Hello,

Assume two sites that both have to use NPt to map an IPv6 IP alias on WAN to an fd00::/64-style prefix on the LAN.

For instance:

Site A: a:b:c:1000::1/56 is the WAN IPv6, and a:b:c:1001::1/64 (IP alias on WAN) is mapped to fd01::1/64 on the LAN through NPt.

Site B: w:x:y:1000::1/56 is the WAN IPv6, and w:x:y:1002::1/64 (IP alias on WAN) is mapped to fd02::1/64 on the LAN through NPt.

IPsec with a phase 1 IKEv2 (over IPv6, but the same issue occurs with IPv4) between the WAN IPs, along with a phase 2 (tunnel6) defined between fd01::/64 and fd02::/64.

The IPsec connection comes up, including phase 2, but nothing goes through the tunnel. For instance, Site A LAN host fd01::2 pings Site B LAN host fd02::2, and nothing is routed through the tunnel.

I'm quite persuaded it has to do with the NPt. When exactly does the NPt translation occur, and how does it interact with the IPsec tunnels defined? That would help me understand where this is failing and whether there is a path to a solution.

Shouldn't the phase 2 tunnel6 be defined in terms of a:b:c:1001::/64 and w:x:y:1002::/64 instead of fd01::/64 and fd02::/64? Obviously, since I'm asking, I tested that without success, but I could have mixed something up during all the attempts I made. Would some NPt translation be needed on the IPsec interface itself?

If I set up an IPv4 configuration, I have no issue: using both LAN networks in the phase 2 tunnel definition works fine. I tried to find similar configuration examples but couldn't yet find anything giving me clues.

--
Best regards,
Olivier Mascia, integral.be/om

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
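The post's question is about where NPt rewrites addresses relative to the IPsec phase 2 selector lookup. The script below is an added illustration, not code from the post or from pfSense, and it does not claim which order pfSense actually uses: it models NPt as a plain prefix rewrite that keeps the host bits, then runs one outbound packet from Site A (fd01::2 to fd02::2) against both candidate phase 2 selectors from the post under both possible orderings, reporting which combination the selector would match. The a:b:c and w:x:y prefixes in the post are placeholders that are not valid hex, so constructed 2001:db8:a:1001::/64 and 2001:db8:b:1002::/64 documentation prefixes stand in for the two WAN aliases. The `Phase2`, `policy_lookup` and `compare_selectors` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv6Network
Addr = ipaddress.IPv6Address

# Constructed stand-ins for the post's a:b:c:1001::/64 and w:x:y:1002::/64 WAN aliases,
# taken from the 2001:db8::/32 documentation range so they parse as real IPv6.
SITE_A_LAN, SITE_A_ALIAS = Net("fd01::/64"), Net("2001:db8:a:1001::/64")
SITE_B_LAN, SITE_B_ALIAS = Net("fd02::/64"), Net("2001:db8:b:1002::/64")


def npt_translate(addr: Addr, src_prefix: Net, dst_prefix: Net) -> Addr:
    """Plain prefix rewrite: replace src_prefix with dst_prefix, keep the host bits.

    Addresses outside src_prefix come back unchanged. That is the important detail
    for the post: Site A's NPt rule knows nothing about Site B's fd02::/64, so a
    destination inside fd02::/64 is never rewritten on Site A.
    """
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("NPt needs equal-length inside/outside prefixes")
    if addr not in src_prefix:
        return addr
    host_mask = (1 << (128 - src_prefix.prefixlen)) - 1
    return Addr(int(dst_prefix.network_address) | (int(addr) & host_mask))


@dataclass(frozen=True)
class Phase2:
    """An IPsec phase 2 (tunnel mode) traffic selector: local network <-> remote network."""
    local: Net
    remote: Net

    def matches(self, src: Addr, dst: Addr) -> bool:
        return src in self.local and dst in self.remote


def policy_lookup(src: str, dst: str, p2: Phase2, npt_before_ipsec: bool) -> dict:
    """Model one outbound packet from Site A against a phase 2 selector.

    Whether NPt runs before or after the IPsec policy lookup is the open question in
    the post, so it is a parameter here rather than an assumption. The result shows
    the addresses the selector actually sees and whether they match.
    """
    src_a, dst_a = Addr(src), Addr(dst)
    if npt_before_ipsec:
        # Outbound NPt on Site A rewrites only the source (LAN ULA -> WAN alias).
        src_a = npt_translate(src_a, SITE_A_LAN, SITE_A_ALIAS)
    return {"seen_src": str(src_a), "seen_dst": str(dst_a), "matched": p2.matches(src_a, dst_a)}


def compare_selectors(src: str = "fd01::2", dst: str = "fd02::2") -> dict:
    """Try both selectors discussed in the post under both orderings of NPt and IPsec."""
    candidates = {
        "ula": Phase2(SITE_A_LAN, SITE_B_LAN),        # fd01::/64 <-> fd02::/64
        "alias": Phase2(SITE_A_ALIAS, SITE_B_ALIAS),  # WAN alias <-> WAN alias
    }
    results = {}
    for name, p2 in candidates.items():
        for npt_first in (False, True):
            key = f"{name}/{'npt_first' if npt_first else 'ipsec_first'}"
            results[key] = policy_lookup(src, dst, p2, npt_first)["matched"]
    return results


if __name__ == "__main__":
    for key, matched in compare_selectors().items():
        print(f"{key:20s} -> {'match' if matched else 'NO match'}")
```

The only combination that matches in this model is the ULA-to-ULA selector with the policy lookup happening before NPt; once the source has been rewritten to the WAN alias, neither selector fits, because the destination fd02::2 is still an untranslated Site B ULA at Site A. That is why, when debugging this kind of setup, it pays to capture on the IPsec (enc/ipsec) interface and the WAN interface and compare the source prefix actually seen there against the configured phase 2 selector.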
