I have a working remote access VPN that I created using the VPN iOS wizard on the FortiGate 60E version 6.4.
I am trying to add IPv6 support.
The Fortinet is behind a dual-stack Comcast Business connection and has a working IPv6 prefix delegation setup on it. It gets a /56 subnet from Comcast.
Here are the current phase1/phase2 configs:

config vpn ipsec phase1-interface
    edit "RA-iOS"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.223.1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "DOMAINNAME"
        set localid-type fqdn
        set comments "VPN: RA-iOS [Created by VPN wizard]"
        set dhgrp 14 5 2
        set cert-id-validation disable
        set certificate "1176_2021_req"
        set ipv4-start-ip 192.168.222.33
        set ipv4-end-ip 192.168.222.38
        set ipv4-netmask 255.255.255.248
    next
end

config vpn ipsec phase2-interface
    edit "RA-iOS"
        set phase1name "RA-iOS"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: RA-iOS [Created by VPN wizard]"
    next
end
I tried adding ipv6-start-ip and ipv6-end-ip using the delegated prefix and host bits of ::200 - ::299. This lets connected devices receive an IPv6 address, but they report no valid IPv6 route. The devices I have tested are an iPhone 8 and a 2015 MacBook Pro, both with the latest updates, and both using the built-in IPsec VPN clients.
What is the recommended way to do this? I have found no documentation on this kind of scenario anywhere.
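As an added illustration (not from the original post or from Fortinet documentation) of the three pieces a mode-cfg IPv6 pool on a FortiOS 6.4 phase1-interface normally goes together with: the pool itself, a static IPv6 route for the pool via the tunnel interface, and an IPv6-aware firewall policy. The prefix 2001:db8:abcd:1::/64 is a placeholder standing in for one /64 out of the delegated /56, and the inside interface name "internal" and policy ID are assumed.

```fortios
# Phase 1: IPv6 mode-cfg pool handed to the built-in iOS/macOS clients.
# ipv6-prefix controls the prefix length the client installs with the
# assigned address; ipv6-split-include scopes which IPv6 destinations
# are sent into the tunnel (omit it for full-tunnel IPv6).
config vpn ipsec phase1-interface
    edit "RA-iOS"
        set ipv6-start-ip 2001:db8:abcd:1::200
        set ipv6-end-ip 2001:db8:abcd:1::299
        set ipv6-prefix 64
        set ipv6-dns-server1 2001:db8:abcd:1::1
    next
end

# Address object covering the client pool, used by policy and route.
config firewall address6
    edit "RA-iOS-pool6"
        set ip6 2001:db8:abcd:1::/64
    next
end

# Return traffic to assigned client addresses must point at the tunnel
# interface, otherwise the FortiGate has no route back to the clients.
config router static6
    edit 0
        set dst 2001:db8:abcd:1::/64
        set device "RA-iOS"
    next
end

# Policy permitting client IPv6 traffic from the tunnel to the LAN.
config firewall policy
    edit 0
        set name "RA-iOS-v6-in"
        set srcintf "RA-iOS"
        set dstintf "internal"
        set srcaddr6 "RA-iOS-pool6"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Check what the client actually installed with `ifconfig` / `netstat -rn -f inet6` on macOS after the tunnel is up; the pool and the route on the FortiGate side can be confirmed with `diagnose vpn ike gateway list` and `get router info6 routing-table`.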