Description | This article describes how to configure an IKEv2 dial-up IPsec tunnel over an IPv6-only WAN connection, enabling access to both IPv4 and IPv6 internal resources, and optionally providing full IPv4 internet connectivity for IPv6-only hosts by encapsulating IPv4 traffic within the IPv6 tunnel. |
Scope | FortiGate, FortiClient v7.4.0 and v7.4.3. |
Solution |
In this scenario, for simplicity, the FortiGate is configured to act as both the IPv6 internet gateway and the DNS server, using the following entries in its DNS Database:
ipv6.local : 2001:db8:cafe:2::1
The IPv4 protocol is disabled on the client machine's network adapter, with only IPv6 configured.
DNS Server, Database, and Network Interface Configuration:

    config system dns-server
        edit "port1"
        next
    end

    config system dns-database
        edit "LocalLAB"
            set domain "ipv6.local"
            config dns-entry
                edit 1
                    set type AAAA
                    set hostname "@"
                    set ipv6 2001:db8:cafe:2::1
                next
                edit 2
                    set type AAAA
                    set hostname "vpn"
                    set ipv6 2001:db8:cafe:2::1
                next
                edit 3
                    set type AAAA
                    set hostname "loop"
                    set ipv6 2001:db5:cafe:10::1
                next
                edit 4
                    set hostname "loop4"
                    set ip 10.10.10.10
                next
            end
            set contact "hostmaster@ipv6.local"
        next
    end

    config system interface
        edit "port1"
            set vdom "root"
            set ip 10.5.148.155 255.255.255.252
            set allowaccess ping https ssh http fgfm
            set alias "Internet"
            config ipv6
                set ip6-address 2001:db8:cafe:2::1/64
                set ip6-allowaccess ping https ssh http fgfm
            end
        next
        edit "Loop"
            set vdom "root"
            set ip 10.10.10.10 255.255.255.255
            set allowaccess ping https ssh http fgfm
            set type loopback
            set role lan
            config ipv6
                set ip6-address 2001:db5:cafe:10::1/64
                set ip6-allowaccess ping https ssh http fgfm
            end
        next
    end

Note: the lab enables HTTP, SSH and FGFM administrative access on the Internet-facing port1 (allowaccess and ip6-allowaccess). In production, limit administrative access on the WAN interface to what is strictly required, and prefer HTTPS with trusted hosts.
Configuration of Local Users and Groups:

    config user local
        edit "test"
            set type password
            set passwd fortinet
        next
    end

    config user group
        edit "LocalGRP"
            set member "test"
        next
    end
(Optional) Configuration of Firewall Addresses for inclusion in IPv4/IPv6 Split Tunneling:

    config firewall address
        edit "Loop address"
            set type interface-subnet
            set subnet 10.10.10.10 255.255.255.255
            set interface "Loop"
        next
    end

    config firewall address6
        edit "Loop addressipv6"
            set ip6 2001:db5:cafe:10::/64
        next
    end
IKEv2 Dialup IPsec configuration:

    config vpn ipsec phase1-interface
        edit "TestIKEv2IPv6"
            set type dynamic
            set interface "port1"
            set ip-version 6
            set ike-version 2
            set local-gw6 2001:db8:cafe:2::1
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha1 aes256-sha256
            set dpd on-idle
            set dhgrp 20
            set eap enable
            set eap-identity send-request
            set ipv4-start-ip 172.25.25.1
            set ipv4-end-ip 172.25.25.10
            set ipv4-split-include "Loop address"          <--- Optional
            set dns-mode auto
            set ipv6-start-ip 2001:db9:cafe:1::1
            set ipv6-end-ip 2001:db9:cafe:1::10
            set ipv6-split-include "Loop addressipv6"      <--- Optional
            set client-auto-negotiate enable
            set client-keep-alive enable
            set psksecret fortinet
            set dpd-retryinterval 60
        next
    end

    config vpn ipsec phase2-interface
        edit "TestIKEv2P2"
            set phase1name "TestIKEv2IPv6"
            set proposal aes128-sha1 aes256-sha256
            set dhgrp 20
        next
        edit "IPv6IKEv2"
            set phase1name "TestIKEv2IPv6"
            set proposal aes128-sha1 aes256-sha256
            set dhgrp 20
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end

The proposals, the pre-shared key and the local user's password above are lab values: 'aes128-sha1' keeps SHA-1 negotiable, and 'fortinet' is a guessable psksecret. For production, restrict the proposals to SHA-256 or AES-GCM variants and use a long random psksecret. With 'set peertype any', the same PSK is shared by every dial-up client, so per-user identity rests on the EAP credentials (here the members of LocalGRP).
Important: Two Phase-2 interfaces must be configured, one for IPv4 and one for IPv6, even though the dial-up tunnel will accept only IPv6 connections.
Firewall policy configuration for both scenarios: Simultaneous IPv4 and IPv6 Split-Tunneling, and IPv4 Full-Tunneling with IPv6 Split-Tunneling:

    config firewall policy
        edit 1
            set name "IPv6IPsec"
            set srcintf "TestIKEv2IPv6"
            set dstintf "Loop"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "LocalGRP"
            set comments "IPv6 Client to IPv4&IPv6 Loopback"
        next
        edit 2
            set name "IPv6Only-To-IPv4Internet"
            set srcintf "TestIKEv2IPv6"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set groups "LocalGRP"
            set comments "IPv6-Only To Internet [Full_IPv4_Tunneling]"
        next
    end
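The configuration above is easy to get subtly wrong (a missing IPv6 phase-2, a split-include that names an object that does not exist, or a full-tunnel setup without a NAT policy to the WAN port), and the FortiGate CLI does not check the pieces against each other. The following linter, added here as an example and not part of the article or of FortiOS, parses the config/edit/set/next/end CLI shape used on this page (either multi-line or flattened onto one line as shown above) and checks the rules the article states: IPv6 gateway with IKEv2, one IPv4 and one IPv6 phase-2 per dial-up phase-1, well-formed mode-cfg pools, split-include names that resolve to firewall address/address6 objects, a policy from the tunnel interface, and a NAT policy towards the WAN interface when ipv4-split-include is unset. It also warns about SHA-1/MD5 in the proposal. The parser is minimal and assumes no configuration value is itself a CLI keyword; SAMPLE is a constructed subset of the article's configuration with ipv4-split-include left unset.

```python
"""Offline sanity checks for the IKEv2 dial-up tunnel configured above.
Added example, not the article's or Fortinet's code: parses the FortiOS
config/edit/set/next/end CLI (multi-line or flattened onto one line, as on this
page) and checks the rules the article states. SAMPLE is a constructed subset of
the article's configuration with ipv4-split-include left unset (IPv4 full tunneling).
"""
import ipaddress
import re
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}


def parse_fortios(text):
    """FortiOS CLI -> {table: {entry: {key: [values]}}}; nested 'config'
    blocks become sub-dicts of the entry. Assumes no value equals a keyword."""
    text = re.sub(r"<---\s*\w+", "", text)   # drop the page's '<--- Optional' notes
    stmts, cur = [], []
    for tok in shlex.split(text):            # keeps "Loop address" as one value
        if tok in KEYWORDS:
            if cur:
                stmts.append(cur)
            cur = [tok]
        else:
            cur.append(tok)
    if cur:
        stmts.append(cur)
    root = {}
    stack = [root]
    for cmd, *args in stmts:
        top = stack[-1]
        if cmd == "config":
            stack.append(top.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(top.setdefault(args[0], {}))
        elif cmd == "set":
            top[args[0]] = args[1:]
        elif cmd == "unset":
            top.pop(args[0], None)
        else:                                # next / end close the current block
            stack.pop()
    return root


def lint(text):
    """Return {'errors': [...], 'warnings': [...]} for every phase1-interface."""
    cfg = parse_fortios(text)
    p2s = cfg.get("vpn ipsec phase2-interface", {}).values()
    pols = cfg.get("firewall policy", {}).values()
    objs = {"ipv4-split-include": cfg.get("firewall address", {}),
            "ipv6-split-include": cfg.get("firewall address6", {})}
    errors, warnings = [], []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ip-version") != ["6"] or "local-gw6" not in p1:
            errors.append(f"{name}: needs 'set ip-version 6' and 'set local-gw6'")
        if p1.get("ike-version") != ["2"]:
            errors.append(f"{name}: needs 'set ike-version 2'")
        # The article's 'Important' note: one IPv4 and one IPv6 phase-2 per phase-1.
        mine = [p2 for p2 in p2s if p2.get("phase1name") == [name]]
        has4 = any(p2.get("src-addr-type", ["subnet"]) == ["subnet"] for p2 in mine)
        has6 = any(p2.get("src-addr-type") == p2.get("dst-addr-type") == ["subnet6"]
                   for p2 in mine)
        if not (has4 and has6):
            errors.append(f"{name}: needs one IPv4 phase-2 and one subnet6 phase-2")
        for fam, ver in (("ipv4", 4), ("ipv6", 6)):   # mode-cfg pools: present, valid, lo <= hi
            try:
                lo = ipaddress.ip_address(p1[f"{fam}-start-ip"][0])
                hi = ipaddress.ip_address(p1[f"{fam}-end-ip"][0])
                ok = lo.version == hi.version == ver and lo <= hi
            except (KeyError, ValueError):
                ok = False
            if not ok:
                errors.append(f"{name}: missing or malformed {fam} pool")
        for key, table in objs.items():      # split-include must name real objects
            for obj in p1.get(key, []):
                if obj not in table:
                    errors.append(f"{name}: {key} '{obj}' is not a defined object")
        # A policy from the tunnel is required; with no ipv4-split-include (IPv4 full
        # tunneling) there must also be a NAT policy towards the WAN interface.
        from_tun = [pol for pol in pols if name in pol.get("srcintf", [])]
        if not from_tun:
            errors.append(f"{name}: no firewall policy with srcintf {name}")
        wan = p1.get("interface", [""])[0]
        if "ipv4-split-include" not in p1 and not any(
                wan in pol.get("dstintf", []) and pol.get("nat") == ["enable"]
                for pol in from_tun):
            errors.append(f"{name}: IPv4 full tunneling needs a NAT policy to {wan}")
        if any("sha1" in prop or "md5" in prop for prop in p1.get("proposal", [])):
            warnings.append(f"{name}: proposal allows SHA-1/MD5; prefer SHA-256 or AES-GCM")
    return {"errors": errors, "warnings": warnings}


# Constructed sample (flattened form, as on this page); not a complete FortiGate config.
SAMPLE = """
config firewall address edit "Loop address" set type interface-subnet set subnet 10.10.10.10 255.255.255.255 set interface "Loop" next end
config firewall address6 edit "Loop addressipv6" set ip6 2001:db5:cafe:10::/64 next end
config vpn ipsec phase1-interface edit "TestIKEv2IPv6" set type dynamic set interface "port1" set ip-version 6 set ike-version 2 set local-gw6 2001:db8:cafe:2::1 set peertype any set mode-cfg enable set proposal aes128-sha1 aes256-sha256 set dhgrp 20 set eap enable set ipv4-start-ip 172.25.25.1 set ipv4-end-ip 172.25.25.10 set ipv6-start-ip 2001:db9:cafe:1::1 set ipv6-end-ip 2001:db9:cafe:1::10 set ipv6-split-include "Loop addressipv6" <--- Optional set psksecret fortinet next end
config vpn ipsec phase2-interface edit "TestIKEv2P2" set phase1name "TestIKEv2IPv6" set proposal aes128-sha1 aes256-sha256 next edit "IPv6IKEv2" set phase1name "TestIKEv2IPv6" set src-addr-type subnet6 set dst-addr-type subnet6 next end
config firewall policy edit 2 set srcintf "TestIKEv2IPv6" set dstintf "port1" set action accept set srcaddr "all" set dstaddr "all" set nat enable set groups "LocalGRP" next end
"""
```

Calling lint(SAMPLE) on the sample returns no errors and one warning (the SHA-1 proposal); deleting the subnet6 phase-2, the NAT policy, or the address6 object from the sample each produces the corresponding error, which is the same failure a client would otherwise only discover at connection time. The lookup on "ipv4-split-include" is deliberately a plain key check: the article's own switch between split and full tunneling is 'unset ipv4-split-include', and the parser removes the key on 'unset'.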
Once connected, the user receives two addresses on the virtual adapter, one IPv4 and one IPv6 from the pools configured on the phase-1 interface, enabling dual-stack connectivity through the tunnel.
Each tunneling configuration on the phase-1 interface produces different results for the following cases:
Note: To switch a protocol family from split to full tunneling, unset ipv4-split-include or ipv6-split-include on the phase1-interface. For example, 'unset ipv4-split-include' sends all of the client's IPv4 traffic through the tunnel while IPv6 remains split-tunneled.
[Screenshots omitted from this text version: Case 2 results; Case 2 route table and network interface configuration on the client; FortiGate user information and packet capture for the IPv4 and IPv6 connections.]
If the client cannot connect or does not obtain an IPv6 address, and FortiClient is registered to EMS, open the 'Remote Access Profile' in FortiClient EMS and disable the 'Block IPv6' option under the IPsec VPN connection settings. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.