FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 5.2 is IPv6 Ready Logo Program Phase 2 certified.
Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:
| Combination | Addressing |
|---|---|
| IPv4 over IPv6 | The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors. |
| IPv6 over IPv4 | The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors. |
Compared with IPv4 IPsec VPN functionality, there are some limitations:
- Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
- Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
- Redundant IPv6 tunnels are not supported.
On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The `cn-type` keyword of the `user peer` command has an option, `ipv6`, to support this.
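
The following configuration sketch is an added example, not taken from Fortinet's documentation. It shows an IPv6 over IPv6 route-based tunnel that authenticates the remote gateway with a certificate whose CN is an IPv6 address. All object names, interface names and certificate names are placeholders, the addresses come from the 2001:db8::/32 documentation prefix, and the certificate-authentication keywords are written as in the FortiOS 5.2 CLI, which is an assumption for any other release.

```fortios
# Constructed example: names and addresses are placeholders.
config user peer
    edit "site-b-peer"
        # CA certificate assumed to be already imported on this unit
        set ca "CA_Cert_1"
        # Treat the certificate CN as an IPv6 address, not a free-form string
        set cn-type ipv6
        set cn "2001:db8:b::1"
    next
end

config vpn ipsec phase1-interface
    edit "to-site-b"
        set interface "wan1"
        # IPv6 gateways: a static address, since Dynamic DNS remote
        # gateways are only supported for IPv6 over IPv4
        set ip-version 6
        set remote-gw6 2001:db8:b::1
        # Certificate authentication (5.2 keyword spelling, see lead-in)
        set authmethod rsa-signature
        set rsa-certificate "site-a-cert"
        # Accept only the peer defined above
        set peertype peer
        set peer "site-b-peer"
    next
end

config vpn ipsec phase2-interface
    edit "to-site-b-p2"
        set phase1name "to-site-b"
        # Selectors must be literal addresses, ranges or subnets;
        # firewall address names are not accepted for IPv6 selectors
        set src-addr-type subnet6
        set src-subnet6 2001:db8:a:10::/64
        set dst-addr-type subnet6
        set dst-subnet6 2001:db8:b:10::/64
    next
end
```

Binding Phase 1 to a specific peer object with `cn-type ipv6` limits which certificates issued by the CA are accepted for this tunnel to those whose CN matches the configured address.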