Configuring IPv6 IPsec VPNs
Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN: Phase 1 settings, Phase 2 settings, security policies and routing.
By default, IPv6 configuration options do not appear in the web-based manager. You need to enable the feature first.
To enable IPv6
1. Go to System > Feature Select.
2. Enable IPv6.
3. Select Apply.
Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings. Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote gateway.
In the CLI, you define an IPsec Phase 1 configuration as IPv6 by setting ip-version to 6 (the default is 4). The local-gw and remote-gw keywords are then hidden and the corresponding local-gw6 and remote-gw6 keywords become available; their values must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
    edit tunnel6
        set ip-version 6
        set remote-gw6 0:123:4567::1234
        set interface port3
        set proposal 3des-md5
    next
end
Phase 2 configuration
To create an IPv6 IPsec Phase 2 configuration in the web-based manager, you need to define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific IPv6 addresses, address ranges, or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to specify IPv6 selectors. The selector values themselves default to all-zero addresses (for example ::/0 for the subnet6 address type), so a Phase 2 that should carry all IPv6 traffic only needs the address types changed. The simplest IPv6 Phase 2 configuration looks like this:
config vpn ipsec phase2-interface
    edit tunnel6_p2
        set phase1name tunnel6
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
The management of static selector rules is performed by the IKE daemon, which allows named selectors to be reloaded if any named address or address groups are changed, without requiring the FortiGate unit to be rebooted before applying changes.
Security policies
To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.
Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them. You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface. You also need a route to the remote protected network via the IPsec interface.
To create a static route in the web-based manager
1. Go to Network > Static Routes.
2. Select the drop-down arrow on the Create New button and select IPv6 Route.
3. Enter the information and select OK.
In the CLI, use the router static6 command. For example, where the remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route. If the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.
Site-to-site IPv6 over IPv6 VPN example
In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.
As described above, IPv6 configuration options do not appear in the web-based manager until IPv6 is enabled under System > Feature Select.
Example IPv6-over-IPv6 VPN topology
Configure FortiGate A interfaces
Port 2 connects to the public network and port 3 connects to the local network.
config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0000:209:0fff:fe83:25f3/64
        end
    next
end
Configure FortiGate A IPsec settings
The Phase 1 configuration creates a virtual IPsec interface on port2 and sets the remote gateway to the public IPv6 address of FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.
config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end
By default, Phase 2 selectors accept all source and destination addresses: src-addr-type and dst-addr-type default to subnet, whose default address is 0.0.0.0/0. For an IPv6 tunnel both must be set to the IPv6 equivalent, subnet6, whose default address is ::/0.
config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
Configure FortiGate A security policies
Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end
Configure FortiGate A routing
This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.
config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0004:209:0fff:fe83:2569/64
        end
    next
end
config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end
config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toA
        set dst fec0:0000:0000:0000::/64
    next
end
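The configuration sequence above (Phase 1, Phase 2, policies, routing) and the FortiGate A/B example are easy to get subtly wrong: ip-version 6 with the IPv4 remote-gw keyword, Phase 2 selectors left at the IPv4 subnet default, or a static6 route that points at the wrong interface. The Python script below is an added example, not FortiGate code and not part of the original page. It parses the config/edit/set/next/end layout used in the snippets above and checks those consistency points: remote-gw6 with ip-version 6, IPv6 selector types in Phase 2, policy6 rules in both directions, and static6 routes both to the remote gateway and to the remote network through the IPsec interface. The warning on legacy proposals is this example's own addition (the page's snippets use 3des-md5 and 3des-sha1, which are deprecated choices in practice); the GOOD and BAD fragments are constructed for the script and use aes256-sha256 in place of the page's proposals.

```python
"""Consistency lint for an IPv6 route-based IPsec tunnel in FortiOS CLI syntax.
Added example, not FortiGate code. It parses the config/edit/set/next/end layout of
the snippets above and checks what the text requires: remote-gw6 with ip-version 6,
IPv6 Phase 2 selector types, policy6 rules both ways, and static6 routes both to the
remote gateway and to the remote network via the IPsec interface. The weak-proposal
warning and the sample configs below are this example's own constructions."""
import ipaddress
import re

WEAK = re.compile(r"\b(?:des|3des|md5|sha1)\b")  # legacy algorithms worth a warning
IPV6_SELECTORS = {"ip6", "range6", "subnet6"}

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; sets in nested sub-tables are ignored."""
    tables, stack, table, entry = {}, [], None, None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":                   # enter a table, possibly nested
            stack.append((table, entry))
            table, entry = " ".join(tok[1:]), None
            tables.setdefault(table, {})
        elif tok[0] == "edit" and len(tok) > 1:  # enter an entry of the current table
            entry = tok[1].strip('"')
            tables[table].setdefault(entry, {})
        elif tok[0] == "set" and entry is not None and len(tok) > 2:
            tables[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end" and stack:
            table, entry = stack.pop()
    return tables

def lint_ipv6_tunnel(tables):
    """Return findings for every IPv6 Phase 1; an empty list means the fragment is consistent."""
    out, p2s = [], tables.get("vpn ipsec phase2-interface", {})
    pols = list(tables.get("firewall policy6", {}).values())
    routes = [r for r in tables.get("router static6", {}).values() if "dst" in r]
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ip-version", ["4"])[0] != "6":
            continue                              # IPv4 tunnels are out of scope here
        gw = p1.get("remote-gw6")
        if not gw or "remote-gw" in p1:
            out.append(f"{name}: ip-version 6 requires remote-gw6, not remote-gw")
        out += [f"{name}: weak phase1 proposal {a}" for a in p1.get("proposal", []) if WEAK.search(a)]
        for n, p in ((n, p) for n, p in p2s.items() if p.get("phase1name") == [name]):
            out += [f"{n}: {k} must be ip6, range6 or subnet6" for k in ("src-addr-type", "dst-addr-type")
                    if p.get(k, ["subnet"])[0] not in IPV6_SELECTORS]  # FortiOS default is IPv4 subnet
            out += [f"{n}: weak phase2 proposal {a}" for a in p.get("proposal", []) if WEAK.search(a)]
        for key, word in (("dstintf", "into"), ("srcintf", "out of")):
            if not any(name in pol.get(key, []) for pol in pols):
                out.append(f"{name}: no policy6 permits traffic {word} the tunnel")
        if not any(name in r.get("device", []) for r in routes):
            out.append(f"{name}: no static6 route to the remote network via {name}")
        if gw and not any(ipaddress.ip_address(gw[0]) in ipaddress.ip_network(r["dst"][0], strict=False)
                          for r in routes if name not in r.get("device", [])):
            out.append(f"{name}: no static6 route reaches remote gateway {gw[0]}")
    return out

GOOD = """\
config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set proposal aes256-sha256
    next
end
config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal aes256-sha256
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
    next
    edit 2
        set srcintf toB
        set dstintf port3
    next
end
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
"""
# Same tunnel with the slips the text warns about: IPv4 gateway keyword, IPv4 selectors, legacy proposal, no route via toB.
BAD = (GOOD.replace("remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7", "remote-gw 10.0.0.1")
           .replace("subnet6", "subnet").replace("aes256-sha256", "3des-md5")
           .replace("set device toB", "set device port2"))
```

Call lint_ipv6_tunnel(parse_fortios(text)) on a saved CLI fragment; GOOD yields no findings and BAD yields six, one per slip. The GOOD policy6 entries are trimmed to the srcintf/dstintf keys the lint reads (a real policy also needs srcaddr, dstaddr, action and schedule, as in the example above), and the parser ignores sets inside nested sub-tables such as config ipv6, which these checks do not need.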