msanjaypadma
Staff
Article Id 254000

Description

This article describes how to route IPv6 traffic over an IPsec tunnel whose endpoints are IPv4 addresses.

Scope

FortiGate, any supported version of FortiOS.

Solution

In the following scenario, a site-to-site IPsec tunnel is established between the IPv4 WAN addresses of two FortiGates, labelled FGT-A and FGT-B, and is used to reach an IPv6 loopback address on the remote side. The phase1 (IKE) negotiation and the ESP packets therefore travel over IPv4, while the phase2 selectors, the firewall policies and the static routes are IPv6.

Network Topology:

[topology diagram: not reproduced here]

FGT-A configuration:

1) WAN interface configuration

# show sys interface wan2
config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.33.10.141 255.255.240.0
        set allowaccess ping https ssh http telnet <- Lab setting; restrict administrative access on WAN interfaces in production
        set type physical
        set role wan
        set snmp-index 4
    next
end

2) VPN configuration

# show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "VPN-A"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.33.4.158 <- IPv4 WAN address of FGT-B; phase1 is negotiated over IPv4
        set psksecret ENC 5eBP+monKYV5jHEnlhGVpwHB5egnSKXBPHaFpQyty+HvXrZWMRZjRxHu6xeV49hkOoC+xmoRLyKIRLHK+S8sPeDCs+oovlrq5wuVXBeJ9PlQzf85x9k+Q4oz6x36F3jDtnwbkJxLpQDNf2QxrzaRyf7M4PoPSDUCa1Dyq3jd4KRth5RJtxWmkvFO1mA1z6O79MjxPg==
    next
end

# show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "VPN-A"
        set phase1name "VPN-A"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type subnet6 <- Change the source address type to subnet6 to use an IPv6 local selector
        set dst-addr-type subnet6 <- Change the destination address type to subnet6 to use an IPv6 remote selector
        set src-subnet6 2001::1/128 <- Define the IPv6 local selector (the FGT-A loopback address)
        set dst-subnet6 2001::2/128 <- Define the IPv6 remote selector (the FGT-B loopback address)
    next
end

3) Firewall policy configuration

Policy 2 allows traffic from the local IPv6 loopback interface lipv6-A into the tunnel; policy 3 is the reverse direction. Both policies use IPv6 address objects (srcaddr6/dstaddr6).

# show firewall policy
config firewall policy
    edit 2
        set name "VPN"
        set uuid 3a7ef4a2-e3ff-51ed-189b-035e2b85f649
        set srcintf "lipv6-A"
        set dstintf "VPN-A"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 2abedcc0-e419-51ed-70cd-08f475e4ef50
        set srcintf "VPN-A"
        set dstintf "lipv6-A"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set comments " (Copy of VPN) (Reverse of VPN)"
    next
end

4) Static route configuration

# show router static6
config router static6
    edit 1
        set dst 2001::2/128 <- Remote IPv6 loopback address
        set device "VPN-A" <- Reached through the IPsec tunnel interface
    next
end

FGT-B configuration:

1) Interface configuration

# show sys interface wan2
config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.33.4.158 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set role wan
        set snmp-index 6
    next
end

# show sys interface lipv6-B
config system interface
    edit "lipv6-B"
        set vdom "root"
        set type loopback
        set snmp-index 23
        config ipv6
            set ip6-address 2001::2/128 <- IPv6 loopback address; used as the phase2 local selector on FGT-B
            set ip6-allowaccess ping
        end
    next
end

2) VPN configuration

# show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "VPN-B"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.33.10.141 <- IPv4 WAN address of FGT-A
        set psksecret ENC o0zSXeUni06PEgAqokPwlfKX1yUP254OkWzBsNDRKN+pmtp3mQ3xGfICT/RQGJuUpN51eF9iWJSkzHpm+3vWS5+jZwRzBRe4b6GtyyMJAZ0qo0HacgyaALMHJmgvrmVIiku79RGqSFY/ROQsPzZ+CnKVEWa8PZJhjepbZSnAkcbjW0usuvvoSvr+ZyOta6Xzaahlww==
    next
end

# show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "VPN-B"
        set phase1name "VPN-B"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type subnet6 <- Change the source address type to subnet6 to use an IPv6 local selector
        set dst-addr-type subnet6 <- Change the destination address type to subnet6 to use an IPv6 remote selector
        set src-subnet6 2001::2/128 <- Define the IPv6 local selector (the FGT-B loopback address)
        set dst-subnet6 2001::1/128 <- Define the IPv6 remote selector (the FGT-A loopback address)
    next
end

3) Firewall policy configuration

# show firewall policy
config firewall policy
    edit 2
        set name "VPN"
        set uuid 1f51940a-e3ff-51ed-0b3d-9039ca523bfb
        set srcintf "lipv6-B"
        set dstintf "VPN-B"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 312daf30-e402-51ed-498c-d7115745b9f7
        set srcintf "VPN-B"
        set dstintf "lipv6-B"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set comments " (Copy of VPN) (Reverse of VPN)"
    next
end

4) Static route configuration

# show router static6
config router static6
    edit 1
        set dst 2001::1/128 <- Remote IPv6 loopback address
        set device "VPN-B" <- Reached through the IPsec tunnel interface
    next
end

Verification of the IPsec tunnel:

On FGT-A:

# dia vpn ike gateway list

vd: root/0
name: VPN-A
version: 1
interface: wan2 8
addr: 10.33.10.141:500 -> 10.33.4.158:500 <- IPv4 ipsec phase1
tun_id: 10.33.4.158/::10.33.4.158
remote_location: 0.0.0.0
network-id: 0
created: 11094s ago
IKE SA: created 1/2 established 1/2 time 0/4510/9020 ms
IPsec SA: created 1/2 established 1/1 time 0/0/0 ms

id/spi: 13 b2cda29cd2d19bb9/ca9716abca3f4633
direction: responder
status: established 11087-11087s ago = 0ms
proposal: aes128-sha256
key: 077b599444290c05-cd58d5bd83ea5c4a
lifetime/rekey: 86400/75042
DPD sent/recv: 00000005/00000000


# dia vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-A ver=1 serial=1 10.33.10.141:0->10.33.4.158:0 tun_id=10.33.4.158 tun_id6=::10.33.4.158 dst_mtu=1500 dpd-link=on weight=1
bound_if=8 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=10179 olast=10179 ad=/0
stat: rxp=10 txp=28 rxb=1982 txb=2936
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-A proto=0 sa=1 ref=2 serial=2
src: 0:2001::1-2001::1:0 <- IPv6 phase2 local selector
dst: 0:2001::2-2001::2:0 <- IPv6 phase2 remote selector
SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=32143/0B replaywin=2048
seqno=1b esn=0 replaywin_lastseq=00000009 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=d86f7f5e esp=aes key=16 7486354041daccf95b4de88157c0c8c1
ah=sha1 key=20 354a7e252c6954d4aa73f8074448e590184b5ace
enc: spi=5b62d3fe esp=aes key=16 d107ffdd286af5f48a95513bb860f19e
ah=sha1 key=20 a8a643ad1ae4cf90ae8972460bb4cac174bb7f07
dec:pkts/bytes=11/2134, enc:pkts/bytes=53/7136
npu_flag=03 npu_rgwy=10.33.4.158 npu_lgwy=10.33.10.141 npu_selid=1 dec_npuid=1 enc_npuid=1
run_tally=0
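As an added operator check (example Python written for this article, not part of FortiOS or the original article), the following parses the `diagnose vpn tunnel list` output above and confirms the two properties this design relies on: the outer gateways are IPv4, and an IPv6 phase2 selector pair covers the local loopback and the static6 route destination. The sample output is a constructed, trimmed copy of the VPN-A output shown above.

```python
import ipaddress
import re

# Constructed fixture: a trimmed copy of the "diagnose vpn tunnel list" output
# for VPN-A shown above (not live output).
SAMPLE = """\
name=VPN-A ver=1 serial=1 10.33.10.141:0->10.33.4.158:0 tun_id=10.33.4.158 tun_id6=::10.33.4.158 dst_mtu=1500
proxyid=VPN-A proto=0 sa=1 ref=2 serial=2
src: 0:2001::1-2001::1:0
dst: 0:2001::2-2001::2:0
"""

# Tunnel header: "name=<tunnel> ... <local-gw>:<port>-><remote-gw>:<port>"
GW_RE = re.compile(r"^name=(?P<name>\S+) .*? (?P<lgw>[0-9a-fA-F:.]+):\d+->(?P<rgw>[0-9a-fA-F:.]+):\d+")
# Phase2 selector: "src: <proto>:<first-addr>-<last-addr>:<port>" (likewise dst)
SEL_RE = re.compile(r"^\s*(?P<dir>src|dst): \d+:(?P<lo>[0-9a-fA-F:.]+)-(?P<hi>[0-9a-fA-F:.]+):\d+$")

def parse_tunnel_list(text):
    """Map tunnel name -> {lgw, rgw, selectors: [(src_range, dst_range), ...]}."""
    tunnels, cur, pending_src = {}, None, None
    for line in text.splitlines():
        if m := GW_RE.match(line):
            cur = tunnels.setdefault(m["name"], {"lgw": m["lgw"], "rgw": m["rgw"], "selectors": []})
        elif (m := SEL_RE.match(line)) and cur is not None:
            rng = (ipaddress.ip_address(m["lo"]), ipaddress.ip_address(m["hi"]))
            if m["dir"] == "src":
                pending_src = rng  # held until the matching dst line arrives
            elif pending_src is not None:
                cur["selectors"].append((pending_src, rng))
    return tunnels

def check_v6_over_v4(tunnel, local6, remote6):
    """Return a list of problems: the outer gateways must be IPv4 and an IPv6
    selector pair must cover local6 -> remote6 (the static6 route destination)."""
    problems = []
    for key in ("lgw", "rgw"):
        if ipaddress.ip_address(tunnel[key]).version != 4:
            problems.append(f"{key} {tunnel[key]} is not an IPv4 gateway")
    local6, remote6 = ipaddress.ip_network(local6), ipaddress.ip_network(remote6)
    covered = False
    for src, dst in tunnel["selectors"]:
        if any(a.version != 6 for a in (*src, *dst)):
            problems.append(f"selector {src}->{dst} is not IPv6 (check src/dst-addr-type subnet6)")
            continue
        if src[0] <= local6[0] <= local6[-1] <= src[1] and dst[0] <= remote6[0] <= remote6[-1] <= dst[1]:
            covered = True
    if not covered:
        problems.append(f"no phase2 selector covers {local6} -> {remote6}")
    return problems
```

Run it against the real output of `diagnose vpn tunnel list name VPN-A` with the local and remote loopback prefixes from the phase2 configuration; an empty list means the tunnel carries the IPv6 selectors over IPv4 as intended.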

# get router info6 routing-table 2001::2/128
Routing entry for 2001::2/128
Known via "static", distance 10, metric 0, best
Last update 03:05:59 ago
* via VPN-A tunnel 10.33.4.158

# execute ping6-options source6 2001::1 <- Source the ping from the local IPv6 loopback so that it matches the phase2 selector and policy
# execute ping6 2001::2
PING 2001::2(2001::2) from 2001::1 : 56 data bytes
64 bytes from 2001::2: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 2001::2: icmp_seq=2 ttl=64 time=0.218 ms
--- 2001::2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss, time 4046ms
rtt min/avg/max/mdev = 0.218/0.235/0.283/0.029 ms

# dia sniffer packet any "host 2001::2" 4 0 a
interfaces=[any]
filters=[host 2001::2]
2023-04-26 10:12:49.238687 VPN-A out 2001::1 -> 2001::2: icmp6: echo request seq 1
2023-04-26 10:12:49.238911 VPN-A in 2001::2 -> 2001::1: icmp6: echo reply seq 1
2023-04-26 10:12:50.245048 VPN-A out 2001::1 -> 2001::2: icmp6: echo request seq 2
2023-04-26 10:12:50.245226 VPN-A in 2001::2 -> 2001::1: icmp6: echo reply seq 2