ipranger
Contributor

IPSEC Tunnel Side2Side with IPV6 is not working with an IPV6 Tunnelbroker

Hello, 

I would like to set up an IPv6 side2side. It is available for all interfaces but not for the HE interface. It is not available in the configuration. Is there another way to do IPv6 side2side? (Fortigate 60C Wifi, actually OS)

config vpn ipsec phase1-interface
    edit "vl_3115_VPN"
        set interface "wan1"
        set ip-version 6
        set ike-version 2
        set mode-cfg enable
        set comments "Connection to Corenet"
        set remote-gw6 2001:470:729a:ac1::1
        set mode-cfg-ip-version 6
        set psksecret ENC secret
    next
end

Thanks a lot

Fortigate 60E v7.x (GA)

emnoc
Esteemed Contributor III

When you say side2side, do you mean LAN-2-LAN or SITE-2-SITE? Fortinet has numerous cookbook examples of IPv6 VPNs for lan2lan.

PCNSE NSE StrongSwan
ipranger
Contributor

Hmm, ok... I mean:

A VPN from a local IPv6 network to another network in another town. So I think this is lan2lan? What are the differences between lan2lan and side2side? Is this not the same?

Best Regards

Fortigate 60E v7.x (GA)

emnoc
Esteemed Contributor III

Never heard of lan2lan called side2side, and I wanted to be 100% sure I understood you.

Okay, you will be surprised to know that configuring IPv6 lan2lan VPNs is no different than IPv4 lan2lan. You will be best served, imho, by using a route-based VPN if you're looking for ease of diagnosis, QoS, packet capturing, etc.

Just define the type as ip6, which you already did under phase1, then define the proposal and PSK, and lastly define the phase2-interface using the earlier defined phase1 name.

e.g.

 

config vpn ipsec phase1-interface
    edit "FGT90-FGTHQ"
        set interface "OUT01"
        set ip-version 6
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw6 2001xxxxxxxxxxxxxxxxxxxxxxxxx
        set psksecret ENC IHRvbzct6k1FSarFl6TAe9E50/+9cEyTkYwyeevSGMavc5+OWtLG/hGG6O3/Q9gGmm0wCLhO2pI5f02c3g95DuwBBYOqtbKYJpEJPWgh/TjEbFP/qcIt3SSVAdi4XROHopBQSZ6YuN/KbgCvfrhFjO8QtXe5G0oZyJGiTm/DbTR3HoideykaoHIrG6aXcbTUJloGUg==
    next
end

config vpn ipsec phase2-interface
    edit "FGT90-FGTHQp2"
        set phase1name "FGT90-FGTHQ"
        set proposal aes128-sha1
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 2600
    next
end

 

The above is an IPv6 IPsec VPN over IPv6. You can also use IPv4 on the end-points. The above works for a Fortigate to Fortigate/Juniper SRX, but with your setup you will probably need to set specific "src-subnet dst-subnet" entries for the local and remote subnets.

And lastly, if you're doing a route-based VPN, you need a config router static6 entry for the remote subnet(s), and lastly your firewall policies for IPv6.

PCNSE NSE StrongSwan
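
The remaining steps from the reply above (phase2 selectors, a static6 route, and IPv6 firewall policies) written out as an added example; it is not part of the original thread. The 2001:db8:: prefixes, the "internal" LAN interface, and the address and policy names are assumptions, as is the unified `config firewall policy` syntax with srcaddr6/dstaddr6 used on recent FortiOS releases.

```fortios
# Added example, not from the thread. Lines starting with "#" are reader
# annotations. Prefixes are constructed placeholders from 2001:db8::/32.
config firewall address6
    edit "local-lan6"
        set ip6 2001:db8:a::/64
    next
    edit "remote-lan6"
        set ip6 2001:db8:b::/64
    next
end

# Phase2 with explicit IPv6 selectors for the local and remote subnets.
config vpn ipsec phase2-interface
    edit "FGT90-FGTHQp2"
        set phase1name "FGT90-FGTHQ"
        set proposal aes128-sha1
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 2600
        set src-addr-type subnet6
        set dst-addr-type subnet6
        set src-subnet6 2001:db8:a::/64
        set dst-subnet6 2001:db8:b::/64
    next
end

# Route-based VPN: send the remote prefix into the tunnel interface.
config router static6
    edit 1
        set dst 2001:db8:b::/64
        set device "FGT90-FGTHQ"
    next
end

# Outbound policy scoped to the two prefixes instead of "all".
# "internal" is an assumed LAN interface name.
config firewall policy
    edit 0
        set name "lan6-to-hq"
        set srcintf "internal"
        set dstintf "FGT90-FGTHQ"
        set srcaddr6 "local-lan6"
        set dstaddr6 "remote-lan6"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A mirrored policy (tunnel interface as source, LAN as destination) is needed for traffic initiated from the remote side, and the remote gateway needs the same selectors with source and destination swapped.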