Fortinet white logo
Fortinet white logo

Administration Guide

SD-WAN segmentation over a single overlay using IPv6

SD-WAN segmentation over a single overlay using IPv6

IPv6 is supported for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment.

Example

In this example, multiple companies (or departments of a company) share the ADVPN. Company A and company B each have two branches in two different locations. Company A's branches (A-1 and A-2) can talk to each other using the VPN shortcut, but not to company B's branches (B-1 and B-2). Likewise, company B's branches can talk to each other using the VPN shortcut, but not to company A's branches. Traffic can share the tunnels and shortcuts, but cannot be mixed up.

In this example, two spokes each have two tunnels to the hub.

  • Each spoke has two VRFs behind it that can use the same IP address or subnets.
  • The computers in VRF1 behind spoke 1 can talk to the computers in VRF1 behind spoke 2, but not to any of the computers in the VRF2s behind either spoke.
  • The computers in VRF2 behind spoke 1 can talk to the computers in VRF2 behind spoke 2, but not to any of the computers in the VRF1s behind either spoke.
  • Loopback addresses are used for communication between the spokes and the hub instead of tunnel IP address.
Note

The exchange-ip-addr6 option allows a loopback IPv6 address to be exchanged between the spokes and the hub in a network. This means that instead of using the tunnel IP address, which is typically used for communication, the loopback IPv6 address is used.

See config router bgp and config router route-map in the CLI Reference for a comprehensive list of commands.

To configure the hub:
  1. Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.1
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set network-import-check disable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set additional-path-select6 4
        config neighbor-group
            edit "EDGEv6"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-graceful-restart enable
                set next-hop-self-rr6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set update-source "vd11-lo1"
                set additional-path6 both
                set adv-additional-path6 4
                set route-reflector-client6 enable
                set route-reflector-client-vpnv6 enable
            next
        end
        config neighbor-range6
            edit 2
                set prefix6 2001::10:200:1:0/112
                set neighbor-group "EDGEv6"
            next
        end
        config network6
            edit 1
                set prefix6 2001::10:200:1:0/112
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
  2. Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "p1"
            set type dynamic
            set interface "vd11-vlan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
        edit "p111"
            set type dynamic
            set interface "vd11-vlan111"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
  3. Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "p1-v6"
            set phase1name "p1"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "p111-v6"
            set phase1name "p111"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
To configure a spoke:
  1. Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.100
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set recursive-next-hop enable
        set tag-resolve-mode merge
        set graceful-restart enable
        set additional-path-select6 4
        config neighbor
            edit "2001::10:200:1:1"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-dynamic enable
                set capability-graceful-restart6 enable
                set capability-graceful-restart-vpnv6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set route-map-in6 "tag"
                set route-map-in-vpnv6 "tag"
                set connect-timer 10
                set update-source "vd2-lo1"
                set additional-path6 both
                set additional-path-vpnv6 both
            next
        end
        config network6
            edit 1
                set prefix6 2001:22::/64
            next
            edit 2
                set prefix6 2001::10:200:1:100/128
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
  2. Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "vd2-1"
            set interface "vd2-vlan12"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 11.1.1.11
            set psksecret **********
        next
        edit "vd2-2"
            set interface "vd2-vlan112"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 111.1.1.11
            set psksecret **********
        next
    end
  3. Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "vd2-1-6"
            set phase1name "vd2-1"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "vd2-2-6"
            set phase1name "vd2-2"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
  4. Configure the SD-WAN settings:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "vd2-1"
                set cost 10
            next
            edit 2
                set interface "vd2-2"
                set cost 20
            next
        end
        config health-check
            edit "ping6"
                set addr-mode ipv6
                set server "2001::10:200:1:1"
                set source6 2001::10:200:1:100
                set members 1 2
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 61
                set addr-mode ipv6
                set priority-members 1
                set dst6 "6001-100"
            next
            edit 62
                set addr-mode ipv6
                set priority-members 2
                set dst6 "6100-200"
            next
        end
    end
To check the spoke 1 routes:
# get router info6 routing-table bgp
Routing table for VRF=0
B       2001::10:200:1:0/112 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
B       2001::10:200:1:101/128 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

Routing table for VRF=1
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

Routing table for VRF=2
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
To test the configuration on shortcut 1:
  1. From VRF1 of spoke 1, ping VRF1 of spoke 2.

  2. From VRF2 of spoke 1, ping VRF2 spoke 2. Both VRF1 and VRF2 source and destination IP addresses are the same, so you can see how the traffic is isolated.

  3. Verify the session list:

    # diagnose sys session6 list
    session6 info: proto=58 proto_state=00 duration=3 expire=59 timeout=0 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=may_dirty
    statistic(bytes/packets/allow_err): org=416/4/0 reply=416/4/0 tuples=2
    tx speed(Bps/kbps): 136/1 rx speed(Bps/kbps): 136/1
    orgin->sink: org pre->post, reply pre->post dev=100->223/223->100
    hook=pre dir=org act=noop 2001:22::55:398->2001:33::44:128(:::0)
    hook=post dir=reply act=noop 2001:33::44:398->2001:22::55:129(:::0)
    src_mac=02:4c:a5:fc:77:6f
    misc=0 policy_id=1 pol_uuid_idx=1070 auth_info=0 chk_client_info=0 vd=3:2 
    serial=0001104d tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=61
    rpdb_link_id=ff00003d ngfwid=n/a
    npu_state=0x1040001 no_offload
    no_ofld_reason:  disabled-by-policy non-npu-intf
    total session6: 1

    In the output, vd=<vdom_ID>:<VRF_ID> indicates that sessions are created in and stay in the corresponding VRFs.

SD-WAN segmentation over a single overlay using IPv6

SD-WAN segmentation over a single overlay using IPv6

IPv6 is supported for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment.

Example

In this example, multiple companies (or departments of a company) share the ADVPN. Company A and company B each have two branches in two different locations. Company A's branches (A-1 and A-2) can talk to each other using the VPN shortcut, but not to company B's branches (B-1 and B-2). Likewise, company B's branches can talk to each other using the VPN shortcut, but not to company A's branches. Traffic can share the tunnels and shortcuts, but cannot be mixed up.

In this example, two spokes each have two tunnels to the hub.

  • Each spoke has two VRFs behind it that can use the same IP address or subnets.
  • The computers in VRF1 behind spoke 1 can talk to the computers in VRF1 behind spoke 2, but not to any of the computers in the VRF2s behind either spoke.
  • The computers in VRF2 behind spoke 1 can talk to the computers in VRF2 behind spoke 2, but not to any of the computers in the VRF1s behind either spoke.
  • Loopback addresses are used for communication between the spokes and the hub instead of tunnel IP address.
Note

The exchange-ip-addr6 option allows a loopback IPv6 address to be exchanged between the spokes and the hub in a network. This means that instead of using the tunnel IP address, which is typically used for communication, the loopback IPv6 address is used.

See config router bgp and config router route-map in the CLI Reference for a comprehensive list of commands.

To configure the hub:
  1. Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.1
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set network-import-check disable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set additional-path-select6 4
        config neighbor-group
            edit "EDGEv6"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-graceful-restart enable
                set next-hop-self-rr6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set update-source "vd11-lo1"
                set additional-path6 both
                set adv-additional-path6 4
                set route-reflector-client6 enable
                set route-reflector-client-vpnv6 enable
            next
        end
        config neighbor-range6
            edit 2
                set prefix6 2001::10:200:1:0/112
                set neighbor-group "EDGEv6"
            next
        end
        config network6
            edit 1
                set prefix6 2001::10:200:1:0/112
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
  2. Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "p1"
            set type dynamic
            set interface "vd11-vlan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
        edit "p111"
            set type dynamic
            set interface "vd11-vlan111"
            set ike-version 2
            set peertype any
            set net-device disable
            set exchange-ip-addr6 2001::10:200:1:1
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set dpd on-idle
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-sender enable
            set encapsulation vpn-id-ipip
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
  3. Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "p1-v6"
            set phase1name "p1"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "p111-v6"
            set phase1name "p111"
            set proposal aes128-sha1
            set replay disable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
To configure a spoke:
  1. Configure the BGP settings:

    config router bgp
        set as 65100
        set router-id 10.200.1.100
        set keepalive-timer 5
        set holdtime-timer 15
        set ibgp-multipath enable
        set additional-path6 enable
        set additional-path-vpnv6 enable
        set recursive-next-hop enable
        set tag-resolve-mode merge
        set graceful-restart enable
        set additional-path-select6 4
        config neighbor
            edit "2001::10:200:1:1"
                set advertisement-interval 1
                set activate disable
                set activate-vpnv4 disable
                set capability-dynamic enable
                set capability-graceful-restart6 enable
                set capability-graceful-restart-vpnv6 enable
                set soft-reconfiguration6 enable
                set remote-as 65100
                set route-map-in6 "tag"
                set route-map-in-vpnv6 "tag"
                set connect-timer 10
                set update-source "vd2-lo1"
                set additional-path6 both
                set additional-path-vpnv6 both
            next
        end
        config network6
            edit 1
                set prefix6 2001:22::/64
            next
            edit 2
                set prefix6 2001::10:200:1:100/128
            next
        end
        config vrf6
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "1:1"
                set export-rt "1:1"
                set import-rt "1:1"
            next
            edit "2"
                set role ce
                set rd "2:1"
                set export-rt "2:1"
                set import-rt "2:1"
            next
        end
    end
  2. Configure the IPsec phase 1 interface settings:

    config vpn ipsec phase1-interface
        edit "vd2-1"
            set interface "vd2-vlan12"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 11.1.1.11
            set psksecret **********
        next
        edit "vd2-2"
            set interface "vd2-vlan112"
            set ike-version 2
            set peertype any
            set net-device enable
            set exchange-ip-addr6 2001::10:200:1:100
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set add-route disable
            set npu-offload disable
            set dhgrp 5
            set auto-discovery-receiver enable
            set encapsulation vpn-id-ipip
            set remote-gw 111.1.1.11
            set psksecret **********
        next
    end
  3. Configure the IPsec phase 2 interface settings:

    config vpn ipsec phase2-interface
        edit "vd2-1-6"
            set phase1name "vd2-1"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
        edit "vd2-2-6"
            set phase1name "vd2-2"
            set proposal aes128-sha1
            set dhgrp 5
            set replay disable
            set auto-negotiate enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        next
    end
  4. Configure the SD-WAN settings:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "vd2-1"
                set cost 10
            next
            edit 2
                set interface "vd2-2"
                set cost 20
            next
        end
        config health-check
            edit "ping6"
                set addr-mode ipv6
                set server "2001::10:200:1:1"
                set source6 2001::10:200:1:100
                set members 1 2
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 61
                set addr-mode ipv6
                set priority-members 1
                set dst6 "6001-100"
            next
            edit 62
                set addr-mode ipv6
                set priority-members 2
                set dst6 "6100-200"
            next
        end
    end
To check the spoke 1 routes:
# get router info6 routing-table bgp
Routing table for VRF=0
B       2001::10:200:1:0/112 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
B       2001::10:200:1:101/128 [200/0] via 2001::10:200:1:1 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

Routing table for VRF=1
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]

Routing table for VRF=2
B V     2001:33::/64 [200/0] via 2001::10:200:1:101 tag 100 (recursive via vd2-1 tunnel ::11.1.1.11), 1d15h41m
(recursive via vd2-2 tunnel ::111.1.1.11), 1d15h41m, [1024/0]
To test the configuration on shortcut 1:
  1. From VRF1 of spoke 1, ping VRF1 of spoke 2.

  2. From VRF2 of spoke 1, ping VRF2 spoke 2. Both VRF1 and VRF2 source and destination IP addresses are the same, so you can see how the traffic is isolated.

  3. Verify the session list:

    # diagnose sys session6 list
    session6 info: proto=58 proto_state=00 duration=3 expire=59 timeout=0 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=may_dirty
    statistic(bytes/packets/allow_err): org=416/4/0 reply=416/4/0 tuples=2
    tx speed(Bps/kbps): 136/1 rx speed(Bps/kbps): 136/1
    orgin->sink: org pre->post, reply pre->post dev=100->223/223->100
    hook=pre dir=org act=noop 2001:22::55:398->2001:33::44:128(:::0)
    hook=post dir=reply act=noop 2001:33::44:398->2001:22::55:129(:::0)
    src_mac=02:4c:a5:fc:77:6f
    misc=0 policy_id=1 pol_uuid_idx=1070 auth_info=0 chk_client_info=0 vd=3:2 
    serial=0001104d tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=61
    rpdb_link_id=ff00003d ngfwid=n/a
    npu_state=0x1040001 no_offload
    no_ofld_reason:  disabled-by-policy non-npu-intf
    total session6: 1

    In the output, vd=<vdom_ID>:<VRF_ID> indicates that sessions are created in and stay in the corresponding VRFs.