Properly routing IPv6 across site-to-site IPSEC tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Properly routing IPv6 across site-to-site IPSEC tunnel

L0 Member

Configuration:

I have two /56 IPv6 prefixes, one which is used in our Bay Area office, and one which is unused. I have taken a /64 from the unused /56 prefix and assigned it for use by our office in The Netherlands. They will use DHCP to assign the addresses to a small set of workstations that need to send IPv6 traffic across our site-to-site tunnel (PA-820 and PA-220 endpoints) and out our local ISP (to bypass GeoIP filtering that is making testing difficult for the engineering team there).

 

I believe what I need to do is create a PBF rule on the NL side PA that takes the source interface/zone and IPv6 range and forwards packets to the tunnel interface as egress. I 'm fairly certain that I need to define a next-hop IP, and I am uncertain how to proceed. Do I need to assign IPv6 to both tunnel interfaces, and if so, what is the correct way to determine IPs for these. IPv6 is enabled on the tunnel interfaces so they presumably have link-local IPv6 addresses I can get from the CLI, but I am not sure if these are the correct way to proceed . On the local side, the traffic should just follow the default route to the internet and return traffic should route back through our edge and I'll just need to set up a static route for the /64 block to route back across the tunnel to NL.

Any input is appreciated.

 

Thanks

1 REPLY 1

Cyber Elite
Cyber Elite

Hi @Antonio_719 ,

 

You can forward traffic to tunnel interface directly without mentioning any IP address as a next hop. PFB snap for ref. Did you tried this? This should work as per your requirement.

 

SutareMayur_0-1635415210207.png

 

Hope it helps!

M
  • 1661 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!