FortiGate 100D VDOM nat64 Policy over IPsec
Hello,
I have the following configuration on a VDOM on a FortiGate 100D.
Here is an access from an external IPv6 address to an IPv4 address behind the VPN tunnel.
In the config, the IPv6 source address is changed to an IPv4 address.
The IPv6 destination address, which has a route to the FortiGate VDOM, is changed in the firewall to the destination IPv4 networks,
as you can see in the config lines...
It doesn't work; I think the problem is the DNAT line in the debug output:
Debug:
id=20085 trace_id=2008 func=resolve_ip6_tuple_fast line=3285 msg="vd-mgmt received a packet(proto=6, X:X:X:X::251:55591->fd71:83f4:eb:1::a41:20e:22) from Untrust."
id=20085 trace_id=2008 func=resolve_ip6_tuple line=3384 msg="allocate a new session-005eac11"
id=20085 trace_id=2008 func=get_new_addr6 line=768 msg="find NAT: IP-fd71:83fa:eb:1::a41:20e, port-22"
id=20085 trace_id=2008 func=__ip6_session_run_tuple line=1812 msg="DNAT fd71:83f4:eb:1::a41:20e:22->fd71:83fa:eb:1::a41:20e:22"
id=20085 trace_id=2008 func=fw6_pre_route_handler line=131 msg="VIP-fd71:83fa:eb:1::a41:20e:22, outdev-unknown"
id=20085 trace_id=2008 func=vf_ip6_route_input line=920 msg="find a route: gw-fd71:83fa:eb:1::a41:20e via mgmt err 0 flags 85000001"
id=20085 trace_id=2008 func=ip6_nat_af_input line=665 msg="nat64 ipv6 received a packet proto=6"
id=20085 trace_id=2008 func=fw6_nat_af_sink_handler line=516 msg="Check nat af policy between Untrust -> vpn-mgmt"
id=20085 trace_id=2008 func=get_new_addr6 line=768 msg="find NAT: IP-fd71:83fa:eb:1::c31e:82cc, port-18913"
id=20085 trace_id=2008 func=init_ip_session_common line=4868 msg="allocate a new session-01e74813"
id=20085 trace_id=2008 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-vpn-mgmt"
id=20085 trace_id=2008 func=esp_output4 line=846 msg="IPsec encrypt/auth"
id=20085 trace_id=2008 func=ipsec_output_finish line=496 msg="send to 1XX.X.X.X via intf-Untrust"
Config:
config router static
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set device "vpn-mgmt"
    next
    edit 3
        set dst 172.16.0.0 255.240.0.0
        set device "vpn-mgmt"
    next
    edit 4
        set dst 192.168.0.0 255.255.0.0
        set device "vpn-mgmt"
    next
end
config system nat64
    set status enable
end
(prefix for NAT64 is fd71:83fa:eb:1::/96)
config firewall policy64
    edit 1
        set uuid a55b4c54-d1b8-51e6-04f3-6b9bca3482d5
        set srcintf "Untrust"
        set dstintf "vpn-mgmt"
        set srcaddr "management"        <- "management" is an IPv6 management IP-address group
        set dstaddr "ipv6to4nat"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "mgmt-ipv4"
    next
end
config firewall vip64
    edit "ipv6to4nat"
        set uuid 1c85ea2c-d1c9-51e6-0982-23aee21a8de0
        set extip fd71:83f4:eb:1::1-fd71:83f4:eb:1::ffff:fffe
        set mappedip 0.0.0.1-255.255.255.254
    next
end
config firewall ippool
    edit "mgmt-ipv4"
        set type one-to-one
        set startip x.x.x.200
        set endip x.x.x.207
    next
end
Does anyone have an idea what the problem is?
The VPN works; I can reach the IPv4 IPs when it is connected...
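Added example, not from the post above and not FortiOS code: a small Python helper that recovers the IPv4 host embedded in the low 32 bits of the NAT64 destination shown in the DNAT trace line, looks that host up against the three static routes, and checks whether the vip64 extip range actually lies inside the configured nat64 prefix. All addresses are the ones quoted in the post; the /96 embedding is assumed from the prefix length given there.

```python
import ipaddress
import re

# Values quoted in the post: nat64 prefix, vip64 "ipv6to4nat" extip range and the
# static routes that send IPv4 destinations into the vpn-mgmt tunnel.
NAT64_PREFIX = ipaddress.ip_network("fd71:83fa:eb:1::/96")
VIP64_EXTIP = ("fd71:83f4:eb:1::1", "fd71:83f4:eb:1::ffff:fffe")
STATIC_ROUTES = {"10.0.0.0/8": "vpn-mgmt", "172.16.0.0/12": "vpn-mgmt", "192.168.0.0/16": "vpn-mgmt"}

# Constructed sample: the DNAT record of the debug-flow trace, copied from the post.
DEBUG_FLOW = (
    'id=20085 trace_id=2008 func=__ip6_session_run_tuple line=1812 '
    'msg="DNAT fd71:83f4:eb:1::a41:20e:22->fd71:83fa:eb:1::a41:20e:22"\n'
)

# Non-greedy address groups so the trailing ":port" is split off correctly for IPv6.
DNAT_RE = re.compile(r'msg="DNAT (.+?):(\d+)->(.+?):(\d+)"')

def embedded_ipv4(addr6, prefix=NAT64_PREFIX):
    """IPv4 host carried in the low 32 bits of a NAT64 /96 address,
    or None when the address does not belong to the nat64 prefix."""
    ip6 = ipaddress.IPv6Address(addr6)
    if ip6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(ip6) & 0xFFFFFFFF)

def egress_device(ipv4, routes=STATIC_ROUTES):
    """Longest-prefix match of an IPv4 host against the static route table."""
    host = ipaddress.ip_address(ipv4)
    best = None
    for net, dev in routes.items():
        network = ipaddress.ip_network(net)
        if host in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return best[1] if best else None

def vip64_range_in_prefix(extip=VIP64_EXTIP, prefix=NAT64_PREFIX):
    """True only if both ends of the vip64 extip range lie inside the nat64 prefix."""
    return all(ipaddress.IPv6Address(a) in prefix for a in extip)

def audit_dnat(trace=DEBUG_FLOW, prefix=NAT64_PREFIX):
    """Per DNAT line: (original dst, translated dst, embedded IPv4 or None, egress device or None)."""
    findings = []
    for m in DNAT_RE.finditer(trace):
        before, _port, after, _port2 = m.groups()
        v4 = embedded_ipv4(after, prefix)
        findings.append((before, after, v4, egress_device(v4) if v4 else None))
    return findings
```

Running `audit_dnat()` and `vip64_range_in_prefix()` on the quoted values shows which IPv4 host and tunnel the translated destination resolves to, and whether the VIP range and the nat64 prefix agree.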