AndreiR
Employee

Support IPv6 in Remote Access VPN

Folks,

From CPX, from our customers, and from CheckMates we know that some of you have already met IPv6 from Internet Service Providers, and that it was something of a challenge for you to adapt your Remote Access infrastructure. Check Point is here to assist you.

Today we start offering an early version of the Remote Access IPsec VPN client which works in IPv6 networks. As this is a beta release, I'm drawing your attention to this disclaimer:

Disclaimer

A side build of the E88.10 standalone VPN client contains initial support for IPv6 on the client side in a NAT64 scenario, which means:

  • The Security Gateway resides in an IPv4 network;
  • The Security Gateway may be of any version, starting with R81 and including the upcoming R82;
  • The client may reside in either an IPv4 network or an IPv6 network;
  • If the client resides in an IPv6 network, it is the obligation of the Internet Service Provider to:
    • Implement NAT64 translation between IPv6 and IPv4 networks;
    • Provide a DNS64 service which resolves names into IPv6 and supplies the IPv6 prefix according to RFC 7050 and RFC 8880;

Although the beta version of the client passed the quality check, it might have bugs and some features may not operate properly. As of now we are aware of the following issues:

  • IPv6 Office Mode is not yet supported
  • Roaming from IPv6 to IPv6 network may not work
  • Split DNS is not yet supported
  • Link Selection is not yet supported
  • Simultaneous Login Prevention is not yet supported
  • Location Awareness, DC-based is not yet supported (interface-based should work)
  • Secondary Tunnel Resilience for ATM is not yet supported
  • Proxy Detection and Replacement is not yet supported
  • Use of IPv6 addresses in Desktop policy is not yet supported

We will be glad to hear early feedback on that version. Should you want to try this beta and/or report any issue, please send me a direct message.
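The NAT64 prefix discovery that the disclaimer refers to (RFC 7050), followed by the RFC 6052 mapping of an IPv4 gateway address into that prefix, as an added example that is not part of the original post and is not Check Point's client code. The function names are hypothetical, and the AAAA answers and the gateway address 192.0.2.33 are constructed sample values, so the block runs without a DNS64 resolver.

```python
import ipaddress

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050).
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
# Prefix lengths permitted for IPv4-embedded IPv6 addresses (RFC 6052).
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def v4_positions(plen):
    """Byte offsets carrying the IPv4 address; byte 8 is the reserved 'u' octet."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]


def discover_prefixes(aaaa_answers):
    """Derive NAT64 prefixes from the AAAA answers for ipv4only.arpa.

    An empty result means the resolver did no DNS64 synthesis.
    """
    found = set()
    for text in aaaa_answers:
        raw = ipaddress.IPv6Address(text).packed
        for plen in PREFIX_LENGTHS:
            embedded = ipaddress.IPv4Address(bytes(raw[p] for p in v4_positions(plen)))
            if embedded in WKA:
                found.add(ipaddress.IPv6Network((raw, plen), strict=False))
    return found


def synthesize(prefix, ipv4):
    """Map an IPv4 address into the NAT64 prefix (RFC 6052 section 2.2)."""
    raw = bytearray(prefix.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(v4_positions(prefix.prefixlen), v4):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


if __name__ == "__main__":
    # Constructed sample: answers a DNS64 resolver using 64:ff9b::/96 would return.
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    for prefix in discover_prefixes(answers):
        # 192.0.2.33 is a documentation address standing in for the IPv4 gateway.
        print(prefix, "->", synthesize(prefix, "192.0.2.33"))
```

Feeding it the real AAAA answers for ipv4only.arpa from a client network shows whether that network offers a discoverable DNS64 prefix before the beta client is tested there.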

5 Replies
mgades
Contributor

Good to hear progress for IPv6 support in the Remote Access client finally 😊

Can you confirm that the above does not support the following scenario (yet)?

  • Gateway is native IPv6 enabled (resides in IPv6 network and is globally reachable via IPv6)
  • Native IPv6 end-to-end from client to gateway

So the initial support for an IPv6-only VPN client depends on NAT64/DNS64 from the ISP (or elsewhere in transit), and in the case of a dual-stacked client (e.g. with both an IPv4 and an IPv6 address on the client) it will just connect directly to the IPv4 address of the gateway? In the latter case, as today's behavior?

PhoneBoy
Admin

You are correct, it is not IPv6 end to end at present.
Having said that, it doesn't require a specific version of gateway, something that would likely be needed for true end to end IPv6 connectivity.

AndreiR
Employee

@mgades, you are correct. This is not a full IPv6 solution. Our intention is to share an initial version with early birds who met IPv6 in a NAT64 scenario. Of course, later we will roll out a solution for IPv6 gateways with IPv6 Office Mode support.

mgades
Contributor

Thanks @AndreiR. I just wanted to verify if I read it correctly that IPv6 enabled gateways are not supported yet.

We've been running native IPv6 on our gateways since R80.40 (2020), so I'm very happy about any progress on IPv6 feature parity 😃

the_rock
Legend

That's really good news, because let's be honest, IPv6 will be more and more present everywhere.

Cheers,

Andy
