IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP.

While it was quite easy to bring the tunnel “up”, I had some problems tunneling both Internet Protocols over the single phase 2 session. The reason was some kind of differences within the IPsec tunnel handling between those two firewall vendors. Here are the details along with more than 20 screenshots and some CLI listings.

Please note that I have many different VPN tutorials on my blog. Have a look at this list to find the appropriate post. This one here focusses on IPv6 tunneling.

Lab

My lab consists of a Palo Alto Networks PA-200 firewall with PAN-OS 8.0.3, and a Fortinet FortiWiFi 90D with Firmware Version v5.4.5, build1138. I am using some uncommon but highly secure crypto protocols: Diffie-Hellman group 20 (have a look here), AES-256, SHA-512 and a lifetime of 28800 s (IKE) respectively 3600 s (IPsec). The following figure shows the IP addressing scheme. Note that the VPN tunnel is established over IPv6 only while it tunnels IPv6 and legacy IP!

The configuration was almost straightforward. However, it took me a while to understand the handling of the phase 2 sessions: While Palo Alto simply establishes a single phase 2 tunnel and forwards IPv6 as well as IPv4 packets through it, FortiGate needs two different phase 2 tunnels, one for IPv6 and one for IPv4. That is: I configured two Proxy IDs on the Palo as well, one for IPv6 and another for IPv4.

Configuration Palo Alto

The configuration of the Palo firewall consists of the following steps: IKE Gateway, Tunnel Interface, IPsec Tunnel with Proxy IDs for IPv6 and IPv4, static routes for IPv6 and IPv4, dual-stack policies. Here we go:

Configuration FortiGate

Except the tunnel interface (which must not be added separately) and two separate policy sets (since FortiGate has a shit policy design which distinguishes between the Internet Protocols) the config on the FortiGate is very similar: IPsec Tunnel with Gateway, Authentication, Phase 1 Proposal and two Phase 2 Selectors (IPv6 and IPv4), as well as two static routes (IPv6 and IPv4) and four policies (IPv6 and IPv4). Let’s do this:

Monitoring

I had two Ubuntu clients, one behind each firewall. Rather than only pinging I did some file transfers via ssh/scp. Here are some traffic logs from both firewalls:

At the Tunnel Info from Palo Alto you can see the odd behaviour due to the phase 2 tunnel handling. All outgoing packets are sent via the IPv4 tunnel “fg:fg”. The counter for “Pkt Encap” at the IPv6 tunnel “fg:fg6” shows a 0:

On the FortiGate everything seems to be ok. The counters increased for both phase 2 tunnels, i.e., IPv6 and legacy IP.

Here are some CLI outputs from the Palo Alto:

And some CLI outputs from the FortiGate as well:

 

Conclusion

Yeah it works. Great. Two different firewall vendors, IPv6, uncommon protocols (DH20, SHA512), different Proxy ID handling, but still: it works. Keep on going, guys!

(But I am still a bit irritated about the phase 2 tunnels. Which is better? Palo Alto: simply establishing a single phase 2 and handling everything over it or FortiGate: different phase 2 tunnels for each Internet Protocol? I don’t know. But good to know how to circumvent it.)

Featured image: “Tunnel” by Alfred Schierholz is licensed under CC BY 2.0.

Leave a Reply

Your email address will not be published. Required fields are marked *