Administration Guide

Site-to-site IPv6 over IPv6 VPN example

In this example, clients on IPv6-addressed networks communicate securely over public IPv6 infrastructure.

The following topology is used for this example:

  • Port2 connects to the public network and port3 connects to the local network.

  • The IPv6 address for HQ1 port2 and port3 is 2001:db8:d0c:1::e and 2001:db8:d0c:4::e, respectively.

  • The IPv6 address for HQ2 port2 and port3 is 2001:db8:d0c:2::e and 2001:db8:d0c:3::e, respectively.

Note

The IPv6 addresses used in this example are for illustrative purposes only and should not be used in your environment.

The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation examples. See RFC 3849 for more information.

To configure the example in the GUI:
  1. Configure the HQ1 FortiGate.

    1. Configure the IPv6 address on port2 and port3:

      1. Go to Network > Interfaces and edit port2.

      2. Set IPv6 addressing mode to Manual and enter the IPv6 Address/Prefix.

        IPv6 Address/Prefix 2001:db8:d0c:1::e/64
      3. Click OK.

      4. Repeat these steps for port3.

        IPv6 Address/Prefix 2001:db8:d0c:4::e/64
    2. Configure IPsec settings:

      1. Go to VPN > IPsec Wizard and enter a VPN name.

      2. Set Template type to Custom.

      3. Click Next.

      4. Configure the following Network settings:

        IP Version IPv6
        Remote Gateway Static IP Address
        IP Address 2001:db8:d0c:2::e
        Interface port2
      5. Configure the following Authentication settings:

        Method Pre-shared Key
        Pre-shared Key sample
      6. Configure the following New Phase 2 settings:

        Local Address IPv6 Subnet
        Remote Address IPv6 Subnet
    3. Configure the IPv6 firewall policy to allow IPv6 traffic from port3 to the IPsec interface:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface port3
        Outgoing Interface to_HQ2
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    4. Configure the IPv6 firewall policy to allow IPv6 traffic from the IPsec interface to port3:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface to_HQ2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    5. Configure the static routes:

      1. Go to Network > Static Routes.

      2. Click Create New > IPv6 Static Route.

      3. Configure the following settings for the default route to the remote VPN gateway:

        Destination ::/0
        Gateway Address 2001:db8:d0c:1::f
        Interface port2
      4. Select OK.

      5. Repeat the first two steps and configure the following settings for the route to the remote protected network:

        Destination 2001:db8:d0c:3::/64
        Interface to_HQ2
      6. Select OK.

      7. Repeat the first two steps and configure the following settings for the blackhole route:

        Destination 2001:db8:d0c:3::/64
        Interface Blackhole
        Administrative Distance 254
      8. Select OK.

  2. Configure the HQ2 FortiGate:

    1. Configure the IPv6 address on port2 and port3:

      1. Go to Network > Interfaces and edit port2.

      2. Set IPv6 addressing mode to Manual and enter the IPv6 Address/Prefix.

        IPv6 Address/Prefix 2001:db8:d0c:2::e/64
      3. Click OK.

      4. Repeat these steps for port3.

        IPv6 Address/Prefix 2001:db8:d0c:3::e/64
    2. Configure IPsec settings:

      1. Go to VPN > IPsec Wizard and enter a VPN name.

      2. Set Template type to Custom.

      3. Click Next.

      4. Configure the following Network settings:

        IP Version IPv6
        Remote Gateway Static IP Address
        IP Address 2001:db8:d0c:1::e
        Interface port2
      5. Configure the following Authentication settings:

        Method Pre-shared Key
        Pre-shared Key sample
      6. Configure the following New Phase 2 settings:

        Local Address IPv6 Subnet
        Remote Address IPv6 Subnet
    3. Configure the IPv6 firewall policy to allow IPv6 traffic from port3 to the IPsec interface:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface port3
        Outgoing Interface to_HQ1
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    4. Configure the IPv6 firewall policy to allow IPv6 traffic from the IPsec interface to port3:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy and configure the following parameters:

        Incoming Interface to_HQ1
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT
      4. Click OK.

    5. Configure the static routes:

      1. Go to Network > Static Routes.

      2. Click Create New > IPv6 Static Route.

      3. Configure the following settings for the default route to the remote VPN gateway:

        Destination ::/0
        Gateway Address 2001:db8:d0c:2::f
        Interface port2
      4. Select OK.

      5. Repeat the first two steps and configure the following settings for the route to the remote protected network:

        Destination 2001:db8:d0c:4::/64
        Interface to_HQ1
      6. Select OK.

      7. Repeat the first two steps and configure the following settings for the blackhole route:

        Destination 2001:db8:d0c:4::/64
        Interface Blackhole
        Administrative Distance 254
      8. Select OK.

To configure the example in the CLI:
  1. Configure the HQ1 FortiGate.

    1. Configure the IPv6 address on port2 and port3:

      config system interface
          edit port2
              config ipv6
                  set ip6-address 2001:db8:d0c:1::e/64
              end
          next
          edit port3
              config ipv6
                  set ip6-address 2001:db8:d0c:4::e/64
              end
          next
      end
    2. Configure IPsec settings:

      config vpn ipsec phase1-interface
          edit "to_HQ2"
              set interface port2
              set ip-version 6
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw6 2001:db8:d0c:2::e 
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type subnet6
              set dst-addr-type subnet6
          next
      end
    3. Configure the IPv6 firewall policies to allow IPv6 traffic between port3 and the IPsec interface:

      config firewall policy
          edit 1
              set srcintf "port3"
              set dstintf "to_HQ2"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
          edit 2
              set srcintf "to_HQ2"
              set dstintf "port3"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
      end
    4. Configure the static routes:

      config router static6
          edit 1
              set gateway 2001:db8:d0c:1::f
              set device "port2"
          next
          edit 2
              set dst 2001:db8:d0c:3::/64
              set device "to_HQ2"
          next
          edit 3
              set dst 2001:db8:d0c:3::/64
              set blackhole enable 
              set distance 254
          next
      end
  2. Configure the HQ2 FortiGate.

    1. Configure the IPv6 address on port2 and port3:

      config system interface
          edit port2
              config ipv6
                  set ip6-address 2001:db8:d0c:2::e/64
              end
          next
          edit port3
              config ipv6
                  set ip6-address 2001:db8:d0c:3::e/64
              end
          next
      end
    2. Configure IPsec settings:

      config vpn ipsec phase1-interface
          edit "to_HQ1"
              set interface port2
              set ip-version 6
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw6 2001:db8:d0c:1::e 
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ1"
              set phase1name "to_HQ1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type subnet6
              set dst-addr-type subnet6
          next
      end
    3. Configure the IPv6 firewall policies to allow IPv6 traffic between port3 and the IPsec interface:

      config firewall policy
          edit 1
              set srcintf "port3"
              set dstintf "to_HQ1"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
          edit 2
              set srcintf "to_HQ1"
              set dstintf "port3"
              set srcaddr6 "all"
              set dstaddr6 "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic "all"
          next
      end
    4. Configure the static routes:

      config router static6
          edit 1
              set gateway 2001:db8:d0c:2::f
              set device "port2"
          next
          edit 2
              set dst 2001:db8:d0c:4::/64
              set device "to_HQ1"
          next
          edit 3
              set dst 2001:db8:d0c:4::/64
              set blackhole enable
              set distance 254
          next
      end
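
The CLI configuration above uses placeholder values (the pre-shared key "sample", all/all/ALL policies), and its blackhole route at distance 254 is what keeps traffic for the remote subnet from following the default route out port2 while the tunnel is down. The following added example, which is not Fortinet code, parses an excerpt of the HQ1 configuration and lists the settings to tighten before production use; the function names and the placeholder_psks deny-list are assumptions of this example.

```python
import shlex

# Excerpt of the HQ1 CLI configuration from this page (IPsec, policy, routes).
HQ1_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_HQ2"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw6 2001:db8:d0c:2::e
        set psksecret sample
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "to_HQ2"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set service "ALL"
    next
end
config router static6
    edit 1
        set gateway 2001:db8:d0c:1::f
        set device "port2"
    next
    edit 2
        set dst 2001:db8:d0c:3::/64
        set device "to_HQ2"
    next
    edit 3
        set dst 2001:db8:d0c:3::/64
        set blackhole enable
        set distance 254
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config" and entry is None:
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]  # nested sub-table settings land here too
        elif tok[0] == "next":
            entry = None
    return cfg

def audit(cfg, placeholder_psks=("sample",)):
    """List settings to tighten; placeholder_psks is an assumed deny-list."""
    out = []
    tunnels = cfg.get("vpn ipsec phase1-interface", {})
    for name, p1 in tunnels.items():
        if p1.get("psksecret", [""])[0] in placeholder_psks:
            out.append(f"phase1 {name}: placeholder pre-shared key")
        sha1 = [p for p in p1.get("proposal", []) if p.endswith("-sha1")]
        if sha1:
            out.append(f"phase1 {name}: SHA-1 proposals offered: {' '.join(sha1)}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if all(pol.get(k) == v for k, v in (("action", ["accept"]),
               ("srcaddr6", ["all"]), ("dstaddr6", ["all"]), ("service", ["ALL"]))):
            out.append(f"policy {pid}: accepts all/all/ALL")
    routes = list(cfg.get("router static6", {}).values())
    backstops = {r["dst"][0] for r in routes
                 if r.get("blackhole") == ["enable"] and "dst" in r}
    for r in routes:
        dst = r.get("dst", ["::/0"])[0]
        if r.get("device", [""])[0] in tunnels and dst not in backstops:
            out.append(f"route {dst}: no blackhole backstop")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_fortios(HQ1_CONFIG))))
```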

Verification

The following commands are useful to check IPsec phase1/phase2 interface status:

  1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

    vd: root/0
    name: to_HQ2
    version: 1
    interface: port2 6
    addr: 2001:db8:d0c:1::e:500 -> 2001:db8:d0c:2::e:500
    tun_id: 10.0.0.1/::10.0.0.1
    remote_location: 0.0.0.0
    network-id: 0
    created: 1537s ago
    peer-id: 2001:db8:d0c:2::e
    peer-id-auth: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 160 8d7231820bb5ffd9/6c840a4c11b57927
      direction: initiator
      status: established 1537-1537s ago = 0ms
      proposal: aes128-sha256
      key: 32d8521a77d98529-5fe4b67914d30f87
      lifetime/rekey: 86400/84562
      DPD sent/recv: 00000007/00000003
      peer-id: 2001:db8:d0c:2::e
  2. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_HQ2 ver=1 serial=1 2001:db8:d0c:1::e:0->2001:db8:d0c:2::e:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=1500 dpd-link=on weight=1
    bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
    
    proxyid_num=1 child_num=0 refcnt=4 ilast=416 olast=416 ad=/0
    stat: rxp=28 txp=51 rxb=76440 txb=274972
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=7
    natt: mode=none draft=0 interval=0 remote_port=0
    fec: egress=0 ingress=0
    proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
      src: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
      dst: 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
      SA:  ref=3 options=10202 type=00 soft=0 mtu=1422 expire=41332/0B replaywin=2048
           seqno=34 esn=0 replaywin_lastseq=0000001d qat=0 rekey=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42897/43200
      dec: spi=97511f0c esp=aes key=16 3b65a0121f54e07101d7b7a84b0ce243
           ah=sha1 key=20 c64cdcb40949573383c2c9f26d5af5d63776b1ce
      enc: spi=0f65cc64 esp=aes key=16 3de2f282167bac00d0a9dd942359cff3
           ah=sha1 key=20 e80e31d277f045053950e56db9eec5b6e529ea1a
      dec:pkts/bytes=56/152880, enc:pkts/bytes=99/357420
      npu_flag=00 npu_rgwy=2001:db8:d0c:2::e npu_lgwy=2001:db8:d0c:1::e npu_selid=0 dec_npuid=0 enc_npuid=0
    run_tally=0
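
The diagnose vpn tunnel list output above prints the live ESP encryption and authentication keys next to each SPI, so it needs redacting before it goes into a ticket or chat. The following added example, which is not Fortinet code, works on an excerpt of that output: it redacts the key material and extracts the fields used to confirm the tunnel is up (peer address, SA count, negotiated transforms, packet counters). The function names and the checks in problems() are assumptions of this example.

```python
import re

# Excerpt of the `diagnose vpn tunnel list` output shown on this page (HQ1).
TUNNEL_LIST = """\
name=to_HQ2 ver=1 serial=1 2001:db8:d0c:1::e:0->2001:db8:d0c:2::e:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=1500 dpd-link=on weight=1
proxyid_num=1 child_num=0 refcnt=4 ilast=416 olast=416 ad=/0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
  dec: spi=97511f0c esp=aes key=16 3b65a0121f54e07101d7b7a84b0ce243
       ah=sha1 key=20 c64cdcb40949573383c2c9f26d5af5d63776b1ce
  enc: spi=0f65cc64 esp=aes key=16 3de2f282167bac00d0a9dd942359cff3
       ah=sha1 key=20 e80e31d277f045053950e56db9eec5b6e529ea1a
  dec:pkts/bytes=56/152880, enc:pkts/bytes=99/357420
"""

KEY_RE = re.compile(r"((?:esp|ah)=\S+ key=\d+ )[0-9a-f]+")

def redact_keys(text):
    """Blank the SA key material but keep SPI, algorithm and key length."""
    return KEY_RE.sub(r"\1<redacted>", text)

def parse_tunnels(text):
    """Return one dict per tunnel with peers, SA count, transforms, counters."""
    tunnels, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*name=(\S+) ver=\d+ serial=\d+ (\S+)->(\S+)", line)
        if m:
            # Gateways are printed as address:port; drop the trailing port.
            cur = {"name": m[1], "local": m[2].rsplit(":", 1)[0],
                   "remote": m[3].rsplit(":", 1)[0], "sa": 0,
                   "transforms": set(), "dec_pkts": 0, "enc_pkts": 0}
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"\s*proxyid=\S+ proto=\d+ sa=(\d+)", line)
        if m:
            cur["sa"] += int(m[1])
        m = re.search(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", line)
        if m:
            cur["dec_pkts"], cur["enc_pkts"] = int(m[1]), int(m[2])
        # Record each transform as printed: (field, algorithm, key bytes).
        for kind, alg, nbytes in re.findall(r"(esp|ah)=(\S+) key=(\d+)", line):
            cur["transforms"].add((kind, alg, int(nbytes)))
    return tunnels

def problems(tunnel, expected_remote):
    """Health checks chosen for this example; returns a list of findings."""
    out = []
    if tunnel["remote"] != expected_remote:
        out.append(f"peer is {tunnel['remote']}, expected {expected_remote}")
    if tunnel["sa"] == 0:
        out.append("no IPsec SA negotiated")
    if not (tunnel["dec_pkts"] and tunnel["enc_pkts"]):
        out.append("traffic is not flowing in both directions")
    return out

if __name__ == "__main__":
    for t in parse_tunnels(TUNNEL_LIST):
        print(t["name"], sorted(t["transforms"]), problems(t, "2001:db8:d0c:2::e"))
    print(redact_keys(TUNNEL_LIST))
```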
