jvaishnav
Staff
Article Id 191931
Description
This article describes how OSPFv3 neighborship can be formed when IPSec is configured with IPv6.

Solution
To bring OSPFv3 up on the tunnel interface, a link-local address is required in addition to the IPv6 address.

OSPFv3 requires that a link-local address be configured.
Only link-local addresses are used for OSPFv3 advertisements.

Link-local addresses are automatically configured for broadcast interfaces.
This is why the issue is not noticed on broadcast interfaces.

Link-local addresses are not automatically configured for point-to-point interfaces (inter-VDOM link, GRE, IPsec, ...) because these interfaces do not have their own MAC addresses.

Each end-point of the tunnel must be configured with a link-local address in order to allow OSPFv3 adjacency.

IPv6 link-local addresses start with 'FE8', 'FE9', 'FEA' or 'FEB'.

The link-local address is also unique for each tunnel.

Example:
config system interface
    edit "Test"                            <----- Tunnel interface.
        config ipv6
            set ip6-address fe80::1/64     <----- Link-local address.
            config ip6-extra-addr
                edit xyz8:0:0:93::/127
                next
            end
        end
    next
end
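
The following is an added example, not part of the original article or any Fortinet tooling: a small Python check that reads a `config system interface` block in the layout shown above and lists the interfaces that have no address in fe80::/10, the condition that prevents OSPFv3 adjacency. It assumes the text passed in contains only the point-to-point interfaces meant to run OSPFv3; the interface names and 2001:db8:: addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample in the layout of the article's example; names and
# addresses (2001:db8::/32 documentation space) are made up.
SAMPLE_CONFIG = """
config system interface
    edit "Test"
        config ipv6
            set ip6-address fe80::1/64
            config ip6-extra-addr
                edit 2001:db8:0:93::/127
                next
            end
        end
    next
    edit "Tun2"
        config ipv6
            set ip6-address 2001:db8:0:94::/127
        end
    next
end
"""

def ipv6_addresses(config_text):
    """Map each interface name to the IPv6 addresses configured under it."""
    stack, iface, found = [], None, {}
    for line in config_text.splitlines():
        words = line.replace('"', "").split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))   # track nested config blocks
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack == ["system interface"]:
            iface = words[1]                    # interface-level entry
            found[iface] = []
        elif iface and stack and (words[:2] == ["set", "ip6-address"]
                or (words[0] == "edit" and stack[-1] == "ip6-extra-addr")):
            found[iface].append(ipaddress.ip_interface(words[-1]))
    return found

def missing_link_local(config_text):
    """Names of interfaces with no address in fe80::/10 (FE8, FE9, FEA, FEB)."""
    return [name for name, addrs in ipv6_addresses(config_text).items()
            if not any(a.ip.is_link_local for a in addrs)]

if __name__ == "__main__":
    for name in missing_link_local(SAMPLE_CONFIG):
        print(f"{name}: no link-local address, OSPFv3 adjacency will not form")
```
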
