Curious situation - not urgent, but I'd like to know more

Eric Vyncke (evyncke) evyncke at cisco.com
Sun Dec 20 10:10:34 CET 2015


Interesting situation indeed :-)

As we all know, Microsoft DirectAccess uses IPsec over IPv6 (and
potentially over Teredo or SSL-VPN if the host does not have native IPv6).
So, if your DirectAccess head-end is dual-stack, it now receives IPsec
packets over IPv6 rather than HTTPS or Teredo over IPv4, so firewall
settings must be tuned for that.

Now, I am really puzzled by your sentence "his Comcast-installed router
was handing our IPv6 addresses on his home LAN": is it a typo, 'our'
rather than 'out'? It would be interesting to see the
addresses/prefixes/routes of the failing DirectAccess client as well as
which IPv6 address/prefix is used by DirectAccess for the
normally-functioning clients.

-éric


On 19/12/15 22:37, "ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de on
behalf of Kurt Buff" <ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de
on behalf of kurt.buff at gmail.com> wrote:

>All,
>
>I ran into an interesting situation some months ago which still
>baffles me, and though I was able to work around it, I expect it will
>happen again.
>
>We implemented MSFT DirectAccess at our company quite some time ago
>(using 2008R2 and Forefront 2010), and it works extremely well.
>
>At least it worked well for everyone until one of the employees got
>his Comcast connection upgraded, and then DirectAccess didn't work for
>that employee any more.
>
>We proved that if he tethered to his cell phone, that would work, and
>if he used an SSL VPN client while on his Comcast connection that would
>work, but DirectAccess would not work at home.
>
>Finally, I discovered that his Comcast-installed router was handing
>our IPv6 addresses on his home LAN. Turning that off enabled
>DirectAccess to work again.
>
>We do not have an assigned IPv6 block from our ISP, though of course
>MSFT OSes use it, and auto-assign themselves addresses, but for now
>we're ignoring it.
>
>Has anyone run into this problem and solved it - not by turning off
>IPv6 address assignment for the home LAN, but really solved it? If
>so, how did you do that?
>
>Would getting and implementing an IPv6 assignment from our ISP cure
>the problem, or make it worse?
>
>I've found little guidance from MSFT about DirectAccess in an IPv6
>environment, though I admit I haven't been terribly diligent in my
>searches.
>
>Kurt
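As an added illustration (not part of the thread), a small Python helper that maps a DirectAccess client's IPv6 source address to the transport it implies, and therefore to the traffic the head-end firewall must admit, which is the tuning Eric refers to. The Teredo and 6to4 prefixes are the standard ones; the IP-HTTPS prefix is deployment-specific and is passed in by the caller; all sample addresses are constructed from documentation ranges.

```python
"""Map a DirectAccess client's IPv6 source address to the transport it
implies and to what the head-end firewall sees on the wire.
Prefixes: Teredo 2001::/32 (RFC 4380), 6to4 2002::/16 (RFC 3056).
The IP-HTTPS prefix is deployment-specific (assumed, supplied by caller)."""
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # IANA global unicast range

# What the head-end firewall must admit for each transport.
OUTER = {
    "native":   "IPv6: IKE UDP/500 and UDP/4500, ESP (IP protocol 50)",
    "teredo":   "IPv4: UDP/3544 to the Teredo server/relay (IPsec inside)",
    "6to4":     "IPv4: IP protocol 41 (IPv6 encapsulated in IPv4)",
    "ip-https": "IPv4: TCP/443 (IPv6 carried inside HTTPS)",
}

def decode_teredo(addr):
    """RFC 4380 s.4: bits 32-63 = Teredo server IPv4, bits 80-95 = external
    UDP port XOR 0xFFFF, bits 96-127 = external IPv4 with each byte XOR 0xFF."""
    p = addr.packed
    server = ipaddress.IPv4Address(p[4:8])
    port = int.from_bytes(p[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))
    return str(server), str(client), port

def classify_client(addr_str, iphttps_prefix=None):
    """Return the transport a client address implies plus the outer traffic."""
    addr = ipaddress.IPv6Address(addr_str)
    if iphttps_prefix and addr in ipaddress.IPv6Network(iphttps_prefix):
        return {"transport": "ip-https", "outer": OUTER["ip-https"]}
    if addr in TEREDO:  # checked before the generic global range
        server, client, port = decode_teredo(addr)
        return {"transport": "teredo", "outer": OUTER["teredo"],
                "teredo_server": server, "client_ipv4": client,
                "client_port": port}
    if addr in SIXTOFOUR:  # 6to4 embeds the client's public IPv4 in bits 16-47
        return {"transport": "6to4", "outer": OUTER["6to4"],
                "client_ipv4": str(ipaddress.IPv4Address(addr.packed[2:6]))}
    if addr in GLOBAL_UNICAST:  # native IPv6, e.g. a home LAN with RA/DHCPv6
        return {"transport": "native", "outer": OUTER["native"]}
    return {"transport": "unknown",
            "outer": "link-local/ULA source; not a DirectAccess client address"}

if __name__ == "__main__":
    # Constructed sample: Teredo server 192.0.2.1, client 198.51.100.7:40000
    for a in ("2001:0:c000:201:8000:63bf:39cc:9bf8", "2002:c000:204::1",
              "2001:db8:abcd:1::10", "fe80::1"):
        print(a, "->", classify_client(a))
```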