Compared with IPv4 IPsec VPN functionality, there are some limitations:
- Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
- Selectors cannot be firewall address names; only IP addresses, address ranges and subnets are supported.
- Redundant IPv6 tunnels are not supported.
To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.
By default, IPv6 configuration options do not appear in the GUI; you need to enable the feature first. To enable IPv6:
1. Go to System > Features.
2. Select IPv6 and click Apply.
FW01 # show vpn ipsec phase1-interface User-VPN
config vpn ipsec phase1-interface
    edit "User-VPN"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 10.0.x.x
        set ipv4-dns-server2 10.0.x.x
        set ipv4-dns-server3 10.0.x.x
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set comments "VPN: User-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN-User"
        set net-device enable
        set ipv4-start-ip 10.0.x.x
        set ipv4-end-ip 10.0.x.x
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "AG_VPN_VPN-User Freigabe"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret xxx
    next
end

FW01 # show vpn ipsec phase2-interface User-VPN
config vpn ipsec phase2-interface
    edit "User-VPN"
        set phase1name "User-VPN"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: User-VPN (Created by VPN wizard)"
    next
end

FW01 # show system interface User-VPN
config system interface
    edit "User-VPN"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type tunnel
        set scan-botnet-connections block
        set remote-ip 169.254.1.1 255.255.255.255
        set fortiheartbeat enable
        set snmp-index 55
        config ipv6
            set ip6-address fe80::7645:6de2:ff:1/128
        end
        set interface "port1"
    next
end
So I want the FortiClient, which has an IPv6 address, to establish a VPN to our public IPv6 address in order to connect to our internal IPv4 network.
I thought it would be enough to replace the IPv4 address with an IPv6 address in the FortiClient, but maybe that's the problem?
As this is a dynamic tunnel which uses IPv6 between gateways, I recommend enabling ip-version 6 in the phase1-interface configuration. With this, the tunnel actually knows that it is running over IPv6 instead of IPv4 (the default).
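As an added example (not Fortinet code and not part of either post), the following Python script parses a `show vpn ipsec phase1-interface` dump in the format quoted above and flags the mismatch the reply describes: a dial-up (`set type dynamic`) tunnel whose peers arrive over IPv6 but whose phase1 lacks `set ip-version 6` (FortiOS omits default values from `show` output, so a missing key means the default of 4). It also reports any 3DES proposals, since the wizard-generated proposal list still offers them. The configuration embedded in the script is a constructed, shortened copy of the poster's phase1 block, placeholders kept as-is; `parse_phase1` and `audit_phase1` are names chosen for this example.

```python
"""Audit a FortiOS phase1-interface dump for the IPv4/IPv6 mismatch
discussed in this thread. Added example; not FortiOS or Fortinet code."""

import re

# Constructed sample: a shortened copy of the poster's dump, reflowed onto
# one statement per line as FortiOS itself prints it.
SAMPLE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "User-VPN"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN-User"
        set psksecret xxx
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"?(.+?)"?\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')
_CLOSE = re.compile(r'^\s*(next|end)\s*$')


def parse_phase1(text):
    """Return {tunnel_name: {key: value}} from a phase1-interface block.

    Only the flat ``edit ... set ... next`` structure of phase1-interface is
    handled; nested ``config`` sub-blocks (as in ``system interface``) are
    out of scope for this check. Quoted values have their quotes removed.
    """
    tunnels = {}
    current = None
    for line in text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if _CLOSE.match(line):
            current = None
            continue
        m = _SET.match(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def audit_phase1(tunnels, ipv6_peers=True):
    """Return a list of (tunnel_name, finding) tuples.

    ipv6_peers: True when dial-up clients reach the gateway over IPv6, which
    is the scenario in the thread. A missing ``ip-version`` key means the
    FortiOS default of 4, because ``show`` prints only non-default values.
    """
    findings = []
    for name, cfg in tunnels.items():
        if cfg.get("type") == "dynamic":
            ip_version = cfg.get("ip-version", "4")  # absent key == default 4
            if ipv6_peers and ip_version != "6":
                findings.append(
                    (name, "dial-up tunnel for IPv6 peers lacks 'set ip-version 6'"))
        weak = [p for p in cfg.get("proposal", "").split() if p.startswith("3des-")]
        if weak:
            findings.append((name, "legacy 3DES proposals offered: " + " ".join(weak)))
    return findings


if __name__ == "__main__":
    for tunnel, finding in audit_phase1(parse_phase1(SAMPLE_PHASE1)):
        print(f"{tunnel}: {finding}")
```

Run against a real dump by replacing `SAMPLE_PHASE1` with the output of `show vpn ipsec phase1-interface`; after adding `set ip-version 6` to the tunnel, the first finding disappears and only the proposal note remains.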