Support Forum
nikolsko
New Contributor

IPv6 SLAAC

Hi, I am having issues getting SLAAC to work on a FortiGate 60C. I have my WAN interface set with a static address. I have no issues pinging services over IPv6 from the FortiGate unit itself, but it will not autoconfigure the units connected to the internal interface.

This is the config for the internal side:

    set ip6-allowaccess ping https ssh
    set ip6-address 2001:000:000:1::1/64
    set ip6-send-adv enable
    set autoconf enable

Then I have this for the WAN interface:

    set ip6-allowaccess ping https ssh
    set ip6-address 2001:000:000::2/64
    set ip6-send-adv enable
    set autoconf enable

with a default GW of 2001:000:000::1/64. Any help would be greatly appreciated.
emnoc
Esteemed Contributor III

Your config is missing a lot. Follow my blog on the autoconf function and IPv6 on FGT: http://socpuppet.blogspot.com/2012/12/ipv6-fortigate-style.html But you need to assign the prefix for starters. This is one area most missed in FortiGate configuration. Unlike on Cisco, where it's done automatically when you enable IPv6 on an interface.

PCNSE NSE StrongSwan
nikolsko
New Contributor

Thanks for the reply. I have tried to change the config for the internal side so it matches your post:

    config ipv6
        set ip6-allowaccess ping https ssh
        set ip6-address 2001:000:000:1::1/64
        set ip6-send-adv enable
        set autoconf enable
        config ip6-prefix-list
            edit 2001:000:000::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end
    end

Still, on the Cisco in front I only see the FortiGate itself, and that registers as stale.
emnoc
Esteemed Contributor III

You need something like this:

    config ipv6
        set ip6-address 2001:000:000:1::1/64
        set ip6-allowaccess ping https ssh snmp
        config ip6-prefix-list
            edit 2001:000:000:1::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end
        set ip6-retrans-time 4000
        set ip6-send-adv enable
    end
    next

Does the Cisco have IPv6 enabled and autoconfiguration for the address? Does it have layer-2 connectivity to the FGT (temporarily assign it a static or EUI-64 address and test with an IPv6 ping)? Does a host attached to the FGT pick up a stateless assigned address (macOS/Linux/Windows/OpenBSD/etc.)? What does your debug output show, if anything other than the Cisco gets an address? If nothing gets an address, once again, start diagnostics and packet captures.

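As an added example (not code from the thread or from Fortinet), the following Python builds the Router Advertisement that `ip6-send-adv` with an `ip6-prefix-list` entry (autonomous flag set, 600 s lifetimes) corresponds to on the wire, parses it back the way you would check one taken from a packet capture on the internal interface, and derives the EUI-64 address a host would form from it, which is the "does a host pick up a stateless address" check from the reply above done offline. The router link-local fe80::1, the documentation prefix 2001:db8:1:1::/64 and the host MAC 00:11:22:33:44:55 are constructed values.

```python
"""Build and parse the ICMPv6 Router Advertisement (RA) behind SLAAC and derive
the EUI-64 address a host forms from its Prefix Information Option.
Added example, not FortiGate or forum code; fe80::1, 2001:db8:1:1::/64 and the
host MAC below are constructed values."""
import ipaddress
import struct

RA_TYPE = 134      # ICMPv6 Router Advertisement, RFC 4861 4.2
PIO_TYPE = 3       # Prefix Information Option, RFC 4861 4.6.2
ALL_NODES = ipaddress.IPv6Address("ff02::1")   # RAs are sent to all nodes


def icmpv6_checksum(src, dst, payload):
    """One's-complement sum over the IPv6 pseudo-header (next header 58) and message."""
    data = src.packed + dst.packed + struct.pack("!I", len(payload)) + b"\x00\x00\x00\x3a" + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def prefix_option(prefix, valid, preferred, onlink=True, autonomous=True):
    """32-byte PIO: the L (on-link) and A (autonomous) flags are what the FortiGate
    onlink-flag / autonomous-flag settings control."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
    return struct.pack("!BBBBIII", PIO_TYPE, 4, net.prefixlen, flags,
                       valid, preferred, 0) + net.network_address.packed


def build_ra(router_link_local, prefixes, router_lifetime=1800):
    """prefixes: (prefix, valid_lifetime, preferred_lifetime) tuples.
    M and O flags stay clear: pure SLAAC, no DHCPv6."""
    src = ipaddress.IPv6Address(router_link_local)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    for prefix, valid, preferred in prefixes:
        msg += prefix_option(prefix, valid, preferred)
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, ALL_NODES, msg)) + msg[4:]


def parse_ra(router_link_local, packet):
    """Return RA flags and every prefix option; reject a bad checksum or a
    zero-length option (RFC 4861 4.6 says to discard the packet)."""
    src = ipaddress.IPv6Address(router_link_local)
    if len(packet) < 16 or packet[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmpv6_checksum(src, ALL_NODES, zeroed) != struct.unpack("!H", packet[2:4])[0]:
        raise ValueError("bad ICMPv6 checksum")
    flags, lifetime = packet[5], struct.unpack("!H", packet[6:8])[0]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos + 2 <= len(packet):
        otype, olen = packet[pos], packet[pos + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        opt = packet[pos:pos + olen * 8]
        if otype == PIO_TYPE and len(opt) == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((opt[16:32], plen), strict=False)),
                "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        pos += olen * 8
    return ra


def eui64_address(prefix, mac):
    """Modified EUI-64 interface ID (RFC 4291 App. A): flip the U/L bit of the
    first MAC octet and insert ff:fe between the OUI and the device part."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with a 64-bit interface ID needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def host_addresses(router_link_local, packet, mac):
    """Addresses a SLAAC host configures from this RA: only prefixes with the
    A flag, a non-zero valid lifetime and a 64-bit host part (RFC 4862 5.5.3)."""
    ra = parse_ra(router_link_local, packet)
    return [eui64_address(p["prefix"], mac) for p in ra["prefixes"]
            if p["autonomous"] and p["valid"] > 0
            and ipaddress.IPv6Network(p["prefix"]).prefixlen == 64]


if __name__ == "__main__":
    ra = build_ra("fe80::1", [("2001:db8:1:1::/64", 600, 600)])
    print(parse_ra("fe80::1", ra))
    print(host_addresses("fe80::1", ra, "00:11:22:33:44:55"))
```

Two details worth noticing when reading a real capture: a prefix-list entry that is not a /64 is silently ignored by EUI-64 hosts (the block returns no address for it), and a cleared A flag gives hosts the router and the on-link prefix but no address at all, which looks exactly like "the FortiGate answers pings but nothing behind it gets configured".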
nikolsko
New Contributor

There, I got it working. I used the config I had on the internal side, but on the Cisco in front I put up an IPv6 link net on the VLAN to the FortiGate. So I assigned 2001:0:0:0::1/64 on the Cisco side, then 2001:0:0:0::2/64 on the FortiGate. I then used a static route for 2001:0:0::/48 to 2001:0:0:0::2/64. Then everything worked fine, as soon as I changed my firewall policy to allow ICMPv6. This is not technically SLAAC, is it? But it works. Thank you so much.
nikolsko
New Contributor

It seems I was a bit quick there. It worked for a while; now I am not able to ping from the FortiGate to IPv6 sites. The FortiGate replies to ping packets over IPv6, though.
emnoc
Esteemed Contributor III

What are you trying to do? Do you have a topology drawing of the inside/outside interfaces and where the autoconf clients are located? Somehow, from what you're describing, SLAAC is not what you want. SLAAC is trivial and a straightforward configuration.

nikolsko
New Contributor

I can try to explain what I am after. I have a /48 prefix assigned by my ISP. This /48 prefix can be routed to me by putting it straight on the VLAN that connects to me, or by using a /64 link net. This link net is not part of my initial prefix. Right now it is set up using the link-net configuration. I would prefer for the prefix to be assigned to my VLAN directly, though, and to have the FortiGate sit on a static IPv6 address for management while my internal units automatically pick up their IPv6 configuration using SLAAC. I hope this was a better explanation of what I wanted. Thanks again for the help.
emnoc
Esteemed Contributor III

Why don't you assign a /64 out of the /48 on the WAN link and divide the remaining 64K minus 1 /64s among your internal VLANs, with SLAAC on the VLAN interfaces? You can assign multiple /64 prefixes on one interface if required, and you can have multiple IPv6 addresses per interface. Very simple, see diagram.

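As an added example (not the thread's or Fortinet's code), this Python carries the plan in the reply above through: it carves per-interface /64s out of an ISP /48, checks that each prefix an interface advertises for SLAAC is a /64 the FortiGate is itself numbered in (the mismatch between the interface address and the prefix-list entry in the second post of this thread is the case it flags), and prints the FortiOS CLI for the WAN link, the advertising LAN interfaces, the default route and the outbound policy. The prefix 2001:db8:1::/48 is a documentation range standing in for the ISP's, the interface names wan1/internal/vlan10 and the ::1 (ISP) / ::2 (FortiGate) link-net convention are assumptions, and the `firewall policy6` / `router static6` syntax is the FortiOS 4.x/5.x form of the 60C era.

```python
"""Plan per-interface /64s from an ISP-delegated /48, check that the prefix an
interface advertises for SLAAC is a /64 the FortiGate itself is numbered in,
and print the matching FortiOS CLI.  Added example, not FortiGate or forum
code; 2001:db8:1::/48, the interface names and the ::1/::2 link-net
convention are assumptions."""
import ipaddress


def plan_prefixes(delegated, interfaces):
    """First /64 of the block to the first interface (the WAN link), the next
    ones to the internal VLANs; the rest of the 65536 stay free."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError("need at least one /64 per interface")
    subnets = block.subnets(new_prefix=64)
    return {name: next(subnets) for name in interfaces}


def check_advertised_prefixes(interface_addresses, advertised):
    """Two ways an ip6-prefix-list leaves SLAAC hosts without working global
    connectivity: a non-/64 prefix (hosts ignore it, RFC 4862 5.5.3) and a prefix
    the router holds no address in, so it has no connected route back to them."""
    on_link = {ipaddress.IPv6Interface(a).network for a in interface_addresses}
    problems = []
    if not advertised:
        problems.append("no prefix advertised: hosts learn a router but no global address")
    for p in advertised:
        net = ipaddress.IPv6Network(p, strict=False)
        if net.prefixlen != 64:
            problems.append(f"{p}: SLAAC with an EUI-64 interface ID needs a /64")
        elif net not in on_link:
            problems.append(f"{p}: router has no address in this prefix, so no connected route")
    return problems


def interface_cli(name, address, advertise, preferred=600, valid=600):
    """config system interface entry; advertise=True adds the RA and prefix list."""
    lines = [f'    edit "{name}"', "        config ipv6",
             f"            set ip6-address {address}",
             "            set ip6-allowaccess ping"]
    if advertise:
        net = ipaddress.IPv6Interface(address).network
        lines += ["            set ip6-send-adv enable",
                  "            config ip6-prefix-list",
                  f"                edit {net}",
                  "                    set autonomous-flag enable",
                  "                    set onlink-flag enable",
                  f"                    set preferred-life-time {preferred}",
                  f"                    set valid-life-time {valid}",
                  "                next",
                  "            end"]
    lines += ["        end", "    next"]
    return lines


def fortios_config(delegated, wan, lans):
    """Return (plan, cli): ISP router is ::1 and the FortiGate ::2 on the WAN /64;
    the FortiGate is ::1 on each LAN /64 and advertises that /64."""
    plan = plan_prefixes(delegated, [wan] + lans)
    gateway = plan[wan][1]
    cfg = ["config system interface"]
    cfg += interface_cli(wan, f"{plan[wan][2]}/64", advertise=False)
    for lan in lans:
        cfg += interface_cli(lan, f"{plan[lan][1]}/64", advertise=True)
    cfg += ["end", "config router static6", "    edit 1", "        set dst ::/0",
            f"        set gateway {gateway}", f'        set device "{wan}"', "    next", "end",
            "config firewall policy6"]
    for n, lan in enumerate(lans, 1):   # outbound policy per LAN (the thread had to open ICMPv6)
        cfg += [f"    edit {n}", f'        set srcintf "{lan}"', f'        set dstintf "{wan}"',
                '        set srcaddr "all"', '        set dstaddr "all"', "        set action accept",
                '        set schedule "always"', '        set service "ALL"', "    next"]
    cfg.append("end")
    return plan, "\n".join(cfg)


if __name__ == "__main__":
    plan, cli = fortios_config("2001:db8:1::/48", "wan1", ["internal", "vlan10"])
    for name, net in plan.items():
        print(f"# {name}: {net}")
    print(cli)
    # the first attempt in the thread: numbered in 2001:0:0:1::/64, advertising 2001:0:0::/64
    for problem in check_advertised_prefixes(["2001:000:000:1::1/64"], ["2001:000:000::/64"]):
        print("WARNING:", problem)
```

Running it prints the plan and the CLI to paste in, then one warning for the mismatched prefix-list entry from earlier in the thread. Note that the WAN interface deliberately gets neither `ip6-send-adv` nor `autoconf`: with a static address and a static default route there is nothing for the FortiGate to learn from the ISP's RAs, and advertising a prefix towards the ISP is never wanted.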