Routed VTI carrying IPv6
Has anyone got a routed VTI IPSEC connection carrying IPv6 traffic to work?
I have done the following:
- Create Phase 1 (IKEv2, dual stack) between two IPv4 endpoints, both pfSense 2.4.4_3
- Add phase 2 entry: mode Routed (VTI), local 10.9.1.17/29, remote 10.9.1.18 (this works)
- Add phase 2 entry: mode Routed (VTI), local fdef:7cd9:58f4:4026::2/125, remote fdef:7cd9:58f4:4026::1
IPSEC status shows both phase 2 entries are up, but the IPv6 address is not added to the ipsecNNNN interface (or indeed any interface)
Near end:
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	tunnel inet XX.XX.XX.XX --> YY.YY.YY.YY
	inet6 fe80::ae1f:6bff:feXX:XXXX%ipsec1000 prefixlen 64 scopeid 0xb
	inet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	reqid: 1000
	groups: ipsec
Far end:
ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	tunnel inet YY.YY.YY.YY --> XX.XX.XX.XX
	inet6 fe80::20a:f7ff:feXX:XXXX%ipsec4000 prefixlen 64 scopeid 0x10
	inet 10.9.1.18 --> 10.9.1.17 netmask 0xfffffff8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	reqid: 4000
	groups: ipsec
However, I can ping the link-local v6 address of the far side, which proves the tunnel is working:
/root: ping6 -I ipsec1000 fe80::20a:f7ff:feXX:XXXX
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:feXX:XXXX%ipsec1000 --> fe80::20a:f7ff:feXX:XXXX
16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=0 hlim=64 time=1.756 ms
16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=1 hlim=64 time=1.672 ms
16 bytes from fe80::20a:f7ff:feXX:XXXX%ipsec1000, icmp_seq=2 hlim=64 time=1.821 ms
So it seems something is preventing the configured v6 address from being added - although I guess I might be able to route traffic using just the link-local addresses.
Any clues? Thanks!
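The check the post does by eye (is the configured inner IPv6 address actually on the ipsecNNNN interface, or only the auto-assigned link-local one?) can be scripted so it runs from cron or a monitoring hook on the firewall. The following is an added example, not code from the post or from pfSense: it parses FreeBSD-style ifconfig output for a VTI interface and reports which expected tunnel addresses are present. The sample ifconfig text is constructed to mirror the post's near end, with documentation-range placeholders for the public endpoints; the interface name ipsec1000 and the expected addresses are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or pfSense). Parses ifconfig
# output for an IPsec VTI interface and checks that the inner tunnel
# addresses configured in the phase 2 entries are really applied.

# Constructed sample modelled on the post's near end; public endpoint
# addresses are documentation-range placeholders.
SAMPLE_IFCONFIG='ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	tunnel inet 192.0.2.1 --> 198.51.100.1
	inet6 fe80::ae1f:6bff:fe00:1%ipsec1000 prefixlen 64 scopeid 0xb
	inet 10.9.1.17 --> 10.9.1.18 netmask 0xfffffff8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	reqid: 1000
	groups: ipsec'

# vti_addrs <ifconfig-text>
# Prints "family address" for every inet/inet6 line. The "tunnel inet" line
# (outer endpoints) starts with "tunnel", so it is skipped; a %scope suffix
# such as %ipsec1000 is stripped from link-local addresses.
vti_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" || $1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)
            print $1, addr
        }'
}

# vti_has_addr <ifconfig-text> <inet|inet6> <address>
# Returns 0 if the address is configured on the interface, 1 otherwise.
vti_has_addr() {
    vti_addrs "$1" | awk -v fam="$2" -v want="$3" '
        $1 == fam && $2 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# vti_has_linklocal <ifconfig-text>
# Returns 0 if any fe80:: address is present (FreeBSD adds one automatically
# when AUTO_LINKLOCAL is set, so its presence says nothing about phase 2).
vti_has_linklocal() {
    vti_addrs "$1" | awk '
        $1 == "inet6" && $2 ~ /^fe80:/ { ll = 1 }
        END { if (ll) exit 0; exit 1 }'
}

# vti_check <ifconfig-text> <expected-v4> <expected-v6>
# Prints one verdict per family; returns 0 only when both are present.
vti_check() {
    text="$1"; want4="$2"; want6="$3"
    rc=0
    if vti_has_addr "$text" inet "$want4"; then
        echo "inet  $want4: present"
    else
        echo "inet  $want4: MISSING"; rc=1
    fi
    if vti_has_addr "$text" inet6 "$want6"; then
        echo "inet6 $want6: present"
    elif vti_has_linklocal "$text"; then
        # The state described in the post: phase 2 is up, only fe80:: exists.
        echo "inet6 $want6: MISSING (only a link-local fe80:: address is configured)"; rc=1
    else
        echo "inet6 $want6: MISSING (no inet6 address at all)"; rc=1
    fi
    return $rc
}

# On a live box: vti_check "$(ifconfig ipsec1000)" 10.9.1.17 fdef:7cd9:58f4:4026::2
vti_check "$SAMPLE_IFCONFIG" 10.9.1.17 fdef:7cd9:58f4:4026::2 || true
```

Run against the constructed sample it reports the v4 address as present and the v6 address as missing with only a link-local address configured, which is exactly the symptom in the post; a non-zero exit status makes it usable as an alert condition.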