IPsec with IPv6 only tunnel to UTM with one-sided routing problems

Question

Hello Community, 
 I have a strange problem. I have a successfully established IPsec connection between an UTM and a XG firewall. Both products have the latest firmware: UTM with 9.705-3 and the XG with SFOS 18.0.3 MR-3. The IPsec connection is established exclusively via IPv6. When I send a ping from the XG to a server in the zone of the UTM, I have 100% packet loss - tested via "Diagnostics" -> "Tools" -> "Ping". If I test the address via "Diagnostics" -> "Tools" -> "Route lookup", it also says correctly: "IPv6 is located on the ipsec0. IPv6 is not behind a router". If I use a ping from the UTM to a server in the XG network via "Support" -> "Tools" -> "Ping Check", all pings arrive (0% packet loss). Only when the ping from the UTM to the XG was successful can I now also ping successfully from the XG to the UTM. However, this only works for about 5 to 15 minutes (if no other traffic is active via the IPsec tunnel during this time). After that, no connection is possible from the XG to the UTM. Only when I send a ping from the UTM to the XG does it work again temporarily. I have been trying for days to find out where the error is, with the XG or with the UTM, and have also tried to enter static routes, unfortunately without success. What have I overlooked or where do I have to look to find the error? 
 Greetings Jan

JanZa · Accepted Answer

Hello, 
 in the meantime I have figured out myself why the IP packets sometimes don't work and sometimes do. As you can see from the picture in my first post, the firewalls (XG and UTM) are not directly on the Internet, but there are routers in front of them. One is a Fritz!Box 6591 Cable (Router 1, i.e. before the UTM from the cable network operator Vodafone [formerly Unitymedia]) and the other is a Fritz!Box 6660 Cable (Router 2, i.e. before the XG). In both routers, I forwarded the UDP port 500 to the firewalls behind them. The connection could be established without errors. But what was missing was the forwarding of the protocol ESP on both sides. Since I enabled it in both routers, the tunnel is stable. 
 Problem solved. I hope the explanation helps. 
 For the forum search also again in German: 
 [...] ich habe inzwischen selbst herausbekommen, warum die IP-Pakete mal nicht funktionieren und mal doch. Wie dem Bild aus meinem ersten Beitrag ersichtlich ist, sind die Firewalls (XG und UTM) nicht direkt im Internet, sondern vor Ihnen sind jeweils noch Router. Einmal eine Fritz!Box 6591 Cable (Router 1, also vor der UTM vom Kabelnetzbetreiber Vodafone [fr&uuml;her Unitymedia]) und eine Fritz!Box 6660 Cable (Router 2, also vor der XG). In beiden Routern habe ich den UDP Port 500 an die dahinterliegenden Firewalls weitergeleitet. Die Verbindung konnte ja auch ohne Fehler aufgebaut werden. Was aber gefehlt hat, war die Weiterleitung des Protokolls ESP auf beiden Seiten. Seit ich das in den beiden Routern freigeschaltet habe ist der Tunnel stabil. 
 Problem also gel&ouml;st. Ich hoffe die Erkl&auml;rung hilft.

IPsec with IPv6 only tunnel to UTM with one-sided routing problems

Top Replies