Dual stack IPv4 and IPv6 for SSL VPN 7.0.1

FortiClient (Windows) has added SSL VPN dual stack support, where it can send IPv4 and IPv6 traffic over the same tunnel. By default, FortiClient disables this feature. Only FortiOS 7.0 and later versions support this feature.

To enable dual stack for an SSL VPN tunnel in the GUI:
  1. In FortiClient, on the Remote Access tab, select an existing VPN tunnel or create a new one.
  2. Select the Enable Dual-stack IPv4/IPv6 address checkbox.

To enable dual stack for an SSL VPN tunnel in the XML:

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <connections>
        <connection>
          <dual_stack>1</dual_stack>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This XML fragment is well-formed but incomplete: every element is closed, but other elements required for a complete SSL VPN configuration are omitted.

To configure dual stack in FortiOS:

config vpn ssl settings
    set dual-stack-mode enable
end

config firewall policy
    edit 14
        set name "ssl-wan1"
        set uuid 26f24a0a-09c4-51eb-daf7-cfb43cea057f
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "myinternalV6"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "sslvpn-group" "pki"
        set users "test" "xyan" "dns-split"
    next
end

config firewall policy
    edit 21
        set uuid 94e3489a-b764-51eb-efad-b7b3762070dd
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "myinternalV6"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "sslvpn-group"
    next
end

The following table summarizes the results:

| | FortiOS enabled dual stack | FortiOS disabled dual stack |
|---|---|---|
| FortiClient enabled dual stack | FortiClient sends IPv4 and IPv6 traffic over the same tunnel. | The connection fails. |
| FortiClient disabled dual stack | FortiClient sends IPv4 traffic over an IPv4 tunnel. FortiClient sends IPv6 traffic over an IPv6 tunnel. | FortiClient sends IPv4 traffic over an IPv4 tunnel. FortiClient sends IPv6 traffic over an IPv6 tunnel. |
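
The following Python script is an added example, not Fortinet code. It reads a FortiClient XML profile and a FortiOS configuration backup, applies the results table above to predict the outcome for each connection, and lists SSL VPN policies that carry no IPv6 addresses. The sample inputs, the `<name>` element, policy 30, the indented backup layout, and the premise that a policy without srcaddr6/dstaddr6 does not match tunneled IPv6 traffic are assumptions, not taken from this page.

```python
import re
import xml.etree.ElementTree as ET
# Constructed inputs modelled on this page's snippets; <name> and policy 30 are assumptions.
CLIENT_XML = """<forticlient_configuration><vpn><sslvpn><connections>
  <connection><name>hq</name><dual_stack>1</dual_stack></connection>
  <connection><name>lab</name></connection>
</connections></sslvpn></vpn></forticlient_configuration>"""
FORTIOS_CFG = """config vpn ssl settings
    set dual-stack-mode enable
end
config firewall policy
    edit 14
        set srcintf "ssl.root"
        set srcaddr6 "all"
        set dstaddr6 "myinternalV6"
    next
    edit 30
        set srcintf "ssl.root"
        set srcaddr "all"
    next
end"""

def client_dual_stack(xml_text):
    """Connection name -> dual stack on? A missing element counts as off (the default)."""
    conns = ET.fromstring(xml_text).iterfind("./vpn/sslvpn/connections/connection")
    return {c.findtext("name") or f"connection[{i}]":
            (c.findtext("dual_stack") or "0").strip() == "1" for i, c in enumerate(conns)}

def fortios_dual_stack(cfg):  # True when the SSL VPN settings enable dual-stack-mode
    m = re.search(r"^config vpn ssl settings\n(.*?)^end", cfg, re.S | re.M)
    return bool(m and re.search(r"set dual-stack-mode enable\b", m.group(1)))

def outcome(client_on, fortios_on):  # the page's results table as a function
    if client_on:
        return "IPv4+IPv6 over the same tunnel" if fortios_on else "connection fails"
    return "IPv4 over an IPv4 tunnel, IPv6 over an IPv6 tunnel"

def audit(xml_text, cfg):
    return {n: outcome(on, fortios_dual_stack(cfg)) for n, on in client_dual_stack(xml_text).items()}

def policies_without_v6(cfg, intf="ssl.root"):
    """IDs of policies sourced from the SSL VPN interface with no srcaddr6/dstaddr6 (assumed IPv4-only)."""
    m = re.search(r"^config firewall policy\n(.*?)^end", cfg, re.S | re.M)
    entries = re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next", m.group(1) if m else "", re.S | re.M)
    return [int(pid) for pid, body in entries
            if re.search(rf'set srcintf .*"{re.escape(intf)}"', body)
            and not ("set srcaddr6 " in body and "set dstaddr6 " in body)]

if __name__ == "__main__":
    print(audit(CLIENT_XML, FORTIOS_CFG), policies_without_v6(FORTIOS_CFG))
```

Running it against real exports before rolling out a profile with `<dual_stack>1</dual_stack>` shows which connections would fail against a gateway that still has dual-stack mode disabled.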

See the Dual stack IPv4 and IPv6 support for SSL VPN.
