
On Sat, Sep 17, 2011 at 9:47 AM, Jason White <jason@jasonjgw.net> wrote:
> Richard Andrews <bflatmaj7th@gmail.com> wrote:
>> Kernel mode ESP does not create an interface so I would not expect any neighbourhood discovery associated with IPsec. Maybe the IPv6 stack is trying to find a router which knows a path to the peer.
>
> I think so. It's fine without an IPSec tunnel, but, for whatever reason, not when a tunnel is in place.

Yet you say the tunnel appears to work. "ipsec statusall" should show a child SA with an ID number in {} braces on both peers. One reason I prefer NAT-T mode is that the same UDP socket is used for IKE and ESP; it's very difficult to have keying work but not transport. That issue has been a frequent frustration with traditional IPsec for me.