Configuring IPv6 IPsec VPNs
Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN: Phase 1 settings, Phase 2 settings, security policies and routing.
By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first. To enable IPv6 1. Go to System > Admin > Settings. 2. In the Display Options on GUI section, select IPv6. 3. Select Apply. |
Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings. Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote gateway.
In the CLI, you define an IPsec Phase 1 configuration as IPv6 by setting ip‑version
to 6
. Its default value is 4
. Then, the local-gw
and remote-gw
keywords are hidden and the corresponding local-gw6
and remote-gw6
keywords are available. The values for local-gw6
and remote-gw6
must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
edit tunnel6
set ip-version 6
set remote-gw6 0:123:4567::1234
set interface port3
set proposal 3des-md5
end
Phase 2 configuration
To create an IPv6 IPsec Phase 2 configuration in the web-based manager, you need to define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific IPv6 addresses, address ranges, or subnet addresses in these fields.
In the CLI, set src‑addr‑type
and dst‑addr‑type
to ip6
, range6
or subnet6
to specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6
address type, for example. The simplest IPv6 Phase 2 configuration looks like this:
config vpn ipsec phase2-interface
edit tunnel6_p2
set phase1name tunnel6
set proposal 3des-md5
set src-addr-type subnet6
set dst-addr-type subnet6
end
The management of static selector rules is performed by the IKE daemon, which allows named selectors to be reloaded if any named address or address groups are changed, without requiring the FortiGate unit to be rebooted before applying changes.
Security policies
To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.
Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them. You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface. You also need a route to the remote protected network via the IPsec interface.
To create a static route in the web-based manager
- Go to Router > Static > Static Routes.
On low-end FortiGate units, go to System > Network > Routing.
- Select the drop-down arrow on the Create New button and select IPv6 Route.
- Enter the information and select OK.
In the CLI, use the router static6
command. For example, where the remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst fec0:0000:0000:0004::/64
next
end
If the VPN is IPV4 over IPv6, the route to the remote protected network is an IPv4 route. If the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.