Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.0.14 Administration Guide
7.0.14
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

IPv6 IPsec VPN

IPv6 IPsec VPN

This topic describes how to configure the IPv6 IPsec VPN feature on your FortiGate device.

Note

You can configure IPv6 using the CLI. To configure IPv6 using GUI, ensure IPv6 is enabled by going to System > Feature Visibility and enabling IPv6.

Overview

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes different ways IPv6 IPsec can be used:

IPv4 over IPv6

The VPN gateways have IPv6 addresses.

The protected networks have IPv4 addresses. The phase 2 configurations at either end use IPv4 selectors. See Site-to-site IPv4 over IPv6 VPN example for sample configuration.
IPv6 over IPv4

The VPN gateways have IPv4 addresses.

The protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors. See Site-to-site IPv6 over IPv4 VPN example for sample configuration.
IPv6 over IPv6 Both the VPN gateways and the protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors. See Site-to-site IPv6 over IPv6 VPN example for sample configuration.

Configuring IPv6 IPsec VPNs

Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN:

Phase 1 and Phase 2 settings The configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address. See Phase 1 configuration and Phase 2 configuration for more information.
Security policies To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6. See VPN security policies for more information.
Routing

Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them:

  • You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface.

  • You need a route to the remote protected network via the IPsec interface.

  • You need a blackhole route to the remote protected network to ensure that IPsec traffic doesn’t match the default route when the IPsec tunnel is down.

Routing is dependent on the method:

  • IPv4 over IPv6: The route to the remote VPN gateway is an IPv6 route. The route to the remote protected network is an IPv4 route.

  • IPv6 over IPv4: The route to the remote VPN gateways is an IPv4 route. The route to the remote protected network is an IPv6 route.

  • IPv6 over IPv6: Routes to both the remote VPN gateway and the remote protected network are IPv6 routes.

Note

You can create a new IPv6 static route from Network > Static Routes.

You can configure Phase 1 and Phase 2 settings from VPN > IPsec Wizard.

To configure Phase 1 and phase 2 settings:

  1. Go to VPN > IPsec Wizard.

  2. Enter a name and set Template type to Custom.

  3. Click Next.

  4. Under Network, set IP Version to IPv6 .

  5. Configure the rest of phase 1 and phase 2 settings as required and click OK.

Previous
Next

IPv6 IPsec VPN

This topic describes how to configure the IPv6 IPsec VPN feature on your FortiGate device.

Note

You can configure IPv6 using the CLI. To configure IPv6 using GUI, ensure IPv6 is enabled by going to System > Feature Visibility and enabling IPv6.

Overview

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes different ways IPv6 IPsec can be used:

IPv4 over IPv6

The VPN gateways have IPv6 addresses.

The protected networks have IPv4 addresses. The phase 2 configurations at either end use IPv4 selectors. See Site-to-site IPv4 over IPv6 VPN example for sample configuration.
IPv6 over IPv4

The VPN gateways have IPv4 addresses.

The protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors. See Site-to-site IPv6 over IPv4 VPN example for sample configuration.
IPv6 over IPv6 Both the VPN gateways and the protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors. See Site-to-site IPv6 over IPv6 VPN example for sample configuration.

Configuring IPv6 IPsec VPNs

Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN:

Phase 1 and Phase 2 settings The configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address. See Phase 1 configuration and Phase 2 configuration for more information.
Security policies To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6. See VPN security policies for more information.
Routing

Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them:

  • You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface.

  • You need a route to the remote protected network via the IPsec interface.

  • You need a blackhole route to the remote protected network to ensure that IPsec traffic doesn’t match the default route when the IPsec tunnel is down.

Routing is dependent on the method:

  • IPv4 over IPv6: The route to the remote VPN gateway is an IPv6 route. The route to the remote protected network is an IPv4 route.

  • IPv6 over IPv4: The route to the remote VPN gateways is an IPv4 route. The route to the remote protected network is an IPv6 route.

  • IPv6 over IPv6: Routes to both the remote VPN gateway and the remote protected network are IPv6 routes.

Note

You can create a new IPv6 static route from Network > Static Routes.

You can configure Phase 1 and Phase 2 settings from VPN > IPsec Wizard.

To configure Phase 1 and phase 2 settings:

  1. Go to VPN > IPsec Wizard.

  2. Enter a name and set Template type to Custom.

  3. Click Next.

  4. Under Network, set IP Version to IPv6 .

  5. Configure the rest of phase 1 and phase 2 settings as required and click OK.

Previous
Next