MAP-E support
On a customer edge (CE) FortiGate, an IPv4-over-IPv6 (MAP-E) tunnel can be created between the FortiGate and the border relay (BR) operating in an IPv6 network. The resulting tunnel interface between the FortiGate and the BR can be used in firewall policies and IPsec VPN.
To configure a MAP-E tunnel between the FortiGate and the BR:
- Configure fixed IP mode.
- Configure IPv6 on the interface:
config system interface
    edit "wan1"
        config ipv6
            set autoconf enable
            set unique-autoconf-addr enable
            set interface-identifier ::6f:6c1f:3400:0
        end
    next
end
The interface-identifier is an IPv6 address. Only its last 64 bits are kept; the rest are cleared automatically. These bits are combined with the IPv6 prefix received from the IPv6 router to generate the IPv6 address of the interface.
By default, unique-autoconf-addr is disabled. It must be enabled so that the FortiGate can handle IPv6 prefix changes.
- Configure the VNE tunnel:
config system vne-tunnel
    set status enable
    set interface "wan1"
    set mode fixed-ip
    set ipv4-address 10.10.81.81 255.255.255.0
    set br 2001:160::82
    set update-url "http://qa.forosqa.com/update?user=xxxx&pass=yyyy"
end
[Figure: Initial sequence overview of the VNE tunnel under fixed IP mode]
Once the IPv6 address of the FortiGate changes, the tunnel goes down because the BR does not know the FortiGate's new IPv6 address. The FortiGate uses update-url to send its new IPv6 address to the provisioning server. The provisioning server then updates the BR with the FortiGate's new IPv6 address so that the VNE tunnel can be re-established.
[Figure: Communication sequence overview of re-establishing the VNE tunnel]
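The fixed IP mode behaviour described above, as an added Python example (not Fortinet code): it shows how the kept 64 bits of interface-identifier combine with an advertised prefix, why a prefix change requires the update-url call, and a review check on the update-url value. The /64 prefix length, the 2001:db8:: documentation prefixes, the function names and the key names other than user and pass are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

IID_MASK = (1 << 64) - 1  # only the last 64 bits of interface-identifier are kept
# Query keys treated as credentials; user/pass appear on the page, the rest are assumed.
SECRET_KEYS = {"user", "pass", "password", "token"}


def derive_address(prefix, interface_identifier):
    """Combine a router-advertised /64 prefix with the kept 64 identifier bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 prefix")
    iid = int(ipaddress.IPv6Address(interface_identifier)) & IID_MASK
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def address_changed(old_prefix, new_prefix, interface_identifier):
    """True when a prefix change moves the CE address, so the BR must be told."""
    return (derive_address(old_prefix, interface_identifier)
            != derive_address(new_prefix, interface_identifier))


def audit_update_url(url):
    """Return review findings for an update-url value (empty list means none)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme is %s, not https" % (parts.scheme or "missing"))
    exposed = sorted(k for k in parse_qs(parts.query) if k.lower() in SECRET_KEYS)
    if exposed:
        findings.append("credentials in query string: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    iid = "::6f:6c1f:3400:0"                              # value from the page
    old, new = "2001:db8:1:2::/64", "2001:db8:9:9::/64"   # constructed prefixes
    print("address under old prefix:", derive_address(old, iid))
    print("address under new prefix:", derive_address(new, iid))
    print("update needed:", address_changed(old, new, iid))
    for finding in audit_update_url("http://qa.forosqa.com/update?user=xxxx&pass=yyyy"):
        print("update-url finding:", finding)
```
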
- Configure IPv6 on the interface:
- Configure the VNE tunnel to use MAP-E mode:
config system vne-tunnel