FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 14 - IPsec VPN > IPv6 IPsec VPNs > Site-to-site IPv6 over IPv6 VPN example

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first.

To enable IPv6

1.  Go to System > Admin > Settings.
2.  In the Display Options on GUI section, select IPv6.
3.  Select Apply.
Example IPv6-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface

edit port2

config ipv6

set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next

edit port3

config ipv6

set ip6-address fec0::0000:209:0fff:fe83:25f3/64

end

next

end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IP address FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

config vpn ipsec phase1-interface

edit toB

set ip-version 6

set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7

set dpd enable

set psksecret maryhadalittlelamb

set proposal 3des-md5 3des-sha1

end

By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface

edit toB2

set phase1name toB

set proposal 3des-md5 3des-sha1

set pfs enable

set replay enable

set src-addr-type subnet6

set dst-addr-type subnet6

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

config firewall policy6

edit 1

set srcintf port3

set dstintf toB

set srcaddr all6

set dstaddr all6

set action accept

set service ANY

set schedule always

next

edit 2

set srcintf toB

set dstintf port3

set srcaddr all6

set dstaddr all6

set action accept

set service ANY

set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6

edit 1

set device port2

set dst 0::/0

next

edit 2

set device toB

set dst fec0:0000:0000:0004::/64

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

config system interface

edit port2

config ipv6

set ip6-address fec0::0003:209:0fff:fe83:25c7/64

end

next

edit port3

config ipv6

set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

end

config vpn ipsec phase1-interface

edit toA

set ip-version 6

set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2

set dpd enable

set psksecret maryhadalittlelamb

set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface

edit toA2

set phase1name toA

set proposal 3des-md5 3des-sha1

set pfs enable

set replay enable

set src-addr-type subnet6

set dst-addr-type subnet6

end

config firewall policy6

edit 1

set srcintf port3

set dstintf toA

set srcaddr all6

set dstaddr all6

set action accept

set service ANY

set schedule always

next

edit 2

set srcintf toA

set dstintf port3

set srcaddr all6

set dstaddr all6

set action accept

set service ANY

set schedule always

end

config router static6

edit 1

set device port2

set dst 0::/0

next

edit 2

set device toA

set dst fec0:0000:0000:0000::/64

end