Skip to main content
bluemerle
bluemerle
Visitor III
May 27, 2025
Question

How to handle IPSec VPN and Endpoints using Dual Stack Lite (DS-Lite) behind CGNAT?

  • May 27, 2025
  • 5 replies
  • 2541 views

I've set up an IPsec VPN with certificate-based authentication and started migrating away from SSL-VPN.

 

Unfortunately, around 10% of our remote users are on DS-Lite. This means they have a public IPv6 address but share a single IPv4 address via Carrier Grade NAT. SSL-VPN works in this setup, but IPsec does not.

 

To address this, I:

Added an IPv6 address to our WAN interface via Router Advertisement (ping6 works in both directions).

Created a AAAA DNS record for the FQDN vpn.companyname.com.

Added the subnet fd00:abcd::10 - fd00:abcd::100 /64 to the IPsec tunnel, along with 172.16.25.x IPv4 addresses.

Enabled split tunneling for IPv6: Split to Tunnel → none (we don’t use IPv6 internally elsewhere).

Added an IPsec Phase 2 entry via CLI with:

set src-addr-type subnet6

set dst-addr-type subnet6

Now, FortiClient 7.4.3 connects but freezes after clicking "Connect". It does not fail, it just hangs indefinitely.

The idea is to establish the IPsec tunnel over IPv6 and route all private IPv4 traffic through it.

 

The setup is working fine for IPv4 only.

Target is a FG200F on v7.4.7.  vs.  FortiClient v7.4.3

<block_ipv6>0</block_ipv6> is set in the FortiClient config.

 

 

 

5 replies

Anthony_E
Staff
Anthony_E
Staff
May 30, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
June 2, 2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
June 5, 2025

Hi,

 

Handling IPsec VPN and endpoints using Dual Stack Lite (DS-Lite) behind CGNAT involves several considerations:

  1. Enable NAT Traversal (NAT-T): Ensure that NAT-T is enabled on both ends of the IPsec VPN. This encapsulates ESP packets within UDP, typically using port 4500, which helps traverse NAT devices.
  2. Configure DS-Lite: DS-Lite allows IPv4 traffic to be tunneled over an IPv6 network. Ensure that your network devices support DS-Lite and are properly configured to handle IPv4 over IPv6 tunneling.
  3. Use IPv6 for VPN Endpoints: If possible, configure the VPN endpoints to use IPv6 addresses. This can help bypass some of the limitations imposed by CGNAT on IPv4 traffic.
  4. Test Connectivity: Use diagnostic tools to test the connectivity and ensure that the VPN tunnel is established correctly. Commands like `ping` and `traceroute` can help verify the path and connectivity.
  5. Monitor and Troubleshoot: Use logging and monitoring tools to keep track of the VPN performance and troubleshoot any issues that arise. Debugging commands specific to IPsec and IKE can be useful for this purpose.
  6. Consult Vendor Documentation: Refer to the documentation provided by your VPN and network equipment vendors for specific configurations and best practices related to DS-Lite and CGNAT.
Best Regards
    bluemerle
    bluemerleAuthor
    Visitor III
    June 13, 2025

    I got it working by splitting the DNS into separate A and AAAA records and adding two profiles in FortiClient, respectively.

    ipv4.company.com → VPN via IPv4

    ipv6.company.com → VPN via IPv6

     

    I've seen this bug before, but I thought FortiClient v7.4.3 had it fixed.

      Jirka1
      Jirka1
      Explorer II
      December 2, 2025

      hi,

      did you manage to solve the problem somehow?

      I'm on the same path now.

      FortiClient 7.4.4 EMS + FortiGate 7.4.9, DialUp IPsec IKE2 + SAML.

      As soon as the client has been assigned DualStack /IPv4+IPv6/ by its provider, FortiClient ends with a "Crash" error.

      And I also have the AAAA record directed correctly.

      Thanks.

      Jirka

      bluemerle
      bluemerleAuthor
      Visitor III
      December 3, 2025

      We still have 2 IPsec profiles in the Fortclient and 2 DNS records. 

       

      1. for IPv4 -> vpn_ipv4.company.corp -> DNS A Record only
      2. for IPv6 -> vpn_ipv6.company.corp -> DNS AAAA Record only.

       

      Config looks like this (FG 7.4.9) (V6 part)


      edit "IPSec VPN IPv6"
      set type dynamic
      set interface "port1"
      set ip-version 6
      set ike-version 2
      set authmethod signature
      set peertype peergrp
      set net-device disable
      set mode-cfg enable
      set ipv4-dns-server1 $CHANGEME
      set proposal aes128-sha256
      set dpd on-idle
      set dhgrp 19
      set certificate "Fortigate_2025-2027"
      set peergrp "pki-ldap"
      set ipv4-start-ip 172.16.25.1
      set ipv4-end-ip 172.16.25.253
      set ipv4-split-include "IPSec VPN SplitToTunnel"
      set ipv6-split-include "none"
      set dpd-retryinterval 60
      next

      #####Phase 2

      config vpn ipsec phase2-interface

      edit "IPSec VPN IPv6""
      set phase1name "IPSec VPN IPv6
      set proposal aes128-sha256
      set dhgrp 19

      next

      #####

       

      I recall that I had to use the CLI to setup the V6 tunnel, else the "set ip-version 6" was missing.

      ###

      Firewall Certificate includes the DNS names, fixed IPs and the

      X509v3 Extended Key Usage: IPSec End System

      flag.... don't know if that's required at all.

       

       

        Terms & ConditionsAccessibility statement