FortiGate
Gab_FTNT
Staff
Article Id 275223
Description

This article describes how to configure Dialup IPsec remote access with a dual-stack IPv4 and IPv6 configuration.

It is intended to assist in setting up a Dialup tunnel that provides remote access over both IPv4 and IPv6 at the same time.

In this example FortiOS 7.2.5 and FortiClient 7.0.9 are used.

Scope
FortiGate.
Solution

Diagram: (network diagram image not reproduced here)

To enable IPv6 connectivity on the FortiGate, enable the built-in IPv6 feature: go to System -> Feature Visibility, enable IPv6 and apply the change.
Configuration of the Dialup Tunnel using IPv4.
If a tunnel using IPv4 is already configured, skip to the IPv6 part below.

  1. Go to VPN -> IPsec Tunnels -> Create New IPsec Tunnel.

Note that the creation wizard only serves as a starting template for the IPv4 part of the configuration.
Enter the tunnel name and select Remote Access.

  2. Select the Incoming Interface, create a pre-shared key, and select the User Group.

  3. Select the local IPv4 interface and the Local Address, which can be ALL or an address object specifying the subnet of the local interface.
The Client Address Range is the range of IPv4 addresses users receive when connecting to the tunnel.

  4. The Client Options part contains optional preference settings.

  5. FortiGate automatically creates the tunnel and the firewall policies.
Review the settings, then hit Create.
Configuration of the Dialup Tunnel using IPv6.

  1. Go to VPN -> IPsec Tunnels -> Edit the tunnel and convert it to Custom.

  2. Under the Network tab, select Edit and add the IPv6 address range under IPv6 mode config. This determines the range of IPv6 addresses users receive when connecting to the tunnel. In this example the range 2001:db8::1-2001:db8::10 with a prefix length of 128 is used.

  3. The Authentication part can be kept as it is or changed based on preference.

  4. In the Phase 1 Proposal only one DH group is selected, since aggressive mode is used.

  5. The XAUTH part has already been configured by the wizard.

  6. For the Phase 2 Selectors, the encryption and DH group have been changed based on preference.
After reviewing the tunnel configuration, make sure to save the settings at the bottom of the page.

  7. To achieve IPv6 connectivity, add another Phase 2 for IPv6.

Open the CLI and edit the tunnel using the following commands, where Dialup_DualStck is the name of the tunnel created above and phase2_ipv6 is the name of the new Phase 2:

config vpn ipsec phase2-interface
    edit phase2_ipv6
        # Attach the new Phase 2 to the existing dialup tunnel
        set phase1name Dialup_DualStck
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20
        # Use IPv6 selectors (the defaults are ::/0 on both sides)
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

  8. Go to VPN -> IPsec Tunnels -> Edit the tunnel and make sure two Phase 2 Selectors (one IPv4, one IPv6) are now shown in the GUI.


Configuration of the FortiClient side.

  1. Edit the FortiClient XML file to enable IPv6. To do so, follow this Community Article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Not-receiving-an-IPv6-address-from-Dialup-...

  2. Configure the FortiClient VPN connection.

Review the configuration and make sure it matches the FortiGate side.
FortiClient should now connect successfully to the FortiGate using dual stack.

  3. To reach an IPv6 subnet on the FortiGate side, a firewall policy is needed. Go to Policy & Objects -> Firewall Policy and create a new policy.
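For reference, the complete FortiGate-side configuration built in the steps above (Phase 1 with IPv4 and IPv6 mode config, both Phase 2 selectors, and the IPv6 firewall policy from this step) expressed as FortiOS CLI. This is an added example, not the article's or Fortinet's own configuration: port1 as incoming interface, port2 as LAN interface, the VPN_Users group, the IPv4 pool 10.10.10.1-10.10.10.10 and the pre-shared key placeholder are assumptions, while the tunnel name, the IPv6 pool and the IPv6 Phase 2 settings come from the article. Note that IKE itself still runs over IPv4 (ip-version 4); the IPv6 addresses are handed to clients by mode config inside the tunnel.

```fortios
# Added example (not the article's own config). Assumed: port1 = incoming interface,
# port2 = LAN interface, "VPN_Users" = user group, 10.10.10.1-10.10.10.10 = IPv4 pool,
# REPLACE_WITH_PSK = placeholder PSK. Tunnel name, IPv6 pool and DH 20 are from the article.
config vpn ipsec phase1-interface
    edit "Dialup_DualStck"
        set type dynamic
        set interface "port1"
        set ip-version 4
        set mode aggressive
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv6-start-ip 2001:db8::1
        set ipv6-end-ip 2001:db8::10
        set ipv6-prefix 128
        set psksecret REPLACE_WITH_PSK
    next
end
# IPv4 phase 2 (as created by the wizard) plus the separate IPv6 phase 2
config vpn ipsec phase2-interface
    edit "Dialup_DualStck"
        set phase1name "Dialup_DualStck"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 14
    next
    edit "phase2_ipv6"
        set phase1name "Dialup_DualStck"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
# IPv6 policy allowing dialup clients to reach the internal IPv6 subnet
config firewall policy
    edit 0
        set name "Dialup_IPv6_to_LAN"
        set srcintf "Dialup_DualStck"
        set dstintf "port2"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Restrict srcaddr6/dstaddr6 to the mode-config pool and the actual internal IPv6 subnet in production instead of "all".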

 


 

Verification:

  1. Verify connectivity by pinging an IPv6 address that resides on the FortiGate side.

  2. Verify connectivity by pinging an IPv4 address that resides on the FortiGate side.

If any problem occurs, feel free to contact Fortinet Support:

https://support.fortinet.com/welcome/#/
