Friday, January 4, 2013

DHCPv6 on FortiGates

IPv6 hosts can get their addresses and DNS settings through SLAAC, through DHCPv6, or through a mix of both; which one a host uses is driven by the A (autonomous) flag on the advertised prefix and the M (managed) and O (other configuration) flags in the router advertisement. I'm putting this post together to show you how I set up DHCPv6 on a FortiGate and how a Linux host was configured for client operations.

1: Let's look at my FortiGate interface config. The lines that matter here are ip6-send-adv (send router advertisements), ip6-manage-flag (the M bit: get addresses from DHCPv6), ip6-other-flag (the O bit: get DNS and other options from DHCPv6) and autonomous-flag on the prefix (the A bit: SLAAC):

( note: I changed the IPv6 addresses, since this is a real firewall, to protect the innocent )

config system interface
    edit "port15"
        set vdom "root"
        set ip
        set allowaccess ping https ssh snmp
        set type physical
        set alias "mgmt_network-2960"
            config ipv6
                set ip6-address 2001:418:100a:3::1/64
                set ip6-allowaccess https ssh snmp
                set ip6-manage-flag enable
                set ip6-other-flag enable
                    config ip6-prefix-list
                        edit 2001:418:100a:3::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                            set preferred-life-time 600
                            set valid-life-time 600
                        next
                        edit 2001:419:100a:3::/64
                            set preferred-life-time 600
                            set valid-life-time 600
                        next
                    end
                set ip6-reachable-time 3000
                set ip6-send-adv enable
            end
    next
end

Okay, and here's how my DHCPv6 server was configured. Note that only an ip-range is defined, so this server hands out addresses (IA_NA) and DNS options; it has no prefixes to delegate. Also check the second DNS server: Google's public resolvers are 2001:4860:4860::8888 and 2001:4860:4860::8844, so ::4444 looks like a typo.

config system dhcp6 server
    edit 1
        set domain ""
        set interface "port15"
            config ip-range
                edit 1
                    set end-ip 2001:418:100a:3::14
                    set start-ip 2001:418:100a:3::10
                next
            end
        set lease-time 3600
        set subnet 2001:418:100a:3::/64
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
    next
end

On my CentOS hosts, I used the following configs:

[root@localhost etc]# cat dhcp6c.conf
# See dhcp6c.conf(5) man page for details.
interface eth1 {
#    information-only;
#    send rapid-commit;

#  request ntp-servers;
    request prefix-delegation;
    request domain-search-list;
    request domain-name-servers;
    #request temp-address;
};

And for the network script:

[root@localhost etc]# cat /etc/sys*/network

Okay, so that's the gist of the config, and here's a dump of the request and reply between my DHCPv6 client and server. One thing to notice in the Solicit below: the client sends an IA_PD (option 25, prefix delegation), not an IA_NA (option 3, a non-temporary address), because the dhcp6c.conf above asks for prefix-delegation rather than an address. The FortiGate server above only has an ip-range to hand out, so it has nothing to delegate; the host's own address comes from SLAAC (the first prefix has autonomous-flag enabled), and DHCPv6 is really only supplying the DNS options the client lists in its Option Request (23 and 24).

( the client request )

Internet Protocol Version 6
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: UDP (0x11)
    Hop limit: 64
    Source: fe80::d6be:d9ff:fef0:76de (fe80::d6be:d9ff:fef0:76de)
    Destination: ff02::1:2 (ff02::1:2)
User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547)
    Source port: dhcpv6-client (546)
    Destination port: dhcpv6-server (547)
    Length: 60
    Checksum: 0xebbc [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    Message type: Solicit (1)
    Transaction-ID: 0x00285f05
    Client Identifier
        option type: 1
        option length: 14
        DUID type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        Time: 410132715
        Link-layer address: 48:6a:e8:75:51:2b
    Elapsed time
        option type: 8
        option length: 2
        elapsed-time: 0 ms
    Identity Association for Prefix Delegation
        option type: 25
        option length: 12
        IAID: 3732336857
        T1: 0
        T2: 0
    Option Request
        option type: 6
        option length: 4
        Requested Option code: Domain Search List (24)
        Requested Option code: DNS recursive name server (23)
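To make the point about IA_PD versus IA_NA concrete, here is a small DHCPv6 message builder and parser. This is an added example, not code from the original post or from Fortinet: the sample Solicit is constructed here from the fields in the Wireshark dump above (transaction-id 0x285f05, DUID-LLT time 410132715 and MAC 48:6a:e8:75:51:2b, IAID 3732336857, ORO 24 and 23) and comes out at the same 52 bytes Wireshark reported as the UDP payload. The option codes and framing follow RFC 3315/3633; the function names are my own.

```python
"""Tiny DHCPv6 (RFC 3315/3633) message builder and parser.

Added example, not from the original post. The sample Solicit is built
from the fields in the Wireshark dump above and parsed back, so you can
see why a Solicit that carries only IA_PD cannot be answered with an
address from a server that has nothing but an ip-range configured.
"""
import struct

OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED, OPT_IA_PD = 1, 3, 6, 8, 25
MSG_TYPES = {1: "Solicit", 2: "Advertise", 3: "Request", 7: "Reply"}


def option(code, data):
    """Encode one option: code(2) length(2) payload, all big-endian."""
    return struct.pack("!HH", code, len(data)) + data


def build_solicit(xid, mac, duid_time, iaid, oro, ia_option=OPT_IA_PD, elapsed=0):
    """Build a Solicit with a DUID-LLT client id, one IA (IA_PD or IA_NA) and an ORO."""
    duid = struct.pack("!HHI", 1, 1, duid_time) + mac   # DUID type 1 (LLT), hw type 1 (Ethernet)
    body = bytes([1]) + xid.to_bytes(3, "big")          # msg-type Solicit + 24-bit transaction-id
    body += option(OPT_CLIENTID, duid)
    body += option(OPT_ELAPSED, struct.pack("!H", elapsed))
    body += option(ia_option, struct.pack("!III", iaid, 0, 0))   # IAID, T1, T2; no sub-options
    body += option(OPT_ORO, struct.pack("!%dH" % len(oro), *oro))
    return body


def parse_options(buf):
    """Walk the TLV option list, refusing headers or payloads that run past the buffer."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d claims %d bytes but only %d remain"
                             % (code, length, len(buf) - off))
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def parse_duid(data):
    """Decode DUID-LLT (type 1); any other DUID type is returned raw."""
    duid_type = struct.unpack_from("!H", data)[0]
    if duid_type == 1 and len(data) >= 8:
        hwtype, t = struct.unpack_from("!HI", data, 2)
        return {"type": "LLT", "hwtype": hwtype, "time": t,
                "lladdr": ":".join("%02x" % b for b in data[8:])}
    return {"type": duid_type, "raw": data.hex()}


def parse_message(payload):
    """Decode the 4-byte header and the options a Solicit normally carries."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than the 4-byte header")
    msg = {"type": MSG_TYPES.get(payload[0], payload[0]),
           "xid": int.from_bytes(payload[1:4], "big"), "options": {}}
    o = msg["options"]
    for code, data in parse_options(payload[4:]):
        if code == OPT_CLIENTID:
            o["client_id"] = parse_duid(data)
        elif code == OPT_ELAPSED:
            o["elapsed_ms"] = struct.unpack("!H", data)[0] * 10   # wire unit is 10 ms
        elif code in (OPT_IA_NA, OPT_IA_PD):
            iaid, t1, t2 = struct.unpack_from("!III", data)
            o["ia_na" if code == OPT_IA_NA else "ia_pd"] = {"iaid": iaid, "t1": t1, "t2": t2}
        elif code == OPT_ORO:
            o["oro"] = list(struct.unpack("!%dH" % (len(data) // 2), data))
        else:
            o.setdefault("other", []).append(code)
    return msg


def safe_parse(payload):
    """Return the parsed message, or None if the framing is malformed."""
    try:
        return parse_message(payload)
    except (ValueError, struct.error):
        return None


def asks_for_address(msg):
    """A server with only an ip-range can answer IA_NA; a Solicit carrying only
    IA_PD wants a delegated prefix, so the host's own address must come from SLAAC."""
    return "ia_na" in msg["options"]


# Constructed here to match the Solicit in the dump above.
SOLICIT_FROM_POST = build_solicit(
    xid=0x285F05,
    mac=bytes.fromhex("486ae875512b"),
    duid_time=410132715,
    iaid=3732336857,
    oro=[24, 23],
)

if __name__ == "__main__":
    m = parse_message(SOLICIT_FROM_POST)
    print(len(SOLICIT_FROM_POST), "bytes:", m)
    print("asks for an address via DHCPv6:", asks_for_address(m))
```

Run it as-is to decode the post's Solicit; swap ia_option=OPT_IA_NA in build_solicit to see what a client that wants an address from the ip-range would send instead. The parser deliberately refuses options whose length runs past the buffer, which is the first check you want in anything that reads DHCPv6 off the wire.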

So to debug this from the firewall (and run diag debug disable when you're done, so the debug output doesn't keep scrolling):
FG3K0B3I1XXXXX # diag debug application  dhcp6s 1

FG3K0B3I1XXXXX # diag debug enable

And to debug from the client side (-f keeps dhcp6c in the foreground, -d and -D turn on debug output, and the interface name is the last argument):

dhcp6c -f  -d -c /etc/dhcp6c.conf -D "ethernet_name_here"

I hope you found this post interesting and helpful.

Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed dot com


  1. Did you try to use a Windows Vista DHCPv6 client? Using this configuration my laptop obtains an IPv6 address, but when I try to ping other IPv6 hosts the message below appears: PING: Transmission failed. General failure.

  2. Actually it was a Windows 7 client.

  3. I'm having the same issue with "General Failure."