IPv6 over IPv4 IPSEC Tunnel

I am trying to set up an IPSEC VPN where the gateway endpoints are IPv4. Across that tunnel I need to route IPv6. Is this possible?

The standard IPSEC setup calls for creating a VTI, but that apparently does not support IPv6, so I cannot do a standard routing setup with IPv6-addressed interfaces on both sides and then use a static route.

Preferably something other than IP6IP6, GRE, etc…

Any suggestions?

Edit: This link says I can do IPv6, but the CLI shows otherwise… On the latest 1.4 rolling release as of a couple of days ago…

https://docs.vyos.io/en/latest/configuration/interfaces/vti.html

Edit 2: So I set it up as a normal IPSEC. Looks like the tunnel comes up partially, but the auto route population isn’t working.

show vpn ipsec sa
peer_xxx-xxx-xxx-176_tunnel_1 up 33m39s 0B/0B 0/0 76.123.26.176 N/A AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer_xxx-xxx-xxx-176_tunnel_1_passthough down N/A N/A N/A N/A N/A N/A

Now on latest 1.4 rolling release…

Edit 3: Sorry for all the updates… I am learning things as I go

So it does look like the route gets auto-installed in table 220:

vyos@vyos:~$ show ipv6 route table 220
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 220:
K>* 2605:6400:5dcd:8::/61 [0/1024] is directly connected, eth0, 00:41:34

But trying to route to that subnet from the outside does not work. How do I get this “leaked” into other routing tables, like the default table…

Use a GRE tunnel inside the IPSEC tunnel (it’s the predecessor of VTI).
GRE supports both IPv4 and IPv6 inner addresses.

Since the traffic is just routed IPv6 internet traffic, I ended up just going with a 6in4 tunnel…

All up and working…

I appreciate what you did.