Re: Support IPv6 in Remote Access VPN

AndreiR · ‎2024-04-17

Folks,

From CPX, from our customers, from Check Mates we know, some of you already met with IPv6 from Internet Service Providers, and that was kind of a challenge for you to adopt your Remote Access infrastructure. Check Point is here to assist you.

Today we start offering early version of Remote Access IPsec VPN client which works in IPv6 networks. As this is beta release, I'm pointing your attention to that disclaimer:

Disclaimer

Side build of E88.10 standalone VPN client contains initial support of IPv6 on client side in NAT64 scenario, which means:

Security gateway resides in IPv4 network;
Security gateway may be of any version, starting R81 and including upcoming R82;
Client may reside in either IPv4 network or in IPv6 network;
If client resides in IPv6 network, it is obligation of Internet Service Provider to implement:

NAT64 translation between IPv6 and IPv4 networks;
Provide DNS64 service which resolves names into IPv6 and supplies IPv6 prefix according to RFC 7050 and RFC 8880;

Although beta version of the client passed quality check, it might have bugs and some features may not operate in proper way. As of now we are aware of following issues:

IPv6 Office Mode is not yet supported
Roaming from IPv6 to IPv6 network may not work
Split DNS is not yet supported
Link Selection is not yet supported
Simultaneous Login Prevention is not yet supported
Location Awareness, DC-based is not yet supported (interface-based should work)
Secondary Tunnel Resilience for ATM is not yet supported
Proxy Detection and Replacement is not yet supported
Use IPv6 addresses in Desktop policy is not yet supported

We will be glad to hear early feedback on that version. Should you want to try this beta and / or report any issue, please send me direct message.

mgades · ‎2024-04-17

Good to hear progress for IPv6 support in the Remote Access client finally 😊

Can you confirm that the above does not support the following scenario (yet)?

Gateway is native IPv6 enabled (resides in IPv6 network and is globally reachable via IPv6)
Native IPv6 end-to-end from client to gateway

So the initial support for an IPv6-only VPN client depends on NAT64/DNS64 from the ISP (or elsewhere in transit), and in case of a dual-stacked client (eg. both with IPv4 and IPv6 address on the client) it will just connect directly to the IPv4 address of the gateway? In the latter case as todays behavior?

PhoneBoy · ‎2024-04-17

You are correct, it is not IPv6 end to end at present.
Having said that, it doesn't require a specific version of gateway, something that would likely be needed for true end to end IPv6 connectivity.

AndreiR · ‎2024-04-17

@mgades , you are correct. This is not full IPv6 solution. Our intention is to share initial version with early birds who met IPv6 in NAT64 scenario. Of course, later we will roll-out solution for IPv6 gateways with IPv6 Office Mode support.

mgades · ‎2024-04-17

Thanks @AndreiR. I just wanted to verify if I read it correctly that IPv6 enabled gateways are not supported yet.

We've been running native IPv6 on our gateways since R80.40 (2020), so I'm very happy about any progress on IPv6 feature parity 😃

the_rock · ‎2024-04-17

Thats really good news, because lets be honest, IPV6 will be more and more present everywhere.

Chers,

Andy

Are you a member of CheckMates?

Support IPv6 in Remote Access VPN