Channel: Fortinet GURU

IPv6 IPsec VPNs

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

 

By default, IPv6 configuration options do not appear in the Web-based Manager. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Select.

2. Enable IPv6.

3. Select Apply.

 

The following topics are included in this section:

  • Overview of IPv6 IPsec support
  • Configuring IPv6 IPsec VPNs
  • Site-to-site IPv6 over IPv6 VPN example
  • Site-to-site IPv4 over IPv6 VPN example
  • Site-to-site IPv6 over IPv4 VPN example

 

 

Overview of IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

  • IPv4 over IPv6: The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.
  • IPv6 over IPv4: The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

  • Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
  • Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
  • Redundant IPv6 tunnels are not supported.

 

Certificates

On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.
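
The following CLI fragment is an added example, not taken from the original chapter: a peer definition that uses the ipv6 cn-type, and an IPv6 Phase 1 that accepts only that peer. The object names, interface, certificate names and the 2001:db8:: documentation-prefix address are placeholders, and the authmethod and certificate keyword names assume a FortiOS release that uses signature and certificate (earlier releases use rsa-signature and rsa-certificate).

```fortios
# Added example. peer_siteB, CA_Cert_1, local_cert, toB, port2 and the
# 2001:db8:0:3::2 address are placeholders, not values from the chapter.

# Peer object: the remote certificate must be issued by CA_Cert_1 and
# carry the remote gateway's IPv6 address as its common name.
config user peer
    edit "peer_siteB"
        set ca "CA_Cert_1"
        set cn-type ipv6
        set cn "2001:db8:0:3::2"
    next
end

# Route-based IPv6 Phase 1 that authenticates with certificates and
# accepts only the peer defined above, rather than any certificate
# signed by a trusted CA.
config vpn ipsec phase1-interface
    edit "toB"
        set interface "port2"
        set ip-version 6
        set remote-gw6 2001:db8:0:3::2
        # Assumption: keyword names as used on releases with
        # "signature"/"certificate"; older releases use
        # "rsa-signature"/"rsa-certificate".
        set authmethod signature
        set certificate "local_cert"
        set peertype peer
        set peer "peer_siteB"
    next
end
```

Binding the Phase 1 to a specific peer object is what makes the IPv6 common name matter: the tunnel comes up only if the presented certificate's cn matches the configured address.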

