The Cable Guy
IPv6 Traffic over VPN Connections

Joseph Davies

As you begin to evaluate the role of Internet Protocol version 6 (IPv6) on your intranet and start planning for its deployment, you should understand how IPv6 traffic is supported over virtual private network (VPN) connections in Windows. With VPN connections, you can extend your network to include links across public networks such as the Internet. VPN connections are protected by strong authentication protocols to validate the credentials of the connecting user, and encryption methods to provide data confidentiality.

Windows® XP and Windows Server® 2003 include an IPv6 protocol stack, but many core services and networking components do not support IPv6. Windows Vista™ and Windows Server 2008 have full-featured support for IPv6, which is installed and enabled by default. In fact, almost all of the networking applications and services included with Windows Vista and Windows Server 2008 support IPv6. This month, I examine the support in Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 for IPv6 traffic sent over VPN connections that are established across the Internet Protocol version 4 (IPv4) and IPv6 Internets.

VPN Connections across the IPv4 Internet

For most of today’s intranets, VPN connections are created across the IPv4 Internet. Figure 1 shows Windows-based components for VPN connections of this type. These components consist of the following:

Figure 1 Windows-based components for VPN connections across the IPv4 Internet

VPN Client This is a computer that initiates a remote access VPN connection to a VPN server and communicates with intranet resources. A remote access VPN connection allows the VPN client to act as if it were directly connected to the intranet. A VPN client can run either client or server versions of Windows.

VPN Server This computer listens for remote VPN connection attempts, enforces authentication and connection requirements, and routes packets between VPN clients and intranet resources. A VPN server typically runs a server version of Windows with the Routing and Remote Access service.

VPN Router A VPN router is a computer that initiates or listens for site-to-site VPN connection attempts. A site-to-site VPN connection connects two portions of an intranet together. A VPN router runs a server version of Windows and the Routing and Remote Access service.

VPN Connection A VPN connection is the logical link between the VPN client and the VPN server or between VPN routers as defined by the encapsulation of a VPN protocol.

IPv6-Enabled Intranet This intranet can forward IPv6 traffic, either natively or tunneled as IPv4 packets.

IPv6/IPv4 Host This intranet node sends and receives IPv6 traffic, either natively or tunneled as IPv4 packets.

Windows-based VPN clients, servers, and routers can use the following VPN protocols to encapsulate the packets sent across the VPN connection: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). SSTP is only supported by Windows Vista with Service Pack 1 and Windows Server 2008.

For VPN connections across the IPv4 Internet, there are two methods that are used for sending IPv6: IPv6 packets tunneled as IPv4 packets, hereafter referred to as IPv6-over-IPv4 traffic, and native IPv6 traffic.

Throughout this column, support for IPv6 traffic across VPN connections is stated in terms of VPN protocols and versions of Windows. For remote access VPN connections, a given combination of VPN protocol and version of Windows implies support by both remote access client and remote access server components of Windows.

IPv6-over-IPv4 Traffic

In this method, a remote access client or an IPv6/IPv4 host on the intranet encapsulates IPv6 packets with an IPv4 header and sends the result as an IPv4 packet. For intranets, the IntraSite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology (RFC 4214) allows IPv6/IPv4 nodes to exchange IPv6 traffic across an IPv4-only intranet. With ISATAP, you can enable IPv6 connectivity on your IPv4-only intranet without having to configure or upgrade your existing routers to support native IPv6 addressing and forwarding. For more information about ISATAP, see "IPv6 Transition Technologies" at microsoft.com/technet/network/ipv6/ipv6coexist.mspx.

Figure 2 shows the general packet structure for VPN traffic when sending an IPv4 packet using a VPN connection across the IPv4 Internet. The IPv4 packet is encapsulated by the VPN protocol with a header and, depending on the VPN protocol, a trailer. The result is encapsulated with an IPv4 header that allows forwarding across the IPv4 Internet.

Figure 2 IPv4 packets using a VPN connection across the IPv4 Internet

For IPv6-over-IPv4 traffic, the payload of the IPv4 packet sent across the VPN connection is an IPv6 packet. Figure 3 shows the general packet structure for VPN traffic when sending an IPv6-over-IPv4 packet using a VPN connection across the IPv4 Internet.

Figure 3 IPv6-over-IPv4 packets using a VPN connection across the IPv4 Internet

For remote access VPN connections, IPv6-over-IPv4 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Vista, Windows Server 2008, Windows XP SP1 or higher, and Windows Server 2003 and by SSTP in Windows Server 2008. For site-to-site VPN connections, IPv6-over-IPv4 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Server 2008 and Windows Server 2003.

Native IPv6 Traffic

For native IPv6 traffic, the VPN client, server, or router sends IPv6 packets across the VPN connection without the initial IPv4 encapsulation. This works for intranets that have native IPv6 connectivity and requires that the VPN clients, servers, and routers support the IPv6 Control Protocol (IPV6CP), RFC 2472, which defines how IPv6 nodes negotiate IPv6 configuration options for Point-to-Point Protocol (PPP)-based connections. Windows Vista and Windows Server 2008 support IPV6CP while Windows XP and Windows Server 2003 do not. Figure 4 shows the general packet structure for VPN traffic when sending a native IPv6 packet using a VPN connection across the IPv4 Internet.

Figure 4 Native IPv6 packets using a VPN connection across the IPv4 Internet

For remote access VPN connections, native IPv6 traffic across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, native IPv6 traffic that travels across the IPv4 Internet is supported by PPTP and L2TP/IPsec in Windows Server 2008.

VPN Connections across the IPv6 Internet

You can also make VPN connections across the IPv6 Internet. Such VPN connections are uncommon now, but will become more prevalent as more Internet service providers offer IPv6 to their customers and more organizations include IPv6 Internet connectivity in their intranet edge networks.

In order to support VPN connections across the IPv6 Internet, the VPN protocols that are used must support connections over IPv6. In Windows Vista SP1 and Windows Server 2008, the L2TP/IPsec and SSTP VPN protocols support remote access VPN connections over IPv6. In Windows Server 2008, L2TP/IPsec supports site-to-site connections over IPv6. VPN connections across the IPv6 Internet use the same set of components as those for VPN connections across the IPv4 Internet for both remote access and site-to-site VPN connections.

There are also two ways of sending IPv6 packets over the IPv6 Internet: IPv6-over-IPv4 traffic and native IPv6 traffic. Figure 5 shows the general structure of IPv6-over-IPv4 packets when they are sent over a VPN connection across the IPv6 Internet.

Figure 5 IPv6-over-IPv4 packets using a VPN connection across the IPv6 Internet

For remote access VPN connections, IPv6-over-IPv4 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, IPv6-over-IPv4 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Server 2008. Just as for IPv6-over-IPv4 traffic over the IPv4 Internet, IPv6-over-IPv4 traffic over the IPv6 Internet requires the deployment of an IPv6 transition technology such as ISATAP on your intranet.

Figure 6 shows the general structure of native IPv6 packets when they are sent over a VPN connection across the IPv6 Internet. Just as for native IPv6 traffic over the IPv4 Internet, native IPv6 traffic over the IPv6 Internet requires IPV6CP support and the deployment of native IPv6 connectivity on your intranet.

Figure 6 Native IPv6 packets using a VPN connection across the IPv6 Internet

For remote access VPN connections, native IPv6 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Vista and Windows Server 2008 and by SSTP in Windows Server 2008. For site-to-site VPN connections, native IPv6 traffic across the IPv6 Internet is supported by L2TP/IPsec in Windows Server 2008.
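The packet structures in Figures 2 through 6 differ only in what sits inside the VPN protocol's encapsulation, so the method in use can be read off the PPP frame that PPTP, L2TP/IPsec and SSTP all carry. The following is an added example, not code from the column or from Windows: it builds constructed sample frames for each figure (the VPN protocol header and trailer are assumed to have been stripped already, and the outer IPv4 or IPv6 header is represented only by its version number) and classifies a frame as IPv4, IPv6-over-IPv4, or native IPv6 traffic.

```python
import struct

# PPP protocol IDs carried inside PPTP, L2TP/IPsec and SSTP (RFC 1332 / RFC 2472);
# a native-IPv6 link negotiates 0x8057 (IPV6CP) before 0x0057 frames can flow.
PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057
IPPROTO_IPV6 = 41   # IPv4 protocol number for IPv6-in-IPv4 tunnels (what ISATAP uses)

def ipv4_header(proto, payload_len):
    # Minimal 20-byte IPv4 header with constructed addresses; checksum left at zero
    # because only the header fields are inspected here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def ipv6_header(next_hdr, payload_len):
    # Minimal 40-byte IPv6 header (version 6, no traffic class or flow label).
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02")

def ppp_frame(proto, packet):
    # PPP frame as the VPN protocol delivers it: 2-byte protocol field, then the packet.
    return struct.pack("!H", proto) + packet

def classify(transport_ip_version, ppp):
    """Name the method (Figures 2-6) used by one PPP frame received over the VPN.

    transport_ip_version is 4 or 6, taken from the outer header of the VPN packet."""
    internet = f"IPv{transport_ip_version} Internet"
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    inner = ppp[2:]
    if ppp_proto == PPP_IPV6 and inner[0] >> 4 == 6:
        return f"native IPv6 traffic over the {internet}"
    if ppp_proto == PPP_IPV4 and inner[0] >> 4 == 4:
        ihl = (inner[0] & 0x0F) * 4
        if inner[9] == IPPROTO_IPV6 and inner[ihl] >> 4 == 6:
            return f"IPv6-over-IPv4 traffic over the {internet}"
        return f"IPv4 traffic over the {internet}"
    return "unrecognized PPP payload"

# Constructed sample frames matching Figures 3 and 4 (IPv4 Internet) and 5 and 6 (IPv6 Internet).
APP = b"\x00" * 8                               # placeholder upper-layer data
V6_PKT = ipv6_header(59, len(APP)) + APP        # next header 59 = "no next header"
FIG3 = ppp_frame(PPP_IPV4, ipv4_header(IPPROTO_IPV6, len(V6_PKT)) + V6_PKT)
FIG4 = ppp_frame(PPP_IPV6, V6_PKT)
FIG2 = ppp_frame(PPP_IPV4, ipv4_header(6, len(APP)) + APP)   # plain IPv4 carrying TCP

if __name__ == "__main__":
    for name, ver, frame in (("Fig2", 4, FIG2), ("Fig3", 4, FIG3), ("Fig4", 4, FIG4),
                             ("Fig5", 6, FIG3), ("Fig6", 6, FIG4)):
        print(name, "->", classify(ver, frame))
```

On a Windows XP or Windows Server 2003 endpoint, which lacks IPV6CP, only the first two outcomes can occur; a 0x0057 frame is the signature of a native IPv6 link negotiated by Windows Vista or Windows Server 2008.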

Wrapping Up

Figure 7 shows the four methods for sending IPv6 traffic over VPN connections and the support in Windows for the two different types of VPN connections. In a nutshell, if you are using an IPv6 transition technology such as ISATAP on your intranet, you can send IPv6-over-IPv4 traffic over VPN connections across both IPv4 and IPv6 Internets. If your intranet supports native IPv6 connectivity, you can send native IPv6 traffic over VPN connections across both the IPv4 and IPv6 Internets with Windows Vista and Windows Server 2008.

Figure 7 Support for IPv6 traffic over VPN connections in Windows

IPv6-over-IPv4 traffic over the IPv4 Internet
  Remote access VPN connections: PPTP and L2TP/IPsec in Windows Vista, Windows Server 2008, Windows XP SP1 or higher, and Windows Server 2003; SSTP in Windows Vista SP1 and Windows Server 2008
  Site-to-site VPN connections: PPTP and L2TP/IPsec in Windows Server 2008 and Windows Server 2003

Native IPv6 traffic over the IPv4 Internet
  Remote access VPN connections: PPTP and L2TP/IPsec in Windows Vista and Windows Server 2008; SSTP in Windows Vista SP1 and Windows Server 2008
  Site-to-site VPN connections: PPTP and L2TP/IPsec in Windows Server 2008

IPv6-over-IPv4 traffic over the IPv6 Internet
  Remote access VPN connections: L2TP/IPsec in Windows Vista and Windows Server 2008; SSTP in Windows Vista SP1 and Windows Server 2008
  Site-to-site VPN connections: L2TP/IPsec in Windows Server 2008

Native IPv6 traffic over the IPv6 Internet
  Remote access VPN connections: L2TP/IPsec in Windows Vista and Windows Server 2008; SSTP in Windows Vista SP1 and Windows Server 2008
  Site-to-site VPN connections: L2TP/IPsec in Windows Server 2008

Joseph Davies is a technical writer with Microsoft and has been teaching and writing about Windows networking topics since 1992. He has written eight books for Microsoft Press and is the author of the monthly online TechNet Cable Guy column.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.