L2TP/IPSec with IPv6 Connection?

We have a VPN that works fine for Windows and Android on IPv4, but I can’t seem to get it to work on IPv6.

Initially I had trouble with ph2 packets in the log, but I fixed that by creating an IPv6 specific policy in /ip ipsec policy:

 2 T   ;;; ipv6
       group=default src-address=::/0 dst-address=::/0 protocol=all proposal=l2tp-proposal template=yes

Here’s the /ip ipsec proposal:

 1    name="l2tp-proposal" auth-algorithms=sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m pfs-group=modp1024

Here’s /interface l2tp-server server:

enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
max-sessions: unlimited
default-profile: l2tp-profile
use-ipsec: yes
ipsec-secret: hunter2
allow-fast-path: no

Here’s the ppp profile:

 1   name="l2tp-profile" local-address=xxx.xxx.xxx.254 remote-address=internal-pool remote-ipv6-prefix-pool=office-internal-new use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default
     address-list="" dns-server=xxx.xxx.xxx.xxx on-up="" on-down=""

I don’t get any errors in the logs; it just repeatedly tries to initiate the session. Any guidance or configs I can cargo cult are welcome!
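Since the post asks for configs to compare against, here is an added Python helper (not from the original post and not MikroTik's code) that parses a `/ip ipsec proposal print` row like the one above and reports which of its algorithms are legacy choices; the weak-algorithm sets are an assumption reflecting common hardening guidance, not anything RouterOS enforces.

```python
import re

# Constructed sample: the proposal row quoted in the post above.
SAMPLE = ('1    name="l2tp-proposal" auth-algorithms=sha256,sha1,md5 '
          'enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m pfs-group=modp1024')

# Assumption: these sets follow common hardening guidance; RouterOS does not enforce them.
WEAK = {
    "auth-algorithms": {"md5", "sha1"},
    "enc-algorithms": {"3des", "des", "null"},
    "pfs-group": {"none", "modp768", "modp1024"},
}
LIST_KEYS = ("auth-algorithms", "enc-algorithms")  # comma-separated values


def parse_row(line):
    """Turn one `print` row (row number, flags, key=value pairs) into a dict."""
    row = {}
    for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
        val = val.strip('"')
        row[key] = val.split(",") if key in LIST_KEYS else val
    return row


def audit_proposal(line):
    """Return the weak entries of a proposal and the subset left after dropping them."""
    row = parse_row(line)
    weak, hardened = [], {}
    for key in LIST_KEYS:
        algs = row.get(key, [])
        weak += [f"{key}:{a}" for a in algs if a in WEAK[key]]
        hardened[key] = [a for a in algs if a not in WEAK[key]]
    pfs = row.get("pfs-group")
    if pfs in WEAK["pfs-group"]:
        weak.append(f"pfs-group:{pfs}")
    elif pfs:
        hardened["pfs-group"] = pfs
    # "usable" is False when stripping weak entries would leave an empty algorithm list.
    return {"name": row.get("name"), "weak": weak, "hardened": hardened,
            "usable": all(hardened[k] for k in LIST_KEYS)}


if __name__ == "__main__":
    print(audit_proposal(SAMPLE))
```

The hardened subset only tells you what the router side could be reduced to; whether a given client still negotiates with it has to be checked against that client.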

Same here … In MikroTik you are given the option for a remote-ipv6-prefix-pool and use-ipv6 toggle option in the PPP profile. This implies I want to assign an entire /64 to my VPN user. I don’t, I want them to get a single address like IPv4 with a “local-address” option for the IPv6 side of that connection.

Just for clarity this doesn’t make IPv6 on my Android through VPN work. It simply consumes an IPv6 prefix from my ISP issued pool.

/frustrating, MikroTik, IPv6 is real. I promise you.

What VPN service are you using?

Did you ever manage to get this working correctly?