
FQDN support for remote gateways

FortiGate supports using an FQDN when defining an IPsec remote gateway that has a dynamically assigned IPv6 address. When FortiGate attempts to connect to the IPv6 device, the FQDN is resolved to the current IPv6 address, so the tunnel can still be established even after the address changes.

Using an FQDN to configure the remote gateway is useful when the remote end has a dynamic IPv6 address assigned by its ISP or by a DHCPv6 server.

1. Set the VPN type to DDNS and configure the FQDN of the remote gateway

config vpn ipsec phase1-interface

edit "ddns6"

set type ddns

set interface "agg1"

set ip-version 6

set ike-version 2

set peertype any

set net-device disable

set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

set dpd on-idle

set remotegw-ddns "rgwa61.vpnlab.org"

set psksecret xxxxxxx

next

end

config vpn ipsec phase2-interface

edit "ddns6"

set phase1name "ddns6"

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set src-addr-type subnet6

set dst-addr-type subnet6

set src-subnet6 2003:1:1:1::/64

next

end

2. The FQDN resolves to the IPv6 address

# diagnose test application dnsproxy 7

vfid=0, name=rgwa61.vpnlab.org, ttl=3600:3547:1747

2003:33:1:1::22 (ttl=3600)

3. FortiGate uses the FQDN to connect to the IPv6 device

# diagnose vpn tunnel list name ddns6

list ipsec tunnel by names in vd 0

------------------------------------------------------

name=ddns6 ver=2 serial=2 2003:33:1:1::1:0->2003:33:1:1::22:0 dst_mtu=1500

bound_if=32 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=10 ilast=9 olast=9 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=72340

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=ddns6 proto=0 sa=1 ref=2 serial=1

src: 0:2003:1:1:1::/64:0

dst: 0:::/0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42680/0B replaywin=2048

seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=ac7a5718 esp=aes key=16 9976b66280cc49f500d8edca093e03fb

ah=sha1 key=20 4d94d76fc18df5a180c52e0a6cd5f430fde48fe8

enc: spi=7ab888ec esp=aes key=16 841a95d3ee5ea5108a2ba269b74998d1

ah=sha1 key=20 ed0b52d27776e30149ee36af4fd4626681c2a3a1

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

npu_flag=00 npu_rgwy=2003:33:1:1::22 npu_lgwy=2003:33:1:1::1 npu_selid=0 dec_npuid=0 enc_npuid=0

run_tally=1

4. The tunnel can still connect to the remote gateway after the IPv6 address behind the FQDN changes

# diagnose debug application ike -1

# diagnose debug enable

ike 0:ddns6: set oper down

ike 0:ddns6: carrier down

ike shrank heap by 159744 bytes

ike 0: cache rebuild start

ike 0:ddns6: sending DNS request for remote peer rgwa61.vpnlab.org

ike 0: send IPv6 DNS query : rgwa61.vpnlab.org

ike 0: cache rebuild done

ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it

ike 0: DNS response received for remote gateway rgwa61.vpnlab.org

ike 0: DNS rgwa61.vpnlab.org -> 2003:33:1:1::33

ike 2:test:46932: could not send IKE Packet(P1_RETRANSMIT):50.1.1.1:500->50.1.1.2:500, len=716: error 101:Network is unreachable

ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it

ike 0:ddns6: 'rgwa61.vpnlab.org' resolved to 2003:33:1:1::33

ike 0: cache rebuild start

ike 0:ddns6: local:2003:33:1:1::1, remote:2003:33:1:1::33

ike 0:ddns6: cached as static-ddns.

ike 0: cache rebuild done

ike 0:ddns6: auto-negotiate connection

ike 0:ddns6: created connection: 0x155aa510 32 2003:33:1:1::1->2003:33:1:1::33:500.

.....................................................................................................................

ike 0:ddns6:46933:ddn6:47779: add IPsec SA: SPIs=ac7a5719/7ab888ed

ike 0:ddns6:46933:ddn6:47779: IPsec SA dec spi ac7a5719 key 16:0F27F1D1D02496F90D15A30E2C032678 auth 20:46564E0E86A054374B31E58F95E4458340121BCE

ike 0:ddns6:46933:ddn6:47779: IPsec SA enc spi 7ab888ed key 16:926B12908EE670E1A5DDA6AD8E96607B auth 20:42BF438DC90867B837B0490EAB08E329AB62CBE3

ike 0:ddns6:46933:ddn6:47779: added IPsec SA: SPIs=ac7a5719/7ab888ed

ike 0:ddns6:46933:ddn6:47779: sending SNMP tunnel UP trap

ike 0:ddns6: carrier up

FQDN support for remote gateways

FortiGate supports using an FQDN when defining an IPsec remote gateway that has a dynamically assigned IPv6 address. When FortiGate attempts to connect to the IPv6 device, the FQDN is resolved to the current IPv6 address, so the tunnel can still be established even after the address changes.

Using an FQDN to configure the remote gateway is useful when the remote end has a dynamic IPv6 address assigned by its ISP or by a DHCPv6 server.

1. Set the VPN type to DDNS and configure the FQDN of the remote gateway

config vpn ipsec phase1-interface

edit "ddns6"

set type ddns

set interface "agg1"

set ip-version 6

set ike-version 2

set peertype any

set net-device disable

set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

set dpd on-idle

set remotegw-ddns "rgwa61.vpnlab.org"

set psksecret xxxxxxx

next

end

config vpn ipsec phase2-interface

edit "ddns6"

set phase1name "ddns6"

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set src-addr-type subnet6

set dst-addr-type subnet6

set src-subnet6 2003:1:1:1::/64

next

end

2. The FQDN resolves to the IPv6 address

# diagnose test application dnsproxy 7

vfid=0, name=rgwa61.vpnlab.org, ttl=3600:3547:1747

2003:33:1:1::22 (ttl=3600)

3. FortiGate uses the FQDN to connect to the IPv6 device

# diagnose vpn tunnel list name ddns6

list ipsec tunnel by names in vd 0

------------------------------------------------------

name=ddns6 ver=2 serial=2 2003:33:1:1::1:0->2003:33:1:1::22:0 dst_mtu=1500

bound_if=32 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=10 ilast=9 olast=9 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=72340

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=ddns6 proto=0 sa=1 ref=2 serial=1

src: 0:2003:1:1:1::/64:0

dst: 0:::/0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42680/0B replaywin=2048

seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=ac7a5718 esp=aes key=16 9976b66280cc49f500d8edca093e03fb

ah=sha1 key=20 4d94d76fc18df5a180c52e0a6cd5f430fde48fe8

enc: spi=7ab888ec esp=aes key=16 841a95d3ee5ea5108a2ba269b74998d1

ah=sha1 key=20 ed0b52d27776e30149ee36af4fd4626681c2a3a1

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

npu_flag=00 npu_rgwy=2003:33:1:1::22 npu_lgwy=2003:33:1:1::1 npu_selid=0 dec_npuid=0 enc_npuid=0

run_tally=1

4. The tunnel can still connect to the remote gateway after the IPv6 address behind the FQDN changes

# diagnose debug application ike -1

# diagnose debug enable

ike 0:ddns6: set oper down

ike 0:ddns6: carrier down

ike shrank heap by 159744 bytes

ike 0: cache rebuild start

ike 0:ddns6: sending DNS request for remote peer rgwa61.vpnlab.org

ike 0: send IPv6 DNS query : rgwa61.vpnlab.org

ike 0: cache rebuild done

ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it

ike 0: DNS response received for remote gateway rgwa61.vpnlab.org

ike 0: DNS rgwa61.vpnlab.org -> 2003:33:1:1::33

ike 2:test:46932: could not send IKE Packet(P1_RETRANSMIT):50.1.1.1:500->50.1.1.2:500, len=716: error 101:Network is unreachable

ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it

ike 0:ddns6: 'rgwa61.vpnlab.org' resolved to 2003:33:1:1::33

ike 0: cache rebuild start

ike 0:ddns6: local:2003:33:1:1::1, remote:2003:33:1:1::33

ike 0:ddns6: cached as static-ddns.

ike 0: cache rebuild done

ike 0:ddns6: auto-negotiate connection

ike 0:ddns6: created connection: 0x155aa510 32 2003:33:1:1::1->2003:33:1:1::33:500.

.....................................................................................................................

ike 0:ddns6:46933:ddn6:47779: add IPsec SA: SPIs=ac7a5719/7ab888ed

ike 0:ddns6:46933:ddn6:47779: IPsec SA dec spi ac7a5719 key 16:0F27F1D1D02496F90D15A30E2C032678 auth 20:46564E0E86A054374B31E58F95E4458340121BCE

ike 0:ddns6:46933:ddn6:47779: IPsec SA enc spi 7ab888ed key 16:926B12908EE670E1A5DDA6AD8E96607B auth 20:42BF438DC90867B837B0490EAB08E329AB62CBE3

ike 0:ddns6:46933:ddn6:47779: added IPsec SA: SPIs=ac7a5719/7ab888ed

ike 0:ddns6:46933:ddn6:47779: sending SNMP tunnel UP trap

ike 0:ddns6: carrier up