IPSec Phase 1 IPv4 Phase 2 IPv6

[sachaz]

Hi,

I'm trying to do something like this:

ServerZZTop ----- FirewallA [OPNSense] o===(IPSEC)===o FirewallB [OpenBSD] ----- Internet

ServerZZTop have a public IPv4/6

Phase 1 Type: IPv4 IKE v1
Phase 2 Type:  ESP IPv4 tunnel
Phase 2 Type:  ESP IPv6 tunnel

Yes I got I phase 2 for an IPv4 tunnel AND another one for an IPv6 tunnel, Strongswan is suposed to work like this(https://www.strongswan.org/testing/testresults/ipv6/net2net-ip6-in-ip4-ikev1/).

1st problem is the following message when I try to modify my phase 1: "There is a Phase 2 using IPv6, you cannot use IPv4".

When I mount the tunnel:

• If I ping from FirewallA to ServerZZTop the IPv4 tunnel is working: I can ping  from Internet ServerZZTop IPv4
• During 5 second after tunnel mounting I can ping  from Internet ServerZZTop IPv6 then the ICMP packet is coming to ServerZZTop but there is only outgoing "ICMP6, neighbor solicitation"  on my  ServerZZTop Interface
• I have to set mtu 1378 to ServerZZTop's interface to make IPv4 work fine
• In FirewallA IPSec logs, I got: "installing route failed: ::/0 via $(FirewallA Default IPv4 Gateway) src $(FirewallA IPv6 Gateway for ServerZZTop) dev pppoe0"

I'm stucked to make the IPv6 Phase2 and I don't understand why I have this message from OPNSense (my 1st problem)

Kind regards

[sachaz]

All of this is fixed now: https://atelier.aquilenet.fr/projects/services/wiki/Librehosting