FortiGate
epinheiro (Staff)
Article Id 348609
Description

This article describes why, when SSL VPN is configured to run in dual-stack mode, IPv6 objects must also be applied to every object that involves the SSL VPN interface, such as the SSL VPN firewall policies and the SSL VPN portal. If the portal has no IPv6 tunnel defined, clients authenticate but are disconnected immediately afterwards.

 

For firewall policies, FortiGate warns immediately about the missing configuration if an IPv6 object is not present for the source and destination addresses:

[Image: SSLVPN - NoIPV6.jpg]

 

Once IPv6 source and destination objects are added, the policy is created successfully:

 

[Image: IPv6 policy.jpg]

 

When connecting to the VPN, the following symptom may then occur:

  • The user authenticates to the SSL VPN successfully, but the client disconnects abruptly after a few seconds.
Scope

FortiGate, FortiClient, dual-stack SSL VPN.
Solution

To run the SSL VPN debug, filtered on the client's public IP address so that other sessions do not clutter the output:

diagnose debug enable
diagnose vpn ssl debug-filter src-addr4 <Source_Public_IP>
diagnose debug application sslvpn -1

 

Reproduce the disconnect from the client while the debug is running. In the debug output, messages similar to the following appear: the portal (here 'full-access') has no IPv6 tunnel defined, so the tunnel setup fails and the server tells the client the tunnel could not be established:

"[1189:root:36]sslvpn_prepare_tun_link:1336 portal full-access does not have IPv6 tunnel defined."
"[1189:root:36]sslvpn_send_ctrl_msg:1266 0x7fddda23c200 message: svrhello-tun fail <Public_IP>"

 

Currently, FortiGate does not warn in the GUI that no IPv6 tunnel or IPv6 address pool has been configured on the SSL VPN portal, even when creating a new portal, so in dual-stack mode this misconfiguration only becomes visible in the debug output above.

 

First enable the IPv6 feature in the GUI (System > Feature Visibility), which exposes the IPv6 options on the portal:

 

[Image: Enable Ipv6.jpg]

 

[Image: Feature IPv6.jpg]

 

Then enable IPv6 tunnel mode on the SSL VPN portal and assign it an IPv6 address pool:

 

[Image: Enable Ipv6 Portal.jpg]
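The same fix from the CLI, as an added example that is not part of the original article. It walks the dual-stack configuration end to end (IPv6 feature visibility, the SSL VPN settings, the portal, the policy) and finishes with the debug check that confirms the tunnel now comes up. The portal name 'full-access' and the debug lines are taken from the article; the pool names, interface names, policy ID and user group are assumptions and must be replaced with the values in use.

```fortios
# Added example; names marked (assumed) are not from the original article.

# 1. Expose the IPv6 options in the GUI.
config system global
    set gui-ipv6 enable
end

# 2. SSL VPN itself must be dual-stack and hand out IPv6 addresses.
config vpn ssl settings
    set dual-stack-mode enable
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"            # (assumed) IPv4 pool
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"     # (assumed) IPv6 pool
end

# 3. The portal must define an IPv6 tunnel, otherwise sslvpn_prepare_tun_link
#    logs "portal full-access does not have IPv6 tunnel defined" and the
#    client is dropped right after authentication.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-tunnel-mode enable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

# 4. The SSL VPN firewall policy needs both address families, as the GUI
#    already enforces.
config firewall policy
    edit 10                                              # (assumed) policy ID
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"                              # (assumed) LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set srcaddr6 "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"                        # (assumed) user group
    next
end

# 5. Verify: reconnect the client while the debug runs. The
#    "svrhello-tun fail" line must no longer appear.
diagnose debug enable
diagnose vpn ssl debug-filter src-addr4 <Source_Public_IP>
diagnose debug application sslvpn -1
# ... connect from FortiClient ...
diagnose debug disable
diagnose debug reset

# Active sessions and the addresses assigned to the tunnel:
diagnose vpn ssl list
```

Always stop the debug with `diagnose debug disable` and clear the filter with `diagnose debug reset` once done; a debug level of -1 left running on a busy SSL VPN can be noisy and costly on the CPU.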

 

Finally, reconnect with FortiClient and confirm that the SSL VPN tunnel stays connected:

 

[Image: VPN Connected.jpg]