Summary
This article describes how to configure AppGate to use IPv4 and IPv6 on the same interface to allow clients to build TLS tunnels via IPv4 or IPv6.
Symptom
The AppGate Client is unable to connect when UDP (and TCP) SPA is enabled and the AppGate Client has an IPv6 source address.
Cause
The client's Internet Service Provider (ISP) is using either IPv6 with Carrier Grade Network Address Translation (CGNAT), which sends UDP and TCP packets from different IPv4 source addresses, OR IPv6 with no CGNAT to translate to IPv4.
Resolution
Prerequisites
1. IPv6 must be configured on the underlying network infrastructure
On-Prem
Ensure that an IPv6 address can be extended to the AppGate appliance interface via DHCP or static assignment. The IPv6 address must be routable on the internet. This process will vary based on network design.
AWS (configure steps may vary)
VPC > Action > Edit CIDRs > Add IPv6 CIDR Block
Subnet > Action > Edit IPv6 CIDRs > Add IPv6 CIDR Block
Instance > Action > Network > Manage IP Addresses > Expand Interface > Assign New IP(v6) Address
Instance > Networking(TAB) > IPv6 address should now show on Networking tab
Azure (configure steps may vary)
In the VNet select Address space in Settings.
Select the box Add additional address range. Enter 2404:f800:8000:122::/63.
Select Save.
Select Subnets in Settings.
In Subnets, select your subnet name from the list. In this example, the subnet name is default.
In the subnet configuration, select the box Add IPv6 address space.
In IPv6 address space, enter 2404:f800:8000:122::/64.
Select Save.
2. DNS entries will need to be configured on each gateway appliance
Controllers - Ensure that the "DNS Name" listed in each client profile (Identity > Client Profiles) has a corresponding AAAA record in your public DNS zone for each controller.
Gateways - If DNS names are used in the Client Hostname/IP field in the Gateway section of the System > Appliances > {Gateway Appliance Name} > Function tab, you will also need to configure AAAA records to match the Client Hostname/IP. If you are currently using an IPv4 address in the Client Hostname/IP field, you will need to move to a DNS entry with both an A record and an AAAA record so the gateway can be resolved via IPv4 and IPv6.
Configuration
Configure Appliance(s)
Ensure all Client profile, Controller and Gateway hostnames have A Records and AAAA Records
1. Interface configuration
In System > Appliances > [Appliance Name] > System Settings
- Under Interfaces > Edit Interface eth(x)
- Configure Static IPv6 Address or enable DHCP Address

2. Configure Hostnames
If you are using IPs in the Client Hostname/IP of your gateway, they will need to be changed to hostnames. This hostname can be different from the real hostname since it will be published externally.

3. Renew Appliance Certificate
!!! WARNING !!! Potential Client Interruption
Change the hostname on one appliance at a time.
Once the hostname is reconfigured you must renew the appliance's certificate.
Renewing the certificate will move users from one gateway to another OR disconnect the users in a single gateway site.
If you are concerned about client interruption, make this change in a maintenance window.
Verify clients are connected to the modified gateway before moving to the next appliance.
Renew the certificate from the ":" menu on the System > Appliance page in the admin UI
Validation
IP Configuration
Your IPv6 address will show in the output of the "addressshow" Remote Command from the ":" menu on the System > Appliance page in the admin UI

OR
Run ip addr from the Appliance command line
DNS Configuration
Verify your DNS names with the "dig" Remote Command from the ":" menu on the System > Appliance page in the admin UI

OR
Run dig ctrl1.example.com AAAA from the Appliance command line
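To check every Client Profile, Controller and Gateway hostname in one pass, the script below tests each name for an A record and an internet-routable AAAA record. It is an added example, not AppGate tooling: the gateway names, all addresses and the function names are assumptions constructed for illustration, and it is meant to run from an admin workstation rather than the appliance.

```python
import ipaddress
import socket

# Constructed sample data: ctrl1.example.com is the page's example name; the gateway
# names and every address are hypothetical. The good AAAA sits in the page's Azure range.
SAMPLE = {
    ("ctrl1.example.com", socket.AF_INET): ["203.0.113.10"],
    ("ctrl1.example.com", socket.AF_INET6): ["2404:f800:8000:122::10"],
    ("gw1.example.com", socket.AF_INET): ["203.0.113.20"],  # A only, AAAA missing
    ("gw2.example.com", socket.AF_INET): ["203.0.113.30"],
    ("gw2.example.com", socket.AF_INET6): ["fd12:3456:789a::5"],  # ULA, not routable
}

def sample_resolver(host, family):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE.get((host, family), [])

def system_resolver(host, family):
    """Ask the OS resolver for one address family; an empty list means no record."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_dual_stack(host, resolver=system_resolver):
    """Return the problems that would stop IPv4 or IPv6 clients reaching host."""
    v4 = resolver(host, socket.AF_INET)
    v6 = resolver(host, socket.AF_INET6)
    problems = []
    if not v4:
        problems.append("no A record")
    if not v6:
        problems.append("no AAAA record")
    for addr in v6:
        # Strip a zone id such as %eth0 before parsing.
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            problems.append(f"AAAA {addr} is not internet-routable")
    return problems

if __name__ == "__main__":
    for name in ("ctrl1.example.com", "gw1.example.com", "gw2.example.com"):
        issues = check_dual_stack(name, sample_resolver)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Call check_dual_stack(name) without the second argument to query live DNS for your own hostnames.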