FortiGate
nprakash (Staff)
Article Id 253196
Description

This article describes how to deploy an ADVPN (Auto-Discovery VPN) hub-and-spoke network in which both the IPsec transport and the overlay addressing use IPv6.

 

Scope

FortiOS 6.4, 7.0, 7.2 and above.

 

Solution

 

Topology:

[Topology diagrams v6-advpn-topo-un.png (underlay) and v6-advpn-topo-ov.png (overlay): one hub and two spokes. Underlay gateway addresses on port4: hub 2001:db8::1, Spoke1 2001:db8::2, Spoke2 2001:db8::3. Overlay tunnel addresses: hub 2001:db7::100:1, Spoke1 2001:db7::100:2, Spoke2 2001:db7::100:3. LAN prefixes: hub 2001:db8:1111:2000::/64, Spoke1 2001:db8:1111:2100::/64, Spoke2 2001:db8:1111:2200::/64.]

 

ADVPN Hub Configuration:

 

1) Tunnel Configuration:

 

# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set type dynamic
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end

 

# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set keepalive enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

2) Configure IPv6 address on the tunnel interface:

 

# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
            # config ipv6
                set ip6-address 2001:db7::100:1/64
                set ip6-allowaccess ping
            end
        set interface "port4"
    next
end

 

3) Configure IPv6 firewall policies (policy 3, from the ADVPN interface back to itself, permits spoke-to-spoke traffic through the hub; this transit traffic is what triggers the shortcut negotiation):

 

# config firewall policy
    edit 1
        set name "advpn-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-advpn"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "advpn-to-advpn"
        set srcintf "ipv6-advpn"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

4) Configure BGP (the hub is an iBGP route reflector for the spokes' IPv6 address family, peering over the tunnel addresses):

 

# config router bgp
    set as 6500
    set router-id 1.1.1.1
        # config neighbor
            edit "2001:db7::100:2"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
                set route-reflector-client6 enable
            next
            edit "2001:db7::100:3"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
                set route-reflector-client6 enable
            next
        end
        # config network6
            edit 1
                set prefix6 2001:db8:1111:2000::/64
            next
        end
end

 

ADVPN Spoke Configuration:

 

1) Tunnel Configuration:

 

# config vpn ipsec phase1-interface
    edit "ipv6-advpn"
        set interface "port4"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw6 2001:db8::1
        set psksecret <psk>
    next
end

 

# config vpn ipsec phase2-interface
    edit "ipv6-advpn"
        set phase1name "ipv6-advpn"
        set proposal aes128-sha1
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

2) Configure the IPv6 address on the tunnel interface (use 2001:db7::100:3/64 when configuring Spoke2, matching the hub's second BGP neighbor):

 

# config system interface
    edit "ipv6-advpn"
        set vdom "root"
        set type tunnel
        set snmp-index 10
            # config ipv6
                set ip6-address 2001:db7::100:2/64 <-
                set ip6-allowaccess ping
            end
        set interface "port4"
    next
end

 

3) Configure IPv6 firewall policy:

 

# config firewall policy
    edit 1
        set name "ipsec-to-lan"
        set srcintf "ipv6-advpn"
        set dstintf "lan"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "lan-to-ipsec"
        set srcintf "lan"
        set dstintf "ipv6-advpn"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

4) Configure BGP (Spoke2 uses its own router-id and advertises its own LAN prefix in prefix6):

 

# config router bgp
    set as 6500
    set router-id 2.2.2.2 <-
        # config neighbor
            edit "2001:db7::100:1"
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 6500
            next
        end
        # config network6
            edit 1
                set prefix6 2001:db8:1111:2100::/64 <-
            next
        end
end

 

The Spoke2 configuration is not shown in this article because it is almost identical to the Spoke1 configuration; only the values marked with an arrow (tunnel IPv6 address, router-id and prefix6) differ.

 

Verification:

 

Ping Spoke2's LAN address from Spoke1's LAN address. The first reply returns through the hub (ttl=63); once the shortcut is established, replies arrive directly from Spoke2 (ttl=64, lower RTT):

Spoke1 # exe ping6-options source6 2001:db8:1111:2100::1

Spoke1 # exe ping6 2001:db8:1111:2200::1
PING 2001:db8:1111:2200::1(2001:db8:1111:2200::1) from 2001:db8:1111:2100::1 : 56 data bytes
64 bytes from 2001:db8:1111:2200::1: icmp_seq=1 ttl=63 time=2.51 ms
64 bytes from 2001:db8:1111:2200::1: icmp_seq=2 ttl=64 time=0.982 ms
...
--- 2001:db8:1111:2200::1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.788/1.285/2.516/0.645 ms


Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----------------------------Tunnel to Hub----------------------------------

name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1

proxyid_num=1 child_num=1 refcnt=5 ilast=7 olast=7 ad=r/2
stat: rxp=25 txp=24 rxb=2426 txb=2269
....
dec: spi=816ab042 esp=aes key=16 99d19d1b1ff39fc132dbbc3f3292c8da
ah=sha1 key=20 1d1f9e79eb86b81f177cf5f278dc5e0db5fe1ef7
enc: spi=3b3ed98f esp=aes key=16 c32d1c58e0c441573cf733109e6c3e68
ah=sha1 key=20 07b42df05371d92286e140beea9a6adb34a3b166
dec:pkts/bytes=38/3716, enc:pkts/bytes=36/4925
npu_flag=00 npu_rgwy=2001:db8::1 npu_lgwy=2001:db8::2 npu_selid=4 dec_npuid=0 enc_npuid=0

------------------------------Tunnel to Spoke2----------------------------------

name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1

parent=ipv6-advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=r/2
stat: rxp=6 txp=6 rxb=568 txb=568
....
dec: spi=816ab043 esp=aes key=16 8a3fd23db9a7a5262be7d8a35e98de5e
ah=sha1 key=20 e2533840e7cedfa10719eefc8a773dae66e2dfcc
enc: spi=cb1155cd esp=aes key=16 3ac7cb5179f01c7962cca94dd49f7283
ah=sha1 key=20 cfb7c3e7715ef07f9967b1ac5d479e3af443942c
dec:pkts/bytes=12/1136, enc:pkts/bytes=12/1632
npu_flag=00 npu_rgwy=2001:db8::3 npu_lgwy=2001:db8::2 npu_selid=5 dec_npuid=0 enc_npuid=0
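As an added verification helper (not part of the original article), the following Python parser reads the `diagnose vpn tunnel list` output above, using an abbreviated copy of the Spoke1 output as constructed sample input. It separates the static tunnel to the hub from the on-demand shortcut to Spoke2 (`parent=` set and `mode=dial_inst`), checks that the hub tunnel has passed traffic, and strips the ESP/AH key material the command prints before the output is shared.

```python
import re

# Constructed sample: the two tunnel records from the Spoke1 "diagnose vpn tunnel list"
# output above, trimmed to the lines this parser uses (values as printed on the page).
SAMPLE = """list all ipsec tunnel in vd 0
name=ipv6-advpn ver=2 serial=3 2001:db8::2:0->2001:db8::1:0 tun_id=10.0.0.3 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=1
stat: rxp=25 txp=24 rxb=2426 txb=2269
dec: spi=816ab042 esp=aes key=16 99d19d1b1ff39fc132dbbc3f3292c8da
name=ipv6-advpn_0 ver=2 serial=4 2001:db8::2:0->2001:db8::3:0 tun_id=10.0.0.4 tun_id6=2001:db8::3 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=1
parent=ipv6-advpn index=0
stat: rxp=6 txp=6 rxb=568 txb=568
dec: spi=816ab043 esp=aes key=16 8a3fd23db9a7a5262be7d8a35e98de5e
"""

ENDPOINTS = re.compile(r"(\S+):0->(\S+):0")  # "local:0->remote:0" as printed for IPv6 gateways
KV = re.compile(r"([\w-]+)=([^\s/]+)")        # key=value tokens; "/n" suffixes (mode=auto/1) dropped

def parse_tunnels(text):
    """Split the output into one dict per tunnel; each record starts with a 'name=' line."""
    tunnels = []
    for line in text.splitlines():
        if line.startswith("name="):
            tunnels.append({})
            m = ENDPOINTS.search(line)
            if m:
                tunnels[-1]["local"], tunnels[-1]["remote"] = m.group(1), m.group(2)
        if tunnels and not line.startswith(("dec:", "enc:", "ah=")):  # never keep SA keys
            tunnels[-1].update(KV.findall(line))
    return tunnels

def shortcuts(tunnels):
    """ADVPN shortcuts are dynamic child tunnels: parent= is set and mode is dial_inst."""
    return [t for t in tunnels if "parent" in t and t.get("mode") == "dial_inst"]

def check_spoke(text, hub_gw6, peer_gw6):
    """Return (hub_tunnel_up, shortcut_to_peer): the static tunnel to the hub must exist and
    have received packets, and a dial_inst tunnel to the other spoke proves the shortcut formed."""
    tunnels = parse_tunnels(text)
    hub = [t for t in tunnels if t.get("remote") == hub_gw6 and "parent" not in t]
    hub_up = bool(hub) and int(hub[0].get("rxp", 0)) > 0
    direct = [t for t in shortcuts(tunnels) if t.get("remote") == peer_gw6]
    return hub_up, bool(direct)

KEY_RE = re.compile(r"(key=\d+ )[0-9a-f]+")
def redact_keys(text):
    """The raw output carries live ESP/AH key material; remove it before pasting into a ticket."""
    return KEY_RE.sub(r"\1<redacted>", text)
```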