Hot!IPv6 on SSL client tunnel

Author
kotheram
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/20 14:03:52
  • Status: offline
2019/12/20 14:24:33 (permalink) 6.2
0

IPv6 on SSL client tunnel

Hi,
I am having trouble setting up IPv6 on Windows 10 SSL tunnel with FortiClient VPN app.
 
I have configured IPv6 address group to be assigned to users, enabled IPv6 on SSL-VPN portal, checked that IPv6 is enabled on Windows PPP interface, ... but my computer still get only IPv4 address.
 
Have anybody successfuly configured and used IPv6 on SSL VPN through Forticlient VPN app?
 
So far I have found this post http://socpuppet.blogspot.com/2013/09/sslvpn-forticlient-ipv6.html which has not been resolved and some known issues with IPv6 on full Forticlient https://docs.fortinet.com/document/forticlient/6.2.0/windows-release-notes/991883/known-issues.
 
Thanks
#1

11 Replies Related Threads

    ispcolohost
    Silver Member
    • Total Posts : 84
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/19 19:25:59 (permalink)
    0
    Any chance you figured this out?  Trying to do dual stack with 6in4 via Forticlient.
    #2
    kotheram
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/20 14:03:52
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/20 09:37:43 (permalink)
    0
    Actualy a I opened a support ticket a day ago.
    I will post resolution here as soon as I have one.
    #3
    ispcolohost
    Silver Member
    • Total Posts : 84
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/20 10:55:29 (permalink)
    0
    I had one, they're suggesting what I'm attempting to do is not something you can achieve with both 1) an external user, and 2) lack of EMS license.  This instance has users are defined on the fortigate but auth'd via radius, and I'm just attempting with standard 6.0 or 6.2 client unlicensed, i.e. vpn-only.  I of course can't find any docs on Fortinet's site that confirm or deny this suggestion; they have nothing on their site about setting up dual stack Forticlient, or anything that suggests it is actually capable of 6in4 tunnels.  I can get either a v6 or a v4 address depending on which protocol I connect over, but then the other protocol is free to split tunnel even though I have those options disabled in my SSL VPN definition.  Kind of a mess.
    #4
    kallbrandt
    Silver Member
    • Total Posts : 98
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/20 16:19:38 (permalink)
    0
    SSLVPN is to my knowledge still EITHER IPV4 or IPv6. I have never heard of anyone succeding in having dual stack in SSLVPN, and support know this is kinda embarrassing and doesn't really answer your questions...
    However, it is perfectly possible to use IPSEC VPN with Forticlient and run dual stack.

    Richie
    NSE7
    #5
    ispcolohost
    Silver Member
    • Total Posts : 84
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/20 16:46:52 (permalink)
    0
    Hmm that's unfortunate.  Ipsec is a bit too cumbersome for mass rollout and support for non-technical users; I've got that setup currently using pfsense+openvpn auth'ing off a radius server hooked into Duo for MFA and policy enforcement.  Very clean, no users on the firewall, one stop shop for locking someone out companywide.  Just doesn't have the performance of fortigate vpn, HA, etc. and is of course one more thing to support.
    #6
    kallbrandt
    Silver Member
    • Total Posts : 98
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/21 03:44:46 (permalink)
    0
    I don't understand why IPSec would be cumbersome - It is more to setup in the firewall obviously, but the same for the users, unless you go with fully manual setup on the client side. That doesn't scale even for SSLVPN, and would be impossible with IPsec VPN due to the plethora of settings that need to match on both ends. I bake the FortiClient msi/exe with the build tool so that all settings are included. It is then easy to push out with AD policies or your package deployment tool of choice. Or just offer the baked client for downloading in the VPN-portal/elsewhere. All the users have to do is to type their credentials correctly (hard enough...).

    Richie
    NSE7
    #7
    ispcolohost
    Silver Member
    • Total Posts : 84
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/21 10:06:51 (permalink)
    0
    I was just thinking from the perspective of either certificate management and/or not wanting a common pre-shared key.  We have a lot of BYOD among our users, and ssl-based with radius auth makes it quite easy for them to self configure on any device type of their choosing by just knowing the target.  The auth and 2fa work the same regardless of device type and they don't require possession of, or knowledge of, anything beyond their normal credentials.  If they lose a device or they quit/term, we only have one change to make and they're out of every system.
    #8
    kallbrandt
    Silver Member
    • Total Posts : 98
    • Scores: 18
    • Reward points: 0
    • Joined: 2016/05/21 11:21:05
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/21 13:10:47 (permalink)
    0
    SSLVPN will always be easier, both to set up and to manage. It sucks that they haven't fixed the dual stack issue, since the competition (Palo Alto, Cisco and others) can run dual stack SSLVPN without any problems. But for the time being, the only solution with a Fortigate is to go IPSec. And a commonly known, hardcoded PSK in the client isn't that big of a deal, since you would use XAUTH + 2FA in addition to the PSK if you go with the free FortiClient IPSec (IKE1 only). Basically, the PSK is just there in the client because it has to be (in our case, we chose not to use certificates, just because we have non-internal devices too). We use a PrivacyIdea radius server for handling the 2FA (+ any TOTP app of your choice), wich in our case is a 6-digit TOTP code that the users append after their password. Same solution för SSLVPN as for the IPSec. Actually for everything that utilize 2FA. It works and scales well, and since the FortiClient is pre-baked with all the settings, there really is no difference between SSLVPN/IPsec in the handling from the users perspective.
    There seems to be a bug in 6.0.9 regarding SSLVPN also. Some models (like 600D) seems to suffer from severe packet loss, making for example RDP almost impossible. So we had to deploy both SSLVPN and IPsec as backup way in. IPsec is rock solid. Dual stack is basically just icing on the cake mostly for the IT staff, since they had to go IPsec anyway...

    Richie
    NSE7
    #9
    kotheram
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/20 14:03:52
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/03/26 02:25:28 (permalink)
    0
    Support ticket resolution:
    >>>
    This configuration is currently not supported by either the firewall or FortiClient.

    They 've been already NFR's regarding this feature but still is not available.

    0251189 NFR - Dual stack IPv4/IPv6 over Forticlient access IPSec and SSL VPN
    0266721 Forticlient Support for simultaneous IPv4 and IPv6 address assignment over IPSec and SSL tunnel

    Please feel free to talk with your sales representative about NFR.

    All NFR(new feature request) or development roadmap cases have to be worked through Fortinet regional sales partner channel or the Systems Engineer (SE) that covers your territory.
    <<<
     
    So, guys, please, contact your partners and ask them to escalate those NFRs.
     
    Right now, you can use IPv6 tunnel over IPv6 connectivity and IPv4 tunnel over IPv4 connectivity.
    #10
    trailblazer
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/05/18 02:28:43
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/05/18 02:35:04 (permalink)
    0
    I was testing with this just now and this thread confirms my findings (on 6.2.3)...

    Too bad ARIN hasn't run out of IPv4 yet, that might have expedited this as dual stack would become the new 'normal'. This is just a security risk, plain and simple.
    post edited by trailblazer - 2020/05/18 03:36:41
    #11
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: IPv6 on SSL client tunnel 2020/05/18 13:41:23 (permalink)
    0
    No, ipv6 and ipv4 with a client connecting with ipv6 is not doable. NFR has been submitted awhile back on this one .
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #12
    Jump to:
    © 2020 APG vNext Commercial Version 5.5