Site-to-site IPv6 over IPv4 VPN example

Site-to–site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

config system interface edit port2

set 10.0.0.1/24 next

edit port3 config ipv6

set ip6-address fec0::0001:209:0fff:fe83:25f3/64 end

Configure FortiGate A IPsec settings

The Phase 1 configuration uses IPv4 addressing.

config vpn ipsec phase1-interface edit toB

set interface port2

set remote-gw 10.0.1.1

set dpd [disable | on-idle | on-demand]

set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

The Phase 2 configuration uses IPv6 selectors. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2

set phase1name toB

set proposal 3des-md5 3des-sha1 set pfs enable

set replay enable

set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

config firewall policy6 edit 1

set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY

set schedule always next

edit 2

set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY

set schedule always end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

config router static6 edit 1

set device toB

set dst fec0:0000:0000:0004::/64 end

config router static edit 1

set device port2 set dst 0.0.0.0/0

set gateway 10.0.0.254 end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

config system interface edit port2

set 10.0.1.1/24 next

edit port3 config ipv6

set ip6-address fec0::0004:209:0fff:fe83:2569/64 end

config vpn ipsec phase1-interface edit toA

set interface port2

set remote-gw 10.0.0.1

set dpd [disable | on-idle | on-demand]

set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2

set phase1name toA

set proposal 3des-md5 3des-sha1 set pfs enable

set replay enable

set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1

set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY

set schedule always next

edit 2

set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY

set schedule always end

config router static6 edit 1

set device toA

set dst fec0:0000:0000:0000::/64 end

config router static edit 1

set device port2

set gateway 10.0.1.254 end