| Description |
This article describes how to configure a dial-up IPsec tunnel for remote access with a dual-stack (IPv4 and IPv6) configuration.
In this example, FortiOS v7.2.5 and FortiClient v7.0.9 will be used.
| Solution |
In order to enable IPv6 connectivity with the FortiGate, enable the built-in IPv6 feature. Go to System -> Feature visibility -> Enable IPv6 and Apply the change.

Configuration of the Dialup Tunnel using IPv4. If there already is a tunnel configured using IPv4, skip to the IPv6 part below.
- Go to VPN -> IPsec Tunnels -> Create New IPsec Tunnel.
Note that the creation wizard only serves as a starting template for the IPv4 part of the configuration. Enter the tunnel name and select Remote Access.

- Select the Incoming Interface, create a pre-shared key, and select the User Group.
- Select the local IPv4 interface and the Local Address, which could be ALL or an address object specifying the subnet of the local interface.
The Client Address Range is the range of IPv4 addresses that users will receive when connecting to the tunnel.
- The Client Options part is an optional preference setting.
- FortiGate will automatically create the tunnel and Policies.
Review the Settings, then hit Create.
Configuration of the Dialup Tunnel using IPv6.
- Go to VPN -> IPsec Tunnels -> Edit the tunnel and convert it to Custom.
- Under the Network Tab, select Edit and add the IPv6 subnet address range under IPv6 mode config. This determines the range of IPv6 addresses the users will be receiving when connecting to the tunnel. In this example, the following range: 2001:db8::1-2001:db8::10 with a prefix length of 128 will be used.

- The Authentication part can be kept as it is or changed based on preference.

- In the Phase-1 Proposal, only one DH group is selected since the aggressive mode is used.

- The XAUTH part has already been configured when using the Wizard:

- For Phase2-Selectors, the Encryption and DH group have been changed based on preference.
After reviewing the tunnel configuration, make sure to save the settings at the bottom of this page.
- To achieve IPv6 connectivity, we have to add another Phase 2 for IPv6.
Open the CLI and edit the tunnel using the following command:
    config vpn ipsec phase2-interface
        edit phase2_ipv6
            set phase1name Dialup_DualStck
            set proposal aes128-sha256 aes256-sha256
            set dhgrp 20
            set src-addr-type subnet6
            set dst-addr-type subnet6
    end

- Go to VPN -> IPsec Tunnels -> Edit the tunnel and confirm in the GUI that it now has two Phase 2 Selectors, one for IPv4 and one for IPv6.
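The same two-selector check can be run against a saved CLI export instead of the GUI. The following is an added example, not part of the original article or Fortinet tooling: it parses phase2-interface blocks and reports which address family each Phase 2 entry covers. The sample text is constructed, the IPv4 entry name is an assumption, and function names are hypothetical.

```python
import shlex

# Constructed sample shaped like `show vpn ipsec phase2-interface` output.
# Tunnel and IPv6 entry names are the article's; the IPv4 entry is assumed.
SAMPLE = """\
config vpn ipsec phase2-interface
    edit "Dialup_DualStck"
        set phase1name "Dialup_DualStck"
        set proposal aes128-sha256 aes256-sha256
    next
    edit "phase2_ipv6"
        set phase1name "Dialup_DualStck"
        set dhgrp 20
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
"""

def parse_phase2(text):
    """Return {entry_name: {option: [values]}} from edit/set blocks."""
    entries, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            current = None
    return entries

def selector_families(text, phase1):
    """Map each phase 2 bound to `phase1` to 'ipv4', 'ipv6' or 'mixed'."""
    v6 = {"subnet6", "range6", "ip6", "name6"}
    result = {}
    for name, opts in parse_phase2(text).items():
        if opts.get("phase1name") != [phase1]:
            continue
        # Assumption: an absent addr-type means the IPv4 default, "subnet".
        src = opts.get("src-addr-type", ["subnet"])[0] in v6
        dst = opts.get("dst-addr-type", ["subnet"])[0] in v6
        result[name] = "mixed" if src != dst else ("ipv6" if src else "ipv4")
    return result

def is_dual_stack(text, phase1):
    return {"ipv4", "ipv6"} <= set(selector_families(text, phase1).values())
```

A "mixed" result means the source and destination selector types of one entry belong to different address families, which usually indicates that only one of the two addr-type settings was applied.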
Configuration of the FortiClient side.
- Edit the FortiClient XML file to enable IPv6. To do so, follow this Community Article here:
Technical Tip: Not receiving an IPv6 address from Dialup IPsec tunnel on FortiClient
- Configure the FortiClient VPN connection:



Review the configuration and make sure it matches the FortiGate side. FortiClient should now connect successfully to the FortiGate using dual stack.
- In order to be able to reach an IPv6 subnet on the FortiGate side, we will need to create a policy. Go to Policy & Objects -> Firewall Policy and Create a New Policy.
Verification:
- Verify connectivity by pinging an IPv6 address that resides on the FortiGate side.
- Verify connectivity by pinging an IPv4 address that resides on the FortiGate side.

If any problem occurs, feel free to contact Fortinet Support:
https://support.fortinet.com/welcome/#/
Related article:
Technical Tip: Not receiving an IPv6 address from Dialup IPsec tunnel on FortiClient