naveenk (Staff)
Article Id 193921
Description
FortiGate supports using an FQDN, instead of a fixed address, when defining an IPsec remote gateway whose IPv6 address is dynamically assigned.

This article describes this feature.

Solution
Each time FortiGate brings the tunnel up it resolves the FQDN again, so it connects to the remote unit's current IPv6 address even after that address has changed.

Using an FQDN for the remote gateway is useful when the remote end has a dynamic IPv6 address assigned by its ISP or a DHCPv6 server. The FQDN only tells FortiGate where to send IKE traffic: the peer still has to authenticate (here with the pre-shared key under IKEv2), so a wrong or spoofed DNS answer can keep the tunnel down but cannot let another host pass as the peer. Because the answer is cached, the record's TTL also affects how quickly an address change is picked up.

1) Set the phase1 type to ddns and configure the remote gateway FQDN.
# config vpn ipsec phase1-interface
    edit "ddns6"
        set type ddns
        set interface "agg1"
        set ip-version 6
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set remotegw-ddns "rgwa61.vpnlab.org"
        set psksecret xxxxxxx
    next
end
# config vpn ipsec phase2-interface
    edit "ddns6"
        set phase1name "ddns6"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type subnet6
        set dst-addr-type subnet6
        set src-subnet6 2003:1:1:1::/64
    next
end
2) Confirm that the FQDN resolves to the peer's IPv6 address (the dnsproxy cache shows the answer and its remaining TTL).
# diagnose test application dnsproxy 7
vfid=0, name=rgwa61.vpnlab.org, ttl=3600:3547:1747
2003:33:1:1::22 (ttl=3600)
3) Confirm that FortiGate has connected to the resolved address: the tunnel's remote gateway (and its NPU offload entry, npu_rgwy) is 2003:33:1:1::22.
# diagnose vpn tunnel list name ddns6
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=ddns6 ver=2 serial=2 2003:33:1:1::1:0->2003:33:1:1::22:0 dst_mtu=1500
bound_if=32 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=10 ilast=9 olast=9 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=72340
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ddns6 proto=0 sa=1 ref=2 serial=1
  src: 0:2003:1:1:1::/64:0
  dst: 0:::/0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=42680/0B replaywin=2048
      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42901/43200
  dec: spi=ac7a5718 esp=aes key=16 9976b66280cc49f500d8edca093e03fb
       ah=sha1 key=20 4d94d76fc18df5a180c52e0a6cd5f430fde48fe8
  enc: spi=7ab888ec esp=aes key=16 841a95d3ee5ea5108a2ba269b74998d1
       ah=sha1 key=20 ed0b52d27776e30149ee36af4fd4626681c2a3a1
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=2003:33:1:1::22 npu_lgwy=2003:33:1:1::1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=1
4) When the peer's IPv6 address changes (here from 2003:33:1:1::22 to 2003:33:1:1::33), the IKE daemon re-resolves the FQDN and re-establishes the tunnel to the new address. The IKE debug output below shows the DNS query, the new answer, the connection being created to 2003:33:1:1::33 and the new IPsec SAs coming up.
# diagnose debug application ike -1
# diagnose debug enable

ike 0:ddns6: set oper down
ike 0:ddns6: carrier down
ike shrank heap by 159744 bytes
ike 0: cache rebuild start
ike 0:ddns6: sending DNS request for remote peer rgwa61.vpnlab.org
ike 0: send IPv6 DNS query : rgwa61.vpnlab.org
ike 0: cache rebuild done
ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it
ike 0: DNS response received for remote gateway rgwa61.vpnlab.org
ike 0: DNS rgwa61.vpnlab.org -> 2003:33:1:1::33
ike 2:test:46932: could not send IKE Packet(P1_RETRANSMIT):50.1.1.1:500->50.1.1.2:500, len=716: error 101:Network is unreachable
ike 0:ddns6: remote IPv6 DDNS gateway is empty, retry to resolve it
ike 0:ddns6: 'rgwa61.vpnlab.org' resolved to 2003:33:1:1::33
ike 0: cache rebuild start
ike 0:ddns6: local:2003:33:1:1::1, remote:2003:33:1:1::33
ike 0:ddns6: cached as static-ddns.
ike 0: cache rebuild done
ike 0:ddns6: auto-negotiate connection
ike 0:ddns6: created connection: 0x155aa510 32 2003:33:1:1::1->2003:33:1:1::33:500.
...
ike 0:ddns6:46933:ddn6:47779: add IPsec SA: SPIs=ac7a5719/7ab888ed
ike 0:ddns6:46933:ddn6:47779: IPsec SA dec spi ac7a5719 key 16:0F27F1D1D02496F90D15A30E2C032678 auth 20:46564E0E86A054374B31E58F95E4458340121BCE
ike 0:ddns6:46933:ddn6:47779: IPsec SA enc spi 7ab888ed key 16:926B12908EE670E1A5DDA6AD8E96607B auth 20:42BF438DC90867B837B0490EAB08E329AB62CBE3
ike 0:ddns6:46933:ddn6:47779: added IPsec SA: SPIs=ac7a5719/7ab888ed
ike 0:ddns6:46933:ddn6:47779: sending SNMP tunnel UP trap
ike 0:ddns6: carrier up
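The four steps above are a manual check that the tunnel follows the DNS record. The script below, added here as an example and not Fortinet code or part of the original article, automates that check over the text of the same three diagnostics: it parses the dnsproxy cache, the tunnel list and the IKE debug output, compares the address the tunnel (and its NPU offload entry) is bound to with what the FQDN currently resolves to, and reports the address the IKE daemon re-resolved and dialled. All function names are this example's own; the sample outputs are constructed from the article's values, and the post-change dnsproxy cache entry is an assumption (the article only shows the IKE debug for that moment).

```python
"""Cross-check a FortiGate DDNS IPsec tunnel against the FQDN's current answer.

Added example, not Fortinet code and not from the article: it parses the text of
the three diagnostics the article shows and reports whether the tunnel is still
bound to an address the FQDN resolves to. Function names are this example's own;
samples are constructed from the article's values (the post-change dnsproxy entry
is assumed).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed: `diagnose test application dnsproxy 7`, before and after the peer moved.
DNSPROXY_BEFORE = """\
vfid=0, name=rgwa61.vpnlab.org, ttl=3600:3547:1747
2003:33:1:1::22 (ttl=3600)
"""
DNSPROXY_AFTER = """\
vfid=0, name=rgwa61.vpnlab.org, ttl=3600:3599:1799
2003:33:1:1::33 (ttl=3600)
"""
# Constructed: the lines of `diagnose vpn tunnel list name ddns6` this check reads.
TUNNEL_LIST = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=ddns6 ver=2 serial=2 2003:33:1:1::1:0->2003:33:1:1::22:0 dst_mtu=1500
bound_if=32 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520
  npu_flag=00 npu_rgwy=2003:33:1:1::22 npu_lgwy=2003:33:1:1::1
"""
# Constructed: `diagnose debug application ike -1` lines after the peer moved.
IKE_DEBUG = """\
ike 0:ddns6: sending DNS request for remote peer rgwa61.vpnlab.org
ike 0: DNS rgwa61.vpnlab.org -> 2003:33:1:1::33
ike 0:ddns6: 'rgwa61.vpnlab.org' resolved to 2003:33:1:1::33
ike 0:ddns6: created connection: 0x155aa510 32 2003:33:1:1::1->2003:33:1:1::33:500.
ike 0:ddns6: carrier up
"""

def _strip_port(token: str) -> ipaddress.IPv6Address:
    """The tunnel list prints addr:port (`2003:33:1:1::22:0`); drop the port."""
    return ipaddress.IPv6Address(token.rpartition(":")[0])

def parse_dnsproxy(text: str, fqdn: str) -> List[Tuple[ipaddress.IPv6Address, int]]:
    """IPv6 (address, ttl) answers cached by dnsproxy for `fqdn`."""
    answers, in_entry = [], False
    for line in text.splitlines():
        header = re.match(r"vfid=\d+, name=([^,]+), ttl=", line)
        if header:  # a new cache entry starts; is it the name we care about?
            in_entry = header.group(1).lower() == fqdn.lower()
            continue
        m = re.match(r"(\S+) \(ttl=(\d+)\)", line.strip())
        if in_entry and m:
            try:
                answers.append((ipaddress.IPv6Address(m.group(1)), int(m.group(2))))
            except ipaddress.AddressValueError:
                pass  # an A record or other non-IPv6 answer
    return answers

def parse_tunnel_list(text: str, name: str) -> Dict[str, Optional[ipaddress.IPv6Address]]:
    """Remote gateway of tunnel `name`, both as negotiated and as offloaded to the NPU."""
    found: Dict[str, Optional[ipaddress.IPv6Address]] = {"remote_gw": None, "npu_rgwy": None}
    in_tunnel = False
    for line in text.splitlines():
        m = re.match(r"name=(\S+) ver=\d+ serial=\d+ \S+->(\S+)", line)
        if m:  # header line of a tunnel; the lines after it belong to that tunnel
            in_tunnel = m.group(1) == name
            if in_tunnel:
                found["remote_gw"] = _strip_port(m.group(2))
            continue
        m = re.search(r"npu_rgwy=(\S+)", line)
        if in_tunnel and m:
            found["npu_rgwy"] = ipaddress.IPv6Address(m.group(1))
    return found

def parse_ike_resolutions(text: str, fqdn: str) -> List[ipaddress.IPv6Address]:
    """Addresses the IKE daemon resolved `fqdn` to, in log order."""
    pat = re.compile(r"^ike \d+: DNS (\S+) -> (\S+)$", re.M)
    return [ipaddress.IPv6Address(m.group(2)) for m in pat.finditer(text) if m.group(1) == fqdn]

def parse_ike_connections(text: str, name: str) -> List[ipaddress.IPv6Address]:
    """Remote gateways tunnel `name` was dialled to ("created connection" lines)."""
    pat = re.compile(r"^ike \d+:(\S+): created connection: \S+ \d+ \S+->(\S+)\.$", re.M)
    return [_strip_port(m.group(2)) for m in pat.finditer(text) if m.group(1) == name]

def check_tunnel(dns_text: str, tunnel_text: str, fqdn: str, name: str) -> dict:
    """in_sync is False when the tunnel (or its NPU entry) still points at an
    address the FQDN no longer resolves to, i.e. the daemon must re-resolve and
    redial, as the article's step 4 shows it doing."""
    resolved = {addr for addr, _ in parse_dnsproxy(dns_text, fqdn)}
    state = parse_tunnel_list(tunnel_text, name)
    bound = {a for a in state.values() if a is not None}
    return {
        "resolved": sorted(str(a) for a in resolved),
        "remote_gw": str(state["remote_gw"]) if state["remote_gw"] else None,
        "in_sync": bool(bound) and bound <= resolved,
    }

if __name__ == "__main__":
    for label, cache in (("before", DNSPROXY_BEFORE), ("after", DNSPROXY_AFTER)):
        print(label, check_tunnel(cache, TUNNEL_LIST, "rgwa61.vpnlab.org", "ddns6"))
    print("ike re-resolved to", [str(a) for a in parse_ike_resolutions(IKE_DEBUG, "rgwa61.vpnlab.org")])
    print("ike dialled", [str(a) for a in parse_ike_connections(IKE_DEBUG, "ddns6")])
```

Addresses are compared as ipaddress objects, so the expanded and compressed spellings of the same IPv6 address (which the different FortiOS diagnostics may print) compare equal, and the npu_rgwy entry is checked as well as the negotiated gateway so a stale offload entry is not missed. The check is read-only: the decision to re-resolve and redial is the IKE daemon's, as the debug output shows; this only tells you whether it has happened yet, which is what you want from a monitoring job that runs the three commands over SSH and feeds their output in.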
Related document:
https://docs.fortinet.com/document/fortigate/6.4.0/new-features/400910/fqdn-support-for-remote-gatew...
