Wednesday, May 26, 2021

SDWAN fortios ipv6

Okay, here's a new twist. Can you do SDWAN with ipv6? Well, yes.


Okay, so a friend of mine is looking at SDWAN and they are in an all-ipv6 environment. I'm going to demo how you do SDWAN on a fortigate with ipv6. Keep in mind the SDWAN ipv6 addr-mode and its configuration are done from the cli only.


Okay, first what I did was use my 2 ipv6 SIT-tunnels. These are used for ipv6 connectivity since my local ISP does not even offer ipv6.


Here's a basic tunnel setup:

config system sit-tunnel
    edit "HE"
        set source 199.188.xxx.xxx
        set destination 216.66.80.26
        set ip6 2001:470:1f07:427::2/64
    next
    edit "CH"
        set source 199.188.xxx.xxx
        set destination 85.202.203.249
        set ip6 2a09:4c0:fe0:7a::2/64
    next
end

Next we stick these two interfaces in an SDWAN zone. I named mine simply ipv6:


config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "ipv6"
        next
    end
    config members
        edit 1
            set interface "HE"
            set zone "ipv6"
        next
        edit 2
            set interface "CH"
            set zone "ipv6"
        next
    end
end


You will need an ipv6 firewall policy in order to use the sdwan zone for traffic exiting to the ipv6 backbone:



config firewall policy
    edit 6
        set name "ipv6-sdwan"
        set uuid 9e0adc14-bdb6-51eb-0138-794f8740485f
        set srcintf "internal"
        set dstintf "ipv6"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Notice I enabled "nat" on egress: since I have 2 different originating networks, we need to SNAT. My inside lan is configured using private addresses:



config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
        config ipv6
            set ip6-address 2001:db8:99::1/64
            set ip6-allowaccess https ssh snmp
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:db8:99::/64
                next
            end
        end
    next
end


Now you can build sdwan rules & health checks and such, but you have to use the cli and set the addr-mode type, e.g.:



config system sdwan
    config health-check
        edit "quad9"
            set addr-mode ipv6
            set server "2620:fe::9"
            set detect-mode prefer-passive
            set threshold-warning-packetloss 20
            set threshold-alert-packetloss 30
            set members 1 2
        next
    end
    config service
        edit 2
            set name "ipv6-tunnels"
            set addr-mode ipv6
            set input-device "internal"
            set priority-members 2
            set dst6 "sjc"
            set src6 "all"
        next
    end
end
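As an added example (not from this post and not Fortinet's code), here is a small Python lint that parses FortiOS-style config/edit/set/next/end blocks and flags SD-WAN health-checks and services that carry ipv6 settings (an ipv6 server literal, or dst6/src6) without "set addr-mode ipv6", which is exactly the setting that has to be added by hand in the cli. The embedded config is constructed for the demo: the "quad9-nomode" health-check, service 3 and the "sjc" address object are made up.

```python
# Constructed sample modelled on the post's health-check and service entries;
# "quad9-nomode" and service 3 deliberately omit "set addr-mode ipv6".
SAMPLE = """
config system sdwan
    config health-check
        edit "quad9"
            set addr-mode ipv6
            set server "2620:fe::9"
        next
        edit "quad9-nomode"
            set server "2620:fe::fe"
        next
    end
    config service
        edit 2
            set addr-mode ipv6
            set dst6 "sjc"
        next
        edit 3
            set dst6 "sjc"
        next
    end
end
"""

def parse_fortios(text):
    """Build a dict tree from FortiOS config/edit/set/next/end lines."""
    stack = [{}]                                  # stack[0] is the root table
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, rest = line.partition(" ")
        if key in ("config", "edit"):             # open a nested table/entry
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif key in ("next", "end"):              # close the current block
            stack.pop()
        elif key == "set":                        # multi-word values kept whole
            name, _, value = rest.partition(" ")
            stack[-1][name] = value.strip('"')
    return stack[0]

def lint_ipv6_addr_mode(tree):
    """Flag entries with ipv6 settings (server literal, dst6/src6) but no addr-mode ipv6."""
    findings, sdwan = [], tree.get("system sdwan", {})
    for name, hc in sdwan.get("health-check", {}).items():
        if ":" in hc.get("server", "") and hc.get("addr-mode") != "ipv6":  # colon => ipv6 literal
            findings.append(f"health-check {name}: IPv6 server without addr-mode ipv6")
    for name, svc in sdwan.get("service", {}).items():
        if ("dst6" in svc or "src6" in svc) and svc.get("addr-mode") != "ipv6":
            findings.append(f"service {name}: dst6/src6 set without addr-mode ipv6")
    return findings
```

Run it over a "show system sdwan" dump before pushing a change and any entry it lists will fail to match ipv6 traffic on the box.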


So treat the sdwan for ipv6 in the same fashion as ipv4.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \