We use a Cisco ASA 5505 as the firewall and IPSec VPN endpoint on our network.

We use split-tunneling to reduce the load on our internet link. In other words, when someone is connected to the VPN their DNS queries go through our internal DNS server, and all traffic for hosts that resolve to 10.0.0.0/8 is sent through the tunnel. Other traffic is sent through their local internet gateway. This has worked well for IPv4 traffic.

I've now rolled out IPv6 connectivity (a SixXS 6in4 tunnel) to all servers and desktops on the LAN. A (hopefully growing) number of our users have their own IPv6 connectivity at home.

When I add the IPv6 addresses of our internal servers to our internal Bind9 DNS, some of the external users can no properly longer connect to the internal servers. I'm assuming they get an AAAA records from our DNS and their applications, having a preference for the AAAA address, try to connect directly to the server over IPv6 instead of using the IPSec tunnel. They run into our firewall and eventually time-out and connect over IPv4. In response, I've removed AAAA records from our DNS.

According to this forum post the Cisco IPSec client doesn't support IPv6, so I'd have to make the costly upgrade to AnyConnect.

Workaround that I've thought up:

  • Making a split-brain DNS that supplies AAAA records to LAN hosts, and only A records to VPN clients. VPN clients are on a specific IPv4 range, but no idea how to set up split-brain DNS.
  • Simply not providing AAAA records in internal DNS. This would limit our IPv6 usage to connections from internal clients to internet servers that advertise AAAA records. Internal traffic would remain IPv4.

Your thoughts, please? Is there a solution that would allow me to keep using IPSec VPN yet also advertise IPv6 on servers?


While it's not the most elegant solution, you can address this problem at the DNS level by using BIND split views, which allow you to present different DNS information to different clients. Since your VPN clients are neatly segregated, the filtering will be simple. Setting up your zone files so that you don't have to make multiple entries for each server takes a little art, but is not too difficult. See this example, or the BIND9 documentation.