
Adding IPv6 to IPsec remote-access VPN

I have a working remote access VPN that I created using the VPN iOS wizard on the FortiGate 60E version 6.4.


I am trying to add IPv6 support.


The Fortinet is behind a dual-stack Comcast Business connection and has a working IPv6 prefix delegation setup on it. It gets a /56 subnet from Comcast.


Here are the current phase1/phase2 configs:


config vpn ipsec phase1-interface
    edit "RA-iOS"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "DOMAINNAME"
        set localid-type fqdn
        set comments "VPN: RA-iOS [Created by VPN wizard]"
        set dhgrp 14 5 2
        set cert-id-validation disable
        set certificate "1176_2021_req"
        set ipv4-start-ip
        set ipv4-end-ip
        set ipv4-netmask

config vpn ipsec phase2-interface
    edit "RA-iOS"
        set phase1name "RA-iOS"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: RA-iOS [Created by VPN wizard]"


I tried adding ipv6-start-ip and ipv6-end-ip using the delegated prefix and host bits of ::200 - ::299. This lets connected devices receive an IPv6 address, but they report no valid IPv6 route. The devices I have tested are an iPhone 8 and a 2015 MacBook Pro, both with the latest updates, and both using the built-in VPN IPsec clients.


What is the recommended way to do this? I have found no documentation on this kind of scenario anywhere.