IPv6 allows for SLAAC and DHCPv6 client support. I'm putting this post together to show you how I set up DHCPv6 on a FortiGate and how a Linux host was configured for client operations.
1: Let's look at my FortiGate interface config
(note: I changed the IPv6 address, since this is a real firewall, to protect the innocent)
config system interface
    edit "port15"
        set vdom "root"
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set alias "mgmt_network-2960"
        config ipv6
            set ip6-address 2001:418:100a:3::1/64
            set ip6-allowaccess https ssh snmp
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:418:100a:3::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 600
                    set valid-life-time 600
                next
                edit 2001:419:100a:3::/64
                    set preferred-life-time 600
                    set valid-life-time 600
                next
            end
            set ip6-reachable-time 3000
            set ip6-send-adv enable
        end
    next
end
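To see what the interface settings above actually put on the wire, here is an added example (my own Python, not FortiGate code) that builds the ICMPv6 Router Advertisement (RFC 4861) the port15 config makes the firewall send, decodes it back, and reports what a host does with it. ip6-manage-flag and ip6-other-flag become the M and O bits in the RA header, autonomous-flag and onlink-flag become the A and L bits of each Prefix Information option, and ip6-reachable-time and the lifetimes are carried as-is. Assumptions: the router's link-local source address fe80::1 is a constructed placeholder, the router lifetime of 1800 s is an assumed default (the config does not set it), and the second prefix is built with A=0 because the config sets autonomous-flag only on the first one.

```python
"""Build and decode the Router Advertisement produced by the port15 config above.
Added example, not FortiGate code; field values come from that config, the
source address is a constructed placeholder."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134     # ICMPv6 type
OPT_PREFIX_INFO = 3        # ND option: Prefix Information (PIO)
RA_FLAG_MANAGED = 0x80     # M bit  <- set ip6-manage-flag enable
RA_FLAG_OTHER = 0x40       # O bit  <- set ip6-other-flag enable
PIO_FLAG_ONLINK = 0x80     # L bit  <- set onlink-flag enable
PIO_FLAG_AUTO = 0x40       # A bit  <- set autonomous-flag enable

ROUTER_LL = "fe80::1"      # constructed placeholder, not the real firewall's address
ALL_NODES = "ff02::1"      # RAs are multicast to all nodes


def icmpv6_checksum(src, dst, payload):
    """RFC 8200 pseudo-header checksum (normally computed by the kernel)."""
    data = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    data += struct.pack("!IxxxB", len(payload), 58) + payload   # 58 = ICMPv6
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(managed, other, reachable_ms, prefixes, router_lifetime=1800, hop_limit=64):
    """prefixes: iterable of (prefix, onlink, autonomous, valid_s, preferred_s)."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    # type, code, checksum placeholder, cur hop limit, flags, router lifetime,
    # reachable time (ms), retrans timer (0 = unspecified)
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                     router_lifetime, reachable_ms, 0)
    for prefix, onlink, auto, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (PIO_FLAG_ONLINK if onlink else 0) | (PIO_FLAG_AUTO if auto else 0)
        # PIO = type 3, length 4 (8-octet units) = 32 bytes including the 16-byte prefix
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                          valid, preferred, 0) + net.network_address.packed
    csum = icmpv6_checksum(ROUTER_LL, ALL_NODES, ra)
    return ra[:2] + struct.pack("!H", csum) + ra[4:]


def parse_ra(ra):
    """Decode the RA header and its Prefix Information options."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT or ra[1] != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(ROUTER_LL, ALL_NODES, ra) != 0:
        raise ValueError("bad ICMPv6 checksum")
    _, _, _, hop_limit, flags, rlife, reach, _ = struct.unpack("!BBHBBHII", ra[:16])
    info = {"managed": bool(flags & RA_FLAG_MANAGED), "other": bool(flags & RA_FLAG_OTHER),
            "hop_limit": hop_limit, "router_lifetime": rlife, "reachable_ms": reach,
            "prefixes": []}
    pos = 16
    while pos + 2 <= len(ra):
        otype, olen = ra[pos], ra[pos + 1] * 8
        if olen == 0 or pos + olen > len(ra):
            raise ValueError("malformed ND option")   # RFC 4861: length 0 is invalid
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", ra[pos + 2:pos + 16])
            addr = ipaddress.IPv6Address(ra[pos + 16:pos + 32])
            info["prefixes"].append({"prefix": "%s/%d" % (addr, plen),
                                     "onlink": bool(pflags & PIO_FLAG_ONLINK),
                                     "autonomous": bool(pflags & PIO_FLAG_AUTO),
                                     "valid": valid, "preferred": preferred})
        pos += olen
    return info


def host_behaviour(info):
    """What an RFC 4861/4862 host does with this RA: which prefixes it uses for
    SLAAC, and whether it starts DHCPv6 (M: stateful addresses; O only: info-only)."""
    slaac = [p["prefix"] for p in info["prefixes"] if p["autonomous"] and p["valid"] > 0]
    if info["managed"]:
        dhcpv6 = "stateful"      # M=1: addresses (and DNS etc.) via DHCPv6 Solicit
    elif info["other"]:
        dhcpv6 = "stateless"     # O=1 only: DHCPv6 Information-request for DNS/domain
    else:
        dhcpv6 = "none"
    return {"slaac_prefixes": slaac, "dhcpv6": dhcpv6}


# Values from the port15 config above; the second prefix has no autonomous-flag
# in that config, so it is built with A=0 here (FortiGate shows only non-default values).
PORT15_RA = build_ra(managed=True, other=True, reachable_ms=3000, prefixes=[
    ("2001:418:100a:3::/64", True, True, 600, 600),
    ("2001:419:100a:3::/64", False, False, 600, 600),
])

if __name__ == "__main__":
    decoded = parse_ra(PORT15_RA)
    print(decoded)
    print(host_behaviour(decoded))
```

The decoded result shows the combination this config creates: the first prefix has A=1, so a host forms a SLAAC address from it, and M=1 at the same time tells the host to run stateful DHCPv6 as well, so a client on port15 ends up with both a SLAAC address and a DHCPv6-leased one from the pool configured next. The second prefix is advertised with the 600 s lifetimes but without A, so hosts learn it without autoconfiguring from it.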
Okay, and here's how my DHCPv6 server was configured:
config system dhcp6 server
    edit 1
        set domain "mydomain.com"
        set interface "port15"
        config ip-range
            edit 1
                set end-ip 2001:418:100a:3::14
                set start-ip 2001:418:100a:3::10
            next
        end
        set lease-time 3600
        set subnet 2001:418:100a:3::/64
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
    next
end
On my CentOS hosts, I used the following configs:
[root@localhost etc]# cat dhcp6c.conf
#
# See dhcp6c.conf(5) man page for details.
#
interface eth1 {
    # information-only;
    # send rapid-commit;
    # request ntp-servers;
    request prefix-delegation;
    request domain-search-list;
    request domain-name-servers;
    #request temp-address;
};
And for the network script:
[root@localhost etc]# cat /etc/sys*/network
NETWORKING=yes
NETWORKING_IPV6=yes
#HOSTNAME=localhost.localdomain
DHCPV6C=yes
Okay, so that's the gist of the config. Here's a dump of the request and reply from my DHCPv6 client and server
(the client request)
Internet Protocol Version 6
    0110 .... = Version: 6
    [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: UDP (0x11)
    Hop limit: 64
    Source: fe80::d6be:d9ff:fef0:76de (fe80::d6be:d9ff:fef0:76de)
    Destination: ff02::1:2 (ff02::1:2)
User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547)
    Source port: dhcpv6-client (546)
    Destination port: dhcpv6-server (547)
    Length: 60
    Checksum: 0xebbc [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
DHCPv6
    Message type: Solicit (1)
    Transaction-ID: 0x00285f05
    Client Identifier
        option type: 1
        option length: 14
        DUID type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        Time: 410132715
        Link-layer address: 48:6a:e8:75:51:2b
    Elapsed time
        option type: 8
        option length: 2
        elapsed-time: 0 ms
    Identity Association for Prefix Delegation
        option type: 25
        option length: 12
        IAID: 3732336857
        T1: 0
        T2: 0
    Option Request
        option type: 6
        option length: 4
        Requested Option code: Domain Search List (24)
        Requested Option code: DNS recursive name server (23)
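The dissection above is easier to reason about once you can take a DHCPv6 message apart yourself, so here is an added example (my own Python, not dhcp6c's or the FortiGate's code) of a small RFC 8415 decoder. It rebuilds the Solicit from the field values shown in the dump (the byte string is reconstructed from those values, not copied from a capture), decodes it, and summarises what the client is asking for. One thing the summary makes visible: because dhcp6c.conf says `request prefix-delegation`, this Solicit carries an IA_PD (option 25) and no IA_NA (option 3), so it is asking the server to delegate a prefix rather than to lease an address from the ip-range pool.

```python
"""Decode DHCPv6 messages (RFC 8415) and check the decoder against the Solicit
from the dump above.  Added example, not dhcp6c or FortiGate code; the Solicit
bytes are reconstructed from the dump's field values."""
import struct

MSG_TYPES = {1: "Solicit", 2: "Advertise", 3: "Request", 5: "Renew",
             7: "Reply", 11: "Information-request"}
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED_TIME, OPT_IA_PD = 1, 3, 6, 8, 25
OPTION_NAMES = {1: "Client Identifier", 2: "Server Identifier", 3: "IA_NA",
                5: "IA Address", 6: "Option Request", 8: "Elapsed time",
                23: "DNS recursive name server", 24: "Domain Search List",
                25: "IA_PD", 26: "IA Prefix"}


def option(code, body):
    """Encode one option: 2-byte code, 2-byte length, body."""
    return struct.pack("!HH", code, len(body)) + body


def decode_option(code, body):
    if code == OPT_CLIENTID:                       # body is a DUID
        duid_type = struct.unpack("!H", body[:2])[0]
        if duid_type == 1:                         # DUID-LLT: hw type, time, link-layer addr
            hw, t = struct.unpack("!HI", body[2:8])
            return {"duid_type": "LLT", "hw_type": hw, "time": t, "lladdr": body[8:].hex(":")}
        return {"duid_type": duid_type, "raw": body.hex()}
    if code == OPT_ELAPSED_TIME:                   # wire unit is hundredths of a second
        return {"elapsed_ms": struct.unpack("!H", body)[0] * 10}
    if code in (OPT_IA_NA, OPT_IA_PD):             # IAID, T1, T2, then nested options
        iaid, t1, t2 = struct.unpack("!III", body[:12])
        return {"iaid": iaid, "t1": t1, "t2": t2, "sub_options": parse_options(body[12:])}
    if code == OPT_ORO:                            # list of 2-byte option codes
        return {"requested": list(struct.unpack("!%dH" % (len(body) // 2), body))}
    return {"raw": body.hex()}


def parse_options(data):
    """Walk a TLV option list; reject truncated options and trailing garbage."""
    opts, pos = [], 0
    while pos + 4 <= len(data):
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("option %d truncated" % code)
        opts.append((code, decode_option(code, body)))
        pos += 4 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last option")
    return opts


def parse_dhcpv6(pkt):
    """Client/server message: 1-byte msg-type, 3-byte transaction-id, options."""
    if len(pkt) < 4:
        raise ValueError("short DHCPv6 message")
    return {"msg_type": MSG_TYPES.get(pkt[0], pkt[0]),
            "transaction_id": int.from_bytes(pkt[1:4], "big"),
            "options": parse_options(pkt[4:])}


def ia_summary(msg):
    """What the client is asking for: an address (IA_NA), a prefix (IA_PD), or info only."""
    codes = [c for c, _ in msg["options"]]
    oro = dict(msg["options"]).get(OPT_ORO, {}).get("requested", [])
    return {"wants_address": OPT_IA_NA in codes,
            "wants_prefix": OPT_IA_PD in codes,
            "wants_info": [OPTION_NAMES.get(c, c) for c in oro]}


# Reconstructed from the dump above: Solicit, xid 0x00285f05, DUID-LLT for
# 48:6a:e8:75:51:2b at time 410132715, elapsed 0, IA_PD IAID 3732336857, ORO 24,23.
SOLICIT = (
    bytes([1]) + (0x00285f05).to_bytes(3, "big")
    + option(OPT_CLIENTID, struct.pack("!HHI", 1, 1, 410132715) + bytes.fromhex("486ae875512b"))
    + option(OPT_ELAPSED_TIME, struct.pack("!H", 0))
    + option(OPT_IA_PD, struct.pack("!III", 3732336857, 0, 0))
    + option(OPT_ORO, struct.pack("!HH", 24, 23))
)

if __name__ == "__main__":
    parsed = parse_dhcpv6(SOLICIT)
    print(parsed)
    print(ia_summary(parsed))
    print("UDP length would be", len(SOLICIT) + 8)   # 60, as in the dump
```

The option lengths fall out exactly as Wireshark shows them (14, 2, 12 and 4), and the 52-byte message plus the 8-byte UDP header gives the UDP length of 60 in the dump, which is a quick sanity check that nothing was lost in the reconstruction. The same `parse_dhcpv6` works on the server's Advertise and Reply; IA_NA and IA_PD both carry their leases as nested options, which is why `decode_option` recurses into `parse_options` for them.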
So to debug this from the firewall:
(FGT)
FG3K0B3I1XXXXX # diag debug application dhcp6s 1
FG3K0B3I1XXXXX # diag debug enable
And to debug from the client side:
dhcp6c -f -d -c /etc/dhcp6c.conf -D "ethernet_name_here"
I hope you found this post interesting and helpful.
Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed dot com
Did you try to use a Windows Vista DHCPv6 client? Using this configuration my laptop obtains an IPv6 address, but when I try to ping other IPv6 hosts the message below appears: PING: Transmisison failed. General failure..
*Actually it was a Windows 7 client..
I'm having the same issue with "General Failure."