> On 12 May 2016 at 11:11, Olivier Mascia <[email protected]> wrote:
>
> Assume two sites that have to use NPt to map an IPv6 IP Alias on the WAN to
> fd00::/64 on the LAN.
>
> For instance:
>
> Site A: a:b:c:1000::1/56 is the WAN IPv6. a:b:c:1001::1/64 (IP Alias on
> WAN) maps to fd01::1/64 on the LAN through NPt.
> Site B: w:x:y:1000::1/56 is the WAN IPv6. w:x:y:1002::1/64 (IP Alias on
> WAN) maps to fd02::1/64 on the LAN through NPt.
>
> IPsec with a phase1 IKEv2 (over IPv6, but the same issue occurs with IPv4)
> between the WAN IPs,
> along with a phase2 (tunnel6) defined between fd01::/64 and fd02::/64.
>
> The IPsec connection comes up, including phase2. But nothing goes through
> the tunnel.
> For instance, Site A LAN fd01::2 pings Site B LAN fd02::2, and nothing is
> routed through the tunnel.
> I'm quite persuaded it has to do with the NPt.
>
> When exactly does the NPt translation occur, and how does it interact with
> the IPsec tunnels defined? That would help me understand where this is
> failing and whether there is a path to a solution.
Some more experiments and searches later... NPt doesn't seem to be the culprit; 2.3-REL looks like it is.

One of the ends is 2.2.2 (a release that is almost exactly one year old: 14 Apr 2015), and the other is 2.3.

From the 2.3 site (pinging the remote) I can capture the right ESP packets going out through the WAN interface.

On the other end, the 2.2.2 site, I can capture on the ipsec interface both the incoming echo requests and the outgoing echo replies. I can also track the corresponding outgoing ESP packets on its WAN interface.

But the 2.3 site does not get *anything*. I can't even see an incoming ESP packet (we're talking IPv6 here all along) on its WAN.

--
Meilleures salutations,
Met vriendelijke groeten,
Best Regards,
Olivier Mascia, integral.be/om

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
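The original question asks how NPt rewrites a LAN source address and what that means for a phase2 selector written in terms of the LAN prefix. The following is an added example, not code from pfSense, from this thread or from Olivier Mascia. It works the addresses from the post (fd01::/64 mapped to a:b:c:1001::/64, phase2 fd01::/64 <-> fd02::/64) through the RFC 6296 NPTv6 algorithm (prefix rewrite plus a checksum-neutral adjustment of one IID word) and then checks whether the packet would still match the phase2 selector before and after translation. Two things are assumptions, not facts established by the thread: that pfSense's NPt implements the RFC 6296 checksum adjustment (pf-based translators may simply rewrite the prefix), and the order in which translation and IPsec policy matching run, which is exactly what the question asks and this example does not settle. The class and function names are the example's own.

```python
"""RFC 6296 NPTv6 worked through with the addresses from the post, plus a
phase2 selector check.

Added example; not pfSense code.  Assumptions: pfSense NPt behaves like
RFC 6296 (checksum-neutral), and the phase2 selector is matched on whatever
source address the packet carries at the moment IPsec policy is consulted.
"""
import ipaddress


def _words(addr):
    """Split a 128-bit address into eight 16-bit words (the units checksums use)."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry, as in RFC 1071."""
    s = 0
    for w in words:
        s += w
        while s >> 16:
            s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_complement_neg(a):
    return (~a) & 0xFFFF


class NPTv6:
    """Stateless prefix translation for equal-length prefixes up to /64."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 64:
            raise ValueError("example handles equal-length prefixes of /64 or shorter")
        self.plen = self.inside.prefixlen
        # RFC 6296 "adjustment": internal prefix sum minus external prefix sum,
        # computed once.  Adding it to one IID word keeps the pseudo-header
        # checksum of TCP/UDP/ICMPv6 unchanged after the prefix is rewritten.
        in_sum = ones_complement_sum(_words(self.inside.network_address)[:4])
        out_sum = ones_complement_sum(_words(self.outside.network_address)[:4])
        self.adjustment = ones_complement_sum([in_sum, ones_complement_neg(out_sum)])

    def _translate(self, addr, src_net, dst_net, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        host_mask = (1 << (128 - self.plen)) - 1
        rewritten = ipaddress.IPv6Address(
            int(dst_net.network_address) | (int(addr) & host_mask))
        words = _words(rewritten)
        # Apply the adjustment to the first IID word that is not 0xFFFF
        # (RFC 6296 section 3.2).  0xFFFF and 0x0000 are both zero in one's
        # complement; positive zero is written so the mapping stays reversible.
        for i in range(4, 8):
            if words[i] != 0xFFFF:
                s = ones_complement_sum([words[i], adjustment])
                words[i] = 0x0000 if s == 0xFFFF else s
                return _from_words(words)
        raise ValueError("IID of all 0xFFFF cannot be translated")

    def outbound(self, addr):
        """LAN -> WAN: rewrite to the outside prefix, add the adjustment."""
        return self._translate(addr, self.inside, self.outside, self.adjustment)

    def inbound(self, addr):
        """WAN -> LAN: rewrite to the inside prefix, subtract the adjustment."""
        return self._translate(addr, self.outside, self.inside,
                               ones_complement_neg(self.adjustment))


def address_checksum_word(addr):
    """What an address contributes to a pseudo-header checksum; equal before
    and after a correct NPTv6 translation."""
    s = ones_complement_sum(_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


def matches_selector(src, dst, local_net, remote_net):
    """Would a src->dst packet match a phase2 (traffic selector) local/remote pair?"""
    return (ipaddress.IPv6Address(src) in ipaddress.IPv6Network(local_net)
            and ipaddress.IPv6Address(dst) in ipaddress.IPv6Network(remote_net))


if __name__ == "__main__":
    site_a = NPTv6("fd01::/64", "a:b:c:1001::/64")          # Site A mapping from the post
    wan_src = site_a.outbound("fd01::2")
    print(f"adjustment 0x{site_a.adjustment:04x}; fd01::2 -> {wan_src} -> {site_a.inbound(wan_src)}")
    # Phase2 fd01::/64 <-> fd02::/64, ping from fd01::2 to fd02::2 as in the post
    print("match if IPsec sees the LAN address:", matches_selector("fd01::2", "fd02::2", "fd01::/64", "fd02::/64"))
    print("match if IPsec sees the NPt address:", matches_selector(str(wan_src), "fd02::2", "fd01::/64", "fd02::/64"))
```

The second `matches_selector` call is the check worth running mentally on any NPt-plus-IPsec design: a selector written in terms of the LAN prefix only matches if the packet still carries its LAN source when IPsec policy is consulted; once translated, the source is a:b:c:1001:ecdf::2 and falls outside fd01::/64. Whether that order applies on a given pfSense release is not established here; the thread's own follow-up points at the 2.3 end never receiving ESP at all, which is a different failure.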
