Using Traffic Filters with Always On VPN gives administrators the option to configure a true Zero Trust Network Access (ZTNA) solution for their field-based users and devices. By enabling traffic filtering, network access over the Always On VPN connection can be controlled using fine-grained policies. Traffic Filter rules can be configured to restrict access based on source and destination IP addresses, protocols, and source and destination ports. Administrators can further restrict access based on the application generating the traffic.
IPv6
While testing these features recently, I learned that the Microsoft Endpoint Manager (formerly Intune) user interface does not appear to support IPv6 when configuring traffic filter rules. The UI explicitly asks for an IPv4 address and rejects an IPv6 address entered in the address field, as shown here.
Interestingly, it is possible to add IPv6 addresses in XML, as follows.
<TrafficFilter>
<App>
<Id>Microsoft.RemoteDesktop_8wekyb3d8bbwe</Id>
</App>
<Protocol>6</Protocol>
<RemotePortRanges>3389</RemotePortRanges>
<RemoteAddressRanges>2001:470:f109::/48</RemoteAddressRanges>
</TrafficFilter>
Connection Failure
Unfortunately, after loading the XML on a test client, the Always On VPN connection fails with the following error message.
“Can’t connect to <ConnectionName>. Catastrophic failure.”
In addition, the Application event log records an event ID 20227 from the RasClient source with the following error.
“The user <UserName> dialed a connection name <ConnectionName> which has failed. The error code returned on failure is -2147418113.”
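Because the profile loads without complaint and only fails at connect time, it is worth catching IPv6 entries before the XML reaches a client. The following pre-deployment check is an added example, not code from the original post: it parses a ProfileXML fragment and reports every IPv6 entry in a TrafficFilter. It assumes address lists are comma-separated and that the element names RemoteAddressRanges and LocalAddressRanges are the only address fields in a filter; the sample profile is constructed for the example, with the first filter taken from the post.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ProfileXML: the IPv6 filter from the post plus an IPv4 filter
# for comparison. Only the elements relevant to the check are included.
SAMPLE_PROFILE_XML = """<VPNProfile>
  <TrafficFilter>
    <App><Id>Microsoft.RemoteDesktop_8wekyb3d8bbwe</Id></App>
    <Protocol>6</Protocol>
    <RemotePortRanges>3389</RemotePortRanges>
    <RemoteAddressRanges>2001:470:f109::/48</RemoteAddressRanges>
  </TrafficFilter>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.0.0.0/8, 192.168.1.10</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>"""

# Assumption: these are the address-bearing elements of a TrafficFilter.
ADDRESS_ELEMENTS = ("RemoteAddressRanges", "LocalAddressRanges")


def parse_address_entry(entry):
    """Return an ip_network for one entry (single host, CIDR, or start of an a-b range)."""
    entry = entry.strip()
    if "-" in entry:  # "a-b" range: the first endpoint determines the address family
        entry = entry.split("-", 1)[0].strip()
    return ipaddress.ip_network(entry, strict=False)


def find_ipv6_filters(profile_xml):
    """Return (filter_index, element_name, entry) for each IPv6 address entry.

    Any finding means the profile will hit the connect-time 'Catastrophic failure'
    (RasClient event 20227, error -2147418113) described in the post.
    """
    root = ET.fromstring(profile_xml)
    findings = []
    for index, tf in enumerate(root.iter("TrafficFilter")):
        for name in ADDRESS_ELEMENTS:
            element = tf.find(name)
            if element is None or not element.text:
                continue
            for entry in element.text.split(","):
                if parse_address_entry(entry).version == 6:
                    findings.append((index, name, entry.strip()))
    return findings


if __name__ == "__main__":
    for index, name, entry in find_ipv6_filters(SAMPLE_PROFILE_XML):
        print(f"TrafficFilter[{index}] {name}: IPv6 entry {entry} will break the connection")
```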
Workaround
At this time, the only known workaround is to update the configuration on the RRAS server to use IPv4 addressing for VPN clients.
Summary
Unfortunately, IPv6 is still a second-class citizen when it comes to Always On VPN. Although enabling IPv6 works well in most common deployment scenarios, the Microsoft Endpoint Manager management console often fails to accept IPv6 entries in IP address fields. In addition, some advanced features such as traffic filtering are incompatible with IPv6.
Additional Information
Windows 10 Always On VPN and Zero Trust Network Access (ZTNA)
Windows 10 Always On VPN Windows Server RRAS Service Does Not Start
Steff / January 2, 2023
Hi Richard, thanks a lot for your article!
One question about IPv6 support: we have an Always On deployment with multiple workers for user and device tunnels using only IKEv2 and a F5 LB in front of it. As more and more home office users have DS-Lite internet access only, we would like to enable our VPN service for IPv6.
Do you know if it is enough if we give our load balancers a Global Unicast IPv6 address? The clients would then resolve the IPv6 address of the load balancers via AAAA DNS record and establish an IPSec connection on ports 500 and 4500 UDP. In the background, the F5 load balances the connections via IPv4 to the workers. Or will this not work?
Richard M. Hicks / January 2, 2023
I expect that would work. It’s not uncommon to use load balancers to convert IPv6 to IPv4 (or IPv4 to IPv6) in this way. However, doing this will likely result in some unexpected behavior. Specifically, the VPN server will see all traffic coming from the load balancer, not the client itself. This can cause problems for IKEv2/IPsec. Details here:
https://directaccess.richardhicks.com/2020/04/13/always-on-vpn-ikev2-load-balancing-and-nat/