Article Id 253492
Description

 

This article explains how to configure a route-based IPsec tunnel whose IKE/ESP transport runs over IPv6 (IPv6 gateway addresses) while the traffic carried inside the tunnel is IPv4, i.e. IPv4 selectors, IPv4 static routes and IPv4 firewall policies pointing at the IPv6-transport tunnel interface.

 

Scope

 

FortiGate.

 

Solution
 

Topology:

 

IPv6_Ipsec.png

 

FGT-1 Configuration (lab device; the listing reflects the lab state, including `telnet` and `http` in `allowaccess` on a WAN-role interface, which should not be replicated in production — restrict administrative access to HTTPS/SSH on trusted interfaces only):

 

FG80EP-1 # show system interface lan
    config system interface
        edit "lan"
            set vdom "root"
            set ip 10.5.20.136 255.255.240.0
            set allowaccess ping https ssh http telnet fgfm
            set type hard-switch
            set explicit-web-proxy enable
            set lldp-reception enable
            set measured-upstream-bandwidth 2141
            set measured-downstream-bandwidth 34400
            set bandwidth-measure-time 1662555493
            set monitor-bandwidth enable
            set role wan
            set snmp-index 19
                config ipv6
                    set ip6-address 1::2/120   <- IPv6 address of the underlying interface; this is FGT-1's local IKE endpoint and is what FGT-2 configures as remote-gw6.
                end
        next
    end

 

VPN configuration CLI (the phase 1 below uses the FortiOS default of IKEv1 main mode with a pre-shared key and still offers SHA1 proposals; for a new deployment consider `set ike-version 2`, drop the `*-sha1` proposals where both peers support SHA2, and use a long random PSK or certificate authentication):

 

FG80EP-1 # show vpn ipsec phase1-interface IPv6
    config vpn ipsec phase1-interface
        edit "IPv6"
            set interface "lan"
            set ip-version 6  <- Set ip-version to 6 (the default is 4). With ip-version 6 the peer is specified with remote-gw6 (below) instead of remote-gw, and the IKE/ESP packets are exchanged over IPv6.
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw6 1::1  
            set psksecret ENC 0kBQqssLFXYIUPNpaWISuyu9vyVi1Y787HcH9mLMwJ7HnsdIDwEDgQskBvre9qwcw/tljJlDHtjC9rRitfzumbFEPosSdeii9sL3ZimxjwcEFU+ar2TXORxIuf2LCQ7D1rchB1c2JYTst7wM7Jo8RUSqkeTC8R9zNL50wNMNS4jxrxIxQFEoRqk85cBCbnhunTa==
        next
    end

 

FG80EP-1 # show full vpn ipsec phase2-interface IPv6
    config vpn ipsec phase2-interface
        edit "IPv6"
            set phase1name "IPv6"
            set proposal aes128-sha1
            set pfs enable
            set diffserv disable
            set protocol 0
            set src-addr-type subnet
            set src-port 0
            set dst-addr-type subnet
            set dst-port 0
            set keylifeseconds 43200
            set src-subnet 0.0.0.0 0.0.0.0  <- IPv4 phase 2 selector; the lab uses 0.0.0.0/0 so any IPv4 traffic routed into the tunnel matches the SA.
            set dst-subnet 0.0.0.0 0.0.0.0  <- IPv4 phase 2 selector; the lab uses 0.0.0.0/0. In production, narrow both selectors to the actual IPv4 prefixes exchanged.
        next
    end

 

Route configuration CLI (an IPv4 static route steers the test destination into the IPv6-transport tunnel interface; 1.1.1.1/32 is the lab's test target — presumably the peer's loopback — not a public resolver):

 

FG80EP-1 # show router static 5
    config router static
        edit 5
            set dst 1.1.1.1 255.255.255.255
            set device "IPv6"
        next
    end

 

Firewall policy (lab policy: `all`/`all` with ALL_ICMP toward the tunnel interface; in production restrict srcaddr/dstaddr to the real IPv4 prefixes and the required services):

 

FG80EP-1 # show firewall policy 19
    config firewall policy
        edit 19
            set name "test-ipv6"
            set uuid c00a09b2-e03b-51ed-10e1-f2cf2b494dfe
            set srcintf "wan1" "loopback-lan"
            set dstintf "IPv6"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL_ICMP"
        next
    end

 

FGT-2 Configuration (lab device; as on FGT-1, `telnet` and `http` appear in `allowaccess` on the WAN interface and should be removed in production):

 

FortiGate-81E # show system interface wan1
    config system interface
        edit "wan1"
            set vdom "root"
            set ip 10.5.20.174 255.255.240.0
            set allowaccess ping https ssh http telnet
            set type physical
            set role wan
            set snmp-index 1
                config ipv6
                    set ip6-address 1::1/120  <- IPv6 address of the underlying interface; this is FGT-2's local IKE endpoint (seen as 1::1:500 in the verification output) and is FGT-1's remote-gw6.
                end
        next
    end

 

VPN Configuration (the `psksecret ENC ...` values shown here and on FGT-1 are device-encrypted pre-shared keys; redact them, as with any secret, before sharing a configuration):

 

FortiGate-81E # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "IPv6"
            set interface "wan1"
            set ip-version 6  <- Must match FGT-1: IPv6 transport for IKE/ESP.
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set npu-offload disable
            set remote-gw6 1::2  <- FGT-1's IPv6 interface address; remote-gw6 is used instead of remote-gw when ip-version is 6.
            set psksecret ENC bVTuEHyjswR2yhwaLfw9ik5dFMS8/usHTqqpSDcOH+ieRGjh521TEXeU0Iibu9UL2vMqkkBIkpCcO+/bvxgnyM6fonVrUMOGr5J77eQoWZfyhVvNVmVzsqezft8Aaeld08tCFsJQdU5JL8pSZq1vqUcmQLOedcqm0IhCmpgUgZXrUleCujONImveMsVxLR5sDan5uA==
        next
    end

 

FortiGate-81E # show full-configuration vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "IPv6"
            set phase1name "IPv6"
            set proposal aes128-sha1
            set pfs enable
            set diffserv disable
            set protocol 0
            set src-addr-type subnet
            set src-port 0
            set dst-addr-type subnet
            set dst-port 0
            set keylifeseconds 43200
            set src-subnet 0.0.0.0 0.0.0.0 <- IPv4 phase 2 selector; the lab uses 0.0.0.0/0 and it must mirror FGT-1's selectors.
            set dst-subnet 0.0.0.0 0.0.0.0 <- IPv4 phase 2 selector; the lab uses 0.0.0.0/0. Narrow both selectors in production.
        next
    end

 

Route Configuration (IPv4 static route for the test destination, pointing at the tunnel interface):

 

FortiGate-81E # show router static 2
    config router static
        edit 2
            set dst 10.10.10.10 255.255.255.255
            set device "IPv6"  <- Tunnel interface name (the phase1-interface name), not the physical interface.
        next
    end

 

Firewall policy configuration (both directions are shown: policy 4 from lan/LB into the tunnel and policy 5 from the tunnel to lan/LB. These are lab policies with `all`/`all` and ALL_ICMP; note that `policy-expiry` is enabled, so they stop matching traffic after the dates shown):

 

FortiGate-81E # show firewall policy 4
    config firewall policy
        edit 4
            set name "TEST-IPV6"
            set uuid a8274878-e03b-51ed-8b01-7ab05d9d3dc0
            set srcintf "lan" "LB"
            set dstintf "IPv6"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set policy-expiry enable
            set policy-expiry-date 2023-05-21 04:57:14
            set service "ALL_ICMP"
        next
    end

 

FortiGate-81E # show firewall policy 5
    config firewall policy
        edit 5
            set uuid d8a77f16-e272-51ed-1328-da740a33165a
            set srcintf "IPv6"
            set dstintf "lan" "LB"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set policy-expiry enable
            set policy-expiry-date 2023-05-21 05:57:14
            set service "ALL_ICMP"
        next
    end

 

Verifying the tunnel (note: `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` print the live IKE SA and ESP keys, so treat the output as sensitive and redact it before sharing):

 

FortiGate-81E # diagnose vpn ike gateway list

vd: root/0
name: IPv6
version: 1
interface: wan1 5
addr: 1::1:500 -> 1::2:500  <-
tun_id: 10.0.0.1/::10.0.0.1
remote_location: 0.0.0.0
network-id: 0
created: 523s ago
IKE SA: created 2/2 established 2/2 time 10/10525/21040 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 11 ca9443a195aa4c17/1d7807f2d447f6fa
direction: responder
status: established 511-511s ago = 10ms
proposal: aes128-sha256
key: 79312cd552810480-d510e4ba29d1c250
lifetime/rekey: 86400/85618
DPD sent/recv: 00000000/00000000

id/spi: 10 a56c3126efdf45be/501789750129fe2f
direction: initiator
status: established 523-502s ago = 21040ms
proposal: aes128-sha256
key: 2ade19ba22f5cf1c-c3c30d6f4cee2923
lifetime/rekey: 86400/85597
DPD sent/recv: 00000000/00000191

FortiGate-81E #

 

FortiGate-81E # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPv6 ver=1 serial=1 1::1:0->1::2:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/544 options[0220]=frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
stat: rxp=36 txp=0 rxb=4248 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPv6 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0-255.255.255.255:0 <-
dst: 0:0.0.0.0-255.255.255.255:0 <-
SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42387/0B replaywin=1024
seqno=1 esn=0 replaywin_lastseq=00000025 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=07265fc6 esp=aes key=16 0ffd0428423b00ac2e89ad7cd807cd38
ah=sha1 key=20 831c1dedde6d9977ceb4e5091ff038ef16bfd2b5
enc: spi=3f1551f6 esp=aes key=16 c0b4649a9e2db7ecf682459b04146ea7
ah=sha1 key=20 f2858b649574cd4d6bef3e41e681283033ef040c
dec:pkts/bytes=72/8496, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=1::2 npu_lgwy=1::1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0

 

Debugs:

 

Below are the commands for enabling IKE debugging (run on the responder, FGT-2, in this example). Disable the debug with `diagnose debug disable` followed by `diagnose debug reset` once the capture is complete; the debug output also contains the negotiated keys and should be redacted before sharing.

 

diagnose debug reset

diagnose debug application ike -1

diagnose debug enable

 

ike 0: comes 1::2:500->1::1:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ca9443a195aa4c17/0000000000000000 len=572 vrf=0
ike 0:ca9443a195aa4c17/0000000000000000:11: responder: main mode get 1st message...
ike 0:ca9443a195aa4c17/0000000000000000:11: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:ca9443a195aa4c17/0000000000000000:11: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:ca9443a195aa4c17/0000000000000000:11: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:ca9443a195aa4c17/0000000000000000:11: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:ca9443a195aa4c17/0000000000000000:11: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:ca9443a195aa4c17/0000000000000000:11: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:ca9443a195aa4c17/0000000000000000:11: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ca9443a195aa4c17/0000000000000000:11: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ca9443a195aa4c17/0000000000000000:11: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ca9443a195aa4c17/0000000000000000:11: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ca9443a195aa4c17/0000000000000000:11: negotiation result
ike 0:ca9443a195aa4c17/0000000000000000:11: proposal id = 1:
ike 0:ca9443a195aa4c17/0000000000000000:11: protocol id = ISAKMP:
ike 0:ca9443a195aa4c17/0000000000000000:11: trans_id = KEY_IKE.
ike 0:ca9443a195aa4c17/0000000000000000:11: encapsulation = IKE/none
ike 0:ca9443a195aa4c17/0000000000000000:11: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:ca9443a195aa4c17/0000000000000000:11: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:ca9443a195aa4c17/0000000000000000:11: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ca9443a195aa4c17/0000000000000000:11: type=OAKLEY_GROUP, val=MODP2048.
ike 0:ca9443a195aa4c17/0000000000000000:11: ISAKMP SA lifetime=86400
ike 0:ca9443a195aa4c17/0000000000000000:11: SA proposal chosen, matched gateway IPv6  <-- The incoming proposal matched the phase 1 gateway named "IPv6".
ike 0: found IPv6 1::1 5 -> 1::2:500
ike 0:IPv6:11: DPD negotiated
ike 0:IPv6:11: peer is FortiGate/FortiOS (v0 b0)
ike 0:IPv6:11: selected NAT-T version: RFC 3947
ike 0:IPv6:11: cookie ca9443a195aa4c17/1d7807f2d447f6fa

ike 0: found IPv6 1::1 5 -> 1::2:500
ike 0:IPv6:11: DPD negotiated
ike 0:IPv6:11: peer is FortiGate/FortiOS (v0 b0)
ike 0:IPv6:11: selected NAT-T version: RFC 3947
ike 0:IPv6:11: cookie ca9443a195aa4c17/1d7807f2d447f6fa
ike 0:IPv6:11: sent IKE msg (ident_r1send): 1::1:500->1::2:500, len=192, vrf=0, id=ca9443a195aa4c17/1d7807f2d447f6fa
ike 0: comes 1::2:500->1::1:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ca9443a195aa4c17/1d7807f2d447f6fa len=380 vrf=0
ike 0:IPv6:11: responder:main mode get 2nd message...
ike 0:IPv6:11: received NAT-D payload type 20
ike 0:IPv6:11: received NAT-D payload type 20
ike 0:IPv6:11: NAT not detected
ike 0:IPv6:11: generate DH public value request queued
ike 0:IPv6:11: compute DH shared secret request queued
ike 0:IPv6:11: sent IKE msg (ident_r2send): 1::1:500->1::2:500, len=380, vrf=0, id=ca9443a195aa4c17/1d7807f2d447f6fa
ike 0:IPv6:11: ISAKMP SA ca9443a195aa4c17/1d7807f2d447f6fa key 16:79312CD552810480D510E4BA29D1C250
ike 0: comes 1::2:500->1::1:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ca9443a195aa4c17/1d7807f2d447f6fa len=124 vrf=0
ike 0:IPv6:11: responder: main mode get 3rd message...
ike 0:IPv6:11: received p1 notify type INITIAL-CONTACT
ike 0:IPv6:11: peer identifier IPV6_ADDR 1::2  <- The peer presents its IPv6 address (1::2) as its IKE ID; it is accepted because peertype is "any" and the gateway is static (remote-gw6).
ike 0:IPv6:11: PSK authentication succeeded  <-
ike 0:IPv6:11: authentication OK
ike 0:IPv6:11: sent IKE msg (ident_r3send): 1::1:500->1::2:500, len=92, vrf=0, id=ca9443a195aa4c17/1d7807f2d447f6fa
ike 0:IPv6:11: established IKE SA ca9443a195aa4c17/1d7807f2d447f6fa <-
ike 0:IPv6:11: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0

ike 0:IPv6:11:384: responder received first quick-mode message
ike 0:IPv6:11:384: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:IPv6:11:IPv6:384: trying
ike 0:IPv6:11:IPv6:384: matched phase2
ike 0:IPv6:11:IPv6:384: autokey
ike 0:IPv6:11:IPv6:384: my proposal:
ike 0:IPv6:11:IPv6:384: proposal id = 1:
ike 0:IPv6:11:IPv6:384: protocol id = IPSEC_ESP:
ike 0:IPv6:11:IPv6:384: PFS DH group = 14
ike 0:IPv6:11:IPv6:384: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:IPv6:11:IPv6:384: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IPv6:11:IPv6:384: type = AUTH_ALG, val=SHA1
ike 0:IPv6:11:IPv6:384: proposal id = 2:
ike 0:IPv6:11:IPv6:384: protocol id = IPSEC_ESP:
ike 0:IPv6:11:IPv6:384: PFS DH group = 5
ike 0:IPv6:11:IPv6:384: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:IPv6:11:IPv6:384: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IPv6:11:IPv6:384: type = AUTH_ALG, val=SHA1
ike 0:IPv6:11:IPv6:384: incoming proposal:
ike 0:IPv6:11:IPv6:384: proposal id = 1:
ike 0:IPv6:11:IPv6:384: protocol id = IPSEC_ESP:
ike 0:IPv6:11:IPv6:384: PFS DH group = 14
ike 0:IPv6:11:IPv6:384: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:IPv6:11:IPv6:384: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IPv6:11:IPv6:384: type = AUTH_ALG, val=SHA1
ike 0:IPv6:11:IPv6:384: negotiation result
ike 0:IPv6:11:IPv6:384: proposal id = 1:
ike 0:IPv6:11:IPv6:384: protocol id = IPSEC_ESP:
ike 0:IPv6:11:IPv6:384: PFS DH group = 14
ike 0:IPv6:11:IPv6:384: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:IPv6:11:IPv6:384: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IPv6:11:IPv6:384: type = AUTH_ALG, val=SHA1
ike 0:IPv6:11:IPv6:384: set pfs=MODP2048
ike 0:IPv6:11:IPv6:384: using tunnel mode.
ike 0:IPv6:11:IPv6:384: generate DH public value request queued
ike 0:IPv6:11:IPv6:384: compute DH shared secret request queued
ike 0:IPv6: schedule auto-negotiate
ike 0:IPv6:11:IPv6:384: replay protection enabled
ike 0:IPv6:11:IPv6:384: SA life soft seconds=42927.
ike 0:IPv6:11:IPv6:384: SA life hard seconds=43200.
ike 0:IPv6:11:IPv6:384: IPsec SA selectors #src=1 #dst=1
ike 0:IPv6:11:IPv6:384: src 0 7 0:0.0.0.0-255.255.255.255:0 <-
ike 0:IPv6:11:IPv6:384: dst 0 7 0:0.0.0.0-255.255.255.255:0 <-
ike 0:IPv6:11:IPv6:384: add IPsec SA: SPIs=07265fc6/3f1551f6
ike 0:IPv6:11:IPv6:384: IPsec SA dec spi 07265fc6 key 16:0FFD0428423B00AC2E89AD7CD80 auth 20:831C1DEDDE6D9977CEB4E5091FF038EF1
ike 0:IPv6:11:IPv6:384: IPsec SA enc spi 3f1551f6 key 16:C0B4649A9E2DB7ECF682459B041 auth 20:F2858B649574CD4D6BEF3E41E681283033
ike 0:IPv6:11:IPv6:384: added IPsec SA: SPIs=07265fc6/3f1551f6
ike 0:IPv6:11:IPv6:384: sending SNMP tunnel UP trap <-

 

PCAP (the IKE and ESP packets are carried over IPv6 between 1::1 and 1::2, while the decrypted payload is IPv4):

 

ipv6_pcap.jpg