IP-HTTPS is working correctly, but 6to4 has a problem.
The packet filter blocks the ESP packets (Encapsulating Security Payload) of 6to4 IPsec connections.
This shows how we tested DirectAccess on different client machines:
Connection type: 6to4
Connection IP address: 2002:50dc:2a62::50dc:2a62
The DirectAccess connection started to work only after I added the last hexadecimal group (2a62) into the Network Service “DirectAccess” (Ethernet, Protocol=0x2a62, Outgoing).
We found the packet in the SEP packet log.
The DirectAccess rule looks like this:
IP [41,50,51,58]
UDP [Remote=500,3544]
Ethernet [Protocol=0x86dd]
Ethernet [Protocol=0x2a62; Outgoing]
Ethernet [Protocol=0x70a5]
Ethernet [Protocol=0x70a6]
Ethernet [Protocol=0x5ef5]
Ethernet [Protocol=0xc067]
Ethernet [Protocol=0x7087]
Ethernet [Protocol=0x7088]
Network Monitor shows that the particular ESP packet is inside an IPv6 packet (which is the 6to4 packet), and that packet is an IPv6 packet inside normal IPv4.
If we use SEP RU6MP3, then the DirectAccess connection works perfectly and we don’t even need to make any separate network service rule for that. Only allow IPv6 traffic. That’s it.
We have also heard from a Symantec principal regional product manager that Symantec has made some changes to the SEP RU7 firewall, so that might be the reason for this.
Conclusion:
The SEP packet filter cannot deal with the ESP packet, because it only understands the last part of the IPv6 address as an Ethernet frame type.
This problem occurs in these SEP versions: 11.0.7000, 11.0.7101 and 12.1.671.
We have tried to get answers from Symantec support, but we have not received enough technical help to fix this.
We have about 7000 clients and we are missing a solution.
New ideas are needed to solve this problem.
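To make the observation in the post concrete, here is an added example (not from the post or from Symantec) that decodes a 6to4 address the way RFC 3056 defines it and shows which 16-bit value the post says SEP is treating as an EtherType. The function names are my own; the reading that SEP matches the address's last hextet is the post's conclusion, reproduced here so it can be checked against any client address.

```python
import ipaddress

# 6to4 (RFC 3056): addresses live under 2002::/16 and carry the client's public
# IPv4 address W.X.Y.Z in bits 16-47, i.e. 2002:WWXX:YYZZ::/48.
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Return the public IPv4 address a 6to4 address was derived from."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in SIXTO4:
        raise ValueError(f"{addr} is not a 6to4 address")
    raw = ip6.packed              # 16 bytes, network byte order
    return ipaddress.IPv4Address(raw[2:6])


def last_hextet(addr: str) -> int:
    """Final 16 bits of the address: the value the post says SEP treats as an EtherType."""
    return int.from_bytes(ipaddress.IPv6Address(addr).packed[14:16], "big")


def sixto4_address(ipv4: str) -> str:
    """Build the host address 2002:WWXX:YYZZ::WWXX:YYZZ, the form seen in the post."""
    v4 = ipaddress.IPv4Address(ipv4).packed
    hi = int.from_bytes(v4[:2], "big")
    lo = int.from_bytes(v4[2:], "big")
    return str(ipaddress.IPv6Address(f"2002:{hi:04x}:{lo:04x}::{hi:04x}:{lo:04x}"))


def sep_rule_line(addr: str) -> str:
    """Format the per-client workaround line the post reports adding to the rule."""
    return f"Ethernet [Protocol=0x{last_hextet(addr):04x}; Outgoing]"


def workaround_values(addrs):
    """Distinct EtherType values the workaround would need for a set of clients.
    Because the value is derived from each client's public IPv4 address, the set
    grows with the number of distinct client networks; that is why the per-client
    rule does not scale."""
    return sorted({last_hextet(a) for a in addrs})


if __name__ == "__main__":
    client = "2002:50dc:2a62::50dc:2a62"       # address from the post
    print(embedded_ipv4(client))               # 80.220.42.98
    print(sep_rule_line(client))               # Ethernet [Protocol=0x2a62; Outgoing]
    # constructed second client on another public IPv4, for illustration only
    print(workaround_values([client, sixto4_address("198.51.100.7")]))
```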