train_wreck

Adding IPv6 to IPsec remote-access VPN

I have a working remote access VPN that I created using the VPN iOS wizard on the FortiGate 60E version 6.4.

I am trying to add IPv6 support.

The Fortinet is behind a dual-stack Comcast Business connection and has a working IPv6 prefix delegation setup on it. It gets a /56 subnet from Comcast.

Here are the current phase1/phase2 configs:

config vpn ipsec phase1-interface
    edit "RA-iOS"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.223.1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "DOMAINNAME"
        set localid-type fqdn
        set comments "VPN: RA-iOS [Created by VPN wizard]"
        set dhgrp 14 5 2
        set cert-id-validation disable
        set certificate "1176_2021_req"
        set ipv4-start-ip 192.168.222.33
        set ipv4-end-ip 192.168.222.38
        set ipv4-netmask 255.255.255.248
    next
end

config vpn ipsec phase2-interface
    edit "RA-iOS"
        set phase1name "RA-iOS"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: RA-iOS [Created by VPN wizard]"
    next
end

I tried adding ipv6-start-ip and ipv6-end-ip using the delegated prefix and host bits of ::200 - ::299. This lets connected devices receive an IPv6 address, but they report no valid IPv6 route. The devices I have tested are an iPhone 8 and a 2015 MacBook Pro, both with the latest updates, and both using the built-in VPN IPsec clients.

What is the recommended way to do this? I have found no documentation on this kind of scenario anywhere.

best-username

This is a two-year-old question about what should be a very basic feature. I have also not been able to find documentation on how to accomplish a **FUNCTIONING** dual stack IPsec VPN elsewhere. Does anyone at Fortinet know how to do this?? This is embarrassing.
