Routed VTI carrying IPv6

  • Has anyone got a routed VTI IPSEC connection carrying IPv6 traffic to work?

    I have done the following:

    • Create Phase 1 (IKEv2, dual stack) between two IPv4 endpoints, both pfSense 2.4.4_3
    • Add phase 2 entry: mode Routed (VTI), local 10.9.1.17/29, remote 10.9.1.18 (this works)
    • Add phase 2 entry: mode Routed (VTI), local fdef:7cd9:58f4:4026::2/125, remote fdef:7cd9:58f4:4026::1

    IPSEC status shows both phase 2 entries are up, but the IPv6 address is not added to the ipsecNNNN interface (or indeed any interface).

    Near end:

    ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    	tunnel inet XX.XX.XX.XX --> YY.YY.YY.YY
    	inet6 fe80::ae1f:6bff:feXX:XXXX%ipsec1000 prefixlen 64 scopeid 0xb
    	inet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	reqid: 1000
    	groups: ipsec
    

    Far end:

    ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    	tunnel inet YY.YY.YY.YY --> XX.XX.XX.XX
    	inet6 fe80::20a:f7ff:feXX:XXXX%ipsec4000 prefixlen 64 scopeid 0x10
    	inet 10.9.1.18 --> 10.9.1.17 netmask 0xfffffff8
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	reqid: 4000
    	groups: ipsec
    

    However, I can ping the link-local v6 address of the far side, which proves the tunnel is working:

    /root: ping6 -I ipsec1000 fe80::20a:f7ff:feXX:XXXX
    PING6(56=40+8+8 bytes) fe80::ae1f:6bff:feXX:XXXX%ipsec1000 --> fe80::20a:f7ff:feXX:XXXX
    16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=0 hlim=64 time=1.756 ms
    16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=1 hlim=64 time=1.672 ms
    16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=2 hlim=64 time=1.821 ms
    

    So it seems something is preventing the configured v6 address from being added - although I guess I might be able to route traffic using just the link-local addresses.

    Any clues? Thanks!
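A small diagnostic for the situation described in the post, added here as an example and not part of the original thread or of pfSense: it parses ifconfig(8) output for an ipsec(4) VTI interface, reports whether the expected point-to-point IPv6 address is present, and, if it is missing, prints the FreeBSD ifconfig command that would add it by hand. The sample interface output is constructed from the post (XX/YY stay masked); the ifconfig argument order `inet6 <local> <remote> prefixlen <n>` for a point-to-point interface is assumed from the FreeBSD ifconfig(8) manual, and whether pfSense keeps such a manually added address across tunnel restarts is not something this check verifies.

```shell
#!/bin/sh
# Added example (not from the forum post or from pfSense): check a routed-VTI
# ipsec(4) interface for the expected IPv6 point-to-point address.

# Constructed sample: the near-end ifconfig output quoted in the post.
SAMPLE_IFCONFIG='ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	tunnel inet XX.XX.XX.XX --> YY.YY.YY.YY
	inet6 fe80::ae1f:6bff:feXX:XXXX%ipsec1000 prefixlen 64 scopeid 0xb
	inet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	reqid: 1000
	groups: ipsec'

# has_inet6 OUTPUT ADDR
# Succeeds (exit 0) when ADDR appears as an inet6 address in OUTPUT.
# The %zone suffix on link-local addresses is stripped before comparing.
has_inet6() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "inet6" { a = $2; sub(/%.*/, "", a); if (a == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# global_inet6_count OUTPUT
# Prints the number of inet6 addresses that are not link-local (fe80::/10 as
# written by ifconfig, i.e. starting with "fe80:").
global_inet6_count() {
    printf '%s\n' "$1" | awk '$1 == "inet6" && $2 !~ /^fe80:/ { n++ } END { print n + 0 }'
}

# vti_inet6_fix_cmd IFACE LOCAL PREFIXLEN REMOTE
# Prints the ifconfig(8) command that adds the point-to-point IPv6 address.
# Assumption: FreeBSD's "ifconfig IF inet6 ADDR DEST prefixlen N" form applies
# to ipsec(4) interfaces as it does to other point-to-point interfaces.
vti_inet6_fix_cmd() {
    printf 'ifconfig %s inet6 %s %s prefixlen %s\n' "$1" "$2" "$4" "$3"
}

# check_vti_inet6 IFACE LOCAL PREFIXLEN REMOTE OUTPUT
# Prints "ok" when LOCAL is already configured, otherwise the command to add it.
check_vti_inet6() {
    if has_inet6 "$5" "$2"; then
        echo ok
    else
        vti_inet6_fix_cmd "$1" "$2" "$3" "$4"
    fi
}

# Run against the constructed sample with the addresses from the phase 2 entry.
check_vti_inet6 ipsec1000 fdef:7cd9:58f4:4026::2 125 fdef:7cd9:58f4:4026::1 "$SAMPLE_IFCONFIG"
```

On a live box, replace the constructed sample with `"$(ifconfig ipsec1000)"`; the link-local ping in the post succeeding while `global_inet6_count` reports 0 is exactly the state the check is meant to flag, and the printed command is a manual workaround to test whether routing works over the tunnel once the address exists, not a fix for whatever stops pfSense from assigning it.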
