Configuring IPv4 over IPv6 DS-Lite service
IPv4 over IPv6 DS-Lite service can be configured on a virtual network enabler (VNE) tunnel. In addition, VNE tunnel fixed IP mode supports username and password authentication.
config system vne-tunnel set status enable set mode {map-e | fixed-ip | ds-lite} set ipv4-address <IPv4_address> set br <IPv6_address or FQDN> set http-username <string> set http-password <password> end
mode {map-e | fixed-ip | ds-lite} |
Set the VNE tunnel mode:
|
ipv4-address <IPv4_address> |
Enter the tunnel IPv4 address and netmask. This setting is optional. |
br <IPv6_address or FQDN> |
Enter the IPv6 or FQDN of the border relay. |
http-username <string> |
Enter the HTTP authentication user name. |
http-password <password> |
Enter the HTTP authentication password. |
DS-Lite allows applications using IPv4 to access the internet with IPv6. DS-Lite is supported by internet providers that do not have enough public IPv4 addresses for their customers, so DS-Lite is used for IPv6 internet connections. When a DS-Lite internet connections is used, the FortiGate encapsulates all data from IPv4 applications into IPv6 packets. The packets are then transmitted to the internet service provider using the IPv6 connection. Next, a dedicated server unpacks the IPv6 packets and forwards the IPv4 data to the actual destination on the internet.
DS-Lite example
In this example, DS-Lite VNE tunnel mode is used between the FortiGate and the BR.
To configure a DS-Lite tunnel between the FortiGate and the BR:
- Configure the IPv6 interface:
config system interface edit "wan1" set vdom "root" set mode dhcp set allowaccess ping fgfm set type physical set role wan set snmp-index 1 config ipv6 set ip6-allowaccess ping set dhcp6-information-request enable set autoconf enable set unique-autoconf-addr enable end next end
- Configure the VNE tunnel:
config system vne-tunnel set status enable set interface "wan1" set ssl-certificate "Fortinet_Factory" set auto-asic-offload enable set ipv4-address 192.168.1.99 255.255.255.255 set br "dgw.xxxxx.jp" set mode ds-lite end
-
View the wan1 IPv6 configuration details:
config system interface edit "wan1" config ipv6 get ip6-mode : static nd-mode : basic ip6-address : 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2/64 ip6-allowaccess : ping icmp6-send-redirect : enable ra-send-mtu : enable ip6-reachable-time : 0 ip6-retrans-time : 0 ip6-hop-limit : 0 dhcp6-information-request: enable cli-conn6-status : 1 vrrp-virtual-mac6 : disable vrip6_link_local : :: ip6-dns-server-override: enable Acquired DNS1 : 2001:f70:2880:xxxx:xxxx:xxxx:fe40:9082 Acquired DNS2 : :: ip6-extra-addr: ip6-send-adv : disable autoconf : enable prefix : 2001:f70:2880:xxxx::/64 preferred-life-time : 942735360 valid-life-time : 1077411840 unique-autoconf-addr: enable interface-identifier: :: dhcp6-relay-service : disable end next end
-
Verify the IPv6 address list:
# diagnose ipv6 address list dev=5 devname=wan1 flag= scope=0 prefix=64 addr=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2 preferred=11525 valid=13325 cstamp=6520 tstamp=6892 dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::xxxx:xxxx:fe39:ccd2 preferred=4294967295 valid=4294967295 cstamp=6373 tstamp=6373 dev=18 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=3531 tstamp=3531 dev=25 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=5604 tstamp=5604 dev=27 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=6377 tstamp=6377
-
Test the tunnel connection by pinging the Google public DNS IPv6 address:
# execute ping6 2001:4860:4860::8888 PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.89 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.39 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.46 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.34 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.39 ms --- 2001:4860:4860::8888 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss, time 4079ms rtt min/avg/max/mdev = 3.340/4.097/6.895/1.400 ms
Fixed IP mode example
In this example, fixed IP VNE tunnel mode with HTTP authentication is used between the FortiGate and the BR.
To configure a fixed IP mode with HTTP authentication between the FortiGate and the BR:
- Configure the IPv6 interface:
config system interface edit "wan1" set vdom "root" set mode dhcp set allowaccess ping fgfm set type physical set role wan set snmp-index 1 config ipv6 set ip6-allowaccess ping set dhcp6-information-request enable set autoconf enable end next end
- Configure the VNE tunnel:
config system vne-tunnel set status enable set interface "wan1" set ipv4-address 120.51.xxx.xxx1 255.255.255.255 set br "2001:f60:xxxx:xxxx::1" set update-url "https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp" set mode fixed-ip set http-username "laptop-1" set http-password ********** end
-
Verify the wan1 IPv6 configuration details:
config system interface edit "wan1" config ipv6 get ....
-
Verify the VNE daemon:
# diagnose test application vned 1 ---------------------------------------------------------------------------- vdom: root/0, is master, devname=wan1 link=0 tun=vne.root mode=fixed-ip ssl_cert=Fortinet_Factory end user ipv6 perfix: 2001:f70:2880:xxxx::/64 interface ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2 config ipv4 perfix: 120.51.xxx.xxx/255.255.255.255 config br: 2001:f60:xxxx:xxxx::1 HTTP username: laptop-1 update url: https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp host: ddnsweb1.ddns.xxxxxx.jp path: /cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp port:443 ssl: 1 tunnel br: 2001:f60:xxxx:xxxx::1 tunnel ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2 tunnel ipv4 addr: 120.51.xxx.xxx1/255.255.255.255 update result: <H1>DDNS API</H1><HR><H2>* Query parameter check : OK</H2>FQDN=xxxxxx.v4v6.xxxxx.jp<BR>Password=**********<BR>IPv6=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR>UID=xxxxxx.v4v6.xxxxx.jp<BR>Address=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR><H2>* routerinfo check : OK</H2><H2>* records check : OK</H2><H2>* routerinfo update : OK</H2><H2>* records update : OK</H2><H2>* DDNS API update : Success [2022-01-18 18:37:58 1642498678]</H2> Fixed IP rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0 fqdn=2001:f60:xxxx:xxxx::1 num=1 cur=0 ttl=4294967295 expiry=0 2001:f60:xxxx:xxxx::1 Fixed IP DDNS client: state=succeed retries=0 interval=10 expiry=0 reply_code=200 fqdn=ddnsweb1.ddns.xxxxxx.jp num=1 cur=0 ttl=6 expiry=0 2001:f61:0:2a::18
-
Test the tunnel connection by pinging the Google public DNS IPv4 and IPv6 addresses:
# execute ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=3.7 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=3.6 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=3.6 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=3.6 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=3.5 ms --- 8.8.8.8 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 3.5/3.6/3.7 ms
# execute ping6 2001:4860:4860::8888 PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.99 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.61 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.34 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.27 ms 64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.75 ms --- 2001:4860:4860::8888 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss, time 4039ms rtt min/avg/max/mdev = 3.276/4.195/6.992/1.409 ms