Site-to-site IPv4 over IPv6 VPN example


In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.


Example IPv4-over-IPv6 VPN topology


Configure FortiGate A interfaces

port2 connects to the IPv6 public network and port3 connects to the IPv4 LAN. The fec0::/10 addresses used throughout are the handbook's sample addresses (site-local, deprecated by RFC 3879); substitute your own global prefix in a real deployment.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        set ip 192.168.2.1/24
    next
end

Configure FortiGate A IPsec settings

The Phase 1 configuration is the same as in the IPv6 over IPv6 example: the outer tunnel is IPv6 (set ip-version 6) and the remote gateway is the port2 IPv6 address of FortiGate B. The dpd line lists the available options rather than a chosen value. The 3des-md5 and 3des-sha1 proposals and the trivial pre-shared key are the handbook's placeholders; on a production tunnel use AES with SHA-2 proposals and a long random PSK (or certificate authentication).

config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

The Phase 2 configuration is the same as you would use for an IPv4 VPN. By default, the Phase 2 selectors (src-subnet and dst-subnet) are 0.0.0.0/0, so the tunnel accepts any IPv4 source and destination; set them to the two LAN subnets if you want the SA itself to restrict the addressing rather than relying on the security policies alone.

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies. The example uses all for source and destination and the predefined service object that matches every service (ALL in FortiOS 5.x; older handbook text shows it as ANY); in production, replace all with address objects for 192.168.2.0/24 and 192.168.3.0/24 so that only the two LANs can use the tunnel.

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
    next
end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route (config router static). A default route in the IPv6 routing table (config router static6) sends all IPv6 traffic, including the IPv6 IPsec packets to the remote gateway, out on port2.

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end
config router static
    edit 1
        set device toB
        set dst 192.168.3.0/24
    next
end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IPv6 address of FortiGate A's port2. The IPsec Phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN, and an IPv6 default route ensures that all IPv6 packets, including the IPsec packets to FortiGate A, are routed to the public network. Note that FortiGate B's port2 address must be exactly the address FortiGate A uses as remote-gw6, and vice versa.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        set ip 192.168.3.1/24
    next
end

config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
    next
end

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end
config router static
    edit 1
        set device toA
        set dst 192.168.2.0/24
    next
end
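The two gateways above only form a tunnel if their settings mirror each other: each remote-gw6 must be the peer's port2 address, the pre-shared key and at least one Phase 1 proposal must match, the peer LAN must be routed into the virtual IPsec interface, and the peer's IPv6 address must be covered by a route out the Phase 1 interface. The following script is an added example (not FortiOS code or anything from the handbook) that checks those relationships offline. It assumes the page's layout (port2 for IPv6, port3 for the IPv4 LAN) and builds both sides from a constructed CLI template; the site_config, parse_cli and check_pair names are this example's own. Because the page writes the same address in two textual forms (fec0::0001:... and fec0:0000:0000:0001:...), the comparison is done on parsed addresses rather than strings.

```python
import ipaddress


def site_config(tunnel, wan6, peer6, lan4, peer_lan4):
    # Constructed CLI for one gateway in the page's layout: port2 is the IPv6
    # side, port3 the IPv4 LAN, tunnel is the virtual IPsec interface name.
    return f"""
config system interface
  edit port2
    config ipv6
      set ip6-address {wan6}
    end
  next
  edit port3
    set ip {lan4}
  next
end
config vpn ipsec phase1-interface
  edit {tunnel}
    set ip-version 6
    set interface port2
    set remote-gw6 {peer6}
    set psksecret maryhadalittlelamb
    set proposal 3des-md5 3des-sha1
  next
end
config router static6
  edit 1
    set device port2
    set dst 0::/0
  next
end
config router static
  edit 1
    set device {tunnel}
    set dst {peer_lan4}
  next
end
"""


def parse_cli(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(cur.setdefault(rest, {}))
        elif cmd == "set":
            key, _, value = rest.partition(" ")
            cur[key] = value
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected CLI line: {line!r}")
    return root


def check_pair(cfg_a, cfg_b):
    """Return mismatches between the two gateways; an empty list means consistent."""
    problems = []
    for me, peer in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        (name, p1), = me["vpn ipsec phase1-interface"].items()
        (_, peer_p1), = peer["vpn ipsec phase1-interface"].items()
        peer_wan = peer["system interface"][peer_p1["interface"]]["ipv6"]["ip6-address"]
        gw = ipaddress.IPv6Address(p1["remote-gw6"])
        # Compare parsed addresses: the page writes the same address in two forms.
        if gw != ipaddress.IPv6Interface(peer_wan).ip:
            problems.append(f"{name}: remote-gw6 {gw} is not the peer's {peer_wan}")
        if p1.get("ip-version") != "6":
            problems.append(f"{name}: ip-version must be 6 for IPv6 transport")
        if p1["psksecret"] != peer_p1["psksecret"]:
            problems.append(f"{name}: pre-shared keys differ")
        if not set(p1["proposal"].split()) & set(peer_p1["proposal"].split()):
            problems.append(f"{name}: no common Phase 1 proposal")
        # Inner IPv4: the peer LAN (its port3 subnet) must be routed into the tunnel.
        peer_lan = ipaddress.IPv4Interface(peer["system interface"]["port3"]["ip"]).network
        if not any(r["device"] == name and ipaddress.IPv4Network(r["dst"]) == peer_lan
                   for r in me["router static"].values()):
            problems.append(f"{name}: no IPv4 route for {peer_lan} via {name}")
        # Outer IPv6: ESP packets to the peer need a route out the Phase 1 interface.
        if not any(r["device"] == p1["interface"] and gw in ipaddress.IPv6Network(r["dst"])
                   for r in me["router static6"].values()):
            problems.append(f"{name}: no IPv6 route covering {gw} out {p1['interface']}")
    return problems


# Both sides as on this page, with FortiGate B's port2 address matching A's remote-gw6.
A_WAN6, B_WAN6 = "fec0::0001:209:0fff:fe83:25f2/64", "fec0::0003:209:0fff:fe83:25c7/64"
FGT_A = parse_cli(site_config("toB", A_WAN6, "fec0:0000:0000:0003:209:0fff:fe83:25c7",
                              "192.168.2.1/24", "192.168.3.0/24"))
FGT_B = parse_cli(site_config("toA", B_WAN6, "fec0:0000:0000:0001:209:0fff:fe83:25f2",
                              "192.168.3.1/24", "192.168.2.0/24"))
```

Running check_pair(FGT_A, FGT_B) returns an empty list for the pair above. Feeding it a FortiGate B whose port2 address is shortened to fec0::0003:fe83:25c7 (which is fec0:0:0:0:0:3:fe83:25c7, a different host) reports that toB's remote-gw6 does not match, and an IPv4 route for the wrong prefix is reported as a missing route for the peer LAN. Security policies and Phase 2 selectors are not checked here.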



This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
