Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

MAP-E support

On a customer edge (CE) FortiGate, an IPv4-over-IPv6 (MAP-E) tunnel can be created between the FortiGate and the border relay (BR) operating in an IPv6 network. A tunnel interface is created between the FortiGate and BR, which can be applied to firewall policies and IPsec VPN.

To configure a MAP-E tunnel between the FortiGate and the BR:
  1. Configure fixed IP mode.
    1. Configure IPv6 on the interface:
      config system interface
          edit "wan1"
              config ipv6
                  set autoconf enable
                  set unique-autoconf-addr enable
                  set interface-identifier ::6f:6c1f:3400:0
              end
          next
      end

      The interface-identifier is an IPv6 address. Its last 64-bit will be kept and the rest will be cleared automatically. It will combine with the IPv6 prefix it gets from the IPv6 router to generate the IPv6 address of the interface.

      By default, unique-autoconf-addr is disabled. It must be enabled so it can handle IPv6 prefix changing.

    2. Configure the VNE tunnel:
      config system vne-tunnel
          set status enable
          set interface "wan1"
          set mode fixed-ip
          set ipv4-address 10.10.81.81 255.255.255.0
          set br 2001:160::82
          set update-url "http://qa.forosqa.com/update?user=xxxx&pass=yyyy"
      end

    Initial sequence overview of VNE tunnel under fixed IP mode:

    Once the IPv6 address of the FortiGate changes, the tunnel will be down because the BR does not know the FortiGate's new IPv6 address. The FortiGate uses update-url to update the new IPv6 address to the provisioning server. The provisioning server updates the FortiGate’s IPv6 address to the BR so the VNE tunnel can be re-established.

    Communication sequence overview of re-establishing VNE tunnel:

  2. Configure the VNE tunnel to use MAP-E mode:
    config system vne-tunnel
        set status enable
        set interface 'wan1'
        set ssl-certificate "Fortinet_Factory"
        set bmr-hostname ********
        set auto-asic-offload enable
        set mode map-e
    end

    Initial sequence overview of VNE tunnel under MAP-E mode:

    The FortiGate sends a MAP rule request to the MAP distribution server once the IPv6 address is configured on the FortiGate by RS/RA. Next, the FortiGate will send an AAAA query to get the IPv6 address of the MAP distribution server. After sending the BMR request to the MAP distribution server, the FortiGate will get the IPv4 address, port set, BR IPv6 address, and hostname of the address resolution server from the BMR reply. The VNE tunnel between the FortiGate and BR is now established.

    The address resolution server is actually a dynamic DNS. The hostname is used for the FortiGate to maintain an IPv6 address when it changes.

    The FortiGate updates the DDNS server with its IPv6 address whenever it updates, which in turn provides the update to the MAP distribution server and BR so they know how to resolve the FortiGate by hostname.

    Once the VNE tunnel is established, a tunnel interface is created (vne.root), and an IPv4-over-IPv6 tunnel is set up between the FortiGate and BR. The route, firewall policy, and DNS server can now be configured to let the traffic go through the VNE tunnel and the and protect the end-user. The VNE tunnel can also be used in IPsec phase 1.

  3. Configure the route:
    config router static
        edit 1
            set device "vne.root"
        next
    end
  4. Configure the firewall policy:
    config firewall policy
        edit 111
            set name "ff"
            set srcintf "port2"
            set dstintf "vne.root"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set nat enable
        next
    end
  5. Configure the DNS server:
    config system dns-server
        edit "port2"
        next
    end

MAP-E support

On a customer edge (CE) FortiGate, an IPv4-over-IPv6 (MAP-E) tunnel can be created between the FortiGate and the border relay (BR) operating in an IPv6 network. A tunnel interface is created between the FortiGate and BR, which can be applied to firewall policies and IPsec VPN.

To configure a MAP-E tunnel between the FortiGate and the BR:
  1. Configure fixed IP mode.
    1. Configure IPv6 on the interface:
      config system interface
          edit "wan1"
              config ipv6
                  set autoconf enable
                  set unique-autoconf-addr enable
                  set interface-identifier ::6f:6c1f:3400:0
              end
          next
      end

      The interface-identifier is an IPv6 address. Its last 64-bit will be kept and the rest will be cleared automatically. It will combine with the IPv6 prefix it gets from the IPv6 router to generate the IPv6 address of the interface.

      By default, unique-autoconf-addr is disabled. It must be enabled so it can handle IPv6 prefix changing.

    2. Configure the VNE tunnel:
      config system vne-tunnel
          set status enable
          set interface "wan1"
          set mode fixed-ip
          set ipv4-address 10.10.81.81 255.255.255.0
          set br 2001:160::82
          set update-url "http://qa.forosqa.com/update?user=xxxx&pass=yyyy"
      end

    Initial sequence overview of VNE tunnel under fixed IP mode:

    Once the IPv6 address of the FortiGate changes, the tunnel will be down because the BR does not know the FortiGate's new IPv6 address. The FortiGate uses update-url to update the new IPv6 address to the provisioning server. The provisioning server updates the FortiGate’s IPv6 address to the BR so the VNE tunnel can be re-established.

    Communication sequence overview of re-establishing VNE tunnel:

  2. Configure the VNE tunnel to use MAP-E mode:
    config system vne-tunnel
        set status enable
        set interface 'wan1'
        set ssl-certificate "Fortinet_Factory"
        set bmr-hostname ********
        set auto-asic-offload enable
        set mode map-e
    end

    Initial sequence overview of VNE tunnel under MAP-E mode:

    The FortiGate sends a MAP rule request to the MAP distribution server once the IPv6 address is configured on the FortiGate by RS/RA. Next, the FortiGate will send an AAAA query to get the IPv6 address of the MAP distribution server. After sending the BMR request to the MAP distribution server, the FortiGate will get the IPv4 address, port set, BR IPv6 address, and hostname of the address resolution server from the BMR reply. The VNE tunnel between the FortiGate and BR is now established.

    The address resolution server is actually a dynamic DNS. The hostname is used for the FortiGate to maintain an IPv6 address when it changes.

    The FortiGate updates the DDNS server with its IPv6 address whenever it updates, which in turn provides the update to the MAP distribution server and BR so they know how to resolve the FortiGate by hostname.

    Once the VNE tunnel is established, a tunnel interface is created (vne.root), and an IPv4-over-IPv6 tunnel is set up between the FortiGate and BR. The route, firewall policy, and DNS server can now be configured to let the traffic go through the VNE tunnel and the and protect the end-user. The VNE tunnel can also be used in IPsec phase 1.

  3. Configure the route:
    config router static
        edit 1
            set device "vne.root"
        next
    end
  4. Configure the firewall policy:
    config firewall policy
        edit 111
            set name "ff"
            set srcintf "port2"
            set dstintf "vne.root"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set nat enable
        next
    end
  5. Configure the DNS server:
    config system dns-server
        edit "port2"
        next
    end