Dual stack IPv4 and IPv6 support for SSL VPN

Dual stack IPv4 and IPv6 support for SSL VPN servers and clients enables a client to establish a dual stack tunnel that carries both IPv4 and IPv6 traffic. FortiGate SSL VPN clients also support dual stack, which allows them to establish dual stack tunnels with other FortiGates.

Users connecting in web mode can connect to the web portal over IPv4 or IPv6. They can access bookmarks in either IPv4 or IPv6, depending on the preferred DNS setting of the web portal.

Example

In this example, FortiGate B works as an SSL VPN server with dual stack enabled. A test portal is configured to support tunnel mode and web mode SSL VPN.

FortiGate A is an SSL VPN client that connects to FortiGate B to establish an SSL VPN tunnel connection. It attempts to access www.bing.com and www.apple.com via separate IPv4 and IPv6 connections. Two addresses are configured on FortiGate B:

  • bing.com uses an IPv4 FQDN and resolves to 13.107.21.200 and 204.79.197.200.
  • apple_v6 uses an IPv6 FQDN and resolves to 2600:140a:c000:385::1aca and 2600:140a:c000:398::1aca.

The server certificate used is fgt_gui_automation, and the CN is *.fos.automation.com.

A PC serves as a client to connect to FortiGate B in SSL VPN web mode. The PC can connect to the SSL VPN server over IPv4 or IPv6. Based on the preferred DNS setting, it will access the destination website over IPv4 or IPv6.

Note

Dual stack tunnel mode support requires a supported client. In 7.0.0, a FortiGate in SSL VPN client mode can support dual stack tunnels. FortiClient 7.0.1 and later releases support dual stack.

To configure an SSL VPN server in tunnel and web mode with dual stack support in the GUI:
  1. Create a local user:

    1. Go to User & Authentication > User Definition and click Create New. The Users/Groups Creation Wizard opens.

    2. Set the User Type to Local User and click Next.

    3. Enter the Username (client2) and password, then click Next.

    4. Optionally, configure the contact information and click Next.

    5. Click Submit.

  2. Configure the addresses:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Enter the following for the IPv4 address:

      Category    Address
      Name        bing.com
      Type        FQDN
      FQDN        www.bing.com

    3. Click OK.

    4. Click Create New > Address and enter the following for the IPv6 address:

      Category    IPv6 Address
      Name        apple_v6
      Type        FQDN
      FQDN        www.apple.com

    5. Click OK.

  3. Configure the SSL VPN portal:

    1. Go to VPN > SSL-VPN Portals and click Create New.

    2. Enter a name (testportal1).

    3. Enable Tunnel Mode and for Enable Split Tunneling, select Enable Based on Policy Destination.

    4. For Source IP Pools, add SSLVPN_TUNNEL_ADDR1.

    5. Enable IPv6 Tunnel Mode and for Enable Split Tunneling, select Enable Based on Policy Destination.

    6. For Source IP Pools, add SSLVPN_TUNNEL_IPv6_ADDR1.

    7. Enable Enable Web Mode.

    8. Click OK.

  4. Configure the SSL VPN settings:

    1. Go to VPN > SSL-VPN Settings and configure the following:

      Listen on Interface(s)    port1
      Listen on Port            1443
      Restrict Access           Allow access from any host