train_wreck
New Contributor III

Adding IPv6 to IPsec remote-access VPN

I have a working remote access VPN that I created using the VPN iOS wizard on the FortiGate 60E version 6.4.

I am trying to add IPv6 support.

The Fortinet is behind a dual-stack Comcast Business connection and has a working IPv6 prefix delegation setup on it. It gets a /56 subnet from Comcast.

Here are the current phase1/phase2 configs:

config vpn ipsec phase1-interface
    edit "RA-iOS"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.223.1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "DOMAINNAME"
        set localid-type fqdn
        set comments "VPN: RA-iOS [Created by VPN wizard]"
        set dhgrp 14 5 2
        set cert-id-validation disable
        set certificate "1176_2021_req"
        set ipv4-start-ip 192.168.222.33
        set ipv4-end-ip 192.168.222.38
        set ipv4-netmask 255.255.255.248
    next
end

config vpn ipsec phase2-interface
    edit "RA-iOS"
        set phase1name "RA-iOS"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: RA-iOS [Created by VPN wizard]"
    next
end

I tried adding ipv6-start-ip and ipv6-end-ip using the delegated prefix and host bits of ::200 - ::299. This lets connected devices receive an IPv6 address, but they report no valid IPv6 route. The devices I have tested are an iPhone 8 and a 2015 MacBook Pro, both with the latest updates, and both using the built-in IPsec VPN clients.

What is the recommended way to do this? I have found no documentation on this kind of scenario anywhere.

best-username
New Contributor

This is a two-year-old question about what should be a very basic feature. I have also not been able to find documentation on how to accomplish a **FUNCTIONING** dual-stack IPsec VPN elsewhere. Does anyone at Fortinet know how to do this?? This is embarrassing.
