IPv6 Strongswan IPSec + NAT

0

I have a VPS with an IPv4 (/32) and an IPv6 (/128).

I've set up Strongswan and my IPv4 IPSec server works just fine - I'm using it all the time.

I'm trying to get it to work with IPv6 and so far it's not working at all. Since I only have a /128 IPv6 address and no prefix, I need to use NAT. My server is listening on IPv6, and it is possible to connect using IPv6 exclusively. I'm assigning a Unique Local Address (ULA) to my clients, and they receive it properly.

I've configured NAT to translate my ULA prefix into my server's address - exactly like I did in IPv4. But it doesn't work, and the NAT rule has 0 hits.

I believe there is a routing problem. For my IPv4 IPSec network, a routing rule is added like this in table 220 by Charon:

ip route show table 220
 172.28.0.3 dev eth0  proto static

... but for my IPv6 ULA network, it shows like this:

ip route show table all
 fd00:dead:dead:dead::1 via 2001:29da:405:5f00::1 dev eth0  table 220  proto static  metric 1024

with 2001:29da:405:5f00::1 being the IPv6 default gateway of my server.

Here is what I have in ipsec.conf:

    leftauth=pubkey
    leftcert=X.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0

    rightsourceip=172.28.0.0/23, fd00:DEAD:DEAD:DEAD:0:0:0:0/64
    rightdns=208.67.220.220,208.67.222.222,2606:4700:4700:0:0:0:0:1111,2001:4860:4860:0:0:0:0:8888

Has anybody got any idea? Where should I look?

pHeoz

Posted 2019-04-13T19:09:39.570

Reputation: 207
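The three things worth checking in the situation described above (what kind of route charon installed in table 220, whether the NAT66 rule ever counts packets, and whether IPv6 forwarding is on at all, since a forwarding-disabled kernel drops decrypted client packets before POSTROUTING is ever consulted) can be scripted. This is an added example, not code from the question or from strongSwan; the ip6tables output it parses is constructed, and the route lines are the ones quoted in the question.

```sh
#!/bin/sh
# Added troubleshooting helpers for the IPv6 NAT + strongSwan setup above.
# Each function reads command output from stdin, so it works on either real
# output (e.g. `ip -6 route show table 220 | route_kind`) or the samples below.

# Classify a table-220 route line: "onlink" when charon installed a plain
# "dev" route (the IPv4 case), "via-gateway" when it points at a nexthop.
route_kind() {
    awk '{ kind = "onlink"
           for (i = 1; i <= NF; i++) if ($i == "via") kind = "via-gateway"
           print kind }'
}

# Sum packet counters of SNAT/MASQUERADE rules from
# `ip6tables -t nat -L POSTROUTING -v -n`. Fields $1/$3 (pkts/target) are the
# same in iptables and ip6tables output even though the "opt" column differs.
nat_hits() {
    awk '$3 == "MASQUERADE" || $3 == "SNAT" { sum += $1 } END { print sum + 0 }'
}

# Read a sysctl value file; NAT66 needs net.ipv6.conf.all.forwarding=1,
# otherwise decrypted client packets are dropped and the NAT rule stays at 0.
forwarding_enabled() {   # $1 = path; defaults to the live kernel value
    tr -d '[:space:]' < "${1:-/proc/sys/net/ipv6/conf/all/forwarding}"
}

# Constructed samples: route lines as quoted in the question, ip6tables output
# made up for illustration (zero hits, as the asker reports).
ROUTE_V4='172.28.0.3 dev eth0  proto static'
ROUTE_V6='fd00:dead:dead:dead::1 via 2001:29da:405:5f00::1 dev eth0  table 220  proto static  metric 1024'
NAT_OUT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      eth0    fd00:dead:dead:dead::/64  ::/0'

report() {
    echo "IPv4 table-220 route: $(printf '%s\n' "$ROUTE_V4" | route_kind)"
    echo "IPv6 table-220 route: $(printf '%s\n' "$ROUTE_V6" | route_kind)"
    echo "NAT66 POSTROUTING hits: $(printf '%s\n' "$NAT_OUT" | nat_hits)"
    if [ -r /proc/sys/net/ipv6/conf/all/forwarding ]; then
        echo "IPv6 forwarding: $(forwarding_enabled)"
    fi
}

report
```

On the real server, replace the constructed samples with `ip -6 route show table 220`, `ip6tables -t nat -L POSTROUTING -v -n` (or the nft equivalent) and the live sysctl; a forwarding value of 0 explains zero NAT hits on its own.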

You only have a /128?! Yell at your VPS provider very loudly, or switch to some provider which isn't doing insane things. – Michael Hampton – 2019-04-14T17:10:35.433

Can you provide more information about the involved client? Are ESP packets sent if you address them to the virtual IP (check traffic counters or capture traffic)? – ecdsa – 2019-04-15T08:27:00.780

No answers