Netgate Discussion Forum
    Routed VTI carrying IPv6

    IPsec
candlerb

      Has anyone got a routed VTI IPSEC connection carrying IPv6 traffic to work?

      I have done the following:

      • Create Phase 1 (IKEv2, dual stack) between two IPv4 endpoints, both pfSense 2.4.4_3
      • Add phase 2 entry: mode Routed (VTI), local 10.9.1.17/29, remote 10.9.1.18 (this works)
      • Add phase 2 entry: mode Routed (VTI), local fdef:7cd9:58f4:4026::2/125, remote fdef:7cd9:58f4:4026::1

      IPSEC status shows both phase 2 entries are up, but the IPv6 address is not added to the ipsecNNNN interface (or indeed any interface)

      Near end:

      ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      	tunnel inet XX.XX.XX.XX --> YY.YY.YY.YY
      	inet6 fe80::ae1f:6bff:feXX:XXXX%ipsec1000 prefixlen 64 scopeid 0xb
      	inet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	reqid: 1000
      	groups: ipsec
      

      Far end:

      ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      	tunnel inet YY.YY.YY.YY --> XX.XX.XX.XX
      	inet6 fe80::20a:f7ff:feXX:XXXX%ipsec4000 prefixlen 64 scopeid 0x10
      	inet 10.9.1.18 --> 10.9.1.17 netmask 0xfffffff8
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	reqid: 4000
      	groups: ipsec
      

      However, I can ping the link-local v6 address of the far side, which proves the tunnel is working:

      /root: ping6 -I ipsec1000 fe80::20a:f7ff:feXX:XXXX
      PING6(56=40+8+8 bytes) fe80::ae1f:6bff:feXX:XXXX%ipsec1000 --> fe80::20a:f7ff:feXX:XXXX
      16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=0 hlim=64 time=1.756 ms
      16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=1 hlim=64 time=1.672 ms
      16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=2 hlim=64 time=1.821 ms
      

      So it seems something is preventing the configured v6 address from being added - although I guess I might be able to route traffic using just the link-local addresses.

      Any clues? Thanks!

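A quick way to turn the question above ("is the configured v6 address on the ipsecNNNN interface, or on any interface?") into a repeatable check is to parse the `ifconfig` output and compare it against the addresses the phase 2 entries were configured with. The script below is an added example, not code from the post or from pfSense; it reuses the near-end `ifconfig` output quoted above as its sample input (placeholders kept) and assumes the interface name and expected addresses from the post.

```python
"""Verify that a routed-VTI phase 2 actually installed its addresses on the
ipsecNNNN interface, by parsing FreeBSD/pfSense `ifconfig` output.

Assumed workflow (not pfSense's own tooling): run `ifconfig` on the box,
feed the text to parse_ifconfig(), then run check_vti() against the
addresses the phase 2 entries were configured with.
"""
import ipaddress
import re

# Constructed sample: the near-end ifconfig output quoted in the post,
# with its XX/YY placeholders kept verbatim.
SAMPLE_IFCONFIG = (
    "ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500\n"
    "\ttunnel inet XX.XX.XX.XX --> YY.YY.YY.YY\n"
    "\tinet6 fe80::ae1f:6bff:feXX:XXXX%ipsec1000 prefixlen 64 scopeid 0xb\n"
    "\tinet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8\n"
    "\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>\n"
    "\treqid: 1000\n"
    "\tgroups: ipsec\n"
)

# The local addresses the two phase 2 entries in the post were configured with.
EXPECTED = {"inet": ["10.9.1.17"], "inet6": ["fdef:7cd9:58f4:4026::2"]}

IFACE_RE = re.compile(r"^(\S+?):\s+flags=")


def normalize(addr):
    """Canonical text form so fdef:...:0:0:0:2 and fdef:...::2 compare equal.
    Unparseable strings (e.g. the XX placeholders) are returned unchanged."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return addr


def is_link_local(addr):
    """True for fe80::/10 addresses; falls back to a prefix test for placeholders."""
    try:
        return ipaddress.ip_address(addr).is_link_local
    except ValueError:
        return addr.lower().startswith("fe80:")


def parse_ifconfig(text):
    """Return {ifname: {"inet": [...], "inet6": [...], "tunnel": "src --> dst" or None}}.
    inet6 addresses have their %scope suffix removed."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Interface header line, e.g. "ipsec1000: flags=8051<...>"
            m = IFACE_RE.match(line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = {"inet": [], "inet6": [], "tunnel": None}
            continue
        if current is None:
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "tunnel" and len(parts) >= 5:
            # "tunnel inet SRC --> DST": the outer IPv4 endpoints of the VTI
            ifaces[current]["tunnel"] = f"{parts[2]} --> {parts[4]}"
        elif parts[0] in ("inet", "inet6") and len(parts) >= 2:
            addr = parts[1].split("%", 1)[0]  # drop the %ipsec1000 scope id
            ifaces[current][parts[0]].append(normalize(addr))
    return ifaces


def check_vti(ifaces, ifname, expected):
    """Report which expected VTI addresses are missing from ifname, whether they
    turned up on some other interface instead, and whether the only IPv6 on the
    VTI is the autoconfigured link-local (the symptom described in the post)."""
    iface = ifaces.get(ifname)
    if iface is None:
        return {"present": False}
    missing, elsewhere = {}, {}
    for family, addrs in expected.items():
        have = set(iface[family])
        for a in map(normalize, addrs):
            if a in have:
                continue
            missing.setdefault(family, []).append(a)
            others = [n for n, i in ifaces.items() if n != ifname and a in i[family]]
            if others:
                elsewhere[a] = others
    only_ll = bool(iface["inet6"]) and all(is_link_local(a) for a in iface["inet6"])
    return {"present": True, "missing": missing, "elsewhere": elsewhere,
            "ipv6_only_link_local": only_ll}


if __name__ == "__main__":
    print(check_vti(parse_ifconfig(SAMPLE_IFCONFIG), "ipsec1000", EXPECTED))
```

On the sample output this reports the IPv4 VTI address present, the `fdef:...::2` address missing from `ipsec1000` and from every other interface, and `ipv6_only_link_local` set, which is exactly the state the post describes; running the same check after a config change or a pfSense upgrade makes it easy to see whether the v6 phase 2 has started installing its address.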
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.