Hello,
I am having a problem with setting up GRE tunnels over IPv6.
Here are the basic configurations of the two routers:
ROUTER-1
```
# ROUTER-1: VyOS configuration in "set" command form.
# eth0 carries both the IPv4 and the IPv6 address; tun0 is GRE over IPv6
# (ip6gre) and tun1 is GRE over IPv4, both sourced from eth0.

# Global firewall options.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'

# IPv6 ruleset applied to eth0 "local" further down: default action drop,
# with the default drop logged.
set firewall ipv6-name wan-local-6 default-action 'drop'
set firewall ipv6-name wan-local-6 enable-default-log
# Rule 10: drop (and log) packets in state invalid. It is numbered below the
# GRE accept in rule 30, so a GRE packet that carries the invalid state is
# matched here first. The router1 log on this page shows PROTO=47 logged with
# a "-10-D" prefix.
# NOTE(review): that log prefix reads "wan-in-6", not "wan-local-6" - confirm
# which ruleset actually produced the drop.
set firewall ipv6-name wan-local-6 rule 10 action 'drop'
set firewall ipv6-name wan-local-6 rule 10 log 'enable'
set firewall ipv6-name wan-local-6 rule 10 state invalid 'enable'
# Rule 20: accept (and log) established and related traffic.
set firewall ipv6-name wan-local-6 rule 20 action 'accept'
set firewall ipv6-name wan-local-6 rule 20 log 'enable'
set firewall ipv6-name wan-local-6 rule 20 state established 'enable'
set firewall ipv6-name wan-local-6 rule 20 state related 'enable'
# Rule 30: accept (and log) protocol GRE. No source address is matched, so the
# rule is not limited to the tunnel peer.
set firewall ipv6-name wan-local-6 rule 30 action 'accept'
set firewall ipv6-name wan-local-6 rule 30 log 'enable'
set firewall ipv6-name wan-local-6 rule 30 protocol 'gre'
# Rule 40: accept ICMPv6.
set firewall ipv6-name wan-local-6 rule 40 action 'accept'
set firewall ipv6-name wan-local-6 rule 40 protocol 'ipv6-icmp'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'

# IPv4 ruleset, same layout as the IPv6 one: invalid drop (10),
# established/related accept (20), GRE accept (30), ICMP accept (40).
set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'drop'
set firewall name wan-local rule 10 log 'enable'
set firewall name wan-local rule 10 state invalid 'enable'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 state established 'enable'
set firewall name wan-local rule 20 state related 'enable'
set firewall name wan-local rule 30 action 'accept'
set firewall name wan-local rule 30 log 'enable'
set firewall name wan-local rule 30 protocol 'gre'
set firewall name wan-local rule 40 action 'accept'
set firewall name wan-local rule 40 protocol 'icmp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
# NOTE(review): source-validation is disabled - presumably reverse-path
# filtering; confirm this is intended on the interface facing the peer.
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# eth0: underlay addresses for both tunnels; both rulesets are attached in the
# "local" direction (traffic addressed to the router itself).
set interfaces ethernet eth0 address '198.51.100.1/24'
set interfaces ethernet eth0 address '2001:db8:1000::1/64'
set interfaces ethernet eth0 firewall local ipv6-name 'wan-local-6'
set interfaces ethernet eth0 firewall local name 'wan-local'
set interfaces ethernet eth0 hw-id '0c:d8:6a:66:03:00'
set interfaces ethernet eth1 hw-id '0c:d8:6a:66:03:01'
set interfaces ethernet eth2 hw-id '0c:d8:6a:66:03:02'
set interfaces loopback lo

# tun0: ip6gre between the two eth0 IPv6 addresses. fd00::1 is the address the
# failing ping from router2 targets.
set interfaces tunnel tun0 address 'fd00::1/64'
set interfaces tunnel tun0 address '10.0.0.1/30'
set interfaces tunnel tun0 encapsulation 'ip6gre'
set interfaces tunnel tun0 local-ip '2001:db8:1000::1'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip '2001:db8:1000::2'
set interfaces tunnel tun0 source-interface 'eth0'
# tun1: gre between the two eth0 IPv4 addresses. fd01::1 is the address the
# working ping from router2 targets.
set interfaces tunnel tun1 address 'fd01::1/64'
set interfaces tunnel tun1 address '10.1.1.1/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '198.51.100.1'
set interfaces tunnel tun1 remote-ip '198.51.100.2'
set interfaces tunnel tun1 source-interface 'eth0'

set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
# NOTE(review): the account's crypt hash ($6$ prefix) is part of this paste;
# such values are normally redacted before a configuration is shared, and the
# password rotated if the hash was published.
set system login user vyos authentication encrypted-password '$6$ztLNDTcT7$9Zjtmyy8.4/Bh99nqe5/Osc8lEzhPzzEqE5lpecJdOYiRNF7Z.Q2kAp3MHGXxsvjPjf9pxtQLjPKvsRyea4he/'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
# Syslog: everything at info, the "protocols" facility at debug.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
```
ROUTER-2
```
# ROUTER-2: VyOS configuration in "set" command form, the mirror of ROUTER-1.
# eth0 carries both the IPv4 and the IPv6 address; tun0 is GRE over IPv6
# (ip6gre) and tun1 is GRE over IPv4, both sourced from eth0.

# Global firewall options.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'

# IPv6 ruleset applied to eth0 "local" further down: default action drop,
# with the default drop logged.
set firewall ipv6-name wan-local-6 default-action 'drop'
set firewall ipv6-name wan-local-6 enable-default-log
# Rule 10: drop (and log) packets in state invalid. It is numbered below the
# GRE accept in rule 30, so a GRE packet that carries the invalid state is
# matched here before rule 30 can accept it.
set firewall ipv6-name wan-local-6 rule 10 action 'drop'
set firewall ipv6-name wan-local-6 rule 10 log 'enable'
set firewall ipv6-name wan-local-6 rule 10 state invalid 'enable'
# Rule 20: accept (and log) established and related traffic.
set firewall ipv6-name wan-local-6 rule 20 action 'accept'
set firewall ipv6-name wan-local-6 rule 20 log 'enable'
set firewall ipv6-name wan-local-6 rule 20 state established 'enable'
set firewall ipv6-name wan-local-6 rule 20 state related 'enable'
# Rule 30: accept (and log) protocol GRE. No source address is matched, so the
# rule is not limited to the tunnel peer.
set firewall ipv6-name wan-local-6 rule 30 action 'accept'
set firewall ipv6-name wan-local-6 rule 30 log 'enable'
set firewall ipv6-name wan-local-6 rule 30 protocol 'gre'
# Rule 40: accept ICMPv6.
set firewall ipv6-name wan-local-6 rule 40 action 'accept'
set firewall ipv6-name wan-local-6 rule 40 protocol 'ipv6-icmp'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'

# IPv4 ruleset, same layout as the IPv6 one: invalid drop (10),
# established/related accept (20), GRE accept (30), ICMP accept (40).
set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'drop'
set firewall name wan-local rule 10 log 'enable'
set firewall name wan-local rule 10 state invalid 'enable'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 state established 'enable'
set firewall name wan-local rule 20 state related 'enable'
set firewall name wan-local rule 30 action 'accept'
set firewall name wan-local rule 30 log 'enable'
set firewall name wan-local rule 30 protocol 'gre'
set firewall name wan-local rule 40 action 'accept'
set firewall name wan-local rule 40 protocol 'icmp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
# NOTE(review): source-validation is disabled - presumably reverse-path
# filtering; confirm this is intended on the interface facing the peer.
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# eth0: underlay addresses for both tunnels; both rulesets are attached in the
# "local" direction (traffic addressed to the router itself).
set interfaces ethernet eth0 address '198.51.100.2/24'
set interfaces ethernet eth0 address '2001:db8:1000::2/64'
set interfaces ethernet eth0 firewall local ipv6-name 'wan-local-6'
set interfaces ethernet eth0 firewall local name 'wan-local'
set interfaces ethernet eth0 hw-id '0c:d8:6a:b7:90:00'
set interfaces ethernet eth1 hw-id '0c:d8:6a:b7:90:01'
set interfaces ethernet eth2 hw-id '0c:d8:6a:b7:90:02'
set interfaces loopback lo

# tun0: ip6gre between the two eth0 IPv6 addresses; the failing ping to
# fd00::1 leaves through this tunnel.
set interfaces tunnel tun0 address 'fd00::2/64'
set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 encapsulation 'ip6gre'
set interfaces tunnel tun0 local-ip '2001:db8:1000::2'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip '2001:db8:1000::1'
set interfaces tunnel tun0 source-interface 'eth0'
# tun1: gre between the two eth0 IPv4 addresses; the working ping to fd01::1
# leaves through this tunnel.
set interfaces tunnel tun1 address 'fd01::2/64'
set interfaces tunnel tun1 address '10.1.1.2/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '198.51.100.2'
set interfaces tunnel tun1 remote-ip '198.51.100.1'
set interfaces tunnel tun1 source-interface 'eth0'

set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
# NOTE(review): the account's crypt hash ($6$ prefix) is part of this paste;
# such values are normally redacted before a configuration is shared, and the
# password rotated if the hash was published.
set system login user vyos authentication encrypted-password '$6$bXuwE0gi.CjpQRv$TFbrTmtcqCQ9f6Df.yqygi99R8M/8vR1NDfado2ESXBzv0tGlVbdRKjdlHZGw9pNrpEWUG5m0BdMnrJqkbDpv/'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
# Syslog: everything at info, the "protocols" facility at debug.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
```
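Once the tunnel is established, the remote network cannot be reached if the remote router applies an ingress filtering policy.
This is what the logs show: GRE over IPv6 is consistently treated as an invalid stream and dropped by the invalid-state rule (rule 10), so it never reaches the GRE accept rule (rule 30).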
```
vyos@router2:~$ ping fd00::1
PING fd00::1(fd00::1) 56 data bytes
--- fd00::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
```
```
root@router1:~# tail -f /var/log/messages
Mar 1 09:09:56 router1 kernel: [ 303.025798] [wan-in-6-10-D] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd SRC=2001:0db8:1000:0000:0000:0000:0000:0002 DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64 FLOWLBL=825134 PROTO=47
```
In pure IPv4 mode (GRE over IPv4, tun1), it works without problems: the same traffic is accepted by rule 30.
```
vyos@router2:~$ ping fd01::1 count 1
PING fd01::1(fd01::1) 56 data bytes
64 bytes from fd01::1: icmp_seq=1 ttl=64 time=3.24 ms
--- fd01::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.238/3.238/3.238/0.000 ms
```
```
root@router1:~# tail -f /var/log/messages -n0
Mar 1 09:21:11 router1 kernel: [ 977.976415] [wan-in-30-A] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:08:00 SRC=198.51.100.2 DST=198.51.100.1 LEN=128 TOS=0x00 PREC=0x00 TTL=255 ID=64348 DF PROTO=47
```
This problem is reproducible under VyOS 1.3.x and 1.4.x.
Thanks for your help,
Regards,