This article describes how to deploy ADVPN hub and spoke in an IPv6 network.
Scope: FortiOS 6.4, 7.0, 7.2 and above.
Topology (diagram not reproduced; addresses as used in the configuration and verification output below): underlay gateways 2001:db8::1 (Hub), 2001:db8::2 (Spoke1), 2001:db8::3 (Spoke2); overlay tunnel addresses 2001:db7::100:1 (Hub), 2001:db7::100:2 (Spoke1), 2001:db7::100:3 (Spoke2); LAN prefixes 2001:db8:1111:2000::/64 (Hub), 2001:db8:1111:2100::/64 (Spoke1), 2001:db8:1111:2200::/64 (Spoke2).
ADVPN Hub Configuration:
1) Tunnel configuration (the hub is the auto-discovery sender that offers shortcuts to the spokes; network-overlay and network-id must match on the hub and every spoke):
# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set type dynamic
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end
# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set keepalive enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
2) Configure IPv6 address on the tunnel interface:
# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
        config ipv6
            set ip6-address 2001:db7::100:1/64
            set ip6-allowaccess ping
        end
        set interface "port4"
    next
end
3) Configure IPv6 firewall policy:
# config firewall policy
    edit 1
        set name "advpn-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-advpn"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "advpn-to-advpn"
        set srcintf "ipv6-advpn"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
4) Configure BGP (the hub is an iBGP route reflector for the IPv6 address family, so each spoke learns the other spokes' prefixes; activate disable turns off the unused IPv4 address family for each neighbor):
# config router bgp
    set as 6500
    set router-id 1.1.1.1
    config neighbor
        edit "2001:db7::100:2"
            set activate disable
            set capability-graceful-restart6 enable
            set soft-reconfiguration6 enable
            set remote-as 6500
            set route-reflector-client6 enable
        next
        edit "2001:db7::100:3"
            set activate disable
            set capability-graceful-restart6 enable
            set soft-reconfiguration6 enable
            set remote-as 6500
            set route-reflector-client6 enable
        next
    end
    config network6
        edit 1
            set prefix6 2001:db8:1111:2000::/64
        next
    end
end
ADVPN Spoke Configuration:
1) Tunnel configuration (the spoke is the auto-discovery receiver and points at the hub with remote-gw6):
# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw6 2001:db8::1
        set psksecret <psk>
    next
end
# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
2) Configure the IPv6 address on the tunnel interface (change the IPv6 address when configuring Spoke2):
# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
        config ipv6
            set ip6-address 2001:db7::100:2/64 <-
            set ip6-allowaccess ping
        end
        set interface "port4"
    next
end
3) Configure IPv6 firewall policy:
# config firewall policy
    edit 1
        set name "ipsec-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-ipsec"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
4) Configure BGP (change the router-id and prefix6 when configuring Spoke2):
# config router bgp
    set as 6500
    set router-id 2.2.2.2 <-
    config neighbor
        edit "2001:db7::100:1"
            set activate disable
            set capability-graceful-restart6 enable
            set soft-reconfiguration6 enable
            set remote-as 6500
        next
    end
    config network6
        edit 1
            set prefix6 2001:db8:1111:2100::/64 <-
        next
    end
end
The Spoke2 configuration is not shown in this article because it is identical to the Spoke1 configuration apart from the lines marked with <- above.
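The hub and spoke phase1 settings have to agree for a spoke to join and for shortcuts to form, which is easy to get wrong when Spoke2 is cloned from Spoke1. The check below (an added example, not Fortinet code) parses phase1-interface blocks as written in this article and reports the mismatches an operator most often hits; the rule set and its messages are this example's own, and the two config strings are trimmed copies of the blocks above.

```python
import re

# Constructed from this article's hub and spoke phase1-interface blocks (an added
# example, not Fortinet code); only the settings the pairing rules look at are kept.
HUB_PHASE1 = """edit "ipv6-advpn"
    set type dynamic
    set ip-version 6
    set ike-version 2
    set auto-discovery-sender enable
    set network-overlay enable
    set network-id 1
next"""
SPOKE_PHASE1 = """edit "ipv6-advpn"
    set ip-version 6
    set ike-version 2
    set auto-discovery-receiver enable
    set network-overlay enable
    set network-id 1
    set remote-gw6 2001:db8::1
next"""

def parse_phase1(text):
    """Map each 'edit <name>' block of a FortiOS phase1-interface config to its settings."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "?([^"]+)"?$', line):
            cur = tunnels.setdefault(m.group(1), {})
        elif (m := re.match(r"set (\S+) (.+)$", line)) and cur is not None:
            cur[m.group(1)] = m.group(2).strip('"')
    return tunnels

# Each rule is (predicate over the (hub, spoke) settings, message reported when it fires).
RULES = [
    (lambda h, s: h.get("ip-version") != s.get("ip-version"), "ip-version differs"),
    (lambda h, s: h.get("ike-version") != s.get("ike-version"), "ike-version differs"),
    (lambda h, s: h.get("type") != "dynamic", "hub needs 'set type dynamic' to accept spokes"),
    (lambda h, s: h.get("auto-discovery-sender") != "enable", "hub sends no shortcut offers"),
    (lambda h, s: s.get("auto-discovery-receiver") != "enable", "spoke ignores shortcut offers"),
    (lambda h, s: "enable" in (h.get("network-overlay"), s.get("network-overlay"))
                  and h.get("network-id") != s.get("network-id"), "network-id mismatch"),
    (lambda h, s: s.get("ip-version") == "6" and "remote-gw6" not in s, "spoke lacks remote-gw6"),
]

def check_advpn_pair(hub, spoke):
    """Return the message of every rule the hub/spoke pair violates (empty list = consistent)."""
    return [msg for bad, msg in RULES if bad(hub, spoke)]

def check_article_pair(spoke_text=SPOKE_PHASE1):
    """Run the rules against the article's hub block and a (possibly edited) spoke block."""
    return check_advpn_pair(parse_phase1(HUB_PHASE1)["ipv6-advpn"], parse_phase1(spoke_text)["ipv6-advpn"])
```

Feed `check_article_pair` the phase1 block of a new spoke (for example one whose network-id was mistyped) and it returns the reasons IKE or shortcut discovery would fail before the tunnel is ever brought up.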
Verification:
Spoke1 # exe ping6-options source6 2001:db8:1111:2100::1
Spoke1 # exe ping6 2001:db8:1111:2200::1
PING 2001:db8:1111:2200::1(2001:db8:1111:2200::1) from 2001:db8:1111:2100::1 : 56 data bytes
64 bytes from 2001:db8:1111:2200::1: icmp_seq=1 ttl=63 time=2.51 ms
64 bytes from 2001:db8:1111:2200::1: icmp_seq=2 ttl=64 time=0.982 ms
...
--- 2001:db8:1111:2200::1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.788/1.285/2.516/0.645 ms
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----------------------------Tunnel to Hub----------------------------------
name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1
proxyid_num=1 child_num=1 refcnt=5 ilast=7 olast=7 ad=r/2
stat: rxp=25 txp=24 rxb=2426 txb=2269
....
dec: spi=816ab042 esp=aes key=16 99d19d1b1ff39fc132dbbc3f3292c8da
ah=sha1 key=20 1d1f9e79eb86b81f177cf5f278dc5e0db5fe1ef7
enc: spi=3b3ed98f esp=aes key=16 c32d1c58e0c441573cf733109e6c3e68
ah=sha1 key=20 07b42df05371d92286e140beea9a6adb34a3b166
dec:pkts/bytes=38/3716, enc:pkts/bytes=36/4925
npu_flag=00 npu_rgwy=2001:db8::1 npu_lgwy=2001:db8::2 npu_selid=4 dec_npuid=0 enc_npuid=0
------------------------------Tunnel to Spoke2----------------------------------
name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1
parent=ipv6-advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=r/2
stat: rxp=6 txp=6 rxb=568 txb=568
....
dec: spi=816ab043 esp=aes key=16 8a3fd23db9a7a5262be7d8a35e98de5e
ah=sha1 key=20 e2533840e7cedfa10719eefc8a773dae66e2dfcc
enc: spi=cb1155cd esp=aes key=16 3ac7cb5179f01c7962cca94dd49f7283
ah=sha1 key=20 cfb7c3e7715ef07f9967b1ac5d479e3af443942c
dec:pkts/bytes=12/1136, enc:pkts/bytes=12/1632
npu_flag=00 npu_rgwy=2001:db8::3 npu_lgwy=2001:db8::2 npu_selid=5 dec_npuid=0 enc_npuid=0
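A successful ping proves reachability but not that traffic has left the hub: the first reply above arriving with ttl=63 and the later ones with ttl=64 is consistent with the first packet crossing the hub before the shortcut came up. The parser below (an added example, not FortiOS code) reads diagnose vpn tunnel list output as shown in this article and reports each dial_inst shortcut with its parent, remote gateway and whether it is passing traffic in both directions; DIAG_OUTPUT is a trimmed copy of the Spoke1 output above.

```python
import re

# Constructed excerpt of the article's 'diagnose vpn tunnel list' output on Spoke1
# (key material and some counters omitted); this is an added example, not FortiOS code.
DIAG_OUTPUT = """list all ipsec tunnel in vd 0
name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1
proxyid_num=1 child_num=1 refcnt=5 ilast=7 olast=7 ad=r/2
dec:pkts/bytes=38/3716, enc:pkts/bytes=36/4925
name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1
parent=ipv6-advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=r/2
dec:pkts/bytes=12/1136, enc:pkts/bytes=12/1632
"""

def parse_tunnel_list(text):
    """Split tunnel list output into one dict per tunnel; a new tunnel starts at each 'name=' line."""
    tunnels, cur = [], None
    for line in text.splitlines():
        if line.startswith("name="):
            cur = {}
            tunnels.append(cur)
            if gw := re.search(r"(\S+)->(\S+)", line):      # '<local>:<port>-><remote>:<port>'
                cur["local_gw"], cur["remote_gw"] = (g.rsplit(":", 1)[0] for g in gw.groups())
        if cur is None:
            continue
        for key, val in re.findall(r"([\w:/\[\]-]+)=([^\s,]+)", line):   # every key=value token
            cur[key] = val
    return tunnels

def advpn_shortcuts(tunnels):
    """Return the dial_inst (shortcut) tunnels with their parent and a both-directions traffic flag."""
    out = []
    for t in tunnels:
        if not t.get("mode", "").startswith("dial_inst"):
            continue
        dec = int(t.get("dec:pkts/bytes", "0/0").split("/")[0])
        enc = int(t.get("enc:pkts/bytes", "0/0").split("/")[0])
        out.append({"name": t["name"], "parent": t.get("parent"), "remote_gw": t.get("remote_gw"),
                    "overlay_id": t.get("overlay_id"), "bidirectional": dec > 0 and enc > 0})
    return out
```

A shortcut that shows up with bidirectional False after the ping means the offer was accepted but the return path still goes through the hub, which usually points at the firewall policy or BGP on the far spoke.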
Copyright 2024 Fortinet, Inc. All Rights Reserved.