Skip to main content
Cisco Meraki

IPv6 Support on MX Security & SD-WAN Platforms - VPN

VPN

Meraki AutoVPN

The MX is able to carry and route IPv6 and IPv4 traffic inside the AutoVPN tunnels, but leverages IPv4 to create the end-to-end tunnels themselves. Note that at this time, MXs cannot establish IPv6 AutoVPN tunnels.

Note:

  • Currently, only Local VLANs in Routed mode or Local Networks are currently supported for IPv6.  

  • Local Static routes cannot be advertised in VPN.

  • Since eBGP is not supported for IPv6, traffic routed across AutoVPN.  Traffic exiting at the hub will require an IPv6 route from the upstream gateway (including the spoke prefixes) pointed back to the hub MX, so the return traffic can be properly routed back to the spokes.

  • IPv6 full-tunnel support is not implemented at this time due to technical limitations. Hence, disable VPN mode for IPv6 enabled VLANs or disable IPv6 for VLANs which you wish to use IPv4 full-tunnel.

  • iBGP is enabled between hub and spoke MXs by default on MX 17+ firmware if each network has IPv6 enabled.

  • Browse to Security & SD-WAN > Site-to-site VPN page

  • Ensure MX is configured in the desired VPN mode (Off, Hub or Spoke)

    • If in spoke mode, remember to configure the appropriate hubs

  • Scroll down to the VPN Settings and Enable/Disable VPN mode for each VLAN as desired

  • Save the changes to apply the configuration

  • Browse to Security & SD-WAN > Site-to-site VPN page

    • Ensure MX is configured in the desired VPN mode (Hub or Spoke)

  • Scroll to the VPN Settings section > Local networks > Click “Add a local network”

    • Configure the desired IPv6 Prefixes (1 per entry) & click save to commit the changes

 

IPv6 AnyConnect VPN support

With the release of MX 18.1.04 firmware, the MX Security & SD-WAN appliances are now able to support IPv6 for AnyConnect to both terminate a client VPN tunnel as well as IPv6 traffic inside the tunnel.

Note:

  • Requires MX 18.104+ firmware
  • Only ULA Addresses are currently supported inside the tunnel at this tim
  • Since ULA is being used, the MX will NAT IPv6 client traffic to the Internet
  • Split tunneling is not currently supported for IPv6 traffic. This means all Ipv6 traffic will be tunneled
  • AnyConnect support only Dual Stack when IPv6 is enabled, AnyConnect does not support IPv6-only on the inside or outside
  • To use a single stack IPv4, you must remove the IPv6 prefix from the AnyConnect Settings page which disables IPv6 on AnyConnect
  • The IPv4 inside interface will only pass traffic on the WAN uplink if there is an active IPv4 WAN link
  • The IPv6 inside interface will only pass traffic on the WAN uplink if there is an active IPv6 WAN link

Configuring IPv6 for AnyConnect

  • Browse to Security & SD-WAN > Client VPN page
  • Enable AnyConnect if not already so and configure the appropriate setting
  • Set the IPv6 ULA prefix you would like to use and DNS servers
  • Save the configuration

Refer to the main KB: IPv6 Support on MX Security & SD-WAN Platforms [Core Fundamentals]

  • Was this article helpful?