IPv6 to IPv6 IPsec tunnel

Hi Team

Kindly find our test scenario with VyOS 1.4.0 rolling version. For security concerns I am not putting my original IPv6 addresses.

Test scenario 1

vyos1

IPv6 WAN IP is: fdeb:b39a:29f8:bfd5::2/64 (dummy IPv6)

gateway is: fdeb:b39a:29f8:bfd5::1/64 (dummy IPv6)

internal network IP is: fdf5:38f:45302fd::2/64

vyos2

IPv6 WAN IP is: fd83:a256:300b:a04::2/64 (dummy IPv6)

gateway is: fd83:a256:300b:a04::1/64 (dummy IPv6)

internal network IP is: fd02:91a2:b520:9588::2

Tunnel status is blank (neither up nor down); see the image

Test scenario 2 with IPv6 and IPv4

vyos1

IPv6 WAN IP is: fdeb:b39a:29f8:bfd5::2/64 (dummy IPv6)

gateway is: fdeb:b39a:29f8:bfd5::1/64

internal network IP is: 192.168.1.1/24

vyos2

IPv6 WAN IP is: fd83:a256:300b:a04::2/64 (dummy IPv6)

gateway is: fd83:a256:300b:a04::1/64

internal network IP is: 10.10.0.1/16

Internet is not working on the firewall

Kindly share the config file for both scenarios

and the given doc shows the tunnel with IPv4 addresses only

Hello @rahulk,

Could you please explain which tunnel you want to configure: GRE, SIT (IPv6 over IPv4) or site-to-site?
Perhaps our documentation will help you:
Tunnel configuration documentation:
https://docs.vyos.io/en/latest/configuration/interfaces/tunnel.html
GRE IPSec tunnel configuration documentation:
https://support.vyos.io/en/kb/articles/gre-over-ipsec-for-secure-tunneling-2

Hi
Thanks for the reply

We are using site-to-site (IPsec VPN) with IPv6 to IPv6

Hi RyVolodya

Below are the configs of both vyos-1 and vyos-2

VYOS-1

vyos@vyos:~$ sh configuration commands | grep ipsec
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 authentication id '2608:f6d0:1::50'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 authentication pre-shared-secret '123456'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 authentication remote-id '2608:f6d0:2::120'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 connection-type 'initiate'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 local-address '2608:f6d0:1::50'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 tunnel 0 local prefix 'fdeb:b39a:29f8:bfd5::/64'
set vpn ipsec site-to-site peer 2608:f6d0:2::120 tunnel 0 remote prefix 'fd3f:4f0f:8fce02a::/64'
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ sh vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer_2608-f6d0-2--120_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 4s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 4s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 5s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 down 5s 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 up 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-2--120_tunnel_0 up 0B/0B 0B/0B 2608:f6d0:2::120 2608:f6d0:2::120 AES_GCM_16_256/MODP_2048
vyos@vyos:~$
vyos@vyos:~$

########################################################

VYOS-2

vyos@vyos:~$
vyos@vyos:~$ sh configuration commands | grep ipsec
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 authentication id '2608:f6d0:2::120'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 authentication pre-shared-secret '123456'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 authentication remote-id '2608:f6d0:1::50'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 connection-type 'initiate'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 local-address '2608:f6d0:2::120'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 tunnel 0 local prefix 'fd3f:4f0f:8fce02a::/64'
set vpn ipsec site-to-site peer 2608:f6d0:1::50 tunnel 0 remote prefix 'fdeb:b39a:29f8:bfd5::/64'
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ sh vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer_2608-f6d0-1--50_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 1s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 2s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 3s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 4s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 4s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 4s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 5s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 5s 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 down 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 up 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
peer_2608-f6d0-1--50_tunnel_0 up 0B/0B 0B/0B 2608:f6d0:1::50 2608:f6d0:1::50 AES_GCM_16_256/MODP_2048
vyos@vyos:~$
vyos@vyos:~$

Public IPv6 is pingable from both sides, but we are not able to ping the private IPv6 from either end

and in our tunnel status we found multiple tunnels even though we created only 1 tunnel

please let us know if we are doing something wrong

Thanks for the support

Hi
we configured the IPv6 IPsec tunnel again and the 1 tunnel is showing up, but the remote local IP is not able to ping from 1 server to the other server

Vyos-1

set vpn ipsec interface 'eth3'
set vpn ipsec log level '1'
set vpn ipsec ike-group i2k2_IKE close-action 'none'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection action 'clear'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection interval '30'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection timeout '90'
set vpn ipsec ike-group i2k2_IKE ikev2-reauth 'no'
set vpn ipsec ike-group i2k2_IKE key-exchange 'ikev2'
set vpn ipsec ike-group i2k2_IKE lifetime '86400'
set vpn ipsec ike-group i2k2_IKE proposal 1 dh-group '21'
set vpn ipsec ike-group i2k2_IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group i2k2_IKE proposal 1 hash 'sha512'
set vpn ipsec esp-group i2k2_ESP compression 'disable'
set vpn ipsec esp-group i2k2_ESP lifetime '3600'
set vpn ipsec esp-group i2k2_ESP mode 'tunnel'
set vpn ipsec esp-group i2k2_ESP pfs 'dh-group21'
set vpn ipsec esp-group i2k2_ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group i2k2_ESP proposal 1 hash 'sha512'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication id 'xxxx:yyyy:1::85'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication pre-shared-secret '12345678'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 connection-type 'initiate'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 default-esp-group 'i2k2_ESP'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 ike-group 'i2k2_IKE'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 local-address 'xxxx:yyyy:1::85'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 local prefix 'fdeb:b39a:29f8:bfd5::/64'
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 remote prefix 'fd3f:4f0f:8fce:d02a::/64'

vyos@vyos:~$ sh vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer_2407-e9c0-2--201_tunnel_0 up 4m39s 0B/0B 0B/0B xxxx:yyyy:2::201 xxxx:yyyy:2::201 AES_CBC_256/HMAC_SHA2_512_256


Vyos-2

set vpn ipsec interface 'eth3'
set vpn ipsec log level '1'
set vpn ipsec ike-group i2k2_IKE close-action 'none'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection action 'clear'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection interval '30'
set vpn ipsec ike-group i2k2_IKE dead-peer-detection timeout '90'
set vpn ipsec ike-group i2k2_IKE ikev2-reauth 'no'
set vpn ipsec ike-group i2k2_IKE key-exchange 'ikev2'
set vpn ipsec ike-group i2k2_IKE lifetime '86400'
set vpn ipsec ike-group i2k2_IKE proposal 1 dh-group '21'
set vpn ipsec ike-group i2k2_IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group i2k2_IKE proposal 1 hash 'sha512'
set vpn ipsec esp-group i2k2_ESP compression 'disable'
set vpn ipsec esp-group i2k2_ESP lifetime '3600'
set vpn ipsec esp-group i2k2_ESP mode 'tunnel'
set vpn ipsec esp-group i2k2_ESP pfs 'dh-group21'
set vpn ipsec esp-group i2k2_ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group i2k2_ESP proposal 1 hash 'sha512'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication id 'xxxx:yyyy:2::201'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication pre-shared-secret '12345678'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 connection-type 'initiate'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 default-esp-group 'i2k2_ESP'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 ike-group 'i2k2_IKE'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 local-address 'xxxx:yyyy:2::201'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 tunnel 0 local prefix 'fd3f:4f0f:8fce:d02a::/64'
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 tunnel 0 remote prefix 'fdeb:b39a:29f8:bfd5::/64'

vyos@vyos:~$ sh vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer_2407-e9c0-1--85_tunnel_0 up 5m24s 0B/0B 0B/0B xxxx:yyyy:1::85 xxxx:yyyy:1::85 AES_CBC_256/HMAC_SHA2_512_256

Hello @rahulk
There may be routing issues.
Can you provide your routing configuration on vyos1 and vyos2:
vyos@vyos:~$ show ipv6 route table all
If you are using nat66 please also provide the nat66 configuration.

Hi RyVolodya

Kindly find my below config and IPv6 route table for both VyOS

vyos-1

vyos@vyos:~$ sh configuration commands
set firewall ipv6-name FIREWALL_IN_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 description 'PING Incoming'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 destination address '0::0/0'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 description 'DNS Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 destination port '53'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 protocol 'udp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 description 'PING Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 description 'TCP Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 protocol 'tcp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 source address '0::0/0'
set firewall ipv6-src-route 'enable'
set firewall name FIREWALL_IN default-action 'drop'
set firewall name FIREWALL_IN rule 1 action 'accept'
set firewall name FIREWALL_IN rule 1 description 'Established Connections'
set firewall name FIREWALL_IN rule 1 state established 'enable'
set firewall name FIREWALL_IN rule 1 state related 'enable'
set firewall name FIREWALL_IN rule 2 action 'accept'
set firewall name FIREWALL_IN rule 2 description 'PING Incoming'
set firewall name FIREWALL_IN rule 2 destination address '0.0.0.0/0'
set firewall name FIREWALL_IN rule 2 protocol 'icmp'
set firewall name FIREWALL_IN rule 2 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT default-action 'drop'
set firewall name FIREWALL_OUT rule 1 action 'accept'
set firewall name FIREWALL_OUT rule 1 description 'Established Connections'
set firewall name FIREWALL_OUT rule 1 state established 'enable'
set firewall name FIREWALL_OUT rule 1 state related 'enable'
set firewall name FIREWALL_OUT rule 2 action 'accept'
set firewall name FIREWALL_OUT rule 2 description 'DNS Outgoing'
set firewall name FIREWALL_OUT rule 2 destination port '53'
set firewall name FIREWALL_OUT rule 2 protocol 'udp'
set firewall name FIREWALL_OUT rule 3 action 'accept'
set firewall name FIREWALL_OUT rule 3 description 'PING Outgoing'
set firewall name FIREWALL_OUT rule 3 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 3 protocol 'icmp'
set firewall name FIREWALL_OUT rule 3 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 action 'accept'
set firewall name FIREWALL_OUT rule 4 description 'TCP Outgoing'
set firewall name FIREWALL_OUT rule 4 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 protocol 'tcp'
set firewall name FIREWALL_OUT rule 4 source address '0.0.0.0/0'
set interfaces ethernet eth0 address '172.17.21.171/16'
set interfaces ethernet eth0 description 'BLUE-MGMT'
set interfaces ethernet eth1 address 'xxx:yyy.zzz.50/24'
set interfaces ethernet eth1 description 'RED-IPV4'
set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'
set interfaces ethernet eth2 address '10.10.0.1/16'
set interfaces ethernet eth2 description 'LAN-IPV4'
set interfaces ethernet eth2 firewall out name 'FIREWALL_OUT'
set interfaces ethernet eth3 address 'xxxx:yyyy:1::85/48'
set interfaces ethernet eth3 description 'RED-IPV6'
set interfaces ethernet eth3 firewall in ipv6-name 'FIREWALL_IN_IPV6'
set interfaces ethernet eth4 address 'fdeb:b39a:29f8:bfd5::1/64'
set interfaces ethernet eth4 description 'LAN-IPV6'
set interfaces ethernet eth4 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
set interfaces loopback lo
set nat source rule 9999 outbound-interface 'eth1'
set nat source rule 9999 source address '10.10.0.0/16'
set nat source rule 9999 translation address 'masquerade'
set nat66 source rule 9999 outbound-interface 'eth3'
set nat66 source rule 9999 source prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop xxx:yyy.zzz.1
set protocols static route6 0::0/0 next-hop xxxx:yyyy:1::1
set service ssh listen-address '172.17.21.171'
set service ssh port '1024'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$Vf2wE8loVFa9jFcL$z3.1B.bkQjgHRwPg2lfUpJ2ZQQrT4qJbhvAWC7nYXfBttFDuzQYasNYdRvM72itC7EA0NHFD80/46665hYoMd/'
set system login user vyos authentication plaintext-password ''
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'

vyos@vyos:~$ show ipv6 route table all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 254:
S>* ::/0 [1/0] via xxxx:yyyy:1::1, eth3, weight 1, 3d19h39m
C>* xxxx:yyyy:1::/48 is directly connected, eth3, 3d22h53m
C>* fdeb:b39a:29f8:bfd5::/64 is directly connected, eth4, 3d22h53m
C * fe80::/64 is directly connected, eth3, 3d22h53m
C * fe80::/64 is directly connected, eth4, 3d22h53m
C * fe80::/64 is directly connected, eth1, 3d22h53m
C * fe80::/64 is directly connected, eth0, 3d22h53m
C * fe80::/64 is directly connected, eth2, 3d22h53m
C>* fe80::/64 is directly connected, lo, 3d22h53m


vyos-2

vyos@vyos:~$ sh configuration commands
set firewall ipv6-name FIREWALL_IN_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 description 'PING Incoming'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 destination address '0::0/0'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 description 'DNS Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 destination port '53'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 protocol 'udp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 description 'PING Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 description 'TCP Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 protocol 'tcp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 source address '0::0/0'
set firewall ipv6-src-route 'enable'
set firewall name FIREWALL_IN default-action 'drop'
set firewall name FIREWALL_IN rule 1 action 'accept'
set firewall name FIREWALL_IN rule 1 description 'Established Connections'
set firewall name FIREWALL_IN rule 1 state established 'enable'
set firewall name FIREWALL_IN rule 1 state related 'enable'
set firewall name FIREWALL_IN rule 2 action 'accept'
set firewall name FIREWALL_IN rule 2 description 'PING Incoming'
set firewall name FIREWALL_IN rule 2 destination address '0.0.0.0/0'
set firewall name FIREWALL_IN rule 2 protocol 'icmp'
set firewall name FIREWALL_IN rule 2 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT default-action 'drop'
set firewall name FIREWALL_OUT rule 1 action 'accept'
set firewall name FIREWALL_OUT rule 1 description 'Established Connections'
set firewall name FIREWALL_OUT rule 1 state established 'enable'
set firewall name FIREWALL_OUT rule 1 state related 'enable'
set firewall name FIREWALL_OUT rule 2 action 'accept'
set firewall name FIREWALL_OUT rule 2 description 'DNS Outgoing'
set firewall name FIREWALL_OUT rule 2 destination port '53'
set firewall name FIREWALL_OUT rule 2 protocol 'udp'
set firewall name FIREWALL_OUT rule 3 action 'accept'
set firewall name FIREWALL_OUT rule 3 description 'PING Outgoing'
set firewall name FIREWALL_OUT rule 3 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 3 protocol 'icmp'
set firewall name FIREWALL_OUT rule 3 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 action 'accept'
set firewall name FIREWALL_OUT rule 4 description 'TCP Outgoing'
set firewall name FIREWALL_OUT rule 4 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 protocol 'tcp'
set firewall name FIREWALL_OUT rule 4 source address '0.0.0.0/0'
set interfaces ethernet eth0 address '172.17.21.172/16'
set interfaces ethernet eth0 description 'BLUE-MGMT'
set interfaces ethernet eth1 address 'xxx:yyy.zzz.201/24'
set interfaces ethernet eth1 description 'RED-IPV4'
set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'
set interfaces ethernet eth2 address '10.20.0.1/16'
set interfaces ethernet eth2 description 'LAN-IPV4'
set interfaces ethernet eth2 firewall out name 'FIREWALL_OUT'
set interfaces ethernet eth3 address 'xxxx:yyyy:2::201/48'
set interfaces ethernet eth3 description 'RED-IPV6'
set interfaces ethernet eth3 firewall in ipv6-name 'FIREWALL_IN_IPV6'
set interfaces ethernet eth4 address 'fd3f:4f0f:8fce:d02a::1/64'
set interfaces ethernet eth4 description 'LAN-IPV6'
set interfaces ethernet eth4 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
set interfaces loopback lo
set nat source rule 9999 outbound-interface 'eth1'
set nat source rule 9999 protocol 'all'
set nat source rule 9999 source address '10.20.0.0/16'
set nat source rule 9999 translation address 'masquerade'
set nat66 source rule 9999 outbound-interface 'eth3'
set nat66 source rule 9999 source prefix 'fd3f:4f0f:8fce:d02a::/64'
set nat66 source rule 9999 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop xxx:yyy.zzz.1
set protocols static route6 0::0/0 next-hop xxxx:yyyy:2::1
set service ssh listen-address '172.17.21.172'
set service ssh port '1024'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$ikR3GMS/n12713cU$E3M.ngUORr99cHR0/Sz4XFvkjEzgZlqqsglewG7RWzOmvV4txMkk3MiwmJmFDhsQi8nUOh.SmoltDRrKiUMvP/'
set system login user vyos authentication plaintext-password ''
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

vyos@vyos:~$ show ipv6 route table all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 254:
S>* ::/0 [1/0] via xxxx:yyyy:2::1, eth3, weight 1, 3d22h54m
C>* xxxx:yyyy:2::/48 is directly connected, eth3, 3d22h54m
C>* fd3f:4f0f:8fce:d02a::/64 is directly connected, eth4, 3d22h54m
C * fe80::/64 is directly connected, eth3, 3d22h54m
C * fe80::/64 is directly connected, eth1, 3d22h54m
C * fe80::/64 is directly connected, eth4, 3d22h54m
C * fe80::/64 is directly connected, eth2, 3d22h54m
C * fe80::/64 is directly connected, eth0, 3d22h54m
C>* fe80::/64 is directly connected, lo, 3d22h54m
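An added consistency check, written for this thread and not taken from it or from VyOS: it parses the site-to-site and nat66 `set` lines of both routers (the earlier post's peer blocks plus the nat66 rules in this one) and reports the mismatches that produce exactly this symptom, SA up but no traffic between the LAN prefixes: peer blocks that do not mirror each other, a tunnel prefix that does not parse (the first config's fd3f:4f0f:8fce02a::/64 has a seven-digit hextet), and a nat66 masquerade rule whose source covers the tunnel's local prefix with no destination limit, which rewrites the LAN source in POSTROUTING before ESP encapsulation so the packet no longer matches the selectors the other side expects. The 2001:db8 peer addresses are placeholders for the masked xxxx:yyyy ones, and the `exclude` keyword is assumed to exist for nat66 as it does for IPv4 nat.

```python
import ipaddress
import shlex

# Constructed sample: the site-to-site and nat66 'set' lines from the two posts above, with
# the page's xxxx:yyyy placeholders replaced by 2001:db8::/32 documentation addresses (an assumption).
VYOS1 = """
set vpn ipsec site-to-site peer 2001:db8:2::201 authentication id '2001:db8:1::85'
set vpn ipsec site-to-site peer 2001:db8:2::201 authentication pre-shared-secret '12345678'
set vpn ipsec site-to-site peer 2001:db8:2::201 local-address '2001:db8:1::85'
set vpn ipsec site-to-site peer 2001:db8:2::201 tunnel 0 local prefix 'fdeb:b39a:29f8:bfd5::/64'
set vpn ipsec site-to-site peer 2001:db8:2::201 tunnel 0 remote prefix 'fd3f:4f0f:8fce:d02a::/64'
set nat66 source rule 9999 source prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 translation address 'masquerade'
"""
VYOS2 = """
set vpn ipsec site-to-site peer 2001:db8:1::85 authentication id '2001:db8:2::201'
set vpn ipsec site-to-site peer 2001:db8:1::85 authentication pre-shared-secret '12345678'
set vpn ipsec site-to-site peer 2001:db8:1::85 local-address '2001:db8:2::201'
set vpn ipsec site-to-site peer 2001:db8:1::85 tunnel 0 local prefix 'fd3f:4f0f:8fce:d02a::/64'
set vpn ipsec site-to-site peer 2001:db8:1::85 tunnel 0 remote prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 source prefix 'fd3f:4f0f:8fce:d02a::/64'
set nat66 source rule 9999 translation address 'masquerade'
"""

def parse_set_commands(text):
    """Turn "set a b c 'value'" lines into {('a', 'b', 'c'): 'value'}."""
    cfg = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg

def site_to_site_peers(cfg):
    """Collect, per peer address, the fields the two sides must agree on."""
    peers = {}
    for path, value in cfg.items():
        if path[:4] != ("vpn", "ipsec", "site-to-site", "peer"):
            continue
        peer, rest = peers.setdefault(path[4], {"tunnels": {}}), path[5:]
        if rest == ("authentication", "id"):
            peer["id"] = value
        elif rest == ("authentication", "remote-id"):
            peer["remote_id"] = value
        elif rest == ("authentication", "pre-shared-secret"):
            peer["psk"] = value
        elif rest == ("local-address",):
            peer["local_address"] = value
        elif len(rest) == 4 and rest[0] == "tunnel" and rest[3] == "prefix":
            peer["tunnels"].setdefault(rest[1], {})[rest[2]] = value  # rest[2] is local/remote
    return peers

def _net(text):
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:  # e.g. a hextet longer than four hex digits
        return None

def check_pair(cfg_a, cfg_b):
    """Report every way side A's peer block fails to mirror side B's."""
    findings, peers_b = [], site_to_site_peers(cfg_b)
    for addr, a in site_to_site_peers(cfg_a).items():
        b = peers_b.get(a.get("local_address"))
        if b is None or b.get("local_address") != addr:
            findings.append(f"peer {addr}: other side has no mirrored peer block for {a.get('local_address')}")
            continue
        my_id = a.get("id", a.get("local_address"))  # identity defaults to the local address
        if "remote_id" in b and b["remote_id"] != my_id:
            findings.append(f"peer {addr}: our id {my_id} != their remote-id {b['remote_id']}")
        if a.get("psk") != b.get("psk"):
            findings.append(f"peer {addr}: pre-shared secrets differ")
        for num, t in a["tunnels"].items():
            u = b["tunnels"].get(num, {})
            findings += [f"peer {addr} tunnel {num}: malformed {s} prefix {t.get(s)!r}"
                         for s in ("local", "remote") if _net(t.get(s, "")) is None]
            if (t.get("local"), t.get("remote")) != (u.get("remote"), u.get("local")):
                findings.append(f"peer {addr} tunnel {num}: prefixes are not mirrored on the other side")
    return findings

def check_nat66(cfg):
    """Flag nat66 masquerade rules that rewrite traffic bound for a tunnel's remote prefix."""
    rules, findings = {}, []
    for path, value in cfg.items():
        if path[:3] == ("nat66", "source", "rule"):  # a valueless leaf such as 'exclude' keys itself
            rules.setdefault(path[3], {})[" ".join(path[4:]) or value] = value
    tunnels = [t for p in site_to_site_peers(cfg).values() for t in p["tunnels"].values()]
    for num, rule in sorted(rules.items()):
        if rule.get("translation address") != "masquerade" or "exclude" in rule:
            continue
        src, dst = _net(rule.get("source prefix", "::/0")), _net(rule.get("destination prefix", "::/0"))
        for t in tunnels:
            local, remote = _net(t.get("local", "")), _net(t.get("remote", ""))
            if None not in (src, dst, local, remote) and src.overlaps(local) and dst.overlaps(remote):
                findings.append(f"nat66 rule {num}: masquerades {src} towards {remote}; exclude that destination first")
    return findings

if __name__ == "__main__":
    a, b = parse_set_commands(VYOS1), parse_set_commands(VYOS2)
    print(check_pair(a, b), check_pair(b, a), check_nat66(a), check_nat66(b), sep="\n")
```

On the configs in this thread the peer blocks mirror cleanly, so the only finding is the nat66 rule 9999 on each side.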

Hello @rahulk

Try changing the IPv6 address 0::0/0 to ::/0 in your configuration.
I don't see vpn site-to-site in your configuration.

Hi RyVolodya

My apologies for sending the previous config without the site-to-site VPN

Kindly now find below my new config and IPv6 route table for both VyOS; now the site-to-site VPN is there and we tried to use ::/0 instead of 0::0/0 but again it's not working

Vyos-1

vyos@vyos:~$ sh configuration commands
set firewall ipv6-name FIREWALL_IN_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 description 'PING Incoming'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 destination address '0::0/0'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 description 'Established Connections'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 description 'DNS Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 destination port '53'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 protocol 'udp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 description 'PING Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 protocol 'icmpv6'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 source address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 description 'TCP Outgoing'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 destination address '0::0/0'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 protocol 'tcp'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 source address '0::0/0'
set firewall ipv6-src-route 'enable'
set firewall name FIREWALL_IN default-action 'drop'
set firewall name FIREWALL_IN rule 1 action 'accept'
set firewall name FIREWALL_IN rule 1 description 'Established Connections'
set firewall name FIREWALL_IN rule 1 state established 'enable'
set firewall name FIREWALL_IN rule 1 state related 'enable'
set firewall name FIREWALL_IN rule 2 action 'accept'
set firewall name FIREWALL_IN rule 2 description 'PING Incoming'
set firewall name FIREWALL_IN rule 2 destination address '0.0.0.0/0'
set firewall name FIREWALL_IN rule 2 protocol 'icmp'
set firewall name FIREWALL_IN rule 2 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT default-action 'drop'
set firewall name FIREWALL_OUT rule 1 action 'accept'
set firewall name FIREWALL_OUT rule 1 description 'Established Connections'
set firewall name FIREWALL_OUT rule 1 state established 'enable'
set firewall name FIREWALL_OUT rule 1 state related 'enable'
set firewall name FIREWALL_OUT rule 2 action 'accept'
set firewall name FIREWALL_OUT rule 2 description 'DNS Outgoing'
set firewall name FIREWALL_OUT rule 2 destination port '53'
set firewall name FIREWALL_OUT rule 2 protocol 'udp'
set firewall name FIREWALL_OUT rule 3 action 'accept'
set firewall name FIREWALL_OUT rule 3 description 'PING Outgoing'
set firewall name FIREWALL_OUT rule 3 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 3 protocol 'icmp'
set firewall name FIREWALL_OUT rule 3 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 action 'accept'
set firewall name FIREWALL_OUT rule 4 description 'TCP Outgoing'
set firewall name FIREWALL_OUT rule 4 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 protocol 'tcp'
set firewall name FIREWALL_OUT rule 4 source address '0.0.0.0/0'
set interfaces ethernet eth0 address '172.17.21.171/16'
set interfaces ethernet eth0 description 'BLUE-MGMT'
set interfaces ethernet eth1 address 'xxx:yyy.136.50/24'
set interfaces ethernet eth1 description 'RED-IPV4'
set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'
set interfaces ethernet eth2 address '10.10.0.1/16'
set interfaces ethernet eth2 description 'LAN-IPV4'
set interfaces ethernet eth2 firewall out name 'FIREWALL_OUT'
set interfaces ethernet eth3 address 'xxxx:yyyy:1::85/48'
set interfaces ethernet eth3 description 'RED-IPV6'
set interfaces ethernet eth3 firewall in ipv6-name 'FIREWALL_IN_IPV6'
set interfaces ethernet eth4 address 'fdeb:b39a:29f8:bfd5::1/64'
set interfaces ethernet eth4 description 'LAN-IPV6'
set interfaces ethernet eth4 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
set interfaces loopback lo
set nat source rule 9999 outbound-interface 'eth1'
set nat source rule 9999 source address '10.10.0.0/16'
set nat source rule 9999 translation address 'masquerade'
set nat66 source rule 9999 outbound-interface 'eth3'
set nat66 source rule 9999 source prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop xxx:yyy.136.1
set protocols static route6 ::/0 next-hop xxxx:yyyy:1::1
set service ssh listen-address ‘172.17.21.171’
set service ssh port ‘1024’
set system config-management commit-revisions ‘100’
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed ‘115200’
set system host-name ‘vyos’
set system login user vyos authentication encrypted-password ‘$6$Vf2wE8loVFa9jFcL$z3.1B.bkQjgHRwPg2lfUpJ2ZQQrT4qJbhvAWC7nYXfBttFDuzQYasNYdRvM72itC7EA0NHFD80/46665hYoMd/’
set system login user vyos authentication plaintext-password ‘’
set system name-server ‘8.8.8.8’
set system name-server ‘8.8.4.4’
set system name-server ‘2001:4860:4860::8888’
set system name-server ‘2001:4860:4860::8844’
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
set system time-zone ‘Asia/Kolkata’
set vpn ipsec esp-group i2k2_ESP compression ‘disable’
set vpn ipsec esp-group i2k2_ESP lifetime ‘3600’
set vpn ipsec esp-group i2k2_ESP mode ‘tunnel’
set vpn ipsec esp-group i2k2_ESP pfs ‘dh-group21’
set vpn ipsec esp-group i2k2_ESP proposal 1 encryption ‘aes256’
set vpn ipsec esp-group i2k2_ESP proposal 1 hash ‘sha512’
set vpn ipsec ike-group i2k2_IKE close-action ‘none’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection action ‘clear’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection interval ‘30’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection timeout ‘90’
set vpn ipsec ike-group i2k2_IKE ikev2-reauth ‘no’
set vpn ipsec ike-group i2k2_IKE key-exchange ‘ikev2’
set vpn ipsec ike-group i2k2_IKE lifetime ‘86400’
set vpn ipsec ike-group i2k2_IKE proposal 1 dh-group ‘21’
set vpn ipsec ike-group i2k2_IKE proposal 1 encryption ‘aes256’
set vpn ipsec ike-group i2k2_IKE proposal 1 hash ‘sha512’
set vpn ipsec interface ‘eth3’
set vpn ipsec log level ‘1’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication id ‘xxxx:yyyy:1::85’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 authentication pre-shared-secret ‘12345678’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 default-esp-group ‘i2k2_ESP’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 ike-group ‘i2k2_IKE’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 local-address ‘xxxx:yyyy:1::85’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 local prefix ‘fdeb:b39a:29f8:bfd5::/64’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 remote prefix ‘fd3f:4f0f:8fce:d02a::/64’

vyos@vyos:~$ show ipv6 route table all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 220:
K>* fd3f:4f0f:8fce:d02a::/64 [0/1024] via xxxx:yyyy:1::1, eth3, src fdeb:b39a:29f8:bfd5::1, 00:01:22

VRF default table 254:
S>* ::/0 [1/0] via xxxx:yyyy:1::1, eth3, weight 1, 3d23h19m
C>* xxxx:yyyy:1::/48 is directly connected, eth3, 4d02h34m
C>* fdeb:b39a:29f8:bfd5::/64 is directly connected, eth4, 4d02h34m
C * fe80::/64 is directly connected, eth3, 4d02h34m
C * fe80::/64 is directly connected, eth4, 4d02h34m
C * fe80::/64 is directly connected, eth1, 4d02h34m
C * fe80::/64 is directly connected, eth0, 4d02h34m
C * fe80::/64 is directly connected, eth2, 4d02h34m
C>* fe80::/64 is directly connected, lo, 4d02h34m


Vyos-2

vyos@vyos:~$ sh configuration commands
set firewall ipv6-name FIREWALL_IN_IPV6 default-action ‘drop’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 description ‘Established Connections’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established ‘enable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related ‘enable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 description ‘PING Incoming’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 protocol ‘icmpv6’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 source address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 default-action ‘drop’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 description ‘Established Connections’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state established ‘enable’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state related ‘enable’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 description ‘DNS Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 destination port ‘53’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 protocol ‘udp’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 description ‘PING Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 protocol ‘icmpv6’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 source address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 description ‘TCP Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 protocol ‘tcp’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 source address ‘0::0/0’
set firewall ipv6-src-route ‘enable’
set firewall name FIREWALL_IN default-action ‘drop’
set firewall name FIREWALL_IN rule 1 action ‘accept’
set firewall name FIREWALL_IN rule 1 description ‘Established Connections’
set firewall name FIREWALL_IN rule 1 state established ‘enable’
set firewall name FIREWALL_IN rule 1 state related ‘enable’
set firewall name FIREWALL_IN rule 2 action ‘accept’
set firewall name FIREWALL_IN rule 2 description ‘PING Incoming’
set firewall name FIREWALL_IN rule 2 destination address ‘0.0.0.0/0’
set firewall name FIREWALL_IN rule 2 protocol ‘icmp’
set firewall name FIREWALL_IN rule 2 source address ‘0.0.0.0/0’
set firewall name FIREWALL_OUT default-action ‘drop’
set firewall name FIREWALL_OUT rule 1 action ‘accept’
set firewall name FIREWALL_OUT rule 1 description ‘Established Connections’
set firewall name FIREWALL_OUT rule 1 state established ‘enable’
set firewall name FIREWALL_OUT rule 1 state related ‘enable’
set firewall name FIREWALL_OUT rule 2 action ‘accept’
set firewall name FIREWALL_OUT rule 2 description ‘DNS Outgoing’
set firewall name FIREWALL_OUT rule 2 destination port ‘53’
set firewall name FIREWALL_OUT rule 2 protocol ‘udp’
set firewall name FIREWALL_OUT rule 3 action ‘accept’
set firewall name FIREWALL_OUT rule 3 description ‘PING Outgoing’
set firewall name FIREWALL_OUT rule 3 destination address ‘0.0.0.0/0’
set firewall name FIREWALL_OUT rule 3 protocol ‘icmp’
set firewall name FIREWALL_OUT rule 3 source address ‘0.0.0.0/0’
set firewall name FIREWALL_OUT rule 4 action ‘accept’
set firewall name FIREWALL_OUT rule 4 description ‘TCP Outgoing’
set firewall name FIREWALL_OUT rule 4 destination address ‘0.0.0.0/0’
set firewall name FIREWALL_OUT rule 4 protocol ‘tcp’
set firewall name FIREWALL_OUT rule 4 source address ‘0.0.0.0/0’
set interfaces ethernet eth0 address ‘172.17.21.172/16’
set interfaces ethernet eth0 description ‘BLUE-MGMT’
set interfaces ethernet eth1 address ‘xxx:yyy.136.201/24’
set interfaces ethernet eth1 description ‘RED-IPV4’
set interfaces ethernet eth1 firewall in name ‘FIREWALL_IN’
set interfaces ethernet eth2 address ‘10.20.0.1/16’
set interfaces ethernet eth2 description ‘LAN-IPV4’
set interfaces ethernet eth2 firewall out name ‘FIREWALL_OUT’
set interfaces ethernet eth3 address ‘xxxx:yyyy:2::201/48’
set interfaces ethernet eth3 description ‘RED-IPV6’
set interfaces ethernet eth3 firewall in ipv6-name ‘FIREWALL_IN_IPV6’
set interfaces ethernet eth4 address ‘fd3f:4f0f:8fce:d02a::1/64’
set interfaces ethernet eth4 description ‘LAN-IPV6’
set interfaces ethernet eth4 firewall out ipv6-name ‘FIREWALL_OUT_IPV6’
set interfaces loopback lo
set nat source rule 9999 outbound-interface ‘eth1’
set nat source rule 9999 protocol ‘all’
set nat source rule 9999 source address ‘10.20.0.0/16’
set nat source rule 9999 translation address ‘masquerade’
set nat66 source rule 9999 outbound-interface ‘eth3’
set nat66 source rule 9999 source prefix ‘fd3f:4f0f:8fce:d02a::/64’
set nat66 source rule 9999 translation address ‘masquerade’
set protocols static route 0.0.0.0/0 next-hop xxx:yyy.136.1
set protocols static route6 ::/0 next-hop xxxx:yyyy:2::1
set service ssh listen-address ‘172.17.21.172’
set service ssh port ‘1024’
set system config-management commit-revisions ‘100’
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed ‘115200’
set system host-name ‘vyos’
set system login user vyos authentication encrypted-password ‘$6$ikR3GMS/n12713cU$E3M.ngUORr99cHR0/Sz4XFvkjEzgZlqqsglewG7RWzOmvV4txMkk3MiwmJmFDhsQi8nUOh.SmoltDRrKiUMvP/’
set system login user vyos authentication plaintext-password ‘’
set system name-server ‘8.8.8.8’
set system name-server ‘8.8.4.4’
set system name-server ‘2001:4860:4860::8888’
set system name-server ‘2001:4860:4860::8844’
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
set vpn ipsec esp-group i2k2_ESP compression ‘disable’
set vpn ipsec esp-group i2k2_ESP lifetime ‘3600’
set vpn ipsec esp-group i2k2_ESP mode ‘tunnel’
set vpn ipsec esp-group i2k2_ESP pfs ‘dh-group21’
set vpn ipsec esp-group i2k2_ESP proposal 1 encryption ‘aes256’
set vpn ipsec esp-group i2k2_ESP proposal 1 hash ‘sha512’
set vpn ipsec ike-group i2k2_IKE close-action ‘none’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection action ‘clear’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection interval ‘30’
set vpn ipsec ike-group i2k2_IKE dead-peer-detection timeout ‘90’
set vpn ipsec ike-group i2k2_IKE ikev2-reauth ‘no’
set vpn ipsec ike-group i2k2_IKE key-exchange ‘ikev2’
set vpn ipsec ike-group i2k2_IKE lifetime ‘86400’
set vpn ipsec ike-group i2k2_IKE proposal 1 dh-group ‘21’
set vpn ipsec ike-group i2k2_IKE proposal 1 encryption ‘aes256’
set vpn ipsec ike-group i2k2_IKE proposal 1 hash ‘sha512’
set vpn ipsec interface ‘eth3’
set vpn ipsec log level ‘1’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication id ‘xxxx:yyyy:2::201’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 authentication pre-shared-secret ‘12345678’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 default-esp-group ‘i2k2_ESP’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 ike-group ‘i2k2_IKE’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 local-address ‘xxxx:yyyy:2::201’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 tunnel 0 local prefix ‘fd3f:4f0f:8fce:d02a::/64’
set vpn ipsec site-to-site peer xxxx:yyyy:1::85 tunnel 0 remote prefix ‘fdeb:b39a:29f8:bfd5::/64’

vyos@vyos:~$ show ipv6 route table all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 220:
K>* fdeb:b39a:29f8:bfd5::/64 [0/1024] via xxxx:yyyy:2::1, eth3, src fd3f:4f0f:8fce:d02a::1, 00:03:00

VRF default table 254:
S>* ::/0 [1/0] via xxxx:yyyy:2::1, eth3, weight 1, 4d02h36m
C>* xxxx:yyyy:2::/48 is directly connected, eth3, 4d02h36m
C>* fd3f:4f0f:8fce:d02a::/64 is directly connected, eth4, 4d02h36m
C * fe80::/64 is directly connected, eth3, 4d02h36m
C * fe80::/64 is directly connected, eth1, 4d02h36m
C * fe80::/64 is directly connected, eth4, 4d02h36m
C * fe80::/64 is directly connected, eth2, 4d02h36m
C * fe80::/64 is directly connected, eth0, 4d02h36m
C>* fe80::/64 is directly connected, lo, 4d02h36m

Problem might be on NAT66.
Your config on VyOS-1:

#Interface IP address
set interfaces ethernet eth3 address ‘xxxx:yyyy:1::85/48’

#NAT66
set nat66 source rule 9999 outbound-interface ‘eth3’
set nat66 source rule 9999 source prefix ‘fdeb:b39a:29f8:bfd5::/64’
set nat66 source rule 9999 translation address ‘masquerade’

#IPSEC
set vpn ipsec interface ‘eth3’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 local prefix ‘fdeb:b39a:29f8:bfd5::/64’
set vpn ipsec site-to-site peer xxxx:yyyy:2::201 tunnel 0 remote prefix ‘fd3f:4f0f:8fce:d02a::/64’

So traffic generated from local prefix fdeb:b39a:29f8:bfd5::/64 is source NATed, and then it doesn’t match traffic selectors defined in the site-to-site configuration.

Is the tunnel established? If so, please provide the output of show vpn ipsec sa, and let's see if the counters are increasing there.


Please help us understand what is wrong with the configuration, because the tunnel status is showing UP but we are not able to reach the private subnet on either end.

Hello everyone,

Everything is fine with the configuration. Currently, there is no option in the nat66 rules to exclude prefixes for private IPv6 networks. @n.fort wrote what the problem is:

We have created a feature request where it will be possible to add an exception for the destination prefix to the nat66 rules.
https://phabricator.vyos.net/T4586

An exclude option sounds better for this case.


Hello @rahulk
We added new features in nat66 and now you can add destination prefix exceptions.
Update your VyOS to the latest rolling version.

Nat66 configuration:
VyOS-1:

set nat66 source rule 9999 destination prefix '!fd3f:4f0f:8fce:d02a::/64'
set nat66 source rule 9999 outbound-interface 'eth3'
set nat66 source rule 9999 source prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 translation address 'masquerade'

VyOS-2:

set nat66 source rule 9999 destination prefix '!fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 9999 outbound-interface 'eth3'
set nat66 source rule 9999 source prefix 'fd3f:4f0f:8fce:d02a::/64'
set nat66 source rule 9999 translation address 'masquerade'

In the network laboratory, it works well

Also, the exclude option was recently merged in this PR.

Unfortunately, there are certain issues with image building. But when a newer nightly build gets published, both features will be available. So check our nightly builds regularly for the update.
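To make the interaction @n.fort described concrete (source NAT on the outbound interface rewriting the packet before the IPsec traffic selectors are checked) and to show why the negated destination prefix in the nat66 rule fixes it, here is an added simulation in Python. It is not code from the thread or from VyOS; the LAN prefixes are the ones posted above, and the eth3 WAN address is a constructed documentation address standing in for the masked xxxx:yyyy:1::85.

```python
"""Simulated NAT66-versus-IPsec ordering (added example, not VyOS code):
a masquerade rule on the outbound interface changes the source address
before the policy-based IPsec selectors are evaluated, so LAN-to-LAN
traffic never enters the tunnel unless the remote prefix is excluded."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Prefixes from the thread; ETH3_ADDR is a constructed stand-in for the
# poster's masked WAN address xxxx:yyyy:1::85 on VyOS-1.
LOCAL_LAN = "fdeb:b39a:29f8:bfd5::/64"
REMOTE_LAN = "fd3f:4f0f:8fce:d02a::/64"
ETH3_ADDR = "2001:db8:1::85"


@dataclass
class Nat66Rule:
    """The subset of `set nat66 source rule N ...` that matters here."""
    source_prefix: str
    outbound_interface: str
    destination_prefix: Optional[str] = None  # "!prefix" negates, as in VyOS

    def matches(self, src: str, dst: str, egress_if: str) -> bool:
        if egress_if != self.outbound_interface:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source_prefix):
            return False
        if self.destination_prefix is None:
            return True
        negate = self.destination_prefix.startswith("!")
        net = ipaddress.ip_network(self.destination_prefix.lstrip("!"))
        return (ipaddress.ip_address(dst) in net) != negate


def apply_nat66(rule: Nat66Rule, src: str, dst: str, egress_if: str, egress_addr: str) -> str:
    """Source address after masquerade: the egress address if the rule hits, else unchanged."""
    return egress_addr if rule.matches(src, dst, egress_if) else src


def selector_matches(src: str, dst: str, local_prefix: str, remote_prefix: str) -> bool:
    """Policy-based IPsec: the packet must sit inside tunnel 0's local and remote prefix."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_prefix)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_prefix))


def goes_through_tunnel(rule: Nat66Rule, src: str, dst: str) -> bool:
    """Order of operations described in the thread: NAT66 first, selectors second."""
    nat_src = apply_nat66(rule, src, dst, "eth3", ETH3_ADDR)
    return selector_matches(nat_src, dst, LOCAL_LAN, REMOTE_LAN)


# VyOS-1 rule as originally posted, and with the destination-prefix exception.
BROKEN = Nat66Rule(LOCAL_LAN, "eth3")
FIXED = Nat66Rule(LOCAL_LAN, "eth3", destination_prefix="!" + REMOTE_LAN)

if __name__ == "__main__":
    host, peer_host = "fdeb:b39a:29f8:bfd5::10", "fd3f:4f0f:8fce:d02a::10"
    print("original rule:", goes_through_tunnel(BROKEN, host, peer_host))  # False
    print("with exception:", goes_through_tunnel(FIXED, host, peer_host))  # True
    # Internet-bound traffic is still masqueraded once the exception is in place.
    print(apply_nat66(FIXED, host, "2001:4860:4860::8888", "eth3", ETH3_ADDR))
```

Run it as is to see the LAN-to-LAN packet fail the selectors under the original rule and pass under the corrected one, while traffic to a public address is still translated.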