I have 2 systems A and B linked together using a strongSwan IPv4 IKEv2 VPN. A client (C) connected to A can access the public IPv4 internet via B using the VPN. I am trying to enable C to access the public internet using IPv6 via B, i.e. IPv6 packets originating at C are encapsulated by A and sent to B for decapsulation and forwarding.
I believe this is working correctly up to the point where the packets should enter the FORWARD table - but they don't.
On B, IPv6 forwarding is enabled:
sysctl net.ipv6.conf.default.forwarding
net.ipv6.conf.default.forwarding = 1
When I ping from C
ping -6 -c1 -I fd00::1000 2a00:...:2377
...
1 packets transmitted, 0 received, 100% packet loss, time 0ms
on B using tcpdump I see
14:02:00.014233 IP6 fd00::1000 > 2a00:...:2377: ICMP6, echo request, seq 1, length 64
and on B when using the ip6tables TRACE target I see
Sep 15 14:02:00 host kernel: TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1
Sep 15 14:02:00 host kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1
Sep 15 14:02:00 host kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1
Using a netfilter flow diagram it appears that packets are getting to the 'routing decision' but no further.
Other than the rules to enable tracing, the IPv6 firewall is empty and set to ACCEPT everything.
System B can ping the target system OK. The routing table looks like this:
ip -6 r g 2a00:...:2377
2a00:...:2377 via 2a00:..:0:3:1 dev eth0 proto static src fe80::5054:ff:fe0e:e3c4 metric 100 pref medium
Can anyone point me in the right direction to figure out what is (not) going on?
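As an added example (not part of the original post), the script below reads ip6tables TRACE lines like the ones quoted above and reports, for each packet, the last built-in chain it reached and the next chain a forwarded packet would be expected to hit. The chain order assumes only the raw, mangle, nat and filter tables are in play; `FORWARD_PATH`, `trace_paths` and `stopped_after` are names invented for this example, and the sample lines are rebuilt from the trace in the post.

```python
import re

# Expected order of built-in chains for a *forwarded* IPv6 packet
# (assumption: only raw/mangle/nat/filter tables are loaded).
FORWARD_PATH = ["raw:PREROUTING", "mangle:PREROUTING", "nat:PREROUTING",
                "mangle:FORWARD", "filter:FORWARD",
                "mangle:POSTROUTING", "nat:POSTROUTING"]

TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):\w+:\d+ (?P<fields>.*)")

def trace_paths(lines):
    """Group TRACE lines per packet and return {packet_key: [table:chain, ...]}."""
    paths = {}
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a TRACE line
        f = dict(re.findall(r"(\w+)=(\S*)", m["fields"]))
        # ID/SEQ are present for ICMPv6 echo; other protocols fall back to None.
        key = (f.get("SRC"), f.get("DST"), f.get("ID"), f.get("SEQ"))
        hook = f"{m['table']}:{m['chain']}"
        path = paths.setdefault(key, [])
        if not path or path[-1] != hook:  # collapse several rules in one chain
            path.append(hook)
    return paths

def stopped_after(path):
    """Return (last chain seen on the forward path, next chain expected or None)."""
    seen = [FORWARD_PATH.index(h) for h in path if h in FORWARD_PATH]
    if not seen:
        return None, FORWARD_PATH[0]
    last = max(seen)
    nxt = FORWARD_PATH[last + 1] if last + 1 < len(FORWARD_PATH) else None
    return FORWARD_PATH[last], nxt

# Sample input rebuilt from the three TRACE lines in the post (address elision kept).
COMMON = ("IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 "
          "SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 "
          "TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1")
SAMPLE = [f"Sep 15 14:02:00 host kernel: TRACE: {hook} {COMMON}"
          for hook in ("raw:PREROUTING:policy:3", "mangle:PREROUTING:policy:1",
                       "nat:PREROUTING:policy:1")]

if __name__ == "__main__":
    for key, path in trace_paths(SAMPLE).items():
        last, nxt = stopped_after(path)
        print(f"SRC={key[0]} DST={key[1]}: last={last}, never reached={nxt}")
```

For the trace in the post this reports `nat:PREROUTING` as the last chain and `mangle:FORWARD` as the first one never reached, which places the loss between the end of PREROUTING and the start of FORWARD.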