IPv6 SLAAC
Hi
I am having issues getting SLAAC to work on a FortiGate 60C.
I have my WAN interface set with a static address. I have no issues pinging services over IPv6 from the FortiGate unit itself.
But it will not autoconfigure the units connected to the internal interface.
    config ipv6
        set ip6-allowaccess ping https ssh
        set ip6-address 2001:000:000:1::1/64
        set ip6-send-adv enable
        set autoconf enable
    end
That is the config for the internal side.
Then I have:
    config ipv6
        set ip6-allowaccess ping https ssh
        set ip6-address 2001:000:000::2/64
        set ip6-send-adv enable
        set autoconf enable
    end
for the WAN interface, with a default GW of 2001:000:000::1/64.
Any help would be greatly appreciated.
Your config is missing a lot. Follow my blog post on the autoconf function and IPv6 on FGT:
http://socpuppet.blogspot.com/2012/12/ipv6-fortigate-style.html
But you need to assign the prefix, for starters.
This is one area most missed in FortiGate configuration. Unlike Cisco, it's done automatically when you enable IPv6 on an interface.
PCNSE
NSE
StrongSwan
Thanks for the reply.
I have tried to change the config for the internal side so it matches your post.
    config ipv6
        set ip6-allowaccess ping https ssh
        set ip6-address 2001:000:000:1::1/64
        set ip6-send-adv enable
        set autoconf enable
        config ip6-prefix-list
            edit 2001:000:000::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end
    end
Still, on the Cisco in front I only see the FortiGate itself, and that registers as stale.
You need something like this:
    config ipv6
        set ip6-address 2001:000:000:1::1/64
        set ip6-allowaccess ping https ssh snmp
        config ip6-prefix-list
            edit 2001:000:000:1::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end
        set ip6-retrans-time 4000
        set ip6-send-adv enable
    end
    next
Does the Cisco have IPv6 enabled and auto for the address?
Does it have layer-2 connectivity to the FGT (temporarily assign it a static or EUI-64 address and test with an IPv6 ping)?
Does a host attached to the FGT pick up a stateless assigned address (macOS/Linux/Windows/OpenBSD/etc.)?
What does your debug output show, if anything other than the Cisco gets an address?
If nothing gets an address, once again start diagnostics and packet captures.
PCNSE
NSE
StrongSwan
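The mismatch the reply above corrects (the interface sits in 2001:000:000:1::/64 but the RA advertises 2001:000:000::/64) is easy to miss by eye. Below is an added checker, not code from the thread or from Fortinet, that parses a FortiOS "config ipv6" block and reports anything that would stop hosts from autoconfiguring: no RA, no prefix, a non-/64 prefix, autonomous flag off, or an advertised prefix that does not match the interface's own network. The sample block is the poster's internal-side config, reproduced as constructed text.

```python
import re
import ipaddress

# Constructed sample: the poster's internal-interface block, indented for clarity.
SAMPLE_MISMATCH = """
config ipv6
    set ip6-allowaccess ping https ssh
    set ip6-address 2001:000:000:1::1/64
    set ip6-send-adv enable
    set autoconf enable
    config ip6-prefix-list
        edit 2001:000:000::/64
            set autonomous-flag enable
            set preferred-life-time 600
            set valid-life-time 600
        next
    end
end
"""

def parse_ipv6_block(text):
    """Pull the interface address, the send-adv flag and the advertised
    prefixes (with their autonomous flag) out of a 'config ipv6' block."""
    addr = re.search(r"set ip6-address (\S+)", text)
    send_adv = re.search(r"set ip6-send-adv (\S+)", text)
    prefixes = []
    # Each 'edit <prefix> ... next' pair in ip6-prefix-list is one RA prefix option.
    for m in re.finditer(r"edit (\S+)(.*?)next", text, re.S):
        auto = re.search(r"set autonomous-flag (\S+)", m.group(2))
        prefixes.append((ipaddress.IPv6Network(m.group(1), strict=False),
                         bool(auto and auto.group(1) == "enable")))
    return (ipaddress.IPv6Interface(addr.group(1)) if addr else None,
            bool(send_adv and send_adv.group(1) == "enable"),
            prefixes)

def check_slaac(text):
    """Return a list of problems that would keep SLAAC from working; [] means OK."""
    addr, send_adv, prefixes = parse_ipv6_block(text)
    if addr is None:
        return ["no ip6-address on interface"]
    problems = []
    if not send_adv:
        problems.append("ip6-send-adv is not enabled, no RAs will be sent")
    if not prefixes:
        problems.append("no ip6-prefix-list entry, RAs carry no prefix")
    for net, autonomous in prefixes:
        if net.prefixlen != 64:
            problems.append(f"{net} is not a /64, SLAAC needs a 64-bit prefix")
        if not autonomous:
            problems.append(f"{net} has autonomous-flag disabled")
        if net != addr.network:
            problems.append(f"advertised {net} does not match interface network {addr.network}")
    return problems
```

Running check_slaac on the sample flags the prefix mismatch; swapping the edit line for 2001:000:000:1::/64, as the reply does, clears it.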
There, I got it working.
I used the config I had on the internal side.
But on the Cisco in front I put up an IPv6 link net on the VLAN to the FortiGate.
So I assigned on the Cisco side:
    2001:0:0:0::1/64
Then on the FortiGate:
    2001:0:0:0::2/64
I then used a static route for 2001:0:0::/48 to 2001:0:0:0::2/64.
Then everything worked fine, as soon as I changed my FW policy to allow ICMPv6.
This is not technically SLAAC, is it? But it works.
Thank you so much.
Seems I was a bit quick there. It worked for a while.
Now I am not able to ping from the FortiGate to IPv6 sites.
The FortiGate replies to ping packets over IPv6, though.
What are you trying to do? Do you have a topology drawing of the inside/outside interfaces and where the autoconf clients are located?
Somehow, from what you're describing, SLAAC is not what you want. SLAAC is trivial and a straightforward configuration.
PCNSE
NSE
StrongSwan
I can try and explain what I am after.
I have a /48 prefix assigned by my ISP.
This /48 prefix can be routed to me by putting it straight on the VLAN that connects to me,
or by using a /64 link net. This link net is not a part of my initial prefix.
Right now it is set up using the link net configuration.
I would prefer for the prefix to be assigned to my VLAN directly, though,
with the FortiGate sitting on a static IPv6 address for management,
while my internal units automatically pick up their IPv6 configuration using SLAAC.
I hope this was a better explanation of what I wanted.
Thanks again for the help.
Why don't you assign a /64 out of the /48 on the WAN link and divide the remaining 64k minus 1 /64s among your internal VLANs, with SLAAC on the VLAN interfaces?
You can assign multiple /64 prefixes on one interface if required, and you can have multiple IPv6 addresses per interface.
Very simple, see diagram:

PCNSE
NSE
StrongSwan
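The plan in this reply (one /64 from the /48 on the WAN link, the rest carved into per-VLAN /64s that the FortiGate advertises) is laid out below as an added example; it is not code from the thread or from Fortinet. It uses the constructed documentation prefix 2001:db8::/48 and hypothetical VLAN names, and renders a FortiOS "config ipv6" fragment for each VLAN whose advertised prefix is, by construction, the same /64 the interface address lives in.

```python
import ipaddress
from itertools import islice

def plan_prefixes(delegated, vlan_names):
    """Carve the delegated block into /64s: the first becomes the WAN link net,
    the following ones go to the internal VLANs in order. Also reports how many
    /64s remain unused (65533 for a /48 with a WAN link and two VLANs)."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError("need a prefix shorter than /64 to carve /64s from it")
    total = 2 ** (64 - block.prefixlen)
    needed = 1 + len(vlan_names)
    if needed > total:
        raise ValueError(f"{delegated} holds only {total} /64s, {needed} needed")
    # islice avoids materialising all 65536 subnets of a /48.
    subnets = islice(block.subnets(new_prefix=64), needed)
    wan = next(subnets)
    vlans = dict(zip(vlan_names, subnets))
    return {"wan": wan, "vlans": vlans, "spare": total - needed}

def fortios_ipv6_block(net, host_id):
    """Render the 'config ipv6' fragment for one VLAN interface: the FortiGate
    takes <net>::<host_id> as its static management address and advertises the
    same /64 with the autonomous flag set so hosts can SLAAC from it."""
    addr = ipaddress.IPv6Interface(f"{net.network_address + host_id}/{net.prefixlen}")
    return "\n".join([
        "config ipv6",
        f"    set ip6-address {addr}",
        "    set ip6-send-adv enable",
        "    config ip6-prefix-list",
        f"        edit {net}",
        "            set autonomous-flag enable",
        "        next",
        "    end",
        "end",
    ])

if __name__ == "__main__":
    plan = plan_prefixes("2001:db8::/48", ["lan", "guest"])  # constructed input
    print("WAN link net:", plan["wan"], "| spare /64s:", plan["spare"])
    for name, net in plan["vlans"].items():
        print(f"# {name}\n{fortios_ipv6_block(net, 1)}")
```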