FortiGate
nprakash
Staff & Editor
Article Id 253196
Description

This article describes how to deploy ADVPN hub and spoke over an IPv6 network: IPv6 IKE peers, IPv6 addresses on the tunnel interfaces, and iBGP with the hub acting as route reflector for the IPv6 address family.

Scope

FortiOS: 6.4, 7.0, 7.2 and later.

Solution

Topology: the diagrams v6-advpn-topo-un.png and v6-advpn-topo-ov.png are not reproduced here. The addressing used by the configuration below is:

Underlay (port4): Hub 2001:db8::1, Spoke1 2001:db8::2, Spoke2 2001:db8::3
Overlay (tunnel interface ipv6-advpn): Hub 2001:db7::100:1/64, Spoke1 2001:db7::100:2/64, Spoke2 2001:db7::100:3/64
LAN prefixes advertised in BGP AS 6500: Hub 2001:db8:1111:2000::/64, Spoke1 2001:db8:1111:2100::/64, Spoke2 2001:db8:1111:2200::/64

ADVPN Hub Configuration:

1) Tunnel configuration. The hub is the dial-up side ('type dynamic') and the auto-discovery sender. 'network-overlay' and 'network-id' must match on every spoke, because the hub uses the network ID to match a connecting spoke to this phase1:

# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set type dynamic
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end

# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set keepalive enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

The phase2 proposal above uses aes128-sha1. HMAC-SHA1 is still widely accepted but is a weaker integrity algorithm than the SHA-256 used in phase1; aes128-sha256 is a valid phase2 proposal and is the better choice when the phase2 entries on the hub and on all spokes are changed together.

2) Configure the IPv6 address on the tunnel interface:

# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
            # config ipv6
                set ip6-address 2001:db7::100:1/64
                set ip6-allowaccess ping
            end
        set interface "port4"
    next
end

3) Configure the IPv6 firewall policy. The syntax below is the FortiOS 7.0 and later form (IPv6 addresses inside 'config firewall policy' via srcaddr6/dstaddr6); on FortiOS 6.4 the same rules go under 'config firewall policy6' unless consolidated firewall policy mode is enabled. The third policy, from the ADVPN interface back to itself, is required on the hub because spoke-to-spoke traffic transits the hub until the shortcut is established:

# config firewall policy
    edit 1
        set name "advpn-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-advpn"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "advpn-to-advpn"
        set srcintf "ipv6-advpn"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

4) Configure BGP. The hub is the iBGP route reflector for the IPv6 address family: 'activate disable' turns the IPv4 family off for each neighbor, and 'route-reflector-client6 enable' is needed on every spoke neighbor so that the spokes' LAN prefixes are reflected between them (the IPv4 flag 'route-reflector-client' has no effect on IPv6 routes):

# config router bgp
    set as 6500
    set router-id 1.1.1.1
        # config neighbor
            edit "2001:db7::100:2"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
                set route-reflector-client6 enable
            next
            edit "2001:db7::100:3"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
                set route-reflector-client6 enable
            next
        end
        # config network6
            edit 1
                set prefix6 2001:db8:1111:2000::/64
            next
        end
end

ADVPN Spoke Configuration:

1) Tunnel configuration. The spoke is the auto-discovery receiver and points at the hub's IPv6 underlay address with 'remote-gw6'; ike-version, proposals, network-id and the pre-shared key must match the hub:

# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw6 2001:db8::1
        set psksecret <psk>
    next
end

# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

2) Configure the IPv6 address on the tunnel interface (use 2001:db7::100:3/64 on Spoke2; the '<-' marks the line that changes per spoke):

# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
            # config ipv6
                set ip6-address 2001:db7::100:2/64 <-
                set ip6-allowaccess ping
            end
        set interface "port4"
    next
end

3) Configure the IPv6 firewall policy:

# config firewall policy
    edit 1
        set name "ipsec-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-ipsec"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

4) Configure BGP (on Spoke2, change the router-id and advertise its own LAN prefix, 2001:db8:1111:2200::/64; the '<-' marks the lines that change). A spoke peers only with the hub's tunnel address and learns the other spokes' prefixes through the hub's route reflection:

# config router bgp
    set as 6500
    set router-id 2.2.2.2 <-
        # config neighbor
            edit "2001:db7::100:1"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
            next
        end
        # config network6
            edit 1
                set prefix6 2001:db8:1111:2100::/64 <-
            next
        end
end

Spoke2 configuration is not shown because it is almost identical to Spoke1; only the tunnel address (2001:db7::100:3/64, the second neighbor in the hub's BGP configuration), the BGP router-id and the advertised LAN prefix (2001:db8:1111:2200::/64, the destination pinged in the verification below) change.
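
The settings that have to agree between the hub and each spoke (IPv6 IKE, the same network-id and proposals, tunnel addresses in one prefix, iBGP with route-reflector-client6 on the hub side) are easy to get wrong when spoke configurations are cloned by hand. The Python script below is an added example, not part of this article or of FortiOS: it parses CLI text in the form shown above (only the 'config'/'edit'/'set'/'next'/'end' subset used here, with the leading '# ' and the '<-' markers stripped) and cross-checks one hub against one spoke. The function names parse_fortios, advpn_params and check_advpn are made up for the example, and the embedded HUB and SPOKE samples are the article's hub and Spoke1 configurations trimmed to the settings the checker looks at.

```python
import ipaddress

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config'/'edit' open a dict, 'set' stores a string."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").split("<-")[0].strip()  # drop the article's "# " and "<-" markers
        if not line:
            continue
        kw, *args = line.replace('"', "").split()
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def advpn_params(cfg):
    """ADVPN-relevant values of one device: phase1 block, tunnel address, BGP AS and neighbors."""
    name, p1 = next(iter(cfg["vpn ipsec phase1-interface"].items()))
    bgp = cfg["router bgp"]
    addr = ipaddress.ip_interface(cfg["system interface"][name]["ipv6"]["ip6-address"])
    return p1, addr, bgp.get("as"), bgp.get("neighbor", {})

def check_advpn(hub_text, spoke_text):
    """Cross-check one hub and one spoke config; returns a list of findings (empty = consistent)."""
    hp, ha, has, hn = advpn_params(parse_fortios(hub_text))
    sp, sa, sas, sn = advpn_params(parse_fortios(spoke_text))
    errs = [f"phase1 {k} differs: hub={hp.get(k)} spoke={sp.get(k)}"  # the IKE peers must agree
            for k in ("ip-version", "ike-version", "proposal", "network-overlay", "network-id")
            if hp.get(k) != sp.get(k)]
    if hp.get("type") != "dynamic" or hp.get("ip-version") != "6" or hp.get("auto-discovery-sender") != "enable":
        errs.append("hub: phase1 needs 'type dynamic', 'ip-version 6' and 'auto-discovery-sender enable'")
    if sp.get("auto-discovery-receiver") != "enable" or sp.get("network-overlay") != "enable" or not sp.get("remote-gw6"):
        errs.append("spoke: phase1 needs 'auto-discovery-receiver enable', 'network-overlay enable' and 'remote-gw6'")
    if ha.network != sa.network or ha.ip == sa.ip:
        errs.append("tunnel ip6-address: hub and spoke must be distinct hosts in one prefix")
    # Reflection assumes iBGP (same AS); the IPv4 flag 'route-reflector-client' does not cover IPv6 routes.
    if has != sas or hn.get(str(sa.ip), {}).get("route-reflector-client6") != "enable":
        errs.append(f"hub: neighbor {sa.ip} needs remote-as {sas} and 'route-reflector-client6 enable'")
    if str(ha.ip) not in sn:
        errs.append(f"spoke: no BGP neighbor {ha.ip} (the hub's tunnel address)")
    return errs

# Constructed samples: the article's hub and Spoke1 trimmed to the settings checked above.
HUB = """\
config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set type dynamic
        set ip-version 6
        set proposal aes128-sha256
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
    next
end
config system interface
    edit "ipv6-advpn"
        config ipv6
            set ip6-address 2001:db7::100:1/64
        end
    next
end
config router bgp
    set as 6500
    config neighbor
        edit "2001:db7::100:2"
            set remote-as 6500
            set route-reflector-client6 enable
        next
    end
end
"""
SPOKE = """\
config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set ip-version 6
        set proposal aes128-sha256
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw6 2001:db8::1
    next
end
config system interface
    edit "ipv6-advpn"
        config ipv6
            set ip6-address 2001:db7::100:2/64 <-
        end
    next
end
config router bgp
    set as 6500
    config neighbor
        edit "2001:db7::100:1"
            set remote-as 6500
        next
    end
end
"""
```

check_advpn(HUB, SPOKE) returns an empty list for the article's hub and Spoke1. Feeding it the hub with 'route-reflector-client' in place of 'route-reflector-client6' on the neighbor, or a spoke with a different network-id or a tunnel address outside 2001:db7::/64, returns one finding per mismatch; pasting a full 'show' output in place of the trimmed samples works as long as it stays within the syntax subset the parser handles.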

Verification:

Set the ping source to Spoke1's LAN address and ping Spoke2's LAN address (a route learned through the hub's BGP reflection):

Spoke1 # exe ping6-options source 2001:db8:1111:2100::1

Spoke1 # exe ping6 2001:db8:1111:2200::1
PING 2001:db8:1111:2200::1(2001:db8:1111:2200::1) from 2001:db8:1111:2100::1 : 56 data bytes
64 bytes from 2001:db8:1111:2200::1: icmp_seq=1 ttl=63 time=2.51 ms
64 bytes from 2001:db8:1111:2200::1: icmp_seq=2 ttl=64 time=0.982 ms
...
--- 2001:db8:1111:2200::1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.788/1.285/2.516/0.645 ms

The first reply shows ttl=63 because it transits the hub; once the shortcut is established the remaining replies come directly from Spoke2 with ttl=64.

Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----------------------------Tunnel to Hub----------------------------------

name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1

proxyid_num=1 child_num=1 refcnt=5 ilast=7 olast=7 ad=r/2
stat: rxp=25 txp=24 rxb=2426 txb=2269
....
dec: spi=816ab042 esp=aes key=16 99d19d1b1ff39fc132dbbc3f3292c8da
ah=sha1 key=20 1d1f9e79eb86b81f177cf5f278dc5e0db5fe1ef7
enc: spi=3b3ed98f esp=aes key=16 c32d1c58e0c441573cf733109e6c3e68
ah=sha1 key=20 07b42df05371d92286e140beea9a6adb34a3b166
dec:pkts/bytes=38/3716, enc:pkts/bytes=36/4925
npu_flag=00 npu_rgwy=2001:db8::1 npu_lgwy=2001:db8::2 npu_selid=4 dec_npuid=0 enc_npuid=0

------------------------------Tunnel to Spoke2----------------------------------

name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1

parent=ipv6-advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=r/2
stat: rxp=6 txp=6 rxb=568 txb=568
....
dec: spi=816ab043 esp=aes key=16 8a3fd23db9a7a5262be7d8a35e98de5e
ah=sha1 key=20 e2533840e7cedfa10719eefc8a773dae66e2dfcc
enc: spi=cb1155cd esp=aes key=16 3ac7cb5179f01c7962cca94dd49f7283
ah=sha1 key=20 cfb7c3e7715ef07f9967b1ac5d479e3af443942c
dec:pkts/bytes=12/1136, enc:pkts/bytes=12/1632
npu_flag=00 npu_rgwy=2001:db8::3 npu_lgwy=2001:db8::2 npu_selid=5 dec_npuid=0 enc_npuid=0
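
In the output above the tunnel to the hub is the parent phase1 (remote gateway 2001:db8::1, mode=auto), and ipv6-advpn_0 is the dynamically created child (parent=ipv6-advpn, mode=dial_inst) whose remote gateway is Spoke2's underlay address 2001:db8::3: that child is the ADVPN shortcut, and ad=r/2 shows the spoke's auto-discovery receiver role. When the same check has to be repeated across many spokes, it is easier to parse the command output than to read it. The script below is an added example, not part of this article or of FortiOS; the function names parse_tunnel_list, shortcuts and shortcut_carries_traffic are made up for it, and SAMPLE is Spoke1's output from above trimmed to the lines the parser uses.

```python
import re

def parse_tunnel_list(output):
    """Split 'diagnose vpn tunnel list' output into one dict per tunnel: the key=value fields plus the
    local->remote gateway pair that follows serial= on the name= line."""
    tunnels = []
    for block in re.split(r"(?m)^(?=name=)", output)[1:]:  # each tunnel starts at a 'name=' line
        kv = dict(re.findall(r"(\S+?)=(\S+)", block))
        local, remote = re.search(r"(\S+):\d+->(\S+):\d+", block).groups()
        tunnels.append({"name": kv["name"], "local": local, "remote": remote,
                        "parent": kv.get("parent"), "mode": kv.get("mode"), "ad": kv.get("ad"),
                        "overlay": kv.get("overlay_id"),
                        "rxp": int(kv.get("rxp", 0)), "txp": int(kv.get("txp", 0))})
    return tunnels

def shortcuts(tunnels):
    """ADVPN shortcuts are the dynamically created children (parent=<phase1 name>) whose remote gateway
    is another spoke rather than the hub, i.e. differs from the parent's remote gateway."""
    parents = {t["name"]: t for t in tunnels if t["parent"] is None}
    return [t for t in tunnels
            if t["parent"] in parents and t["remote"] != parents[t["parent"]]["remote"]]

def shortcut_carries_traffic(tunnels, spoke_gw):
    """True when a shortcut to spoke_gw exists and has both sent and received packets."""
    return any(t["remote"] == spoke_gw and t["rxp"] > 0 and t["txp"] > 0 for t in shortcuts(tunnels))

# Constructed sample: Spoke1's output from the article, trimmed to the lines the parser uses.
SAMPLE = """\
list all ipsec tunnel in vd 0
name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1
proxyid_num=1 child_num=1 refcnt=5 ilast=7 olast=7 ad=r/2
stat: rxp=25 txp=24 rxb=2426 txb=2269
name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1
parent=ipv6-advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=r/2
stat: rxp=6 txp=6 rxb=568 txb=568
"""

if __name__ == "__main__":
    tunnels = parse_tunnel_list(SAMPLE)
    cut = {t["name"] for t in shortcuts(tunnels)}
    for t in tunnels:
        kind = "shortcut" if t["name"] in cut else "parent"
        print(f"{t['name']:14} {kind:8} {t['local']} -> {t['remote']} rx={t['rxp']} tx={t['txp']}")
```

For the sample, shortcuts() returns only ipv6-advpn_0 and shortcut_carries_traffic(tunnels, "2001:db8::3") is True; a spoke whose traffic keeps hairpinning through the hub shows no child tunnel at all, or one with rxp/txp stuck at zero.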