IPv6 to IPv6 IPsec tunnel

Is DPD configured on both ends? In the first image, when the tunnels are up, all counters remain at 0, even though they were established almost half an hour before… Is the other end also VyOS?
Make sure DPD is configured on both ends… In many scenarios, if no traffic goes through the tunnel, it goes down. Maybe you can leave a simple ping running through the tunnel and see if this is the case or not.

Hello @devashish
A feature request has been created: T4631 Add port and protocol to nat66

If we configure DPD on both ends, the tunnel is up, but many tunnels are created; both ends are VyOS.
But without DPD the tunnel goes down after some time, even if we leave a ping running through the tunnel.

Try the LTS image, which doesn’t have such issues.

@Viacheslav Viacheslav
In LTS 1.3.1, NAT66 is not available.

Hello @devashish

Added commands: protocol and port in the source and destination of the nat66 rules.
You can use the new features in the latest 1.4 release.
Download the latest versions from: https://vyos.net/get/nightly-builds/

Hello RyVolodya

Thanks for the response. We have put the same commands on our server, which is behind the firewall, but port forwarding is not working; below are the commands we use for that. Please let us know what is missing or what needs to be configured now.

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘3389’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’
set nat66 destination rule 30 description ‘wsrv150’
set nat66 destination rule 30 destination address ‘6407:dfc0:1::90’
set nat66 destination rule 30 destination port ‘9296’
set nat66 destination rule 30 inbound-interface ‘any’
set nat66 destination rule 30 protocol ‘tcp’
set nat66 destination rule 30 translation address ‘fdeb:b39a:29f8:bfd5::41’
set nat66 destination rule 30 translation port ‘3389’
set nat66 source rule 30 description ‘SNAT wsrv150’
set nat66 source rule 30 outbound-interface ‘eth1’
set nat66 source rule 30 protocol ‘all’
set nat66 source rule 30 source prefix ‘fdeb:b39a:29f8:bfd5::41/128’
set nat66 source rule 30 translation address ‘6407:dfc0:1::90’

Hello @devashish
Give me more information please.

  1. show ipv6 route
  2. on which interface you applied the FIREWALL_IN_IPV6 rule

vyos@vyos-ipv6-ipv6-ipsec-v171:~$ sh ipv6 route
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

S>* ::/0 [1/0] via 6407:dfc0:1::1, eth1, weight 1, 3d22h17m
C>* 6407:dfc0:1::/48 is directly connected, eth1, 3d22h17m
C>* fdeb:b39a:29f8:bfd5::/64 is directly connected, eth2, 3d22h17m
C * fe80::/64 is directly connected, eth1, 3d22h17m
C * fe80::/64 is directly connected, eth0, 3d22h17m
C * fe80::/64 is directly connected, eth2, 3d22h17m
C>* fe80::/64 is directly connected, lo, 3d22h17m
vyos@vyos-ipv6-ipv6-ipsec-v171:~$

########################################

Firewall In rule is configured on “eth1”

########################################

vyos@vyos-ipv6-ipv6-ipsec-v171:~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface   IP Address                   S/L   Description
eth0        172.17.21.171/16             u/u
eth1        6407:dfc0:1::90/48           u/u   RED-IPV6
            6407:dfc0:1::85/48
eth2        fdeb:b39a:29f8:bfd5::1/64    u/u   LAN-IPV6
lo          127.0.0.1/8                  u/u
            ::1/128
vyos@vyos-ipv6-ipv6-ipsec-v171:~$

Hello @devashish

  1. Try changing the command:
    set nat66 destination rule 30 inbound-interface eth1
    You must specify the inbound-interface.
  2. Apply a firewall to the eth2 interface in the out direction.

Dear RyVolodya

We have configured the same but are still not able to access RDP via forwarded port 9296, and we didn’t understand your point number 2.

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘3389’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’
set nat66 destination rule 30 description ‘wsrv150’
set nat66 destination rule 30 destination address ‘6407:dfc0:1::90’
set nat66 destination rule 30 destination port ‘9296’
set nat66 destination rule 30 inbound-interface ‘eth1’
set nat66 destination rule 30 protocol ‘tcp’
set nat66 destination rule 30 translation address ‘fdeb:b39a:29f8:bfd5::41’
set nat66 destination rule 30 translation port ‘3389’
set nat66 source rule 30 description ‘SNAT wsrv150’
set nat66 source rule 30 outbound-interface ‘eth1’
set nat66 source rule 30 protocol ‘all’
set nat66 source rule 30 source prefix ‘fdeb:b39a:29f8:bfd5::41/128’
set nat66 source rule 30 translation address ‘6407:dfc0:1::90’

Hello @devashish,
If I understood correctly, you applied the FIREWALL_IN_IPV6 firewall to the eth1 port.
If the firewall is applied to port eth1, then change the settings to port eth2:
set interfaces ethernet eth2 firewall out ipv6-name 'FIREWALL_IN_IPV6'

Also, instead of applying one firewall filter rule per port opened in DNAT, you can use connection-status matching criteria.

Hello Volodya,

Below is my firewall configuration. Please let us know if anything needs to change.

eth0 = 172.17.21.171/16
eth1 = 6407:dfc0:1::85/48
eth2 = fdeb:b39a:29f8:bfd5::1/64

set firewall ipv6-name FIREWALL_IN_IPV6 default-action ‘drop’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 description ‘Established Connections’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established ‘enable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related ‘enable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 description ‘PING Incoming’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 protocol ‘icmpv6’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 2 source address ‘0::0/0’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘3389’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’
set firewall ipv6-name FIREWALL_OUT_IPV6 default-action ‘drop’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 description ‘Established Connections’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state established ‘enable’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 1 state related ‘enable’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 description ‘DNS Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 destination port ‘53’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 2 protocol ‘udp’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 description ‘PING Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 protocol ‘icmpv6’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 3 source address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 description ‘TCP Outgoing’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 destination address ‘0::0/0’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 protocol ‘tcp’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 4 source address ‘0::0/0’
set interfaces ethernet eth0 address ‘172.17.21.171/16’
set interfaces ethernet eth1 address ‘6407:dfc0:1::85/48’
set interfaces ethernet eth1 address ‘6407:dfc0:1::90/48’
set interfaces ethernet eth1 description ‘RED-IPV6’
set interfaces ethernet eth1 firewall in ipv6-name ‘FIREWALL_IN_IPV6’
set interfaces ethernet eth2 address ‘fdeb:b39a:29f8:bfd5::1/64’
set interfaces ethernet eth2 description ‘LAN-IPV6’
set interfaces ethernet eth2 firewall out ipv6-name ‘FIREWALL_OUT_IPV6’
set interfaces loopback lo
set nat66 destination rule 30 description ‘wsrv150’
set nat66 destination rule 30 destination address ‘6407:dfc0:1::90’
set nat66 destination rule 30 destination port ‘9296’
set nat66 destination rule 30 inbound-interface ‘eth1’
set nat66 destination rule 30 protocol ‘tcp’
set nat66 destination rule 30 translation address ‘fdeb:b39a:29f8:bfd5::41’
set nat66 destination rule 30 translation port ‘3389’
set nat66 source rule 5 destination prefix ‘fd3f:4f0f:8fce:d02a::/64’
set nat66 source rule 5 exclude
set nat66 source rule 5 outbound-interface ‘eth1’
set nat66 source rule 5 source prefix ‘fdeb:b39a:29f8:bfd5::/64’
set nat66 source rule 30 description ‘SNAT wsrv150’
set nat66 source rule 30 outbound-interface ‘eth2’
set nat66 source rule 30 protocol ‘all’
set nat66 source rule 30 source prefix ‘fdeb:b39a:29f8:bfd5::41/128’
set nat66 source rule 30 translation address ‘6407:dfc0:1::90’
set nat66 source rule 9999 outbound-interface ‘eth1’
set nat66 source rule 9999 protocol ‘all’
set nat66 source rule 9999 source prefix ‘fdeb:b39a:29f8:bfd5::/64’
set nat66 source rule 9999 translation address ‘masquerade’
set protocols static route6 0::0/0 next-hop 6407:dfc0:1::1
set service ssh listen-address ‘172.17.21.171’
set service ssh port ‘1024’
set system config-management commit-revisions ‘100’
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed ‘115200’
set system host-name ‘vyos-ipv6-ipv6-ipsec-v171’
set system login user vyos authentication encrypted-password ‘$6$maPkFhMwSTmRZRht$uV90qDZPsYpB2jZIf8SjyMpcefgrSsR7aYJKiLJWHyK0S2jCWvihVvDZLMupDSbatNWB1uQe1BialwkCzDC.00’
set system login user vyos authentication plaintext-password ‘’
set system name-server ‘2001:4860:4860::8888’
set system name-server ‘2001:4860:4860::8844’
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
set vpn ipsec esp-group office-srv-esp compression ‘disable’
set vpn ipsec esp-group office-srv-esp lifetime ‘1800’
set vpn ipsec esp-group office-srv-esp mode ‘tunnel’
set vpn ipsec esp-group office-srv-esp pfs ‘enable’
set vpn ipsec esp-group office-srv-esp proposal 1 encryption ‘aes256’
set vpn ipsec esp-group office-srv-esp proposal 1 hash ‘sha1’
set vpn ipsec ike-group office-srv-ike ikev2-reauth ‘no’
set vpn ipsec ike-group office-srv-ike key-exchange ‘ikev2’
set vpn ipsec ike-group office-srv-ike lifetime ‘3600’
set vpn ipsec ike-group office-srv-ike proposal 1 encryption ‘aes256’
set vpn ipsec ike-group office-srv-ike proposal 1 hash ‘sha1’
set vpn ipsec interface ‘eth1’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 authentication pre-shared-secret ‘SomePreSharedKey’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 ike-group ‘office-srv-ike’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 local-address ‘6407:dfc0:1::85’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 tunnel 0 esp-group ‘office-srv-esp’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 tunnel 0 local prefix ‘fdeb:b39a:29f8:bfd5::/64’
set vpn ipsec site-to-site peer 6407:dfc0:2::85 tunnel 0 remote prefix ‘fd3f:4f0f:8fce:d02a::/64’
vyos@vyos-ipv6-ipv6-ipsec-v171:~$

Hello @devashish,
Thanks for sharing the configuration.
Your firewall rules do not allow port 9296; it must be allowed in the FIREWALL_IN_IPV6 rule. You also need to add a new rule that allows port 3389 on output.

Change these rules:

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘9296’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’

Add rules:

set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 action ‘accept’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 description ‘RDP’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 protocol ‘tcp’
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 destination port ‘3389’

Try this configuration.

Dear volodya

We have configured the above, and the configuration is now as below. Please let us know about the port mapping on destination rule number 30.

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘fdeb:b39a:29f8:bfd5::41’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘9296’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’
set nat66 destination rule 30 description ‘wsrv150’
set nat66 destination rule 30 destination address ‘6407:dfc0:1::90’
set nat66 destination rule 30 destination port ‘9296’
set nat66 destination rule 30 inbound-interface ‘eth1’
set nat66 destination rule 30 protocol ‘tcp’
set nat66 destination rule 30 translation address ‘fdeb:b39a:29f8:bfd5::41’
set nat66 destination rule 30 translation port ‘3389’
set nat66 source rule 30 description ‘SNAT wsrv150’
set nat66 source rule 30 outbound-interface ‘eth2’
set nat66 source rule 30 protocol ‘all’
set nat66 source rule 30 source prefix ‘fdeb:b39a:29f8:bfd5::41/128’
set nat66 source rule 30 translation address ‘6407:dfc0:1::90’

Try changing the rule:
set nat66 source rule 30 outbound-interface ‘eth1’

Not working.

We need to know what to change in the whole of rule number 30 for port forwarding.
Internally the port should be 3389 and externally it should be 9296 for remote access. Please check rule number 30 in the above configuration.

Changed the firewall rules:
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘6407:dfc0:1::90’

Again not working after changing the same.

Volodya, I hope you know that on IPv4 we do not put the public IP in the “firewall in” rule as the destination address; it is always the private IP of the server or system behind the firewall.

Below is our current config:

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action ‘accept’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description ‘wsrv150’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address ‘6407:dfc0:1::90’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port ‘9296’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log ‘disable’
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol ‘tcp’
set nat66 destination rule 30 description ‘wsrv150’
set nat66 destination rule 30 destination address ‘6407:dfc0:1::90’
set nat66 destination rule 30 destination port ‘9296’
set nat66 destination rule 30 inbound-interface ‘eth1’
set nat66 destination rule 30 protocol ‘tcp’
set nat66 destination rule 30 translation address ‘fdeb:b39a:29f8:bfd5::41’
set nat66 destination rule 30 translation port ‘3389’
set nat66 source rule 30 description ‘SNAT wsrv150’
set nat66 source rule 30 outbound-interface ‘eth1’
set nat66 source rule 30 protocol ‘all’
set nat66 source rule 30 source prefix ‘fdeb:b39a:29f8:bfd5::41/128’
set nat66 source rule 30 translation address ‘6407:dfc0:1::90’

Do you have any working IPv6 configuration with port forwarding?
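The back-and-forth above turns on one question: which destination tuple a firewall rule has to match for a DNAT66 port forward, the public one (6407:dfc0:1::90, 9296) or the translated one (fdeb:b39a:29f8:bfd5::41, 3389). The script below is an added example written for this thread, not VyOS code and not anything a poster supplied. It parses `set` lines in the form pasted here (tolerating the forum's curly and doubled quotes), pairs each `nat66 destination` rule with the `ipv6-name` rule set, and reports which firewall rule would be the first to decide a new TCP flow for the pre-translation tuple and for the post-translation tuple. The assumption it makes, stated in the comments, is the standard netfilter ordering on Linux: DNAT happens in the prerouting hook before forward filtering, so a forward-path rule sees the translated address and port. The constructed sample config reproduces the thread's final rule 30, and the report shows the pre-translation tuple accepted while the post-translation tuple falls through to `default-action drop`, which is the symptom a practitioner would check for first.

```python
import ipaddress
import re

# Constructed sample, modelled on rule 30 from the thread (not a poster's full config).
SAMPLE_CONFIG = """
set firewall ipv6-name FIREWALL_IN_IPV6 default-action 'drop'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state established 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 1 state related 'enable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address '6407:dfc0:1::90'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '9296'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 destination address '6407:dfc0:1::90'
set nat66 destination rule 30 destination port '9296'
set nat66 destination rule 30 inbound-interface 'eth1'
set nat66 destination rule 30 protocol 'tcp'
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5::41'
set nat66 destination rule 30 translation port '3389'
"""

_SET_LINE = re.compile(r"^set (.+?)(?: '(.*)')?$")


def parse_set_lines(text):
    """Map each 'set a b c <value>' line to {("a","b","c"): value}; a line with no
    quoted value (e.g. 'exclude') is stored as True. Curly quotes from forum paste,
    including the doubled opening quote seen in the thread, are normalised away."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        m = _SET_LINE.match(line)
        if not m:
            continue
        value = m.group(2)
        cfg[tuple(m.group(1).split())] = value.strip("'") if value is not None else True
    return cfg


def _leaf(cfg, *path):
    value = cfg.get(tuple(path))
    return value if isinstance(value, str) else None


def _rule_ids(cfg, base):
    n = len(base)
    return sorted({p[n] for p in cfg if p[:n] == base and len(p) > n}, key=int)


def firewall_rules(cfg, name):
    """Rules of one ipv6-name set, in the ascending-number order VyOS evaluates them."""
    base = ("firewall", "ipv6-name", name, "rule")
    rules = []
    for rid in _rule_ids(cfg, base):
        r = base + (rid,)
        states = (_leaf(cfg, *r, "state", "established"), _leaf(cfg, *r, "state", "related"))
        rules.append({
            "rule": int(rid),
            "action": _leaf(cfg, *r, "action"),
            "protocol": _leaf(cfg, *r, "protocol"),
            "dst_addr": _leaf(cfg, *r, "destination", "address"),
            "dst_port": _leaf(cfg, *r, "destination", "port"),
            # keyed only on established/related: never decides the first packet of a new flow
            "stateful_only": "enable" in states and _leaf(cfg, *r, "state", "new") != "enable",
        })
    return rules


def dnat_rules(cfg):
    """Each nat66 destination rule as (pre-translation tuple, post-translation tuple)."""
    base = ("nat66", "destination", "rule")
    out = []
    for rid in _rule_ids(cfg, base):
        r = base + (rid,)
        out.append({
            "rule": int(rid),
            "protocol": _leaf(cfg, *r, "protocol"),
            "pre": (_leaf(cfg, *r, "destination", "address"), _leaf(cfg, *r, "destination", "port")),
            "post": (_leaf(cfg, *r, "translation", "address"), _leaf(cfg, *r, "translation", "port")),
        })
    return out


def _addr_matches(rule_addr, addr):
    if rule_addr is None:  # no address criterion: matches anything
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_addr, strict=False)


def _port_matches(rule_port, port):
    if rule_port is None:
        return True
    for item in rule_port.split(","):  # VyOS accepts lists and ranges, e.g. '3389,9000-9100'
        lo, _, hi = item.partition("-")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False


def first_match(rules, proto, addr, port):
    """First rule that decides a NEW flow to (addr, port); None means default-action applies."""
    for fw in rules:
        if fw["stateful_only"] or fw["protocol"] not in (None, "all", proto):
            continue
        if _addr_matches(fw["dst_addr"], addr) and _port_matches(fw["dst_port"], port):
            return fw
    return None


def check_dnat(cfg, fw_name):
    """For each DNAT rule report (rule number, action) chosen for the pre- and the
    post-translation tuple. Assumption of this example: DNAT runs in netfilter's
    prerouting hook before forward filtering, so a forward rule sees the 'post' tuple."""
    rules = firewall_rules(cfg, fw_name)
    default = _leaf(cfg, "firewall", "ipv6-name", fw_name, "default-action") or "drop"
    report = []
    for d in dnat_rules(cfg):
        entry = {"rule": d["rule"]}
        for stage in ("pre", "post"):
            hit = first_match(rules, d["protocol"], *d[stage])
            entry[stage] = (hit["rule"], hit["action"]) if hit else (None, default)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in check_dnat(parse_set_lines(SAMPLE_CONFIG), "FIREWALL_IN_IPV6"):
        print(entry)  # {'rule': 30, 'pre': (30, 'accept'), 'post': (None, 'drop')}
```

Run it against a pasted `show configuration commands` dump by reading the file into `parse_set_lines`; a DNAT rule whose `post` entry lands on the default drop while `pre` is accepted is the mismatch to look at before touching the SNAT side.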