MAP-E support

On a customer edge (CE) FortiGate, an IPv4-over-IPv6 (MAP-E) tunnel can be created between the FortiGate and the border relay (BR) operating in an IPv6 network. This creates a tunnel interface between the FortiGate and the BR, and that interface can be applied to firewall policies and IPsec VPN.

To configure a MAP-E tunnel between the FortiGate and the BR:
  1. Configure fixed IP mode.
    1. Configure IPv6 on the interface:
      config system interface
          edit "wan1"
              config ipv6
                  set autoconf enable
                  set unique-autoconf-addr enable
                  set interface-identifier ::6f:6c1f:3400:0
              end
          next
      end

      The interface-identifier is written as an IPv6 address. Only its last 64 bits are kept; the rest are cleared automatically. The retained bits are combined with the IPv6 prefix received from the IPv6 router to generate the IPv6 address of the interface.

      By default, unique-autoconf-addr is disabled. It must be enabled so that the FortiGate can handle IPv6 prefix changes.

    2. Configure the VNE tunnel:
      config system vne-tunnel
          set status enable
          set interface "wan1"
          set mode fixed-ip
          set ipv4-address
          set br 2001:160::82
          set update-url ""
      end

    Initial sequence overview of VNE tunnel under fixed IP mode:

    Once the IPv6 address of the FortiGate changes, the tunnel goes down because the BR does not know the FortiGate's new IPv6 address. The FortiGate uses update-url to report the new IPv6 address to the provisioning server. The provisioning server then passes the FortiGate's new IPv6 address to the BR so that the VNE tunnel can be re-established.
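
The address derivation and the prefix-change case described above, as an added Python example (not FortiOS code and not Fortinet's implementation). It assumes the router advertises a /64 prefix; the two prefixes are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

LOW_64_BITS = (1 << 64) - 1


def derive_address(prefix, interface_identifier):
    """Combine a router-advertised prefix with the configured identifier.

    Only the last 64 bits of the identifier are kept, as the page states.
    Assumption: the advertised prefix is a /64.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix, got /%d" % net.prefixlen)
    ident = int(ipaddress.IPv6Address(interface_identifier))
    host_bits = ident & LOW_64_BITS  # upper 64 bits are cleared
    return ipaddress.IPv6Address(int(net.network_address) | host_bits)


def after_prefix_change(old_prefix, new_prefix, interface_identifier):
    """Return (changed, new_address) for a prefix renumbering event.

    changed=True is the situation in which the BR still holds the old
    address, so the new one has to be reported through update-url.
    """
    old_addr = derive_address(old_prefix, interface_identifier)
    new_addr = derive_address(new_prefix, interface_identifier)
    return old_addr != new_addr, new_addr


if __name__ == "__main__":
    IDENT = "::6f:6c1f:3400:0"          # identifier from the page
    OLD = "2001:db8:aaaa:1::/64"        # constructed sample prefix
    NEW = "2001:db8:bbbb:2::/64"        # constructed sample prefix

    print("initial address:", derive_address(OLD, IDENT))
    # Upper bits in the identifier make no difference to the result.
    print("upper bits set :", derive_address(OLD, "fe80:1::6f:6c1f:3400:0"))
    changed, addr = after_prefix_change(OLD, NEW, IDENT)
    print("prefix changed :", changed, "->", addr)
```

The host part of the address stays fixed across renumbering; only the prefix half moves, which is the change the provisioning server has to relay to the BR.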

    Communication sequence overview of re-establishing VNE tunnel:

  2. Configure the VNE tunnel to use MAP-E mode:
    config system vne-tunnel