<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Properly routing IPv6 across site-to-site IPSEC tunnel in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/properly-routing-ipv6-across-site-to-site-ipsec-tunnel/m-p/443971#M100279</link>
    <description>&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Configuration:&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;I have two /56 IPv6 prefixes, one which is used in our Bay Area office, and one which is unused. I have taken a /64 from the unused /56 prefix and assigned it for use by our office in The Netherlands. They will use DHCP to assign the addresses to a small set of workstations that need to send IPv6 traffic across our site-to-site tunnel (PA-820 and PA-220 endpoints) and out our local ISP (to bypass GeoIP filtering that is making testing difficult for the engineering team there).&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;I believe what I need to do is create a PBF rule on the NL side PA that takes the source interface/zone and IPv6 range and forwards packets to the tunnel interface as egress. I'm fairly certain that I need to define a next-hop IP, and I am uncertain how to proceed. Do I need to assign IPv6 to both tunnel interfaces, and if so, what is the correct way to determine IPs for these? IPv6 is enabled on the tunnel interfaces so they presumably have link-local IPv6 addresses I can get from the CLI, but I am not sure if these are the correct way to proceed. On the local side, the traffic should just follow the default route to the internet and return traffic should route back through our edge and I'll just need to set up a static route for the /64 block to route back across the tunnel to NL.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Any input is appreciated.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Thanks&lt;/FONT&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 29 Oct 2021 16:43:07 GMT</pubDate>
    <dc:creator>Antonio_719</dc:creator>
    <dc:date>2021-10-29T16:43:07Z</dc:date>
    <item>
      <title>Properly routing IPv6 across site-to-site IPSEC tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/properly-routing-ipv6-across-site-to-site-ipsec-tunnel/m-p/443971#M100279</link>
      <description>&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Configuration:&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;I have two /56 IPv6 prefixes, one which is used in our Bay Area office, and one which is unused. I have taken a /64 from the unused /56 prefix and assigned it for use by our office in The Netherlands. They will use DHCP to assign the addresses to a small set of workstations that need to send IPv6 traffic across our site-to-site tunnel (PA-820 and PA-220 endpoints) and out our local ISP (to bypass GeoIP filtering that is making testing difficult for the engineering team there).&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;I believe what I need to do is create a PBF rule on the NL side PA that takes the source interface/zone and IPv6 range and forwards packets to the tunnel interface as egress. I'm fairly certain that I need to define a next-hop IP, and I am uncertain how to proceed. Do I need to assign IPv6 to both tunnel interfaces, and if so, what is the correct way to determine IPs for these? IPv6 is enabled on the tunnel interfaces so they presumably have link-local IPv6 addresses I can get from the CLI, but I am not sure if these are the correct way to proceed. On the local side, the traffic should just follow the default route to the internet and return traffic should route back through our edge and I'll just need to set up a static route for the /64 block to route back across the tunnel to NL.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Any input is appreciated.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=""&gt;&lt;FONT color="#000000"&gt;Thanks&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 Oct 2021 16:43:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/properly-routing-ipv6-across-site-to-site-ipsec-tunnel/m-p/443971#M100279</guid>
      <dc:creator>Antonio_719</dc:creator>
      <dc:date>2021-10-29T16:43:07Z</dc:date>
    </item>
    <item>
      <title>Re: Properly routing IPv6 across site-to-site IPSEC tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/properly-routing-ipv6-across-site-to-site-ipsec-tunnel/m-p/444015#M100284</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/198098"&gt;@Antonio_719&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can forward traffic to the tunnel interface directly without mentioning any IP address as a next hop. PFB snap for ref. Did you try this? This should work as per your requirement.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SutareMayur_0-1635415210207.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37312i79D41CB9248E4A63/image-size/medium?v=v2&amp;amp;px=400" role="button" title="SutareMayur_0-1635415210207.png" alt="SutareMayur_0-1635415210207.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope it helps!&lt;/P&gt;</description>
      <pubDate>Thu, 28 Oct 2021 10:00:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/properly-routing-ipv6-across-site-to-site-ipsec-tunnel/m-p/444015#M100284</guid>
      <dc:creator>SutareMayur</dc:creator>
      <dc:date>2021-10-28T10:00:40Z</dc:date>
    </item>
  </channel>
</rss>

