Curious situation - not urgent, but I'd like to know more

Kurt Buff kurt.buff at gmail.com
Sun Dec 20 19:48:00 CET 2015


Yes - "our" should read "out" - they were not anything we would hand out,
and ISTR that they were listed on the NIC entries, separately from the
DirectAccess addresses listed in the other ipconfig entries.

Per my earlier statement, I'll either retrieve those settings from the
ticket, or try to recreate.

Kurt

On Sun, Dec 20, 2015 at 1:10 AM, Eric Vyncke (evyncke) <evyncke at cisco.com>
wrote:

> Interesting situation indeed :-)
>
> As we all know, Microsoft DirectAccess uses IPsec over IPv6 (and
> potentially over Teredo or SSL-VPN if the host does not have native IPv6).
> So, if your DirectAccess head-end is dual-stack, it now receives IPsec
> packets over IPv6 rather than HTTPS or Teredo over IPv4, so, firewall
> settings must be tuned for that.
>
> Now, I am really puzzled by your sentence "his Comcast-installed router
> was handing our IPv6 addresses on his home LAN", is it a typo in 'our'
> rather than 'out'? It would be interesting to see the
> addresses/prefixes/routes of the failing DirectAccess client as well as
> which IPv6 address/prefix is used by DirectAccess for the
> normally-functioning clients.
>
> -éric
>
>
> On 19/12/15 22:37, "ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de on
> behalf of Kurt Buff" <ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de
> on behalf of kurt.buff at gmail.com> wrote:
>
> >All,
> >
> >I ran into an interesting situation some months ago which still
> >baffles me, and though I was able to work around it, I expect it will
> >happen again.
> >
> >We implemented MSFT DirectAccess at our company quite some time ago
> >(using 2008R2 and Forefront 2010), and it works extremely well.
> >
> >At least it worked well for everyone until one of the employees got
> >his Comcast connection upgraded, and then DirectAccess didn't work for
> >that employee any more.
> >
> >We proved that if he tethered to his cell phone, that would work, and
> >if he used an SSL VPN client while on his Comcast connection that would
> >work, but DirectAccess would not work at home.
> >
> >Finally, I discovered that his Comcast-installed router was handing
> >our IPv6 addresses on his home LAN. Turning that off enabled
> >DirectAccess to work again.
> >
> >We do not have an assigned IPv6 block from our ISP, though of course
> >MSFT OSes use it, and auto-assign themselves addresses, but for now
> >we're ignoring it.
> >
> >Has anyone run into this problem and solved it - not by turning off
> >IPv6 address assignment for the home LAN, but really solved it? If
> >so, how did you do that?
> >
> >Would getting and implementing an IPv6 assignment from our ISP cure
> >the problem, or make it worse?
> >
> >I've found little guidance from MSFT about DirectAccess in an IPv6
> >environment, though I admit I haven't been terribly diligent in my
> >searches.
> >
> >Kurt
>
>
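The thread asks for the failing client's IPv6 addresses, prefixes and routes, and for which transport (native IPv6, Teredo or IP-HTTPS) DirectAccess is actually using. The script below is an added example, not code from either poster: it collects exactly that from a Windows DirectAccess client and flags global unicast addresses that came from the local LAN's router rather than from a transition interface. It assumes the Net*/DnsClient cmdlets of Windows 8 / Server 2012 or later and an elevated session; for a Windows 7 client the netsh equivalents are given in comments. Run it once on the failing client at home and once on a working client, then compare the two reports.

```powershell
# Added example for this thread (not code from either poster). Assumes the
# Net* / DnsClient cmdlets (Windows 8 / Server 2012 or later); netsh
# equivalents for Windows 7 are noted inline. Run elevated.

function Get-DAClientIPv6Report {
    [CmdletBinding()]
    param()

    # Interfaces DirectAccess uses when the client has no native IPv6 path.
    $transitionIf = '^(Teredo|IPHTTPS|6TO4|isatap)'

    # netsh equivalent: netsh interface ipv6 show addresses
    $addresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Interface    = $_.InterfaceAlias
                Address      = $_.IPAddress
                PrefixLength = $_.PrefixLength
                # e.g. RouterAdvertisement/Random = SLAAC from the local LAN
                Origin       = '{0}/{1}' -f $_.PrefixOrigin, $_.SuffixOrigin
                Transition   = [bool]($_.InterfaceAlias -match $transitionIf)
                # 2000::/3 is global unicast. Transition interfaces are excluded
                # because Teredo (2001:0::/32) and 6to4 (2002::/16) addresses
                # fall in that range too.
                NativeGlobal = [bool]($_.IPAddress -match '^[23]' -and
                                      $_.InterfaceAlias -notmatch $transitionIf)
            }
        }

    # netsh equivalent: netsh interface ipv6 show route
    $defaultRoutes = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' `
                         -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric

    # netsh equivalents: netsh interface teredo show state
    #                    netsh interface httpstunnel show interfaces
    $teredo  = Get-NetTeredoState  -ErrorAction SilentlyContinue
    $iphttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue

    # netsh equivalent: netsh namespace show effectivepolicy
    # Shows whether the DirectAccess NRPT rules are in effect on this client.
    $nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Select-Object Namespace, DirectAccessDnsServers

    # A global address learned from the LAN router (RA or DHCPv6) on a
    # non-transition interface is the situation the thread describes with
    # the Comcast-installed router.
    $nativeFromLan = $addresses | Where-Object {
        $_.NativeGlobal -and ($_.Origin -match '^(RouterAdvertisement|Dhcp)/')
    }

    [pscustomobject]@{
        Addresses         = $addresses
        DefaultRoutes     = $defaultRoutes
        TeredoState       = $teredo.State
        IPHttpsStatus     = $iphttps.InterfaceStatus
        Nrpt              = $nrpt
        NativeIPv6FromLan = [bool]$nativeFromLan
    }
}

$r = Get-DAClientIPv6Report
$r.Addresses     | Format-Table -AutoSize
$r.DefaultRoutes | Format-Table -AutoSize
$r | Select-Object TeredoState, IPHttpsStatus, NativeIPv6FromLan | Format-List
$r.Nrpt          | Format-Table -AutoSize
```

The Transition and NativeGlobal columns are the key comparison: a working client on IPv4-only home broadband should show its only global address on the Teredo or IPHTTPS interface, while the failing client in the thread would additionally show a global address on the physical adapter with an Origin of RouterAdvertisement/... and a default route pointing at the home router.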