Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ipv6 slaac
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ipv6 slaac
Hi
I am having issues getting slaac to work on a fortigate 60C
I have my wan interface set with a static address. I have no issues pinging services through ipv6 from the fortigate unit itself.
But it will not autoconfigure the units connected to the internal interface.
set ip6-allowaccess ping https ssh
set ip6-address 2001:000:000:1::1/64
set ip6-send-adv enable
set autoconf enable
Is the config for the internal side of it.
Then I have.
set ip6-allowaccess ping https ssh
set ip6-address 2001:000:000::2/64
set ip6-send-adv enable
set autoconf enable
For the wan interface.
with at default GW 2001:000:000::1/64
Any help would be greatly appreciated.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You config is missing a lot. Follow my blog on autconf function and ipv6 on FGT
http://socpuppet.blogspot.com/2012/12/ipv6-fortigate-style.html
But you need to assign the prefix for starter.
This one area most missed by fortigate configuration. Unlike cisco, it' s done automatically when you enable ipv6 on a interface.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
I have tried to change the config for the internal side so it matches your post.
config ipv6
set ip6-allowaccess ping https ssh
set ip6-address 2001:000:000:1::1/64
set ip6-send-adv enable
set autoconf enable
config ip6-prefix-list
edit 2001:000:000::/64
set autonomous-flag enable
set preferred-life-time 600
set valid-life-time 600
next
end
Still on the cisco in front i only see the fortigate itself, ant that registers as stale.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need something like this;
config ipv6
set ip6-address 2001:000:000:1::1/64
set ip6-allowaccess ping https ssh snmp
config ip6-prefix-list
edit 2001:000:000:1::/64
set autonomous-flag enable
set preferred-life-time 600
set valid-life-time 600
next
end
set ip6-retrans-time 4000
set ip6-send-adv enable
end
next
Does the cisco have ipv6 enable and auto for the address?
Does it have layer-2 connectivity to FGT ( temp assign it a static of eui64 address and test with a ipv6 ping ) ?
Does a host attached to a FGT pickup a stateless assign address ( MACOSX/LINUX/WINDOW/OpenBSD/etc.....)?
What does your debug output show if anything other than cisco get' s address?
If nothing get' s an address, once again start diagnostic and packet captures?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There I got it working.
I used the config i had on the internal side.
But on the cisco in front I put up an ipv6 linknet, on the vlan to the fortigate.
So i assigned on the cisco side.
2001:0:0:0::1/64
Then on the fortigate
2001:0:0:0::2/64
I then used a static route for the 2001:0:0::/48 to the 2001:0:0:0::2/64
Then everything worked fine. As soon as i changed my fw policy to allow icmp6
this is not technically slaac is it. But it works.
Thank you so much.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems I was a bit quick there. It worked for a while.
Now I am not able to ping from the fortigate to ipv6 sites.
The fortigate replies to ping packets through ipv6 though.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are you trying todo? Do you have a topology drawing of the inside/outside interfaces and where the autconf clients are located at?
Some how & from what your describing tells me , SLAAC is not what you want. SLAAC is trivial and a straight forward configuration
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can try and explain what I am after.
I have a /48 prefix assigned by my ISP.
This /48 prefix can be routed to me by putting it straight on the vlan that connects to me,
or by using a /64 link net. This link net is not a part of my initial prefix.
Right now it is setup using the link net configuration.
I would prefer for the prefix to be assigned to my vlan directly though.
And having the fortigate sit on a static ipv6 address for management.
While my internal units automatically picks up their ipv6 configuration using slaac.
I hope this was a better explanation of what I wanted.
Thanks again for the help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why don' t you assign a /64 out of the /48 on the WAN link and divided the reminding 64k minus1 /64 for your internal vlans with SLAAC on the vlan interfaces.
You can assign multiple /64 prefixes on one interface if required and you can have multiple ipv6 address per interface.
Very simple see diagram;
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- IOS Native IPSEC full tunnel doesn't... 233 Views
- CHANGED SUBNET FROM LAN TO WAN 225 Views
- SSL VPN STUCK AT 98% 860 Views
- FortiClient is not connecting to Windows... 676 Views
- FortiAnalyzer don't show implicit deny log 223 Views
Labels
-
Fortigate
7,444 -
FortiClient
1,469 -
5.2
801 -
5.4
639 -
FortiManager
637 -
FortiAnalyzer
484 -
6.0
416 -
FortiSwitch
387 -
FortiAP
386 -
5.6
362 -
FortiClient EMS
312 -
FortiMail
287 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
181 -
FortiNAC
134 -
SSL-VPN
129 -
6.4
128 -
IPsec
124 -
FortiGuard
121 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
92 -
FortiToken
80 -
Customer Service
72 -
Wireless Controller
68 -
SD-WAN
65 -
4.0MR3
64 -
FortiProxy
52 -
FortiEDR
47 -
Fortivoice
46 -
FortiADC
46 -
FortiDNS
43 -
FortiAuthenticator
43 -
Firewall policy
40 -
FortiSandbox
38 -
VLAN
38 -
FortiExtender
37 -
FortiGate v5.4
36 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
FortiConverter
23 -
SAML
22 -
Interface
22 -
Authentication
21 -
Routing
21 -
Certificate
21 -
FortiSwitch v6.2
20 -
FortiLink
19 -
NAT
19 -
FortiPortal
18 -
VDOM
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
SSO
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
WAN optimization
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiPAM
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiToken Cloud
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet Service Database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1237 | |
| 932 | |
| 674 | |
| 441 | |
| 176 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.