    • Tunnel endpoints are IPv6 capable
    • IPv6 user traffic can be routed through the tunnel

[Figure: Basic Concepts for IPv4 and IPv6 and GlobalProtect]

 

As shown above, SSL connections to the portal (from a single client) use either IPv4 or IPv6. The "outermost" header of the packets to and from the gateway is either IPv4 or IPv6. A single tunnel is brought up, using either IPv4 or IPv6 addresses as endpoints. Inside the tunnel, both IPv4 and IPv6 traffic can be encapsulated and associated with a tunnel. X interfaces need to have both IPv4 and IPv6 addresses.

 

 

Gateway Changes

  • Gateway IP address can be IPv4, IPv6, or both
  • IP pools can be IPv4, IPv6, or both
    • For GlobalProtect client, existence of IPv4 pool is mandatory regardless of whether IPv4 is tunneled
    • For satellite, there is no limitation
  • Include/exclude accept both IPv4 and IPv6 subnets
  • Access routes and route filters (satellite config) accept both IPv4 and IPv6 addresses

 

Client/Satellite Changes

  • Portal setting can accept both IPv4 and IPv6 addresses
    • For GP client, IPv6 address needs to be enclosed in square brackets: [ ]
  • On satellite, tunnel interface needs to have IPv6 enabled for IPv6 traffic to be tunneled to the gateway
  • On satellite, IPv4 and IPv6 routes can be published

 

Certificate Changes

  • If the same portal/gateway may be accessed on both IPv4 and IPv6 addresses, then the certificate typically has the IPv4 address as CN (Subject) and the IPv6 address as an IP in the Subject Alternative Name
  • Best practice – Use FQDN to access the portal/gateway and have it as CN of the certificate
    • May also have IPv4 and/or IPv6 addresses in SubAltName
  • OCSP responder can be configured as IPv6 address

 

Tunnel Interface Changes

  • Tunnel interface configuration affects what (type of) traffic will be tunneled
  • IPv6 should be enabled in order for IPv6 traffic to be tunneled

 

Licensing Requirements

NOTE: This feature requires a GlobalProtect Gateway license
No commit warning is issued if the feature is configured in absence of a gateway license

 

Configuration

Follow the steps below for the minimal configuration needed to establish an IPv6 GP connection and to tunnel IPv6 traffic:

    1. Enable IPv6 on the interface used for GP gateway and configure an IP address. Network > Interfaces > Ethernet
    2. Generate/import the appropriate gateway certificate. Device > Certificate Management > Certificates
      [Screenshot: GlobalProtect Certificate Details]
    3. Configure the gateway to use the IPv6 interface address. (Network > GlobalProtect > Gateways) 
      The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6.
      [Screenshot: GlobalProtect Gateway Configuration General]
    4. Provide gateway's IPv6 address in the portal configuration. Network > GlobalProtect > Portals 
      The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6
      [Screenshot: GlobalProtect Portal Configuration General]

 

Portal Configuration – External Gateways

 

To properly configure the external gateway information for the portal config, navigate to:
Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > External tab

Make sure that you add both IPv4 and IPv6 addresses.

NOTE: Gateway selection based on source location for IPv6 is NOT supported.

[Screenshot: GlobalProtect Configs External tab]

  1. (Optional) Set the preference for IPv6 (if both IPv4 and IPv6 addresses are present)
    • Navigate to App setting for GlobalProtect client, portal configuration – App inside:
      Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > App tab
    • If you select IPv6 Preferred, this determines which address family to try first (IPv4 or IPv6) when connecting to the gateway when both address families are available.

      [Screenshot: GlobalProtect Configs App Tab]

  2. Satellite gateway setting for LSVPN
    • Gateway configuration: Satellite (1) – Navigate to tunnel settings inside: 
      Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Tunnel Settings tab 
      NOTE: Only one IP is monitored.
    • If one address is listed, then that will be monitored. If empty, then the gateway's tunnel interface is monitored.
    • If both IPv4 and IPv6 addresses are listed, the address family matching the tunnel type connection to the gateway is monitored.
      [Screenshot: GlobalProtect Gateway Configuration Tunnel Settings]
    • Gateway configuration: Satellite (2) – Navigate to network settings inside: 
      Network > GlobalProtect > Gateways > Gateway profile > Satellite tab > Network Settings tab 
    • This will contain the IP Pool and Access Route information.
      [Screenshot: GlobalProtect Gateway Configuration Network Settings Tab]
    • Portal configuration– Satellite – Navigate to the satellite gateway inside: 
      Network > GlobalProtect > Portals > Portal profile > Satellite tab > Satellite profile > Gateways tab > Satellite gateway profile 
    • You will see both IPv4 and IPv6 fields.
    • If you select the IPv6 Preferred checkbox, this determines which family to try first when connecting to the gateway when both families are available.
      [Screenshot: GlobalProtect Portal Configuration Gateways tab Satellite Gateway]
    • Satellite configuration (Portal Address = IP) – Navigate to the IPSec tunnel inside:
      Network > IPSec Tunnels > IPSec tunnel profile 
    • You will see many options.
    • If you are going to be using an IPv6 Address for the Portal Address, you will see these options.
      [Screenshot: IPSec Tunnel General Tab]
    • Satellite configuration (Portal Address = FQDN) – still inside: 
      Network > IPSec Tunnels > IPSec tunnel profile 
    • If you use a FQDN for the Portal Address, you will have an additional option for "IPv6 preferred for portal registration."
    • This determines which address family to connect to the portal if the FQDN resolves to both IPv6 and IPv4.
      [Screenshot: IPSec Tunnel General Tab Portal Address = FQDN]
  3. Enable IPv6 on tunnel interface on the gateway
    • For LSVPN:
      • assign IPv6 address on tunnel interface (no link-local address is accepted)
      • enable IPv6 on the tunnel interface on satellites
    • Tunnel interface - Gateway - Navigate to the tunnel by going to: 
      Network > Interfaces > Tunnel 
    • Select the tunnel interface.
    • Inside there, you will have the options for IPv4 and IPv6 addresses for the tunnel interface.
      [Screenshot: GlobalProtect Tunnel Interface]
    • For LSVPN, at least one IP address (IPv4 or IPv6) must be configured. Otherwise, commit will fail.
      • Missing IP address of a given family disables tunneling for that address family (Either IPv4 or IPv6)
      • No such restriction for GP client

  4. Configure IPv6 IP Pool - Navigate to IP Pools inside: 
    Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > IP Pools 
    • This is where you will add any IPv4 and IPv6 IP Pool info.
      [Screenshot: GlobalProtect Gateway Configuration IP Pools Tab]
  5. Gateway Configuration - Split Tunnel - Navigate to Split Tunnel inside:
    Network > GlobalProtect > Gateways > Gateway Profile > Agent > Client Settings > Client config profile > Split Tunnel 
    • This is where you will add any IPv4 and IPv6 include or exclude Split Tunnel info.
      [Screenshot: GlobalProtect Configs Split Tunnel tab]
  6. (Optional) Configure IPv6 access routes (Include/Exclude).
    • This can be performed by navigating to: 
      Network > Virtual Routers 
    • This will take you inside your virtual router profile.

  7. Once you commit, you will be ready to go.

 

Internal Gateways

If you are running an internal gateway config, here is what the Portal Configuration looks like. 

[Screenshot: GlobalProtect Configs Internal Host Detection IPv6]

 

GlobalProtect Client Configuration

 

In order to get the GlobalProtect client to connect to the gateway, the portal needs to be either a FQDN, IPv4 Address, or an IPv6 address in square brackets like this [2000:6800::68]. 

[Screenshot: GlobalProtect Client window home tab]
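
The certificate layout under Certificate Changes and the portal address rule above can be checked together before rollout. The following is an added example, not code from the original post or from Palo Alto Networks; `parse_portal`, `cert_covers`, `gp.example.com` and `192.0.2.10` are assumed names and constructed sample values, and the certificate is given in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

def parse_portal(value):
    """Classify a portal field value as ('ip', address) or ('dns', name)."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        # Bracketed form is reserved for IPv6 literals, e.g. [2000:6800::68].
        return "ip", ipaddress.IPv6Address(v[1:-1])
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return "dns", v.lower().rstrip(".")
    if ip.version == 6:
        raise ValueError("IPv6 portal address must be enclosed in [ ]")
    return "ip", ip

def cert_covers(cert, portal):
    """True if cert (ssl.SSLSocket.getpeercert() dict layout) names the portal.

    CN is accepted as well as SAN because the article's layout puts the IPv4
    address in the CN; exact match only, wildcards are not handled.
    """
    kind, want = parse_portal(portal)
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if kind == "dns":
        names = [v for k, v in sans if k == "DNS"] + cns
        return any(n.lower().rstrip(".") == want for n in names)
    for cand in [v for k, v in sans if k == "IP Address"] + cns:
        try:
            # Compare parsed addresses so 2000:6800:0:0:0:0:0:68 == 2000:6800::68.
            if ipaddress.ip_address(cand.strip()) == want:
                return True
        except ValueError:
            continue  # CN or SAN entry that is not an IP literal
    return False

# Constructed sample certificate (not from the article), in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2000:6800:0:0:0:0:0:68"),
        ("DNS", "gp.example.com"),
    ),
}

if __name__ == "__main__":
    for portal in ("gp.example.com", "192.0.2.10", "[2000:6800::68]", "[2000:6800::69]"):
        print(portal, cert_covers(SAMPLE_CERT, portal))
```

A portal value that the certificate does not cover is the case to catch before clients are pointed at it, since users would otherwise be trained to click through certificate warnings.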

 

More Information

For even more information about GlobalProtect, please see the following resource page.

GlobalProtect Resource List on Configuring and Troubleshooting

 

For more information about IPv6 and GlobalProtect, please see the following links.

Support for IPv6-Only GlobalProtect Deployments

IPv6 Support by Feature

 

For even more GlobalProtect troubleshooting, please view the following article.

Troubleshooting GlobalProtect

 

 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

 