Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MVZLab
New Contributor

IPv4 over IPv6 DialUP-IPSEC VPN

I want to have an IPv4 over IPv6 dial-up IPsec VPN.

I've enabled the IPv6 feature on the FortiGate, set a default IPv6 route and a public IPv6 address on the WAN interface, which is reachable with a ping from my test machine.

When I enable the FortiClient VPN to the IPv4 address everything works fine. When I change the IPv4 address to the IPv6 address in the FortiClient I get the following error in the VPN event log:

Log Description: IPsec phase 1 error
Action: negotiate
Status: negotiate_error
Reason: peer SA proposal not match local policy

I don't have a clue what I've missed.

The dial-up tunnel was originally created with the VPN wizard. The options to customize the tunnel are limited.

Anonymous
Not applicable

Hello MVZLab,

Compared with IPv4 IPsec VPN functionality, there are some limitations:

Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
Redundant IPv6 tunnels are not supported.

To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network's port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.

By default IPv6 configurations do not appear in the GUI. You need to enable the feature first.
To enable IPv6:
1. Go to System > Features.
2. Select IPv6 and click Apply.

Let me know if this helps.

MVZLab

Hello Mohit_S,

Thanks for your reply, but it doesn't help me.

I've tried to replace the public IPv4 address with the public IPv6 address on the FortiClient. I already have some IPv4 policies on the FortiGate, which already work. Here are my settings:

FW01 # show vpn ipsec phase1-interface User-VPN
config vpn ipsec phase1-interface
edit "User-VPN"
set type dynamic
set interface "port1"
set mode aggressive
set peertype any
set mode-cfg enable
set ipv4-dns-server1 10.0.x.x
set ipv4-dns-server2 10.0.x.x
set ipv4-dns-server3 10.0.x.x
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set comments "VPN: User-VPN (Created by VPN wizard)"
set wizard-type dialup-forticlient
set xauthtype auto
set authusrgrp "VPN-User"
set net-device enable
set ipv4-start-ip 10.0.x.x
set ipv4-end-ip 10.0.x.x
set ipv4-netmask 255.255.255.0
set ipv4-split-include "AG_VPN_VPN-User Freigabe"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret xxx
next
end

FW01 # show vpn ipsec phase2-interface User-VPN
config vpn ipsec phase2-interface
edit "User-VPN"
set phase1name "User-VPN"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set comments "VPN: User-VPN (Created by VPN wizard)"
next
end

FW01 # show system interface User-VPN
config system interface
edit "User-VPN"
set vdom "root"
set ip 169.254.1.1 255.255.255.255
set type tunnel
set scan-botnet-connections block
set remote-ip 169.254.1.1 255.255.255.255
set fortiheartbeat enable
set snmp-index 55
config ipv6
set ip6-address fe80::7645:6de2:ff:1/128
end
set interface "port1"
next
end

So I want the FortiClient, which has an IPv6 address, to establish a VPN to our public IPv6 address and connect to our internal IPv4 network.

I thought it is enough to replace the IPv4 address with an IPv6 address in the FortiClient, but maybe that's the problem?

nilmoe
New Contributor II

Hi MVZLab,

As this is a dynamic tunnel which uses IPv6 between gateways, I recommend enabling ip-version 6 in the phase1-interface configuration. With this the tunnel actually knows that it is running over IPv6 instead of IPv4 (the default).

Hope this helps.

Best Regards

Nils
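As an added illustration (not configuration from the thread or from Fortinet documentation), this is what the phase1-interface posted above looks like with the setting Nils recommends applied. The tunnel name, interface, proposals, user group and the redacted 10.0.x.x addresses are copied from the poster's own output and are placeholders here; the only functional change is the added `set ip-version 6` line, which makes the FortiGate listen for IKE and carry ESP over IPv6 on port1, while mode-cfg keeps handing each client an IPv4 address from the pool, which is what makes the tunnel IPv4 over IPv6.

```text
config vpn ipsec phase1-interface
    edit "User-VPN"
        set type dynamic
        set interface "port1"
        # added line: negotiate IKE and carry ESP over IPv6 on port1 (default is 4)
        set ip-version 6
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 10.0.x.x
        set ipv4-dns-server2 10.0.x.x
        set ipv4-dns-server3 10.0.x.x
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set comments "VPN: User-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN-User"
        set net-device enable
        # the IPv4 client pool is unchanged: clients still get IPv4 addresses inside the IPv6 tunnel
        set ipv4-start-ip 10.0.x.x
        set ipv4-end-ip 10.0.x.x
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "AG_VPN_VPN-User Freigabe"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret xxx
    next
end
```

Because the phase 2 selectors stay IPv4 (the posted phase2-interface uses the defaults), the existing IPv4 firewall policies on the User-VPN interface keep working, which matches the first reply's note that IPv6 policies are only needed when the VPN is not IPv4 over IPv6. To confirm the change took effect, `diagnose vpn ike gateway list` should show the FortiClient's IPv6 address as the remote gateway once it connects; if the "peer SA proposal not match local policy" error persists, `diagnose debug application ike -1` followed by `diagnose debug enable` prints the proposals offered by the client next to those configured on the FortiGate, so the mismatch can be compared against the `set proposal` line.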
