Bitrex
Explorer

Endpoint Security VPN, IPv6 and Hub Mode: IPv6 is not handled

Hello,

When Endpoint Security VPN is configured in hub mode, the expectation is that all traffic would be sent through the gateway the client is connected to. This does not apply to IPv6 traffic, since the Endpoint Security VPN does not support it at all. Thus, if the client has IPv6 enabled and is in a network with working IPv6 connectivity, all v6 traffic will bypass the tunnel and leave the client directly. This obviously defeats the purpose of configuring a hub mode setup. I'm aware of two ways to fix this: deliver the Desktop/Client Firewall Policy from Endpoint Policy Management, where such an option is available, or disable IPv6 on the client computers' LAN/WLAN/WWAN interfaces.

Both options aren't ideal. Enabling the EPM just for disabling v6 on VPN clients appears excessive; permanently disabling IPv6 on the client is backwards and possibly unreliable depending on how it would be enforced. What I'm looking for is a simple way to tell the client that IPv6 should be disconnected while the tunnel is up. Is there a way to do this except the two I mentioned?

Regards,

GS

5 Replies
PhoneBoy
Admin

I'm afraid if you want to still allow people to use IPv6, then you'll have to deploy Desktop Firewall.

mgades
Participant

Any insights on when we can expect to have IPv6 support fixed in Endpoint Security VPN?
This has been supported for ages at a certain competitor (e.g. Cisco AnyConnect).

0 Kudos
514numbers
Participant

Installation of desktop policy impossible with predefined IPv6 objects. Error messages on compilation with IPv6 objects or services for the desktop policy. Was worth a quick try.

Anybody got this to be blocked some other way?

0 Kudos
PhoneBoy
Admin

Don't know the specific timeline for this.
If this is a requirement for you, please engage with your local Check Point office.

0 Kudos
514numbers
Participant

There is a new feature within the trac_client_1.ttm, and it is supported on the 80.50+ client (easy to upgrade automatically). This feature doesn't require the policy server desktop firewall.

We tested this and it works.

ref:

allow_ipv6 | string | Blocks or allows IPv6 traffic to the client | true / false / client_decide | true | E80.50

0 Kudos
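A quick client-side check for the precondition described in the opening post, a usable IPv6 route and source address on the machine, added here as an example that is not from any poster or from Check Point. The probe destination is an assumed documentation-range address; the check reports routing state only and sends no packets, so it does not show whether a client-side filter drops the traffic.

```python
import ipaddress
import socket

# Assumption: documentation-range address (RFC 3849), used only for a route lookup.
PROBE_DESTINATION = "2001:db8::1"


def is_bypass_candidate(address: str) -> bool:
    """True if the address could source IPv6 traffic beyond the local link."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop any zone id
    if ip.version != 6:
        return False
    return not (ip.is_link_local or ip.is_loopback or ip.is_unspecified)


def ipv6_egress_source(destination: str = PROBE_DESTINATION, port: int = 53):
    """Return the IPv6 source address the OS would pick, or None if no route exists.

    connect() on a UDP socket only performs route and source-address
    selection; nothing is transmitted.
    """
    if not socket.has_ipv6:
        return None
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
            sock.connect((destination, port))
            return sock.getsockname()[0]
    except OSError:
        # No IPv6 route, or IPv6 disabled on the host
        return None


def check_host():
    """Summarise whether the host has an IPv6 path that the IPv4-only tunnel cannot carry."""
    source = ipv6_egress_source()
    possible = source is not None and is_bypass_candidate(source)
    return {"source": source, "bypass_possible": possible}


if __name__ == "__main__":
    print(check_host())
```

Run it on the client while the tunnel is connected; `bypass_possible: True` means the operating system still has an IPv6 path of its own.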