Technical Tip: BGPv6 over IPv4 IPsec VPN tunnel
Description
This article describes how to configure BGPv6 over a normal IPv4 IPsec VPN tunnel.
It is assumed that the IPsec VPN tunnel is already set up and passing IPv4 traffic.
Note: This article shows only the configuration pertaining to IPv6.

Solution
FortiGate-VM configuration:
Configure IPsec VPN tunnel to allow IPv6 traffic by adding extra phase-2 as follows:
config vpn ipsec phase2-interface
    edit "IPv6"
        set phase1name "FGT-1000D"
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
Configure the corresponding IPv6 address on the IPsec VPN interface to allow dynamic routing over IPv6 as follows:
config system interface
    edit "FGT-1000D"
        config ipv6
            set ip6-address 101:101:101::66/64
            set ip6-allowaccess ping
        end
    next
end
BGPv6 configuration:
config router bgp
    set as 65001
    set router-id 66.66.66.66
    config neighbor
        edit "101:101:101::182"
            set activate disable <-- This is important if there is dual-stack BGPv4 and BGPv6.
            set remote-as 65182
        next
    end
    config network6
        edit 1
            set prefix6 2403:2c00:ffff::/64
        next
    end
end
FGT1000D configuration:
config vpn ipsec phase2-interface
    edit "IPv6"
        set phase1name "FGTKVM-66"
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
config system interface
    edit "FGTKVM-66"
        config ipv6
            set ip6-address 101:101:101::182/64
            set ip6-allowaccess ping
        end
    next
end
config router bgp
    set as 65182
    set router-id 10.47.0.182
    config neighbor
        edit "101:101:101::66"
            set activate disable
            set remote-as 65001
        next
    end
    config network6
        edit 1
            set prefix6 2403:2c00:fffe::/64
        next
    end
end
Verification on FGT-VM:
FGT-kvm # get router info6 bgp network
BGP table version is 2, local router ID is 66.66.66.66
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*  2403:2c00:fffe::/64
                      ::ffff:ac11:64b6         0             0 65182 I <-- (1)
*>                    101:101:101::182         0             0 65182 I <-- (2)
*> 2403:2c00:ffff::/64
                                             100         32768 i
Total number of prefixes 2
Note:
1) If this entry is seen, an IPv4-mapped IPv6 address is being used as the next hop (ac11.64b6 = 172.17.100.182). Run "set activate disable" under "config neighbor" to overcome this issue. For more information, please refer here.
2) Only 101:101:101::182 is seen as the next hop.
FGT-kvm # get router info6 routing-table bgp
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
I - IS-IS, B - BGP
* - candidate default
Timers: Uptime
B 2403:2c00:fffe::/64 [20/0] via 101:101:101::182, FGT-1000D, 1d02h40m
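As an added verification helper (not part of the original article, and using no FortiOS API), the script below parses a constructed copy of the "get router info6 bgp network" output and flags any next hop that is an IPv4-mapped IPv6 address, decoding the embedded IPv4 address the way note (1) does for ac11.64b6. The sample output and the FortiOS line layout it assumes (prefix on one line, next hop on the following line) are modelled on the output shown above.

```python
import ipaddress

# Constructed sample modelled on the article's output: one path with an
# IPv4-mapped next hop (the symptom) and one with the expected tunnel address.
SAMPLE_OUTPUT = """\
BGP table version is 2, local router ID is 66.66.66.66
   Network            Next Hop            Metric LocPrf Weight Path
*  2403:2c00:fffe::/64
                      ::ffff:ac11:64b6         0             0 65182 i
*>                    101:101:101::182         0             0 65182 i
*> 2403:2c00:ffff::/64
                                             100         32768 i
Total number of prefixes 2
"""


def parse_bgp6_network(output: str) -> list[tuple[str, str]]:
    """Return (prefix, next_hop) pairs; locally originated prefixes have no next hop."""
    pairs = []
    prefix = None
    for line in output.splitlines():
        for tok in line.split():
            if "/" in tok:
                # A token with a prefix length that parses as IPv6 starts a new prefix.
                try:
                    prefix = str(ipaddress.IPv6Network(tok, strict=False))
                except ValueError:
                    pass
                continue
            try:
                ipaddress.IPv6Address(tok)  # status codes, metrics and AS numbers fail here
            except ValueError:
                continue
            if prefix is not None:
                pairs.append((prefix, tok))
            break  # at most one next hop per line
    return pairs


def find_ipv4_mapped_next_hops(output: str) -> list[tuple[str, str, str]]:
    """Return (prefix, next_hop, embedded_ipv4) for every IPv4-mapped next hop."""
    findings = []
    for prefix, nh in parse_bgp6_network(output):
        mapped = ipaddress.IPv6Address(nh).ipv4_mapped
        if mapped is not None:
            findings.append((prefix, nh, str(mapped)))
    return findings


if __name__ == "__main__":
    for prefix, nh, v4 in find_ipv4_mapped_next_hops(SAMPLE_OUTPUT):
        print(f"{prefix}: next hop {nh} is IPv4-mapped ({v4}); check 'set activate disable'")
```

Feed it the real output captured from "get router info6 bgp network" instead of the constructed sample; an empty result means every IPv6 prefix is reached via a genuine IPv6 next hop.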