Created on 04-26-2023 03:45 AM, edited on 04-26-2023 03:46 AM, by Stephen_G
Description
This article describes how to route IPv6 traffic over an IPv4 IPsec tunnel.
Scope
FortiGate, any supported version of FortiOS.
Solution
In the following scenario, a site-to-site IPsec tunnel is configured between IPv4 addresses and is used to reach an IPv6 loopback subnet on the far side. Two FortiGates, labelled FGT-A and FGT-B, are operating in the network.
Network Topology:
FGT-A configuration:
1) WAN Interface configuration
# show sys interface wan2
# config system interface
edit "wan2"
set vdom "root"
set ip 10.33.10.141 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set role wan
set snmp-index 4
next
end
2) VPN configuration
# show vpn ipsec phase1-interface
# config vpn ipsec phase1-interface
edit "VPN-A"
set interface "wan2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.33.4.158
set psksecret ENC 5eBP+monKYV5jHEnlhGVpwHB5egnSKXBPHaFpQyty+HvXrZWMRZjRxHu6xeV49hkOoC+xmoRLyKIRLHK+S8sPeDCs+oovlrq5wuVXBeJ9PlQzf85x9k+Q4oz6x36F3jDtnwbkJxLpQDNf2QxrzaRyf7M4PoPSDUCa1Dyq3jd4KRth5RJtxWmkvFO1mA1z6O79MjxPg==
next
end
# show vpn ipsec phase2-interface
# config vpn ipsec phase2-interface
edit "VPN-A"
set phase1name "VPN-A"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type subnet6 <- Change the source address type to subnet6 to use the IPv6 local selector
set dst-addr-type subnet6 <- Change the destination address type to subnet6 to use the IPv6 remote selector
set src-subnet6 2001::1/128 <- Define the IPv6 local selector
set dst-subnet6 2001::2/128 <- Define the IPv6 remote selector
next
end
3) Firewall policy configuration
# show firewall policy
# config firewall policy
edit 2
set name "VPN"
set uuid 3a7ef4a2-e3ff-51ed-189b-035e2b85f649
set srcintf "lipv6-A"
set dstintf "VPN-A"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
next
edit 3
set uuid 2abedcc0-e419-51ed-70cd-08f475e4ef50
set srcintf "VPN-A"
set dstintf "lipv6-A"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set comments " (Copy of VPN) (Reverse of VPN)"
next
end
4) Static route configuration
# show router static6
# config router static6
edit 1
set dst 2001::2/128
set device "VPN-A"
next
end
FGT-B configuration:
1) Interface configuration
# show sys interface wan2
# config system interface
edit "wan2"
set vdom "root"
set ip 10.33.4.158 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set role wan
set snmp-index 6
next
end
# show sys interface lipv6-B
# config system interface
edit "lipv6-B"
set vdom "root"
set type loopback
set snmp-index 23
# config ipv6
set ip6-address 2001::2/128
set ip6-allowaccess ping
end
next
end
2) VPN configuration
# show vpn ipsec phase1-interface
# config vpn ipsec phase1-interface
edit "VPN-B"
set interface "wan2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.33.10.141
set psksecret ENC o0zSXeUni06PEgAqokPwlfKX1yUP254OkWzBsNDRKN+pmtp3mQ3xGfICT/RQGJuUpN51eF9iWJSkzHpm+3vWS5+jZwRzBRe4b6GtyyMJAZ0qo0HacgyaALMHJmgvrmVIiku79RGqSFY/ROQsPzZ+CnKVEWa8PZJhjepbZSnAkcbjW0usuvvoSvr+ZyOta6Xzaahlww==
next
end
# show vpn ipsec phase2-interface
# config vpn ipsec phase2-interface
edit "VPN-B"
set phase1name "VPN-B"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type subnet6 <- Change the source address type to subnet6 to use the IPv6 local selector
set dst-addr-type subnet6 <- Change the destination address type to subnet6 to use the IPv6 remote selector
set src-subnet6 2001::2/128 <- Define the IPv6 local selector
set dst-subnet6 2001::1/128 <- Define the IPv6 remote selector
next
end
3) Firewall policy configuration:
# show firewall policy
# config firewall policy
edit 2
set name "VPN"
set uuid 1f51940a-e3ff-51ed-0b3d-9039ca523bfb
set srcintf "lipv6-B"
set dstintf "VPN-B"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
next
edit 3
set uuid 312daf30-e402-51ed-498c-d7115745b9f7
set srcintf "VPN-B"
set dstintf "lipv6-B"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set comments " (Copy of VPN) (Reverse of VPN)"
next
end
4) Static route configuration:
# show router static6
# config router static6
edit 1
set dst 2001::1/128
set device "VPN-B"
next
end
Verification of the IPsec tunnel:
On FGT-A:
# dia vpn ike gateway list
vd: root/0
name: VPN-A
version: 1
interface: wan2 8
addr: 10.33.10.141:500 -> 10.33.4.158:500 <- IPv4 IPsec phase 1
tun_id: 10.33.4.158/::10.33.4.158
remote_location: 0.0.0.0
network-id: 0
created: 11094s ago
IKE SA: created 1/2 established 1/2 time 0/4510/9020 ms
IPsec SA: created 1/2 established 1/1 time 0/0/0 ms
id/spi: 13 b2cda29cd2d19bb9/ca9716abca3f4633
direction: responder
status: established 11087-11087s ago = 0ms
proposal: aes128-sha256
key: 077b599444290c05-cd58d5bd83ea5c4a
lifetime/rekey: 86400/75042
DPD sent/recv: 00000005/00000000
# dia vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-A ver=1 serial=1 10.33.10.141:0->10.33.4.158:0 tun_id=10.33.4.158 tun_id6=::10.33.4.158 dst_mtu=1500 dpd-link=on weight=1
bound_if=8 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=10179 olast=10179 ad=/0
stat: rxp=10 txp=28 rxb=1982 txb=2936
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-A proto=0 sa=1 ref=2 serial=2
src: 0:2001::1-2001::1:0 <- IPv6 phase2 local selector
dst: 0:2001::2-2001::2:0 <- IPv6 phase2 remote selector
SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=32143/0B replaywin=2048
seqno=1b esn=0 replaywin_lastseq=00000009 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=d86f7f5e esp=aes key=16 7486354041daccf95b4de88157c0c8c1
ah=sha1 key=20 354a7e252c6954d4aa73f8074448e590184b5ace
enc: spi=5b62d3fe esp=aes key=16 d107ffdd286af5f48a95513bb860f19e
ah=sha1 key=20 a8a643ad1ae4cf90ae8972460bb4cac174bb7f07
dec:pkts/bytes=11/2134, enc:pkts/bytes=53/7136
npu_flag=03 npu_rgwy=10.33.4.158 npu_lgwy=10.33.10.141 npu_selid=1 dec_npuid=1 enc_npuid=1
run_tally=0
# get router info6 routing-table 2001::2/128
Routing entry for 2001::2/128
Known via "static", distance 10, metric 0, best
Last update 03:05:59 ago
* via VPN-A tunnel 10.33.4.158
# execute ping6-options source6 2001::1
# execute ping6 2001::2
PING 2001::2(2001::2) from 2001::1 : 56 data bytes
64 bytes from 2001::2: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 2001::2: icmp_seq=2 ttl=64 time=0.218 ms
--- 2001::2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss, time 4046ms
rtt min/avg/max/mdev = 0.218/0.235/0.283/0.029 ms
# dia sniffer packet any "host 2001::2" 4 0 a
interfaces=[any]
filters=[host 2001::2]
2023-04-26 10:12:49.238687 VPN-A out 2001::1 -> 2001::2: icmp6: echo request seq 1
2023-04-26 10:12:49.238911 VPN-A in 2001::2 -> 2001::1: icmp6: echo reply seq 1
2023-04-26 10:12:50.245048 VPN-A out 2001::1 -> 2001::2: icmp6: echo request seq 2
2023-04-26 10:12:50.245226 VPN-A in 2001::2 -> 2001::1: icmp6: echo reply seq 2
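The settings above only work when the two peers are exact mirror images: FGT-A's dst-subnet6 must be FGT-B's src-subnet6 and vice versa, each remote-gw must be the other side's wan2 address, and the static6 route must cover the remote selector. The following added example (not Fortinet code) reads the relevant set lines copied from the two configurations above, runs those consistency checks, and renders each IPv6 selector in the proto:first-last:port form that diagnose vpn tunnel list prints (src: 0:2001::1-2001::1:0 above), so the expected and live selector lines can be compared directly. It generalises to prefixes wider than /128.

```python
import ipaddress

# Relevant 'set' lines copied from the FGT-A and FGT-B configuration above
# (constructed excerpt; this flat parser expects one tunnel's settings at a time).
FGT_A = """\
set ip 10.33.10.141 255.255.240.0
set remote-gw 10.33.4.158
set src-addr-type subnet6
set dst-addr-type subnet6
set src-subnet6 2001::1/128
set dst-subnet6 2001::2/128
set dst 2001::2/128
"""
FGT_B = """\
set ip 10.33.4.158 255.255.240.0
set remote-gw 10.33.10.141
set src-addr-type subnet6
set dst-addr-type subnet6
set src-subnet6 2001::2/128
set dst-subnet6 2001::1/128
set dst 2001::1/128
"""

def parse_set_lines(text):
    """Map each 'set <key> <value...>' line to its value (quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) == 3 and parts[0] == "set":
            cfg[parts[1]] = parts[2].strip('"')
    return cfg

def selector_string(subnet6):
    """Render a phase 2 selector as 'diagnose vpn tunnel list' shows it:
    proto:first-last:port, e.g. 0:2001::1-2001::1:0 for 2001::1/128."""
    net = ipaddress.ip_network(subnet6)
    return f"0:{net[0]}-{net[-1]}:0"

def check_peers(local, remote, local_name):
    """Return mismatches between one peer and the other; an empty list means consistent."""
    issues = []
    if (local["src-addr-type"], local["dst-addr-type"]) != ("subnet6", "subnet6"):
        issues.append(f"{local_name}: both phase2 address types must be subnet6")
    if local["remote-gw"] != remote["ip"].split()[0]:
        issues.append(f"{local_name}: remote-gw is not the peer's WAN address")
    if (local["src-subnet6"], local["dst-subnet6"]) != (remote["dst-subnet6"], remote["src-subnet6"]):
        issues.append(f"{local_name}: IPv6 selectors do not mirror the peer's")
    if not ipaddress.ip_network(local["dst-subnet6"]).subnet_of(ipaddress.ip_network(local["dst"])):
        issues.append(f"{local_name}: static6 route does not cover the remote selector")
    return issues

if __name__ == "__main__":
    a, b = parse_set_lines(FGT_A), parse_set_lines(FGT_B)
    print(check_peers(a, b, "FGT-A") + check_peers(b, a, "FGT-B"))  # [] when consistent
    print(selector_string(a["src-subnet6"]), selector_string(a["dst-subnet6"]))
```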
Copyright 2025 Fortinet, Inc. All Rights Reserved.