Fortinet white logo
Fortinet white logo

New Features

Configuring IPv4 over IPv6 DS-Lite service

Configuring IPv4 over IPv6 DS-Lite service

IPv4 over IPv6 DS-Lite service can be configured on a virtual network enabler (VNE) tunnel. In addition, VNE tunnel fixed IP mode supports username and password authentication.

config system vne-tunnel
    set status enable
    set mode {map-e | fixed-ip | ds-lite}
    set ipv4-address <IPv4_address>
    set br <IPv6_address or FQDN>
    set http-username <string>
    set http-password <password>
end

mode {map-e | fixed-ip | ds-lite}

Set the VNE tunnel mode:

  • map-e: MAP-E
  • fixed-ip: fixed IP
  • ds-lite: DS-Lite

ipv4-address <IPv4_address>

Enter the tunnel IPv4 address and netmask. This setting is optional.

br <IPv6_address or FQDN>

Enter the IPv6 or FQDN of the border relay.

http-username <string>

Enter the HTTP authentication user name.

http-password <password>

Enter the HTTP authentication password.

DS-Lite allows applications using IPv4 to access the internet with IPv6. DS-Lite is supported by internet providers that do not have enough public IPv4 addresses for their customers, so DS-Lite is used for IPv6 internet connections. When a DS-Lite internet connections is used, the FortiGate encapsulates all data from IPv4 applications into IPv6 packets. The packets are then transmitted to the internet service provider using the IPv6 connection. Next, a dedicated server unpacks the IPv6 packets and forwards the IPv4 data to the actual destination on the internet.

DS-Lite example

In this example, DS-Lite VNE tunnel mode is used between the FortiGate and the BR.

To configure a DS-Lite tunnel between the FortiGate and the BR:
  1. Configure the IPv6 interface:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-allowaccess ping
                set dhcp6-information-request enable
                set autoconf enable
                set unique-autoconf-addr enable
            end
        next
    end
  2. Configure the VNE tunnel:
    config system vne-tunnel
        set status enable
        set interface "wan1"
        set ssl-certificate "Fortinet_Factory"
        set auto-asic-offload enable
        set ipv4-address 192.168.1.99 255.255.255.255
        set br "dgw.xxxxx.jp"
        set mode ds-lite
    end
  3. View the wan1 IPv6 configuration details:

    config system interface
        edit "wan1"
            config ipv6
                get
                    ip6-mode            : static
                    nd-mode             : basic
                    ip6-address         : 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2/64
                    ip6-allowaccess     : ping
                    icmp6-send-redirect : enable
                    ra-send-mtu         : enable
                    ip6-reachable-time  : 0
                    ip6-retrans-time    : 0
                    ip6-hop-limit       : 0
                    dhcp6-information-request: enable
                    cli-conn6-status    : 1
                    vrrp-virtual-mac6   : disable
                    vrip6_link_local    : ::
                    ip6-dns-server-override: enable
                    Acquired DNS1       : 2001:f70:2880:xxxx:xxxx:xxxx:fe40:9082
                    Acquired DNS2       : ::
                    ip6-extra-addr:
                    ip6-send-adv        : disable
                    autoconf            : enable
                    prefix      : 2001:f70:2880:xxxx::/64
                    preferred-life-time         : 942735360
                    valid-life-time     : 1077411840
                    unique-autoconf-addr: enable
                    interface-identifier: ::
                    dhcp6-relay-service : disable
            end
        next
    end
  4. Verify the IPv6 address list:

    # diagnose ipv6 address list
    dev=5 devname=wan1 flag= scope=0 prefix=64 addr=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2 preferred=11525 valid=13325 cstamp=6520 tstamp=6892
    dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::xxxx:xxxx:fe39:ccd2 preferred=4294967295 valid=4294967295 cstamp=6373 tstamp=6373
    dev=18 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=3531 tstamp=3531
    dev=25 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=5604 tstamp=5604
    dev=27 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=6377 tstamp=6377
  5. Test the tunnel connection by pinging the Google public DNS IPv6 address:

    # execute ping6 2001:4860:4860::8888
    PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
    64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.89 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.39 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.46 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.34 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.39 ms
    --- 2001:4860:4860::8888 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss, time 4079ms
    rtt min/avg/max/mdev = 3.340/4.097/6.895/1.400 ms

Fixed IP mode example

In this example, fixed IP VNE tunnel mode with HTTP authentication is used between the FortiGate and the BR.

To configure a fixed IP mode with HTTP authentication between the FortiGate and the BR:
  1. Configure the IPv6 interface:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-allowaccess ping
                set dhcp6-information-request enable
                set autoconf enable
            end
        next
    end
  2. Configure the VNE tunnel:
    config system vne-tunnel
        set status enable
        set interface "wan1"
        set ipv4-address 120.51.xxx.xxx1 255.255.255.255
        set br "2001:f60:xxxx:xxxx::1"
        set update-url "https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp"
        set mode fixed-ip
        set http-username "laptop-1"
        set http-password **********
    end
  3. Verify the wan1 IPv6 configuration details:
    config system interface
        edit "wan1"
            config ipv6
                get
                    ....
  4. Verify the VNE daemon:

    # diagnose test application vned 1
    ----------------------------------------------------------------------------
    vdom: root/0, is master, devname=wan1 link=0 tun=vne.root mode=fixed-ip ssl_cert=Fortinet_Factory
    end user ipv6 perfix: 2001:f70:2880:xxxx::/64
    interface ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
    config ipv4 perfix: 120.51.xxx.xxx/255.255.255.255
    config br: 2001:f60:xxxx:xxxx::1
    HTTP username: laptop-1
    update url: https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp
    host: ddnsweb1.ddns.xxxxxx.jp path: /cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp port:443 ssl: 1
    tunnel br: 2001:f60:xxxx:xxxx::1
    tunnel ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
    tunnel ipv4 addr: 120.51.xxx.xxx1/255.255.255.255
    update result: <H1>DDNS API</H1><HR><H2>* Query parameter check : OK</H2>FQDN=xxxxxx.v4v6.xxxxx.jp<BR>Password=**********<BR>IPv6=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR>UID=xxxxxx.v4v6.xxxxx.jp<BR>Address=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR><H2>* routerinfo check : OK</H2><H2>* records check : OK</H2><H2>* routerinfo update : OK</H2><H2>* records update : OK</H2><H2>* DDNS API update : Success [2022-01-18 18:37:58 1642498678]</H2>
    Fixed IP rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
    fqdn=2001:f60:xxxx:xxxx::1 num=1 cur=0 ttl=4294967295 expiry=0
    2001:f60:xxxx:xxxx::1
    Fixed IP DDNS client: state=succeed retries=0 interval=10 expiry=0 reply_code=200
    fqdn=ddnsweb1.ddns.xxxxxx.jp num=1 cur=0 ttl=6 expiry=0
    2001:f61:0:2a::18
  5. Test the tunnel connection by pinging the Google public DNS IPv4 and IPv6 addresses:

    # execute ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=3.7 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=3.5 ms
    --- 8.8.8.8 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 3.5/3.6/3.7 ms
    
    # execute ping6 2001:4860:4860::8888
    PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
    64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.99 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.61 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.34 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.27 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.75 ms
    --- 2001:4860:4860::8888 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss, time 4039ms
    rtt min/avg/max/mdev = 3.276/4.195/6.992/1.409 ms

Configuring IPv4 over IPv6 DS-Lite service

Configuring IPv4 over IPv6 DS-Lite service

IPv4 over IPv6 DS-Lite service can be configured on a virtual network enabler (VNE) tunnel. In addition, VNE tunnel fixed IP mode supports username and password authentication.

config system vne-tunnel
    set status enable
    set mode {map-e | fixed-ip | ds-lite}
    set ipv4-address <IPv4_address>
    set br <IPv6_address or FQDN>
    set http-username <string>
    set http-password <password>
end

mode {map-e | fixed-ip | ds-lite}

Set the VNE tunnel mode:

  • map-e: MAP-E
  • fixed-ip: fixed IP
  • ds-lite: DS-Lite

ipv4-address <IPv4_address>

Enter the tunnel IPv4 address and netmask. This setting is optional.

br <IPv6_address or FQDN>

Enter the IPv6 or FQDN of the border relay.

http-username <string>

Enter the HTTP authentication user name.

http-password <password>

Enter the HTTP authentication password.

DS-Lite allows applications using IPv4 to access the internet with IPv6. DS-Lite is supported by internet providers that do not have enough public IPv4 addresses for their customers, so DS-Lite is used for IPv6 internet connections. When a DS-Lite internet connections is used, the FortiGate encapsulates all data from IPv4 applications into IPv6 packets. The packets are then transmitted to the internet service provider using the IPv6 connection. Next, a dedicated server unpacks the IPv6 packets and forwards the IPv4 data to the actual destination on the internet.

DS-Lite example

In this example, DS-Lite VNE tunnel mode is used between the FortiGate and the BR.

To configure a DS-Lite tunnel between the FortiGate and the BR:
  1. Configure the IPv6 interface:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-allowaccess ping
                set dhcp6-information-request enable
                set autoconf enable
                set unique-autoconf-addr enable
            end
        next
    end
  2. Configure the VNE tunnel:
    config system vne-tunnel
        set status enable
        set interface "wan1"
        set ssl-certificate "Fortinet_Factory"
        set auto-asic-offload enable
        set ipv4-address 192.168.1.99 255.255.255.255
        set br "dgw.xxxxx.jp"
        set mode ds-lite
    end
  3. View the wan1 IPv6 configuration details:

    config system interface
        edit "wan1"
            config ipv6
                get
                    ip6-mode            : static
                    nd-mode             : basic
                    ip6-address         : 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2/64
                    ip6-allowaccess     : ping
                    icmp6-send-redirect : enable
                    ra-send-mtu         : enable
                    ip6-reachable-time  : 0
                    ip6-retrans-time    : 0
                    ip6-hop-limit       : 0
                    dhcp6-information-request: enable
                    cli-conn6-status    : 1
                    vrrp-virtual-mac6   : disable
                    vrip6_link_local    : ::
                    ip6-dns-server-override: enable
                    Acquired DNS1       : 2001:f70:2880:xxxx:xxxx:xxxx:fe40:9082
                    Acquired DNS2       : ::
                    ip6-extra-addr:
                    ip6-send-adv        : disable
                    autoconf            : enable
                    prefix      : 2001:f70:2880:xxxx::/64
                    preferred-life-time         : 942735360
                    valid-life-time     : 1077411840
                    unique-autoconf-addr: enable
                    interface-identifier: ::
                    dhcp6-relay-service : disable
            end
        next
    end
  4. Verify the IPv6 address list:

    # diagnose ipv6 address list
    dev=5 devname=wan1 flag= scope=0 prefix=64 addr=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2 preferred=11525 valid=13325 cstamp=6520 tstamp=6892
    dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::xxxx:xxxx:fe39:ccd2 preferred=4294967295 valid=4294967295 cstamp=6373 tstamp=6373
    dev=18 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=3531 tstamp=3531
    dev=25 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=5604 tstamp=5604
    dev=27 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295 cstamp=6377 tstamp=6377
  5. Test the tunnel connection by pinging the Google public DNS IPv6 address:

    # execute ping6 2001:4860:4860::8888
    PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
    64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.89 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.39 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.46 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.34 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.39 ms
    --- 2001:4860:4860::8888 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss, time 4079ms
    rtt min/avg/max/mdev = 3.340/4.097/6.895/1.400 ms

Fixed IP mode example

In this example, fixed IP VNE tunnel mode with HTTP authentication is used between the FortiGate and the BR.

To configure a fixed IP mode with HTTP authentication between the FortiGate and the BR:
  1. Configure the IPv6 interface:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-allowaccess ping
                set dhcp6-information-request enable
                set autoconf enable
            end
        next
    end
  2. Configure the VNE tunnel:
    config system vne-tunnel
        set status enable
        set interface "wan1"
        set ipv4-address 120.51.xxx.xxx1 255.255.255.255
        set br "2001:f60:xxxx:xxxx::1"
        set update-url "https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp"
        set mode fixed-ip
        set http-username "laptop-1"
        set http-password **********
    end
  3. Verify the wan1 IPv6 configuration details:
    config system interface
        edit "wan1"
            config ipv6
                get
                    ....
  4. Verify the VNE daemon:

    # diagnose test application vned 1
    ----------------------------------------------------------------------------
    vdom: root/0, is master, devname=wan1 link=0 tun=vne.root mode=fixed-ip ssl_cert=Fortinet_Factory
    end user ipv6 perfix: 2001:f70:2880:xxxx::/64
    interface ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
    config ipv4 perfix: 120.51.xxx.xxx/255.255.255.255
    config br: 2001:f60:xxxx:xxxx::1
    HTTP username: laptop-1
    update url: https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp
    host: ddnsweb1.ddns.xxxxxx.jp path: /cgi-bin/ddns_api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp port:443 ssl: 1
    tunnel br: 2001:f60:xxxx:xxxx::1
    tunnel ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
    tunnel ipv4 addr: 120.51.xxx.xxx1/255.255.255.255
    update result: <H1>DDNS API</H1><HR><H2>* Query parameter check : OK</H2>FQDN=xxxxxx.v4v6.xxxxx.jp<BR>Password=**********<BR>IPv6=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR>UID=xxxxxx.v4v6.xxxxx.jp<BR>Address=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2<BR><H2>* routerinfo check : OK</H2><H2>* records check : OK</H2><H2>* routerinfo update : OK</H2><H2>* records update : OK</H2><H2>* DDNS API update : Success [2022-01-18 18:37:58 1642498678]</H2>
    Fixed IP rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
    fqdn=2001:f60:xxxx:xxxx::1 num=1 cur=0 ttl=4294967295 expiry=0
    2001:f60:xxxx:xxxx::1
    Fixed IP DDNS client: state=succeed retries=0 interval=10 expiry=0 reply_code=200
    fqdn=ddnsweb1.ddns.xxxxxx.jp num=1 cur=0 ttl=6 expiry=0
    2001:f61:0:2a::18
  5. Test the tunnel connection by pinging the Google public DNS IPv4 and IPv6 addresses:

    # execute ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=3.7 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=3.6 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=3.5 ms
    --- 8.8.8.8 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 3.5/3.6/3.7 ms
    
    # execute ping6 2001:4860:4860::8888
    PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
    64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.99 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.61 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.34 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.27 ms
    64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.75 ms
    --- 2001:4860:4860::8888 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss, time 4039ms
    rtt min/avg/max/mdev = 3.276/4.195/6.992/1.409 ms