Administration Guide

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed networks communicate securely over IPv4 public infrastructure.

The following topology is used for this example:

  • Port2 connects to the IPv4 public network and port3 connects to the IPv6 local network.

  • HQ1 port2 IPv4 address is 10.0.0.1 and port3 IPv6 address is 2001:db8:d0c:4::e.

  • HQ2 port2 IPv4 address is 10.0.1.1 and port3 IPv6 address is 2001:db8:d0c:3::e.

Note

Please note that the IPv6 addresses used in this example are for illustrative purposes only and should not be used in your environment.

The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation examples. See RFC 3849 for more information.

To configure the example in the GUI:
  1. Configure the HQ1 FortiGate.

    1. Configure the IPv4 address on port2 and IPv6 address on port3:

      1. Go to Network > Interfaces and edit port2.

      2. Set Addressing mode to Manual and enter the IP/Netmask.

        IP/Netmask 10.0.0.1/24
      3. Click OK.

      4. Go to Network > Interfaces and edit port3.

      5. Set IPv6 addressing mode to Manual and enter the IPv6 Address/Prefix.

        IPv6 Address/Prefix 2001:db8:d0c:4::e/64
    2. Configure IPsec settings:

      1. Go to VPN > IPsec Wizard and enter a VPN name.

      2. Set Template type to Custom.

      3. Click Next.

      4. Configure the following Network settings:

        IP Version IPv4
        Remote Gateway Static IP Address
        IP Address 10.0.1.1
        Interface port2
      5. Configure the following Authentication settings:

        Method Pre-shared Key
        Pre-shared Key sample
      6. Configure the following New Phase 2 settings:

        Local Address IPv6 Subnet
        Remote Address IPv6 Subnet
    3. Configure the IPv6 firewall policy to allow IPv6 traffic from port3 to the IPsec interface:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface port3
        Outgoing Interface to_HQ2
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    4. Configure the IPv6 firewall policy to allow IPv6 traffic from the IPsec interface to port3:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface to_HQ2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    5. Configure the static routes:

      1. Go to Network > Static Routes.

      2. Click Create New > IPv4 Static Route.

      3. Configure the following settings for the default route to the remote VPN gateway:

        Destination 0.0.0.0/0.0.0.0
        Gateway Address 10.0.0.2
        Interface port2
      4. Select OK.

      5. Repeat the first two steps for IPv6 Static Route and configure the following settings for the route to the remote protected network:

        Destination 2001:db8:d0c:3::/64
        Interface to_HQ2
      6. Select OK.

      7. Repeat the first two steps for IPv6 Static Route and configure the following settings for the blackhole route:

        Destination 2001:db8:d0c:3::/64
        Interface Blackhole
        Administrative Distance 254
      8. Select OK.

  2. Configure the HQ2 FortiGate.

    1. Configure the IPv4 address on port2 and IPv6 address on port3:

      1. Go to Network > Interfaces and edit port2.

      2. Set Addressing mode to Manual and enter the IP/Netmask.

        IP/Netmask 10.0.1.1/24
      3. Click OK.

      4. Go to Network > Interfaces and edit port3.

      5. Set IPv6 addressing mode to Manual and enter the IPv6 Address/Prefix.

        IPv6 Address/Prefix 2001:db8:d0c:3::e/64
    2. Configure IPsec settings:

      1. Go to VPN > IPsec Wizard and enter a VPN name.

      2. Set Template type to Custom.

      3. Click Next.

      4. Configure the following Network settings:

        IP Version IPv4
        Remote Gateway Static IP Address
        IP Address 10.0.0.1
        Interface port2
      5. Configure the following Authentication settings:

        Method Pre-shared Key
        Pre-shared Key sample
      6. Configure the following New Phase 2 settings:

        Local Address IPv6 Subnet
        Remote Address IPv6 Subnet
    3. Configure the IPv6 firewall policy to allow IPv6 traffic from port3 to the IPsec interface:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface port3
        Outgoing Interface to_HQ1
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    4. Configure the IPv6 firewall policy to allow IPv6 traffic from the IPsec interface to port3:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface to_HQ1
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    5. Configure the static routes:

      1. Go to Network > Static Routes.

      2. Click Create New > IPv4 Static Route.

      3. Configure the following settings for the default route to the remote VPN gateway:

        Destination 0.0.0.0/0.0.0.0
        Gateway Address 10.0.1.2
        Interface port2
      4. Select OK.

      5. Repeat the first two steps for IPv6 Static Route and configure the following settings for the route to the remote protected network:

        Destination 2001:db8:d0c:4::/64
        Interface to_HQ1
      6. Select OK.

      7. Repeat the first two steps for IPv6 Static Route and configure the following settings for the blackhole route:

        Destination 2001:db8:d0c:4::/64
        Interface Blackhole
        Administrative Distance 254
      8. Select OK.

To configure the example in the CLI:
  1. Configure the HQ1 FortiGate.

    1. Configure the IPv4 address on port2 and the IPv6 address on port3:

      config system interface
          edit port2
              set ip 10.0.0.1/24
          next
          edit port3
              config ipv6
                  set ip6-address 2001:db8:d0c:4::e/64
              end
          next
      end
    2. Configure IPsec settings:

      config vpn ipsec phase1-interface
          edit "to_HQ2"
              set interface port2
              set ip-version 4
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 10.0.1.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type subnet6
              set dst-addr-type subnet6
          next
      end
    3. Configure the IPv6 firewall policies to allow IPv6 traffic between port3 and the IPsec interface in both directions:

      config firewall policy
          edit 1
              set srcintf "port3"
              set dstintf "to_HQ2"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
          edit 2
              set srcintf "to_HQ2"
              set dstintf "port3"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
      end
    4. Configure the static routes:

      config router static
          edit 1
              set gateway 10.0.0.2
              set device "port2"
          next
      end
      config router static6
          edit 1
              set dst 2001:db8:d0c:3::/64
              set device "to_HQ2"
          next
          edit 2
              set dst 2001:db8:d0c:3::/64
              set device blackhole
              set distance 254
          next
      end
  2. Configure the HQ2 FortiGate.

    1. Configure the IPv4 address on port2 and the IPv6 address on port3:

      config system interface
          edit port2
              set ip 10.0.1.1/24
          next
          edit port3
              config ipv6
                  set ip6-address 2001:db8:d0c:3::e/64
              end
          next
      end
    2. Configure IPsec settings:

      config vpn ipsec phase1-interface
          edit "to_HQ1"
              set interface port2
              set ip-version 4
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 10.0.0.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type subnet6
              set dst-addr-type subnet6
          next
      end
    3. Configure the IPv6 firewall policies to allow IPv6 traffic between port3 and the IPsec interface in both directions:

      config firewall policy
          edit 1
              set srcintf "port3"
              set dstintf "to_HQ1"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
          edit 2
              set srcintf "to_HQ1"
              set dstintf "port3"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
      end
    4. Configure the static routes:

      config router static
          edit 1
              set gateway 10.0.1.2
              set device "port2"
          next
      end
      config router static6
          edit 1
              set dst 2001:db8:d0c:4::/64
              set device "to_HQ1"
          next
          edit 2
              set dst 2001:db8:d0c:4::/64
              set device blackhole
              set distance 254
          next
      end
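
The CLI above uses lab values: the placeholder pre-shared key sample, SHA-1 proposals offered alongside SHA-256, and accept policies with all/all/ALL. The following Python audit is an added example, not Fortinet code: it parses the config/edit/set blocks, flags those settings, and checks that each static6 route through a tunnel has the blackhole companion route configured above. The names HQ1_CONFIG, parse and audit, the 20-character key threshold and the no-SHA-1 rule are assumptions of this example.

```python
import re

# Constructed sample: the HQ1 CLI from this page, cut down to the audited tables.
HQ1_CONFIG = '''
config vpn ipsec phase1-interface
    edit "to_HQ2"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.0.1.1
        set psksecret sample
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "to_HQ2"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set service "ALL"
    next
end
config router static6
    edit 1
        set dst 2001:db8:d0c:3::/64
        set device "to_HQ2"
    next
    edit 2
        set dst 2001:db8:d0c:3::/64
        set device blackhole
        set distance 254
    next
end
'''

def parse(text):
    """Return {table: {entry: {option: [values]}}}; nested config blocks are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table, entry = " ".join(tok[1:]), None
                tables.setdefault(table, {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit(text, min_psk_len=20):  # assumption: local policy wants PSKs >= 20 chars
    """Return findings for lab-grade settings; the key itself is never echoed."""
    cfg, findings = parse(text), []
    tunnels = cfg.get("vpn ipsec phase1-interface", {})
    for name, p1 in tunnels.items():
        if len("".join(p1.get("psksecret", []))) < min_psk_len:
            findings.append(f"phase1 {name}: pre-shared key under {min_psk_len} chars")
        sha1 = [p for p in p1.get("proposal", []) if p.endswith("-sha1")]
        if sha1:  # assumption: SHA-1 proposals are disallowed by local policy
            findings.append(f"phase1 {name}: SHA-1 proposals: {' '.join(sha1)}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if all(pol.get(k) == [v] for k, v in (("action", "accept"),
               ("srcaddr6", "all"), ("dstaddr6", "all"), ("service", "ALL"))):
            findings.append(f"policy {pid}: accepts all sources, destinations, services")
    routes = list(cfg.get("router static6", {}).values())
    blackholed = {" ".join(r.get("dst", [])) for r in routes
                  if r.get("device") == ["blackhole"]}
    for r in routes:
        dev, dst = " ".join(r.get("device", [])), " ".join(r.get("dst", []))
        if dev in tunnels and dst not in blackholed:
            findings.append(f"static6 {dst} via {dev}: no blackhole companion route")
    return findings

if __name__ == "__main__":
    for finding in audit(HQ1_CONFIG):
        print(finding)
```
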

Verification

The following commands are useful to check IPsec phase1/phase2 interface status:

  1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

    vd: root/0
    name: to_HQ2
    version: 1
    interface: port2 6
    addr: 10.0.0.1:500 -> 10.0.0.2:500
    tun_id: 10.0.0.2/::10.0.0.2
    remote_location: 0.0.0.0
    network-id: 0
    created: 576319s ago
    peer-id: 10.0.0.2
    peer-id-auth: no
    IKE SA: created 1/8  established 1/8  time 0/1127/9000 ms
    IPsec SA: created 1/7  established 1/7  time 0/5/10 ms
    
      id/spi: 8 c04ab0ead989f579/267813e164d4ec22
      direction: initiator
      status: established 59710-59710s ago = 0ms
      proposal: aes128-sha256
      key: 034a0c3bf3deb551-8d647af9b6f76578
      lifetime/rekey: 86400/26389
      DPD sent/recv: 00000044/00000047
      peer-id: 10.0.0.2
  2. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_HQ2 ver=1 serial=1 10.0.0.1:0->10.0.0.2:0 tun_id=10.0.0.2 tun_id6=::10.0.0.2 dst_mtu=1500 dpd-link=on weight=1
    bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    
    proxyid_num=1 child_num=0 refcnt=4 ilast=27652 olast=27652 ad=/0
    stat: rxp=198 txp=192 rxb=15840 txb=15360
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=68
    natt: mode=none draft=0 interval=0 remote_port=0
    fec: egress=0 ingress=0
    proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
      src: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
      dst: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
      SA:  ref=3 options=10202 type=00 soft=0 mtu=1438 expire=2709/0B replaywin=2048
           seqno=d esn=0 replaywin_lastseq=0000000c qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42933/43200
      dec: spi=24fe1f3a esp=aes key=16 de482993279020176bb2709052ef0656
           ah=sha1 key=20 b6fe007aa8e2c587762c4f9808321ae5e015dc0a
      enc: spi=5989a2d9 esp=aes key=16 438c8d60ae9ca8400138965ff90a1384
           ah=sha1 key=20 a931ee4518c365dae630431b25edfe6d930e8075
      dec:pkts/bytes=22/1760, enc:pkts/bytes=24/2784
      npu_flag=00 npu_rgwy=10.0.0.2 npu_lgwy=10.0.0.1 npu_selid=0 dec_npuid=0 enc_npuid=0
