Dual stack IPv4 and IPv6 support for SSL VPN

Dual stack IPv4 and IPv6 support for SSL VPN servers and clients enables a client to establish a dual stack tunnel to allow both IPv4 and IPv6 traffic to pass through. FortiGate SSL VPN clients also support dual stack, which allows it to establish dual stack tunnels with other FortiGates.

Users connecting in web mode can connect to the web portal over IPv4 or IPv6. They can access bookmarks in either IPv4 or IPv6, depending on the preferred DNS setting of the web portal.

Example

In this example, FortiGate B works as an SSL VPN server with dual stack enabled. A test portal is configured to support tunnel mode and web mode SSL VPN.

FortiGate A is an SSL VPN client that connects to FortiGate B to establish an SSL VPN tunnel connection. It attempts to access www.bing.com and www.apple.com via separate IPv4 and IPv6 connections. Two addresses are configured on FortiGate B:

• bing.com uses IPv4 FQDN and resolves to 13.107.21.200 and 204.79.197.200.
• apple_v6 uses IPv6 FQDN and resolves to 2600:140a:c000:385::1aca and 2600:140a:c000:398::1aca.

The server certificate used is fgt_gui_automation, and the CN is *.fos.automation.com.

A PC serves as a client to connect to FortiGate B in SSL VPN web mode. The PC can connect to the SSL VPN server over IPv4 or IPv6. Based on the preferred DNS setting, it will access the destination website over IPv4 or IPv6.

Dual stack tunnel mode support requires a supported client. In 7.0.0, a FortiGate in SSL VPN client mode can support dual stack tunnels. FortiClient 7.0.1 and later releases support dual stack.

To configure an SSL VPN server in tunnel and web mode with dual stack support in the GUI:

1. Create a local user:

   1. Go to User & Authentication > User Definition and click Create New. The Users/Groups Creation Wizard opens.

   2. Set the User Type to Local User and click Next.

   3. Enter the Username (client2) and password, then click Next.

   4. Optionally, configure the contact information and click Next.

   5. Click Submit.

2. Configure the addresses:

   1. Go to Policy & Objects > Addresses and select Address.

   2. Click Create new.

   3. Enter the following for the IPv4 address:

      Name	bing.com
      Type	FQDN
      FQDN	www.bing.com

   4. Click OK.

   5. Select IPv6 Address.

   6. Click Create new and enter the following for the IPv6 address:

      Name	apple_v6
      Type	IPv6 FQDN
      FQDN	www.apple.com

   7. Click OK.

3. Configure the SSL VPN portal:

   1. Go to VPN > SSL-VPN Portals and click Create New.

   2. Enter a name (testportal1).

   3. Enable Tunnel Mode and for Enable Split Tunneling, select Enable Based on Policy Destination.

   4. For Source IP Pools, add SSLVPN_TUNNEL_ADDR1.

   5. Enable IPv6 Tunnel Mode and for Enable Split Tunneling, select Enable Based on Policy Destination.

   6. For Source IP Pools, add SSLVPN_TUNNEL_IPv6_ADDR1.

   7. Enable Enable Web Mode.

      

   8. Click OK.

4. Configure the SSL VPN settings:

   1. Go to VPN > SSL-VPN Settings and configure the following:

      Listen on Interface(s)	port1
      Listen on Port	1443
      Restrict Access	Allow access from any host
      Server Certificate	fgt_gui_automation
      Address Range	Automatically assign addresses
      DNS Server	Same as client system DNS
      Authentication/Portal Mapping	Edit the All Other Users/Groups entry to use testportal1.

      

   2. Click Apply.

   3. Enable dual stack in the CLI:

      config vpn ssl settings
          set dual-stack-mode enable
      end

5. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy and click Create New.

   2. Enter the following:

      Name	sslvpn
      Incoming Interface	ssl.root
      Outgoing Interface	port2
      Source	all (IPv4), all (IPv6), client2
      Destination	bing.com, apple_v6
      Schedule	Always
      Service	All
      NAT	Enabled

   3. Click OK.

To configure FortiGate A as an SSL VPN client in the GUI:

1. Create a peer to verify the server certificate:

   The PKI menu is only available in the GUI (User & Authentication > PKI) after a PKI user has been created using the CLI, and a CN can only be configured in the CLI. If the CA is not known or is public, import the CA that signed the server certificate.

   1. Go to User & Authentication > PKI and click Create New.

   2. Set the Name to fgt_gui_automation.

   3. Set CA to the CA certificate that is used to verify the server certificate.

   4. Click OK.

   5. In the CLI, specify the CN that must be matched:

      config user peer
          edit "fgt_gui_automation"
              set ca "GUI_CA"
              set cn "*.fos.automation.com"
          next
      end

2. Configure the SSL VPN client:

   1. Go to VPN > SSL-VPN Clients and click Create New.

   2. In the Interface dropdown, click Create.

      1. Enter a Name (sslclient_port2).

      2. Set Interface to port2.

      3. Set Role to LAN.

         

      4. Click OK.

   3. Configure the SSL VPN client:

      Name	sslclientTo9
      Interface	sslclient_port2
      Server	Either IPv4 address 10.1.100.9 or IPv6 address 2000:10:1:100::9 can be used and will have the same results.
      Port	1443
      Username	client2
      Pre-shared Key	******
      Peer	fgt_gui_automation
      Status	Enabled

   4. Click OK.

To configure FortiClient and connect to the VPN:

1. On the Remote Access tab and click Configure VPN, or if other connections have already been configured, click the sandwich icon and select Add a new connection.

2. Set Connection Name to FGT2500E, and Remote Gateway to 10.1.100.9.

3. Enable Customize port and enter the port number 1443.

4. Set Username to client2.

5. Enable Enable Dual-stack IPv6/IPv6 address.

   

6. Click Save.

7. Enter the password, then click Connect.

To configure an SSL VPN server in tunnel and web mode with dual stack support in the CLI:

1. Create a local user:

   config user local
       edit "client1"
           set type password
           set passwd ******
       next  
   end

2. Configure the addresses:

   config firewall address
       edit "bing.com"
           set type fqdn
           set fqdn "www.bing.com"
       next
   end
   

   config firewall address6
       edit "apple_v6"
           set type fqdn
           set fqdn "www.apple.com"
       next
   end

3. Configure the SSL VPN portal:

   config vpn ssl web portal
       edit "testportal1"
           set tunnel-mode enable
           set ipv6-tunnel-mode enable
           set web-mode enable
           set ip-pools "SSLVPN_TUNNEL_ADDR1"
           set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
           set split-tunneling enable
           set ipv6-split-tunneling enable
       next
   end

4. Configure the SSL VPN settings:

   config vpn ssl settings
       set servercert "fgt_gui_automation"
       set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
       set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
       set port 1443
       set source-interface "port1"
       set source-address "all"
       set source-address6 "all"
       set default-portal "testportal1"
       set dual-stack-mode enable
   end

5. Configure the firewall policy:

   config firewall policy
       edit 1
           set name "sslvpn"
           set srcintf "ssl.root"
           set dstintf "port2"
           set srcaddr "all"
           set dstaddr "bing.com"
           set srcaddr6 "all"
           set dstaddr6 "apple_v6"
           set action accept
           set schedule "always"
           set service "ALL"
           set nat enable
           set users "client2"
       next
   end

To configure FortiGate A as an SSL VPN client in the CLI:

1. Create a peer to verify the server certificate:

   config user peer
       edit "fgt_gui_automation"
           set ca "GUI_CA"
           set cn "*.fos.automation.com"
       next
   end

2. Configure the interface:

   config system interface
       edit "sslclient_port2"
           set vdom "vdom1"
           set type ssl
           set role lan
           set snmp-index 46
           set interface "port2"
       next
   end

3. Configure the SSL VPN client. Either IPv4 address 10.1.100.9 or IPv6 address 2000:10:1:100::9 can be used and will have the same results:

   config vpn ssl client
       edit "sslclientTo9"
           set interface "sslclient_port2"
           set user "client2"
           set psk ******
           set peer "fgt_gui_automation"
           set server {10.1.100.9 | 2000:10:1:100::9}
           set port 1443
       next
   end

Testing dual stack with tunnel mode

To verify the SSL VPN tunnel connection in the GUI:

1. On FortiGate B, go to Dashboard > Network.

2. Expand the SSL-VPN widget.

   

To verify the SSL VPN tunnel connection in the CLI:

1. On FortiGate B, verify that the client is assigned with both IPv4 and IPv6 addresses:

   (root) # get vpn ssl monitor 
   SSL VPN Login Users:
    Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
    0       client2                1(1)             292    2147483647       10.1.100.2     0/0     0/0     0
   
   SSL VPN sessions:
    Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP 
    0       client2                10.1.100.2       5427    1756/1772      10.212.134.200,fdff:ffff::1

2. On FortiGate A, verify the routing tables.

   1. IPv4 with resolved addresses for www.bing.com:

      (vdom1) # get router info routing-table database 
      ...
      Routing table for VRF=0
      S    *> 0.0.0.0/0 [10/0] via 172.16.200.254, port1
      C    *> 10.0.1.0/24 is directly connected, link_11
      C    *> 10.1.100.0/24 is directly connected, port2
      C    *> 10.212.134.200/32 is directly connected, sslclient_port2
      S    *> 13.107.21.200/32 [10/0] is directly connected, sslclient_port2
      C    *> 172.16.200.0/24 is directly connected, port1
      S    *> 204.79.197.200/32 [10/0] is directly connected, sslclient_port2

   2. IPv6 with resolved addresses for www.apple.com:

      (vdom1) # get router info6 routing-table database 
      ...
      S    *> ::/0 [10/0] via 2000:172:16:200::254, port1, 01:57:23, [1024/0]
      C    *> ::1/128 via ::, vdom1, 06:12:54
      C    *> 2000:10:0:1::/64 via ::, link_11, 06:12:54
      C    *> 2000:10:1:100::/64 via ::, port2, 06:12:54
      C    *> 2000:172:16:200::/64 via ::, port1, 06:12:54
      S    *> 2600:140a:c000:385::1aca/128 [10/0] via ::, sslclient_port2, 01:33:08, [1024/0]
      S    *> 2600:140a:c000:398::1aca/128 [10/0] via ::, sslclient_port2, 01:33:08, [1024/0]
      C    *> fdff:ffff::/120 via ::, sslclient_port2, 01:33:08
      C    *> fe80::/64 via ::, port2, 06:12:54

To test the address connections using ping:

1. On FortiGate A, ping www.bing.com using IPv4 ping:

   # execute ping www.bing.com
   PING www-bing-com.dual-a-0001.a-msedge.net (13.107.21.200): 56 data bytes
   64 bytes from 13.107.21.200: icmp_seq=0 ttl=117 time=1.8 ms
   ...

2. On FortiGate B, sniff for IPv4 ICMP packets and observe the results:

   # diagnose sniffer packet any icmp 4
   interfaces=[any] 
   filters=[icmp] 
   9.675101 ssl.root in 10.212.134.200 -> 13.107.21.200: icmp: echo request 
   9.675219 port2 out 172.16.200.9 -> 13.107.21.200: icmp: echo request 
   9.676698 port2 in 13.107.21.200 -> 172.16.200.9: icmp: echo reply 
   9.676708 ssl.root out 13.107.21.200 -> 10.212.134.200: icmp: echo reply
   ...

3. On FortiGate A, ping www.apple.com using IPv6 ping:

   # execute ping6 www.apple.com
   PING www.apple.com (2600:140a:c000:385::1aca): 56 data bytes
   64 bytes from 2600:140a:c000:385::1aca: icmp_seq=1 ttl=52 time=1.88 ms
   ...

4. On FortiGate B, sniff for IPv6 ICMP packets and observe the results:

   # diagnose sniffer packet any icmp6 4
   interfaces=[any] 
   filters=[icmp6] 
   3.564296 ssl.root in fdff:fff::1 -> 2600:140a:c000:385::1aca: icmp6: echo request seq 1
   3.564435 port2 out 2000:172:16:200::9 -> 2600:140a:c000:385::1aca: icmp6: echo request seq 1
   3.565929 port2 in 2600:140a:c000:385::1aca -> 2000:172:16:200::9: icmp6: echo reply seq 1 [flowlabel 0x1fdff]
   3.565953 ssl.root out 2600:140a:c000:385::1aca -> fdff:fff::1: icmp6: echo reply seq 1 [flowlabel 0x1fdff]
   ...

Testing dual stack with web mode

In SSL VPN web mode, users can access both IPv4 and IPv6 bookmarks in the portal. The attribute, prefer-ipv6-dns can be enabled to prefer querying IPv6 DNS first, or disabled to prefer querying IPv4.

To test an IPv4 connection to the web portal and access www.bing.com over IPv6:

1. On FortiGate B, prioritize resolving IPv6 addresses:

   config vpn ssl web portal
       edit "testportal1"
           set prefer-ipv6-dns enable
       next
   end

2. Log in to the web portal in the browser over the IPv4 address 10.1.100.9.

3. Create a new HTTP/HTTPS bookmark named bing for the URL www.bing.com.

4. Click the bing bookmark. The bing page will open over IPv6.

   

To test an IPv6 connection to the web portal and access www.apple.com over IPv4:

1. On FortiGate B, prioritize resolving IPv4 addresses:

   config vpn ssl web portal
       edit "testportal1"
           set prefer-ipv6-dns disable
       next
   end

2. Log in to the web portal in the browser over the IPv6 address [2000:10:1:100::9].

3. Create a new HTTP/HTTPS bookmark named apple for the URL www.apple.com.

4. Click the apple bookmark. The apple page will open over IPv4.