I want to have an IPv4 over IPv6 dial-up IPsec VPN.
I've enabled the IPv6 feature on the FortiGate, set a default IPv6 route and a public IPv6 address on the WAN interface, which is reachable with a ping from my test machine.
When I enable the FortiClient VPN to the IPv4 address, everything works fine. When I change the IPv4 address to the IPv6 address in the FortiClient, I get the following error in the VPN event log:
Log Description: IPsec phase 1 error
Action: negotiate
Status: negotiate_error
Reason: peer SA proposal not match local policy
I don't have a clue what I've missed.
The dial-up tunnel was originally created with the VPN wizard. The options to customize the tunnel are limited.
Created on 01-05-2022 03:09 PM
Hello MVZLab,
Compared with IPv4 IPsec VPN functionality, there are some limitations:
Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
Redundant IPv6 tunnels are not supported.
To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.
By default IPv6 configurations do not appear in the GUI. You need to enable the feature first.
To enable IPv6:
1. Go to System > Features.
2. Select IPv6 and click Apply.
Let me know if this helps.
Hello Mohit_S,
thanks for your reply, but it doesn't help me.
I've tried to replace the public IPv4 address with the public IPv6 address in the FortiClient. I already have some IPv4 policies on the FortiGate, which already work. Here are my settings:
FW01 # show vpn ipsec phase1-interface User-VPN
config vpn ipsec phase1-interface
    edit "User-VPN"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 10.0.x.x
        set ipv4-dns-server2 10.0.x.x
        set ipv4-dns-server3 10.0.x.x
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set comments "VPN: User-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN-User"
        set net-device enable
        set ipv4-start-ip 10.0.x.x
        set ipv4-end-ip 10.0.x.x
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "AG_VPN_VPN-User Freigabe"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret xxx
    next
end

FW01 # show vpn ipsec phase2-interface User-VPN
config vpn ipsec phase2-interface
    edit "User-VPN"
        set phase1name "User-VPN"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: User-VPN (Created by VPN wizard)"
    next
end

FW01 # show system interface User-VPN
config system interface
    edit "User-VPN"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type tunnel
        set scan-botnet-connections block
        set remote-ip 169.254.1.1 255.255.255.255
        set fortiheartbeat enable
        set snmp-index 55
        config ipv6
            set ip6-address fe80::7645:6de2:ff:1/128
        end
        set interface "port1"
    next
end

So I want the FortiClient, which has an IPv6 address, to establish a VPN to our public IPv6 address in order to reach our internal IPv4 network.
I thought it is enough to replace the IPv4 address with an IPv6 address in the FortiClient, but maybe that's the problem?
Created on 11-15-2022 10:58 AM Edited on 11-15-2022 11:04 AM
Hi MVZLAB,
as this is a dynamic tunnel which uses IPv6 between the gateways, I recommend enabling ip-version 6 in the phase1-interface configuration. With this the tunnel actually knows that it is running over IPv6 instead of IPv4 (the default).
Hope this helps.
Best Regards
Nils
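As an added illustration of the change Nils describes (this block is not part of any post in the thread and is not Fortinet's own documentation), here is the phase1-interface from the question with ip-version set to 6, followed by the CLI commands used to confirm that the gateway now listens on the IPv6 address of port1. The tunnel and interface names are taken from the thread; the DNS servers, address pool and pre-shared key are placeholders as in the original post, and the exact output format of the diagnose commands varies by FortiOS version.

```fortios
# Added example: same dial-up tunnel as in the thread, bound to the IPv6
# address of port1 via ip-version 6. Placeholders (10.0.x.x, xxx) are the
# same ones the poster used; replace them with real values.
config vpn ipsec phase1-interface
    edit "User-VPN"
        set type dynamic
        set interface "port1"
        set ip-version 6
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 10.0.x.x
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set xauthtype auto
        set authusrgrp "VPN-User"
        set net-device enable
        set ipv4-start-ip 10.0.x.x
        set ipv4-end-ip 10.0.x.x
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "AG_VPN_VPN-User Freigabe"
        set psksecret xxx
    next
end

# Check 1: the dial-up gateway should now report the IPv6 address of port1
# as its local gateway instead of the IPv4 one.
diagnose vpn ike gateway list

# Check 2: watch the IKE negotiation while the FortiClient connects to the
# IPv6 address; the "peer SA proposal not match local policy" message should
# no longer appear once phase 1 is bound to IPv6.
diagnose debug application ike -1
diagnose debug enable
# ... connect from the client, then stop debugging:
diagnose debug disable
diagnose debug reset
```

Because the traffic inside the tunnel remains IPv4 (the client receives an address from ipv4-start-ip/ipv4-end-ip and split-include is an IPv4 address object), the existing IPv4 firewall policies between User-VPN and the internal interfaces continue to apply; only the outer IKE/ESP transport moves to IPv6. Two things in the posted configuration are worth tightening while the tunnel is being touched: the 3des-sha1 and 3des-sha256 entries in the proposal lists add nothing that a current FortiClient needs, and aggressive mode with a pre-shared key and peertype any lets any host that reaches the IPv6 address collect the PSK-derived hash for offline guessing, so the PSK should be long and random, and certificate or main-mode authentication preferred where the clients support it.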