Possible to do site-to-site VPN for IPv4 & IPv6 with only IPv4 service in between?
Hi all, I'm wanting to give a remote site IPv6 service by way of VPN since the local ISP sucks. I have a pre-existing IPv4 site-to-site (FortiGate to FortiGate) VPN defined with the 0.0.0.0/0 phase 2 selectors so the firewalls can do their thing themselves. I was hoping perhaps I could set up a second tunnel for IPv6 packets by defining the same remote IPv4 destination on the remote side, a different key and a different local ID so the target could tell the tunnels apart, but I'm getting a "-34: Duplicate remote gateway" error when trying to add it.
Is there a way around this issue? I could easily add a second IP address on one side, but not the v4-only side.
Thanks
Hi There!!
According to this: http://docs.fortinet.com/uploaded/files/1086/fortigate-ipsec-vpn-50.pdf (Page 173)
"...IPv6 over IPv4: The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors..."
I never tried it, but I think if you add a phase 2 selector like this it may work (of course, you have to set addresses, routes and policies too):
```
# Second phase 2 on the existing phase 1 "tunnel6", with IPv6 selectors.
# The default selectors for subnet6 types are ::/0 on both sides.
config vpn ipsec phase2-interface
    edit "tunnel6_p2"
        set phase1name "tunnel6"
        # 3des-md5 is a legacy proposal; a current deployment would use a
        # stronger one such as aes256-sha256 on both peers
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
```
On page 183 of the same doc you have an example :)
Hope it helps!
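Putting the answer above together as a complete FortiOS CLI example (added here; this is not from the original post or from Fortinet's documentation): one phase 1 carrying an IPv4 and an IPv6 phase 2 side by side, plus the IPv6 route and firewall policy the answer says you still need. The interface names, the 203.0.113.2 peer address, the 2001:db8:1::/48 remote prefix, the proposal choice and the 5.x-era `router static6` / `firewall policy6` tables are assumptions.

```fortios
# Assumed names and addresses throughout; replace with your own.
# Existing phase 1: one IKE gateway shared by both phase 2 selectors.
config vpn ipsec phase1-interface
    edit "tunnel6"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    # Pre-existing IPv4 phase 2 with the 0.0.0.0/0 selectors from the question.
    edit "tunnel6_p2_v4"
        set phase1name "tunnel6"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0/0.0.0.0
        set dst-subnet 0.0.0.0/0.0.0.0
    next
    # New IPv6 phase 2 on the SAME phase 1; no second gateway is needed,
    # which is what avoids the "-34: Duplicate remote gateway" error.
    edit "tunnel6_p2_v6"
        set phase1name "tunnel6"
        set proposal aes256-sha256
        set src-addr-type subnet6
        set dst-addr-type subnet6
        set src-subnet6 ::/0
        set dst-subnet6 ::/0
    next
end
# Send the remote site's IPv6 prefix into the tunnel interface.
config router static6
    edit 1
        set dst 2001:db8:1::/48
        set device "tunnel6"
    next
end
# IPv6 policy from the LAN into the tunnel; a mirror-image policy from
# "tunnel6" to "internal" is needed for return/inbound traffic, and
# "all"/"ALL" should be narrowed to the prefixes and services actually required.
config firewall policy6
    edit 1
        set name "lan-to-remote-v6"
        set srcintf "internal"
        set dstintf "tunnel6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

On FortiOS 6.4 and later, IPv6 policies live in `config firewall policy` rather than a separate `policy6` table, so adjust that block for the running version.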
Thanks so much; your tip got me to a working config. I didn't realize you could have an IPv4 and an IPv6 phase 2 side by side on the same phase 1. I simply added a new phase 2 and everything began working. I was trying to add a duplicate phase 1 with different settings previously.