Configure IPv6 Full and Split Tunnel
BIG-IP Next has enhanced the network access profiles for tunneling:
Full Tunneling
Full Tunneling specifies that all traffic from client devices connected to network access (including traffic to or from the local subnet) is forced over the VPN tunnel. This allows for greater control of traffic from remote users. Traffic destined for the Internet can traverse through the company’s gateway security devices and have a corporate policy applied to it. After client devices are connected to BIG-IP Next network access VPN, changes are made to their routing configurations. This includes changes to the client routing table, default route, and default gateway.
Follow the steps to configure the policy for IPv6 full tunnel mode:
Log in to the BIG-IP Next Central Manager. Navigate to Security Workspace > Security > Access > Policies.
Click the Start Creating button and select the required policy type. Available options are the Per-Session Policy and Per-Request Policy. For more information regarding the creation of the policies, refer to the How To: Create and manage policies using BIG-IP Central Manager.
On the selected policy type panel, navigate to the Policy Configurations > General Properties tab and add the name of the policy in the Policy Name text box. Click Continue.
Retain the default values for the other policy configurations.
On the Resources tab, click the Start Creating option and select the Network Access option from the drop-down list. A Network Access page appears.
On the Network Access page, click the Network Settings tab.
Scroll down to Client Settings and, under the Traffic Options section, select the Force all traffic through tunnel radio button. Additional options are displayed. Keep the default values. Click Continue.
On the IP Pools tab, enter the respective lease pool name in the IPv4 Lease Pool and IPv6 Lease Pool text boxes. The IPv4 lease pool name is mandatory. Click Continue.
On the DNS/Hosts tab, enter the primary and secondary server addresses in the respective IPv4 and IPv6 text boxes. This is optional. Click Continue.
Retain the default values for the other network access configurations. Click Finish.
To create the Webtop, navigate to the Resources tab, click the Start Creating option, and select Webtop from the drop-down list. A network access webtop allows end-users to connect and disconnect from the network access connection. You can assign only a single network access resource to this webtop for starting a network access connection. The Network Access Webtop configuration is defined in the resources property in the Access policy.
Under the Properties section, add the name of the webtop.
Select the required Fallback section Initial State from the drop-down list. Available options are Expanded and Collapsed.
Under the Options section, select all the checkboxes except the Show URL Entry Field option. Available options are Minimize to Tray, Show Warning When Closed, Show URL Entry Field, and Show Resource Search. Click Finish.
On the policy configurations page, retain the default values. Click Finish. A VPD page appears.
Add the required policy agents, such as a Logon Page and Active Directory Authentication, to create the policy.
Click Save. The access policy is saved.
Split Tunneling
Split tunneling for traffic specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. It results in less traffic flowing through BIG-IP Next, as only traffic destined for the VPN traverses the tunnel. Less traffic leads to a smaller workload for BIG-IP Next and lowered bandwidth requirements. Split tunneling also allows for a strict separation between corporate intranet traffic and private Internet use. In addition, it allows the administrator to specify multiple networks/hosts in the LAN address space.
Follow the steps to configure the policy for IPv6 split tunnel mode:
Log in to the BIG-IP Next Central Manager. Navigate to Security Workspace > Security > Access > Policies.
Click the Start Creating button and select the required policy type. Available options are the Per-Session Policy and Per-Request Policy. For more information regarding the creation of the policies, refer to the How To: Create and manage policies using BIG-IP Central Manager.
On the selected policy type panel, navigate to the Policy Configurations > General Properties tab and add the name of the policy in the Policy Name text box. Click Continue.
Retain the default values for the other policy configurations.
On the Resources tab, click the Start Creating option and select the Network Access option from the drop-down list. A Network Access page appears.
On the Network Access page, click the Network Settings tab. Scroll down to Client Settings and, under the Traffic Options section, select the Use split tunneling for traffic radio button. Additional options are displayed.
Under the Include Static Address Spaces section, click the Start Adding option.
Select IPv6 from the Type drop-down list. Available options are DNS, IPv4, and IPv6. Enter the IPv6 address in the Address text box and add the description in the Description text box.
Click Add Row and select IPv4 from the Type drop-down list. Enter the IPv4 address in the Address text box and add the description in the Description text box.
Similarly, under the Exclude Address Spaces section, users can provide DNS, IPv4, or IPv6 addresses for exclusion. Users should add an IPv4 address when the IPv6 address is added. Click Continue.
On the IP Pools tab, enter the respective lease pool name in the IPv4 Lease Pool and IPv6 Lease Pool text boxes. The IPv4 lease pool name is mandatory. Click Continue.
On the DNS/Hosts tab, enter the primary and secondary server addresses in the respective IPv4 and IPv6 text boxes. This is optional. Click Continue.
Retain the default values for the other network access configurations. Click Finish.
To create the Webtop, navigate to the Resources tab, click the Start Creating option, and select Webtop from the drop-down list. A network access webtop allows end-users to connect and disconnect from the network access connection. You can assign only a single network access resource to this webtop for starting a network access connection. The Network Access Webtop configuration is defined in the resources property in the Access policy.
Under the Properties section, add the name of the webtop.
Select the required Fallback section Initial State from the drop-down list. Available options are Expanded and Collapsed.
Under the Options section, select all the checkboxes except the Show URL Entry Field option. Available options are Minimize to Tray, Show Warning When Closed, Show URL Entry Field, and Show Resource Search. Click Finish.
On the policy configurations page, retain the default values. Click Finish. A VPD page appears.
Add the required policy agents, such as a Logon Page and Active Directory Authentication, to create the policy.
Click Save. The access policy is saved.
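An added example (not F5 code and not part of the original page): a Python check to run over the Include and Exclude address-space rows before entering them, flagging an IPv6 row with no accompanying IPv4 row and exclusions that fall outside every included space, and reporting which destinations would use the tunnel. The sample prefixes are constructed, the function names are hypothetical, and the rule that an exclusion overrides an inclusion is an assumption of this model.

```python
import ipaddress

# Constructed sample address spaces (documentation prefixes), shaped like the
# Type/Address rows entered under Include and Exclude in the steps above.
INCLUDE = [("IPv6", "2001:db8:10::/48"), ("IPv4", "10.20.0.0/16")]
EXCLUDE = [("IPv6", "2001:db8:10:ff::/64"), ("IPv4", "10.20.99.0/24")]

def parse(rows):
    """Turn (type, address) rows into networks; reject type/family mismatches."""
    nets = []
    for kind, addr in rows:
        if kind == "DNS":
            continue  # name-based rows are outside this address-only model
        net = ipaddress.ip_network(addr, strict=True)  # rejects set host bits
        if kind != f"IPv{net.version}":
            raise ValueError(f"{addr} entered as {kind} but is IPv{net.version}")
        nets.append(net)
    return nets

def audit(include_rows, exclude_rows):
    """Return findings a reviewer would want resolved before saving the policy."""
    inc, exc = parse(include_rows), parse(exclude_rows)
    findings = []
    for label, nets in (("include", inc), ("exclude", exc)):
        versions = {n.version for n in nets}
        if 6 in versions and 4 not in versions:
            findings.append(f"{label}: IPv6 entry without an IPv4 entry")
    for e in exc:
        # An exclusion outside every included space has no effect on the tunnel.
        if not any(e.version == i.version and e.subnet_of(i) for i in inc):
            findings.append(f"exclude {e} is not inside any included space")
    return findings

def tunneled(dest, include_rows, exclude_rows):
    """Assumed model: tunneled if inside an include and not inside an exclude."""
    ip = ipaddress.ip_address(dest)
    inside = lambda nets: any(ip.version == n.version and ip in n for n in nets)
    return inside(parse(include_rows)) and not inside(parse(exclude_rows))
```

Destinations for which `tunneled` returns False leave the client directly and bypass the corporate gateway controls described under Full Tunneling, so review the result for every IPv6 prefix the organization uses.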