- Configure Interface with IPv6 and IPv4: Verify or set the physical interface (port3 is used here) so that it carries both IPv4 and IPv6. The IPv6 address used on this FortiGate is 2001:db8::2/64, and the remote FortiGate is 2001:db8::1/64. Note that `set allowaccess ping https http` also exposes plain HTTP administrative access on this interface; keep the management protocols on an internet-facing interface to the minimum actually required.
config system interface
edit "port3"
set vdom "root"
set ip 172.25.160.100 255.255.255.0
set allowaccess ping https http
set vlanforward enable
set type physical
set snmp-index 3
config ipv6
set ip6-address 2001:db8::2/64
set ip6-allowaccess ping
set ip6-send-adv enable
end
next
end
- Create an IPsec VPN Tunnel with IPv6 Gateway: Use `vpn ipsec phase1-interface` to define the IPv6 endpoint. Below, `ipv6-tunnel` is configured to use an IPv6 peer address.
config vpn ipsec phase1-interface
edit "ipv6-tunnel"
set interface "port3"
set ip-version 6
set ike-version 2
set local-gw6 2001:db8::2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set dhgrp 14
set remote-gw6 2001:db8::1
set psksecret <your psk>
set dpd-retryinterval 10
next
end
Key Notes:
- `set ip-version 6` enables the use of IPv6 peer addresses.
- Both the local (`local-gw6`) and remote (`remote-gw6`) IPv6 gateway addresses are specified. Because `set peertype any` is used, any peer that presents the correct PSK is accepted; where the remote gateway is known, restrict the accepted peer identity rather than relying on the PSK alone.
- Configure Dual IPv6 and IPv4 Phase 2 Selectors: Define one phase 2 for IPv6 and another for IPv4 under the same phase 1. No source or destination subnets are set on either phase 2 here, so both selectors are wildcards (0::/0 and 0.0.0.0/0), as the tunnel listing below confirms; narrow them to the networks that should actually traverse the tunnel. Each `edit` entry should be closed with `next` before the final `end`.
config vpn ipsec phase2-interface
edit "ipv6-tunnel-p2"
set phase1name "ipv6-tunnel"
set proposal aes256-sha256
set dhgrp 14
set src-addr-type subnet6
set dst-addr-type subnet6
next
edit "ipv4-phase2"
set phase1name "ipv6-tunnel"
set proposal aes256-sha256
set dhgrp 14
end
end
Use the output below to verify the tunnel status. This listing prints the negotiated SA keys (the `key=` hex values) in clear text, so redact it before sharing it outside the device.
diagnose vpn tunnel list name ipv6-tunnel
list ipsec tunnel by names in vd 0 ------------------------------------------------------ name=ipv6-tunnel ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 nexthop=:: tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=1500 weight=1 bound_if=5 real_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=6 ilast=1 olast=1 ad=/0 stat: rxp=1 txp=0 rxb=174 txb=0 dpd: mode=on-idle on=1 status=ok idle=10000ms retry=3 count=0 seqno=28 natt: mode=none draft=0 interval=0 remote_port=0 fec: egress=0 ingress=0 proxyid=ipv6-tunnel-p2 proto=0 sa=1 ref=2 serial=2 src: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0 dst: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0 SA: ref=3 options=30202 type=00 soft=0 mtu=1406 expire=42860/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=42902/43200 dec: spi=9a70c2e5 esp=aes key=32 bc3f136ad6d38bfbcbf65f8c223a9c8c1c3365c76cad46bfb3bf6f02fbdf9c7b ah=sha256 key=32 48680077c51692796c4ef92609cafb7c8ba488258ab18727b4c35dacebec4b64 enc: spi=22f24163 esp=aes key=32 711edf24af65621948b8c6497457d270c1e14e39e4f1bd0770294190f498d0dd ah=sha256 key=32 d4f458f574f904baf501efb57bb035f33d98801a5ed6510f66fac4b8978bf21f dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=2001:db8::1 npu_lgwy=2001:db8::2 npu_selid=5 dec_npuid=0 enc_npuid=0 proxyid=s proto=0 sa=1 ref=2 serial=3 src: 0:0.0.0.0-255.255.255.255:0 dst: 0:0.0.0.0-255.255.255.255:0 SA: ref=3 options=30202 type=00 soft=0 mtu=1422 expire=42858/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=9a70c2e7 esp=aes key=16 b1c9139e3973990074412f46308a2ddf ah=sha1 key=20 4963421ea144e20c3f80368ebf31fd9dcde01f1e enc: spi=22f24164 esp=aes key=16 14cd6513f84f388e45bbcbd0592c4759 ah=sha1 key=20 be11204799b59aa1b59c21f2d0fdba7805f62f07 dec:pkts/bytes=1/174, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=2001:db8::1 npu_lgwy=2001:db8::2 npu_selid=8 dec_npuid=0 enc_npuid=0