
Handbook

IPv6 IPsec VPNs

6.0.0

IPv6 IPsec VPNs

This chapter describes how to configure the IPv6 IPsec VPN functionality for your FortiGate unit. For examples, see Configuration examples.


By default, IPv6 configuration options do not appear in the GUI. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Visibility.
2. Enable IPv6.
3. Select Apply.

IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

IPv4 over IPv6

The VPN gateways have IPv6 addresses.

The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.

IPv6 over IPv4

The VPN gateways have IPv4 addresses.

The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

  • Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
  • Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
  • Redundant IPv6 tunnels are not supported.

Certificates

On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.
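A worked configuration for the IPv4 over IPv6 case with certificate authentication, added here as an example and not taken from the Fortinet handbook: the gateways are IPv6 (Phase 1), the selectors are IPv4 (Phase 2), the tunnel is route-based, and the peer's certificate CN is its IPv6 gateway address. All names (branch-peer, v4overv6, CA_Cert_1, local-cert, port1) and all addresses are assumed placeholders; the commands are standard FortiOS CLI, and lines beginning with # are annotations rather than CLI input.

```text
# IPv4 over IPv6 (IPv6 gateways, IPv4 protected networks), certificate-authenticated.
# Lines starting with '#' are annotations, not CLI input. All names and addresses are assumed.

# 1. Peer definition: the remote certificate's CN is the peer's IPv6 gateway address.
config user peer
    edit "branch-peer"
        set ca "CA_Cert_1"            # CA that issued the remote certificate (assumed name)
        set cn-type ipv6
        set cn "2001:db8:1::2"
    next
end

# 2. Phase 1: IPv6 gateway addresses, signature authentication against the peer above.
config vpn ipsec phase1-interface
    edit "v4overv6"
        set ip-version 6
        set interface "port1"
        set remote-gw6 2001:db8:1::2
        set authmethod signature
        set certificate "local-cert"  # this unit's own certificate (assumed name)
        set peertype peer
        set peer "branch-peer"
        set proposal aes256-sha256
    next
end

# 3. Phase 2: IPv4 selectors, because only the protected networks are IPv4.
config vpn ipsec phase2-interface
    edit "v4overv6-p2"
        set phase1name "v4overv6"
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# 4. Route-based: steer IPv4 traffic for the remote network into the tunnel interface.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "v4overv6"
    next
end
```

IPv4 firewall policies between the LAN interface and the v4overv6 tunnel interface are still required in both directions; without them the tunnel comes up but forwards no traffic.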
