The Cable Guy: IPv6 Traffic over VPN Connections
Joseph Davies


As you begin to evaluate the role of Internet Protocol version 6 (IPv6) on your intranet and start planning for its deployment, you should understand how IPv6 traffic is supported over virtual private network (VPN) connections in Windows. With VPN connections, you can extend your network to include links across public networks such as the Internet. VPN connections are protected by strong authentication protocols to validate the credentials of the connecting user, and encryption methods to provide data confidentiality.
Windows® XP and Windows Server® 2003 include an IPv6 protocol stack, but many core services and networking components do not support IPv6. Windows Vista™ and Windows Server 2008 have full-featured support for IPv6, which is installed and enabled by default. In fact, almost all of the networking applications and services included with Windows Vista and Windows Server 2008 support IPv6. This month, I examine the support in Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 for IPv6 traffic sent over VPN connections that are established across the Internet Protocol version 4 (IPv4) and IPv6 Internets.

VPN Connections across the IPv4 Internet
For most of today’s intranets, VPN connections are created across the IPv4 Internet. Figure 1 shows Windows-based components for VPN connections of this type. These components consist of the following:
Figure 1 Windows-based components for VPN connections across the IPv4 Internet
VPN Client: This is a computer that initiates a remote access VPN connection to a VPN server and communicates with intranet resources. A remote access VPN connection allows the VPN client to act as if it were directly connected to the intranet. A VPN client can run either client or server versions of Windows.
VPN Server: This computer listens for remote VPN connection attempts, enforces authentication and connection requirements, and routes packets between VPN clients and intranet resources. A VPN server typically runs a server version of Windows with the Routing and Remote Access service.
VPN Router: A VPN router is a computer that initiates or listens for site-to-site VPN connection attempts. A site-to-site VPN connection connects two portions of an intranet together. A VPN router runs a server version of Windows and the Routing and Remote Access service.
VPN Connection: A VPN connection is the logical link between the VPN client and the VPN server or between VPN routers as defined by the encapsulation of a VPN protocol.
IPv6-Enabled Intranet: This intranet can forward IPv6 traffic, either natively or tunneled as IPv4 packets.
IPv6/IPv4 Host: This intranet node sends and receives IPv6 traffic, either natively or tunneled as IPv4 packets.
Windows-based VPN clients, servers, and routers can use the following VPN protocols to encapsulate the packets sent across the VPN connection: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). SSTP is only supported by Windows Vista with Service Pack 1 and Windows Server 2008.
For VPN connections across the IPv4 Internet, there are two methods that are used for sending IPv6: IPv6 packets tunneled as IPv4 packets, hereafter referred to as IPv6-over-IPv4 traffic, and native IPv6 traffic.
Throughout this column, support for IPv6 traffic across VPN connections is stated in terms of VPN protocols and versions of Windows. For remote access VPN connections, a given combination of VPN protocol and version of Windows implies support by both remote access client and remote access server components of Windows.

IPv6-over-IPv4 Traffic
In this method, a remote access client or an IPv6/IPv4 host on the intranet encapsulates IPv6 packets with an IPv4 header and sends the result as an IPv4 packet. For intranets, the IntraSite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology (RFC 4214) allows IPv6/IPv4 nodes to exchange IPv6 traffic across an IPv4-only intranet. With ISATAP, you can enable IPv6 connectivity on your IPv4-only intranet without having to configure or upgrade your existing routers to support native IPv6 addressing and forwarding. For more information about ISATAP, see "IPv6 Transition Technologies" at microsoft.com/technet/network/ipv6/ipv6coexist.mspx.
Figure 2 shows the general packet structure for VPN traffic when sending an IPv4 packet using a VPN connection across the IPv4 Internet. The IPv4 packet is encapsulated by the VPN protocol with a header and, depending on the VPN protocol, a trailer. The result is encapsulated with an IPv4 header that allows forwarding across the IPv4 Internet.
Figure 2 IPv4 packets using a VPN connection across the IPv4 Internet 
For IPv6-over-IPv4 traffic, the payload of the IPv4 packet sent across the VPN connection is an IPv6 packet. Figure 3 shows the general packet structure for VPN traffic when sending an IPv6-over-IPv4 packet using a VPN connection across the IPv4 Internet.
Figure 3 IPv6-over-IPv4 packets using a VPN connection across the IPv4 Internet 
For remote access VPN connections, IPv6-over-IPv4 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Vista, Windows Server 2008, Windows XP SP1 or higher, and Windows Server 2003 and by SSTP in Windows Server 2008. For site-to-site VPN connections, IPv6-over-IPv4 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Server 2008 and Windows Server 2003.

Native IPv6 Traffic
For native IPv6 traffic, the VPN client, server, or router sends IPv6 packets across the VPN connection without the initial IPv4 encapsulation. This works for intranets that have native IPv6 connectivity and requires that the VPN clients, servers, and routers support the IPv6 Control Protocol (IPV6CP), RFC 2472, which defines how IPv6 nodes negotiate IPv6 configuration options for Point-to-Point Protocol (PPP)-based connections. Windows Vista and Windows Server 2008 support IPV6CP while Windows XP and Windows Server 2003 do not. Figure 4 shows the general packet structure for VPN traffic when sending a native IPv6 packet using a VPN connection across the IPv4 Internet.
Figure 4 Native IPv6 packets using a VPN connection across the IPv4 Internet 
For remote access VPN connections, native IPv6 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, native IPv6 traffic that travels across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Server 2008.

VPN Connections across the IPv6 Internet
You can also make VPN connections across the IPv6 Internet. Such VPN connections are uncommon now, but will become more prevalent as more Internet service providers offer IPv6 to their customers and more organizations include IPv6 Internet connectivity in their intranet edge networks.
In order to support VPN connections across the IPv6 Internet, the VPN protocols that are used must support connections over IPv6. In Windows Vista SP1 and Windows Server 2008, the L2TP/IPsec and SSTP VPN protocols support remote access VPN connections over IPv6. In Windows Server 2008, L2TP/IPsec supports site-to-site connections over IPv6. VPN connections across the IPv6 Internet use the same set of components as those for VPN connections across the IPv4 Internet for both remote access and site-to-site VPN connections.
There are also two ways of sending IPv6 packets over the IPv6 Internet: IPv6-over-IPv4 traffic and native IPv6 traffic. Figure 5 shows the general structure of IPv6-over-IPv4 packets when they are sent over a VPN connection across the IPv6 Internet.
Figure 5 IPv6-over-IPv4 packets using a VPN connection across the IPv6 Internet 
For remote access VPN connections, IPv6-over-IPv4 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, IPv6-over-IPv4 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Server 2008. Just as for IPv6-over-IPv4 traffic over the IPv4 Internet, IPv6-over-IPv4 traffic over the IPv6 Internet requires the deployment of an IPv6 transition technology such as ISATAP on your intranet.
Figure 6 shows the general structure of native IPv6 packets when they are sent over a VPN connection across the IPv6 Internet. Just as for native IPv6 traffic over the IPv4 Internet, native IPv6 traffic over the IPv6 Internet requires IPV6CP support and the deployment of native IPv6 connectivity on your intranet.
Figure 6 Native IPv6 packets using a VPN connection across the IPv6 Internet 
For remote access VPN connections, native IPv6 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, native IPv6 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Server 2008.
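To make the layering in Figures 2 through 6 concrete, here is an added Python example that is not code from this column or from Windows. It builds the three IPv4-Internet packet structures (Figures 2, 3 and 4) for the PPTP case and decodes them layer by layer, and it shows what an observer on the IPv4 or IPv6 Internet can and cannot tell about the traffic inside the tunnel. PPTP is used for the buildable cases because its GRE data channel is the only one of the three VPN protocols whose framing is not itself encrypted; L2TP/IPsec and SSTP packets are recognized only by their outer headers (ESP, UDP 500/4500, TCP 443), which is also all that is visible for the IPv6-Internet structures of Figures 5 and 6. The addresses, the application payload, the protocol number 253 used for that payload, and the assumption that PPP address/control field compression is in effect are constructed for this example; the field layouts follow RFC 791 (IPv4), RFC 2460 (IPv6), RFC 2637 (PPTP enhanced GRE) and RFC 1661/2472 (PPP protocol field, IPV6CP).

```python
import struct
import ipaddress

# IANA protocol numbers for the layers in Figures 2 through 6
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 41, 47, 50
IPPROTO_OPAQUE = 253         # RFC 3692 experimental number; stands in for the constructed app payload
PPP_IPV4, PPP_IPV6, PPP_MPPE = 0x0021, 0x0057, 0x00FD  # PPP protocol field (IPv6 negotiated by IPV6CP)
GRE_PROTO_PPP = 0x880B       # GRE protocol type for PPP, i.e. the PPTP data channel (RFC 2637)
# VPN protocols whose payload is encrypted: only the outer header identifies them
ENCRYPTED = {(IPPROTO_ESP, None): "L2TP/IPsec (ESP)", (IPPROTO_UDP, 4500): "L2TP/IPsec (UDP-encapsulated ESP)",
             (IPPROTO_UDP, 500): "IKE", (IPPROTO_TCP, 443): "SSTP (TLS)"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; recomputing it over a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header (DF set, TTL 64) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def ipv6_header(src, dst, next_hdr, payload_len):
    """40-byte IPv6 header (hop limit 64)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def pptp_packet(outer_src, outer_dst, ppp_proto, inner):
    """Outer IPv4 | enhanced GRE (K and S bits set, version 1) | PPP protocol field | inner datagram.
    Address/control field compression is assumed, so the PPP frame carries no FF 03 prefix."""
    ppp = struct.pack("!H", ppp_proto) + inner
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), 1, 1) + ppp  # key = length, call ID 1; seq 1
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre

def figure2(outer_src, outer_dst, src, dst, payload):
    """Figure 2: IPv4 datagram over the VPN connection."""
    return pptp_packet(outer_src, outer_dst, PPP_IPV4, ipv4_header(src, dst, IPPROTO_OPAQUE, len(payload)) + payload)

def figure3(outer_src, outer_dst, src4, dst4, src6, dst6, payload):
    """Figure 3: IPv6 datagram tunneled as IPv4 (protocol 41, as an ISATAP host sends it), over the VPN."""
    v6 = ipv6_header(src6, dst6, IPPROTO_OPAQUE, len(payload)) + payload
    return pptp_packet(outer_src, outer_dst, PPP_IPV4, ipv4_header(src4, dst4, IPPROTO_IPV6, len(v6)) + v6)

def figure4(outer_src, outer_dst, src6, dst6, payload):
    """Figure 4: native IPv6 datagram over the VPN connection (needs IPV6CP on both ends)."""
    return pptp_packet(outer_src, outer_dst, PPP_IPV6, ipv6_header(src6, dst6, IPPROTO_OPAQUE, len(payload)) + payload)

def classify(packet):
    """Walk the headers of one packet as seen on the Internet and name the structure it matches.
    Accepts an IPv4 or IPv6 outer header (VPN connection across the IPv4 or the IPv6 Internet)."""
    version = packet[0] >> 4
    if version == 4:
        hdr_len, proto = (packet[0] & 0x0F) * 4, packet[9]
    elif version == 6:
        hdr_len, proto = 40, packet[6]
    else:
        raise ValueError("not an IP packet")
    layers = ["IPv%d" % version]
    dport = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0] if proto in (IPPROTO_TCP, IPPROTO_UDP) else None
    if (proto, dport) in ENCRYPTED:
        return {"layers": layers + [ENCRYPTED[(proto, dport)]],
                "method": "encrypted by the VPN protocol; inner IP version not visible"}
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not a VPN protocol this decoder knows" % proto)
    flags, ptype, plen = struct.unpack("!HHH", packet[hdr_len:hdr_len + 6])
    if ptype != GRE_PROTO_PPP or (flags & 0x0007) != 1:
        raise ValueError("GRE is not PPTP enhanced GRE")
    off = hdr_len + 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # S and A bits add fields
    ppp = packet[off:off + plen]
    if ppp[:2] == b"\xff\x03":          # address/control field present if ACFC was not negotiated
        ppp = ppp[2:]
    ppp_proto, inner = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    layers += ["PPTP/GRE", "PPP"]
    if ppp_proto == PPP_MPPE:          # PPTP with MPPE: the PPP payload itself is encrypted
        return {"layers": layers + ["MPPE"], "method": "encrypted by MPPE; inner IP version not visible"}
    if ppp_proto == PPP_IPV6:
        layers.append("IPv6")
        method, app_len = "native IPv6 (Figure 4)", len(inner) - 40
    elif ppp_proto == PPP_IPV4:
        layers.append("IPv4")
        inner_len = (inner[0] & 0x0F) * 4
        if inner[9] == IPPROTO_IPV6 and inner[inner_len] >> 4 == 6:
            layers.append("IPv6")
            method, app_len = "IPv6-over-IPv4 (Figure 3)", len(inner) - inner_len - 40
        else:
            method, app_len = "IPv4 (Figure 2)", len(inner) - inner_len
    else:
        raise ValueError("PPP protocol 0x%04x is neither IPv4 nor IPv6" % ppp_proto)
    return {"layers": layers, "method": method, "overhead": len(packet) - app_len}

if __name__ == "__main__":
    data = b"constructed application payload"
    for pkt in (figure2("203.0.113.10", "198.51.100.1", "10.0.0.5", "10.1.2.3", data),
                figure3("203.0.113.10", "198.51.100.1", "10.0.0.5", "10.1.2.3",
                        "2001:db8::5efe:a00:5", "2001:db8::5efe:a01:203", data),
                figure4("203.0.113.10", "198.51.100.1", "2001:db8:1::5", "2001:db8:2::3", data)):
        print(classify(pkt))
```

The "overhead" value makes the cost of each structure visible: 54 bytes of headers above the application data for Figure 2, 94 for Figure 3 (the ISATAP IPv4 header and the IPv6 header are both carried inside the tunnel), and 74 for Figure 4. The ISATAP-style inner addresses use the interface identifier form ::0:5EFE:w.x.y.z from RFC 4214. The encrypted branches are the practical point for anyone monitoring the network edge: for L2TP/IPsec, SSTP, and PPTP with MPPE, nothing outside the VPN server can see whether the tunnel carries IPv4, IPv6-over-IPv4 or native IPv6, so whether IPv6 is allowed across a VPN connection is decided by the server's IPV6CP negotiation and its routing of IPv6 and protocol-41 traffic, not by inspecting the tunnel from outside.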

Wrapping Up
Figure 7 shows the four methods for sending IPv6 traffic over VPN connections and the support in Windows for the two different types of VPN connections. In a nutshell, if you are using an IPv6 transition technology such as ISATAP on your intranet, you can send IPv6-over-IPv4 traffic over VPN connections across both IPv4 and IPv6 Internets. If your intranet supports native IPv6 connectivity, you can send native IPv6 traffic over VPN connections across both the IPv4 and IPv6 Internets with Windows Vista and Windows Server 2008.

Joseph Davies is a technical writer with Microsoft and has been teaching and writing about Windows networking topics since 1992. He has written eight books for Microsoft Press and is the author of the monthly online TechNet Cable Guy column.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.