Thu Jul 11, 2019 5:35 pm
Hello,
IPv6 over IPSec/L2TP works well; it gives you a prefix, but not an address, so it's suitable for a travel router that will share the prefix for you. The trick is in the L2TP server's default IPv6 firewall rules:
/ipv6 firewall filter
...
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
....
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
I changed them to:
...
add action=accept chain=input comment="allow from VPN" in-interface-list=dynamic log=yes log-prefix=DYNACCEPT:
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
...
add action=accept chain=forward comment="allow from VPN" in-interface-list=dynamic log=yes log-prefix=DYNACCEPT:
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
and everything started to work. Client configuration:
/interface l2tp-client add name=l2tp-out1 connect-to=VpnServer user=VpnUser password=VpnPassword use-ipsec=yes ipsec-secret=VpnSecret allow=mschap2 add-default-route=yes allow-fast-path=yes disabled=no
/ipv6 dhcp-client add add-default-route=yes interface=l2tp-out1 pool-name=l2tp-ipv6 request=prefix
/ipv6 address add address=::/64 from-pool=l2tp-ipv6 interface=bridge advertise=yes disabled=no eui-64=no no-dad=no
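
A narrower variant of the server-side rules above, added here as an example and not part of the original post: the built-in "dynamic" interface list matches every dynamically created interface, not only L2TP sessions, so this version puts the VPN sessions in a list of their own. The list name "VPN" and the PPP profile name "default-encryption" are assumptions, as is DHCPv6 prefix delegation being the only router service the VPN clients need on the input chain.

```routeros
# Added example, not from the original post.
# Assumptions: the list name "VPN" is made up; the L2TP server hands out
# the "default-encryption" PPP profile (use the profile actually configured).

# 1. Dedicated interface list. Each session created from this profile is
#    added to the list when it comes up and removed when it disconnects.
/interface list
add name=VPN comment="dynamic L2TP server sessions"
/ppp profile
set [find name=default-encryption] interface-list=VPN

/ipv6 firewall filter
# 2. Forward chain: accept traffic entering from VPN sessions only.
#    place-before keeps the rule ahead of the default drop, because the
#    first matching rule wins and a rule added after the drop never fires.
add action=accept chain=forward comment="allow from VPN" \
    in-interface-list=VPN log=yes log-prefix=VPNFWD: \
    place-before=[find where chain=forward and \
    comment="defconf: drop everything else not coming from LAN"]

# 3. Input chain: accept only DHCPv6 requests (UDP 547) from VPN sessions
#    instead of everything. Assumes the elided default rules still accept
#    ICMPv6, which neighbor discovery on the tunnel needs.
add action=accept chain=input comment="DHCPv6 from VPN" \
    in-interface-list=VPN protocol=udp dst-port=547 \
    log=yes log-prefix=VPNDHCP: \
    place-before=[find where chain=input and \
    comment="defconf: drop everything else not coming from LAN"]

# 4. Checks: list membership while a client is connected, then rule order
#    and hit counters for both accept rules.
/interface list member print where list=VPN
/ipv6 firewall filter print stats
```

If the clients also manage the router over the tunnel, add explicit input rules for those services rather than widening rule 3 back to accept-all.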