Hi everyone,
I've been running IKEv2 remote access (RA) over IPv4 with no problems, but I want to add IPv6 access.
Current RA routes all traffic through the VyOS instance, which is what I want
OS: VyOS 1.5-rolling-202311090023
IPSEC IKEv2 Config
NOTE: Firewall is all on default-action: accept
Configuration
/* Firewall as posted: every chain below ends in default-action accept, so the rules only match and log; nothing is blocked unless a default is changed. */
firewall {
ipv4 {
forward {
filter {
default-action accept
/* Pass established flows first. */
rule 1 {
action accept
state {
established enable
}
}
/* NOTE(review): conntrack state "invalid" is accepted here (and in rule 2 of input and output). With an accept default this is a no-op, but "invalid" is normally the state one drops, so confirm it is intended before tightening the default. */
rule 2 {
action accept
state {
invalid enable
}
}
}
}
input {
filter {
default-action accept
rule 1 {
action accept
state {
established enable
}
}
rule 2 {
action accept
state {
invalid enable
}
}
/* IKE (500) and NAT-T (4500) arriving on eth1, logged. IKE and NAT-T are UDP, so the tcp half of tcp_udp is unused. ESP (IP protocol 50) has no rule of its own and is currently admitted only by the accept default. */
rule 3 {
action accept
destination {
port 500,4500
}
inbound-interface {
name eth1
}
log enable
protocol tcp_udp
}
/* SSH only from the LAN-Addresses group; no inbound-interface restriction. */
rule 4 {
action accept
destination {
port 22
}
log enable
protocol tcp
source {
group {
network-group LAN-Addresses
}
}
}
/* TCP/UDP 32400 from eth1, logged. */
rule 5 {
action accept
destination {
port 32400
}
inbound-interface {
name eth1
}
log enable
protocol tcp_udp
}
/* TCP/UDP 25565 from eth1, logged. */
rule 6 {
action accept
destination {
port 25565
}
inbound-interface {
name eth1
}
log enable
protocol tcp_udp
}
/* DNS (53) from LAN-Addresses. */
rule 9 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
source {
group {
network-group LAN-Addresses
}
}
}
/* SNMP (udp/161) from LAN-Addresses. */
rule 10 {
action accept
destination {
port 161
}
log enable
protocol udp
source {
group {
network-group LAN-Addresses
}
}
}
/* NTP (udp/123) from LAN-Addresses. */
rule 11 {
action accept
destination {
port 123
}
log enable
protocol udp
source {
group {
network-group LAN-Addresses
}
}
}
}
}
/* Output chain mirrors forward: established and invalid accepted, accept default. */
output {
filter {
default-action accept
rule 1 {
action accept
state {
established enable
}
}
rule 2 {
action accept
state {
invalid enable
}
}
}
}
}
/* IPv6: accept-all with default logging on every chain. No rule mentions the RA client prefix FC00::/120, and ICMPv6 (needed for IPv6 to function) is admitted only by the accept default. */
ipv6 {
forward {
filter {
default-action accept
enable-default-log
}
}
input {
filter {
default-action accept
enable-default-log
}
}
output {
filter {
default-action accept
enable-default-log
}
}
}
}
/* Only IPv4 source NAT is shown. No nat66 block appears in this paste even though the post says nat66 rules were tried, and nothing here covers the IPv6 pool FC00::/120. */
/* NOTE(review): the nat block is not closed before "vpn {" starts — the closing braces look truncated when copying. */
nat {
source {
/* RA clients (10.0.10.0/24) reaching LAN-Addresses leave eth1 untranslated. */
rule 9 {
destination {
group {
network-group LAN-Addresses
}
}
exclude
outbound-interface {
name eth1
}
source {
address 10.0.10.0/24
}
}
/* Everything else from the RA pool is masqueraded out eth1. */
rule 15 {
outbound-interface {
name eth1
}
source {
address 10.0.10.0/24
}
translation {
address masquerade
}
}
vpn {
ipsec {
/* Child SA: AES-256-GCM (128-bit ICV). GCM is an AEAD, so the sha256 line is not used for ESP integrity. */
esp-group RemoteAccessESP {
proposal 1 {
encryption aes256gcm128
hash sha256
}
}
/* IKEv2 SA: four proposals offered; 14 is 2048-bit MODP. */
ike-group RemoteAccessIKE {
key-exchange ikev2
proposal 1 {
dh-group 14
encryption aes256ctr
hash sha256
}
proposal 2 {
dh-group 14
encryption aes256gcm128
hash sha256
}
proposal 3 {
dh-group 28
encryption aes256
hash sha256
}
proposal 4 {
dh-group 14
encryption aes256
hash sha256
}
}
/* IKE is bound to eth1 only. */
interface eth1
options {
virtual-ip
}
remote-access {
connection XX_MOBILE {
authentication {
/* Clients authenticate with EAP-MSCHAPv2 usernames (redacted); the server presents an x509 certificate. */
client-mode eap-mschapv2
local-id id
local-users {
.....
}
server-mode x509
x509 {
ca-certificate ca
/* "certificatae" must match the PKI certificate name exactly; keep as-is if that is how it was imported. */
certificate certificatae
}
}
esp-group RemoteAccessESP
ike-group RemoteAccessIKE
/* Both address families are offered as full-tunnel traffic selectors. */
local {
prefix 0.0.0.0/0
prefix ::/0
}
/* NOTE(review): only the IPv4 pool is assigned here; pool MOBILE-v6 below is defined but never referenced by this connection, so clients are not handed an IPv6 address from it — confirm whether it was meant to be added. */
pool MOBILE
}
pool MOBILE {
name-server 10.0.50.1
prefix 10.0.10.0/24
}
pool MOBILE-v6 {
/* NOTE(review): fe80::/10 is link-local; a client on the far end of the tunnel has no link on which to reach it, so this DNS address is unlikely to be usable even once the pool is assigned. */
name-server fe80::268a:7ff:feb5:ee5f
/* ULA prefix for RA clients; no IPv6 route or NAT66 for it appears elsewhere in the paste. */
prefix FC00::/120
}
}
}
}
My site to site IPv6 works no problems.
When I connect to the RA over IPv6, nothing works on the client.
I can’t ping anything on IPv4, including the VyOS instance itself.
I’ve tested this on iOS (latest) and macOS (latest); as soon as I connect to the RA over IPv4 again, everything works perfectly.
I’ve tried adding nat66 rules, but this still doesn’t work.