I think the problem is with my firewall – I didn’t allow ULA addresses in my IPv6 firewall. I’ll confirm this soon.
I added the ipv6_ula() function to my IPv6 firewall.
Now it's good!
IP6TABLE="${IP6TABLE:-ip6tables}"   # ip6tables binary; the posted script never defined it

function ipv6_ula()
{
    echo " |";
    echo " + IPv6 - Unique Local Addresses (ULA) -----------------------";
    # Allow Unique Local Addresses (RFC 4193), fc00::/7
    # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    # Note: these rules match on address only, not on interface, so a ULA source
    # arriving on the WAN interface is accepted as well.
    echo " |\\";
    $IP6TABLE -A INPUT -s fc00::/7 -j ACCEPT
    $IP6TABLE -A FORWARD -s fc00::/7 -d fc00::/7 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fc00::/7 -j ACCEPT
    echo " | +--> fc00::/7 : ACCEPT";
    echo " | |";
    echo " | + IPv6 - Unique Local Addresses : [OK]";
}

function ipv6_multicast()
{
    echo " |";
    echo " + IPv6 - Addrs Multicast -----------------------";
    # Allow multicast, ff00::/8 (neighbour discovery and router advertisements need it)
    # network range : ff00:0000:0000:0000:0000:0000:0000:0000-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\";
    $IP6TABLE -A INPUT -d ff00::/8 -j ACCEPT
    $IP6TABLE -A FORWARD -s ff00::/8 -d ff00::/8 -j ACCEPT
    $IP6TABLE -A OUTPUT -d ff00::/8 -j ACCEPT
    echo " | +--> ff00::/8 : ACCEPT";
    echo " | |";
    echo " | + IPv6 - Addrs Multicast : [OK]";
}

function ipv6_link_local()
{
    echo " |";
    echo " + IPv6 - Addrs Link-Local Unicast -----------------------";
    # Allow Link-Local addresses, fe80::/10
    # network range : fe80:0000:0000:0000:0000:0000:0000:0000-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\";
    $IP6TABLE -A INPUT -s fe80::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fe80::/10 -d fe80::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fe80::/10 -j ACCEPT
    echo " | +--> fe80::/10 : ACCEPT";
    echo " | |";
    echo " | + IPv6 - Addrs Link-Local : [OK]";
}

function ipv6_strongswan()
{
    # Default ------------------
    echo " |";
    echo " + IPv6 - Addrs Site-Local Secure Area Network -------------------------";
    # Allow Secure Area Network addresses, fec0::/10
    # fec0::/10 is the old site-local range (deprecated by RFC 3879); it is kept
    # here because the strongSwan sites in this setup are addressed with it.
    # network range : fec0:0000:0000:0000:0000:0000:0000:0000-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\";
    $IP6TABLE -A INPUT -s fec0::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fec0::/10 -d fec0::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fec0::/10 -j ACCEPT
    echo " | +--> fec0::/10 : ACCEPT";
    echo " | |";
    echo " | + IPv6 - Addrs Secure Area Network : [OK]";
    # Add ------------------
    echo " |";
    # Allow Forwarding SLAN (fec0::/10) <> ULA (fc00::/7)
    # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " + IPv6 - Forwarding Addrs SWAN 2 ULA Networks -------------------------";
    echo " |\\";
    $IP6TABLE -A FORWARD -s fec0::/10 -d fc00::/7 -j ACCEPT
    $IP6TABLE -A FORWARD -d fec0::/10 -s fc00::/7 -j ACCEPT
    echo " | +--> fec0::/10 <?> fc00::/7 : ACCEPT";
    echo " | |";
    echo " | + IPv6 - Forwarding Addrs SWAN 2 ULA Networks : [OK]";
    echo " |";
}
Below is the firewall I made for myself.
I have a page in French with the Linux ip6tables firewall on ICMPv6 / IPv6.
And yet, checking my latest strongSwan tests (conf 4), everything was working fine from my subnets (containers) some time ago. I must have made a mistake.
That was it! I had not allowed forwarding of ULA networks.
Now it works correctly.
SubNetUK (LXC) <> SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR (LXC) - OK ping
SubNetUK (LXC) <> SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR (LXC) - OK services
Romain.
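An added example (mine, not Romain's script) of the same ULA / link-local / multicast rules, but bound to interfaces so that a spoofed ULA source on the WAN side is dropped while decrypted strongSwan traffic, which also arrives on the WAN interface, is still forwarded. vmbr0 as WAN interface and vmbr1 as container bridge are assumptions; IP6TABLE defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: vmbr0 is the upstream
# (WAN) interface, vmbr1 the LXC bridge. With IP6TABLE unset the functions
# only print the rules they would load; set IP6TABLE=ip6tables to apply them.
IP6TABLE="${IP6TABLE:-echo ip6tables}"
WAN_IF="${WAN_IF:-vmbr0}"
LXC_IF="${LXC_IF:-vmbr1}"
ULA_NET="fc00::/7"    # RFC 4193 unique local addresses
LL_NET="fe80::/10"    # link-local unicast
MCAST_NET="ff00::/8"  # multicast (neighbour discovery, router advertisements)

ipv6_local_rules() {
    # Link-local and multicast are needed for neighbour discovery on every
    # interface, so accept them on INPUT/OUTPUT; they are never forwarded.
    $IP6TABLE -A INPUT  -s "$LL_NET"    -j ACCEPT
    $IP6TABLE -A OUTPUT -d "$LL_NET"    -j ACCEPT
    $IP6TABLE -A INPUT  -d "$MCAST_NET" -j ACCEPT
    $IP6TABLE -A OUTPUT -d "$MCAST_NET" -j ACCEPT
}

ipv6_ula_rules() {
    # ULA packets decrypted from an IPsec tunnel show up on the WAN interface;
    # the policy match distinguishes them from cleartext (spoofed) ones.
    $IP6TABLE -A FORWARD -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -s "$ULA_NET" -d "$ULA_NET" -j ACCEPT
    # Anti-spoofing: any other ULA-sourced packet coming from the WAN is bogus.
    $IP6TABLE -A INPUT   -i "$WAN_IF" -s "$ULA_NET" -j DROP
    $IP6TABLE -A FORWARD -i "$WAN_IF" -s "$ULA_NET" -j DROP
    # Containers may reach the router and the other ULA networks (the forward
    # rule that was missing in the thread), but only from the container bridge.
    $IP6TABLE -A INPUT   -i "$LXC_IF" -s "$ULA_NET" -j ACCEPT
    $IP6TABLE -A FORWARD -i "$LXC_IF" -s "$ULA_NET" -d "$ULA_NET" -j ACCEPT
    $IP6TABLE -A OUTPUT  -d "$ULA_NET" -j ACCEPT
    # Replies to container-initiated flows may come back from any side.
    $IP6TABLE -A FORWARD -d "$ULA_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules a function would load; useful when reviewing a dry run.
rule_count() { "$1" | wc -l | tr -d ' '; }

ipv6_local_rules
ipv6_ula_rules
```

Run it once without IP6TABLE set to read the rule list, then with IP6TABLE=ip6tables to load it. The order inside ipv6_ula_rules matters: the IPsec policy accept must precede the WAN-side DROP, otherwise the site-to-site container traffic from the thread would be blocked again.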
AND with the MASQUERADE… it’s now good too
For example, to be able to "surf" with the router IP (do ULA NAT as in IPv4, for a network or for one machine (-s fc00:41d0:801:2000::1), except towards another ULA network (! -d fc00::/7)):
ip6tables -t nat -A POSTROUTING -o vmbr0 -s fc00:41d0:801:2000::1 ! -d fc00::/7 -j MASQUERADE
The function “nat_v6()” becomes :
IP6TABLE="${IP6TABLE:-ip6tables}"   # ip6tables binary; the posted script never defined it
WAN_IF=vmbr0
LXC_IF=vmbr1      # container bridge (not usable in POSTROUTING, see below)
LXC_NET=fc00::/7  # source prefix of the containers (assumed: any ULA; narrow it to your own prefix)
function nat_v6()
{
    # NAT FOR LXC EXCEPT TO THE ULA NETWORK
    # The nat POSTROUTING chain cannot match the input interface (ip6tables
    # rejects "-i $LXC_IF" there), so the container side is selected by source prefix.
    $IP6TABLE -t nat -A POSTROUTING -o $WAN_IF -s $LXC_NET ! -d fc00::/7 -j MASQUERADE
    echo " + NAT : [OK]";
}
Good luck, thanks again to your LinuX Containers developer team.
See you later.
Romain (LAB3W.ORJ)
Founder ZW3B.FR|EU|TV|NET|COM|BLOG
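An added example (mine, not Romain's nat_v6()) of the NAT66 rule: the nat POSTROUTING chain cannot match an input interface, so the container side is selected by source prefix, traffic about to enter the IPsec tunnel is excluded from NAT, and a small helper shows which destinations the "! -d fc00::/7" exclusion covers. vmbr0 and the /64 container prefix (built from the host address in the thread) are assumptions; IP6TABLE defaults to a dry run.

```shell
#!/bin/sh
# Added example, not the poster's nat_v6(). Assumptions: vmbr0 is the WAN
# interface and the containers live in fc00:41d0:801:2000::/64 (the /64 is
# inferred from the single host address quoted in the thread). With IP6TABLE
# unset the rules are only printed; set IP6TABLE=ip6tables to load them.
IP6TABLE="${IP6TABLE:-echo ip6tables}"
WAN_IF="${WAN_IF:-vmbr0}"
LXC_NET="${LXC_NET:-fc00:41d0:801:2000::/64}"

nat_v6() {
    # Packets about to be encrypted by strongSwan keep their ULA source:
    # ACCEPT in the nat table means "no NAT for this flow".
    $IP6TABLE -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    # Everything else from the containers that leaves via the WAN and is not
    # bound for another ULA network is masqueraded behind the router address.
    # POSTROUTING has no -i match, hence the source prefix instead of the bridge.
    $IP6TABLE -t nat -A POSTROUTING -o "$WAN_IF" -s "$LXC_NET" ! -d fc00::/7 -j MASQUERADE
}

# Pure-shell check of what "! -d fc00::/7" excludes: an address is ULA when its
# first 16-bit group, written with all four hex digits, starts with fc or fd.
# (A compressed group such as "fc0" is really 0fc0 and is therefore not ULA.)
is_ula() {
    case "$1" in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

nat_v6
```

The policy exclusion is the piece that is easy to forget: site-to-site packets also leave through the WAN interface before they are encrypted, and without it they would be masqueraded whenever the remote site is not addressed from fc00::/7.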