@jice
Last active May 15, 2019 17:21
Strongswan + Windows VPN IKEv2 + IPv6
Problem Statement
-----------------
The Windows native VPN client does not install a default IPv6 route through the tunnel, even when the negotiated remote traffic selector is ::/0.
Causes
------
Windows sends router solicitations and waits for router advertisements from the other side. To do this it uses link-local unicast and multicast addresses, exactly as a host on a broadcast-capable link (e.g. Ethernet) would.
If you only configured a virtual IP (rightsourceip) in Strongswan, the negotiated traffic selectors do not cover traffic from Windows with a source address in fe80::/10, so the solicitations never enter the tunnel, and sniffing the protected traffic will not reveal Windows' attempts at router discovery.
Solution
--------
- Enable the kernel-libipsec plugin in Strongswan (this creates an ipsec0 interface on your system) so that radvd has an interface to work on
- Configure a static link-local address on ipsec0
# ip a a fe80::1/64 dev ipsec0
- Use the radvd daemon to advertise, on the ipsec0 interface, the /64 prefix containing your rightsourceip pool together with the MTU (e.g. 1400)
- Add fe80::/64 to the remote traffic selectors of your connection in ipsec.conf (in addition to rightsourceip)
rightsubnet=fe80::/64
Caveats
-------
- The link-local address configured on ipsec0 does not persist across Strongswan restarts. Perhaps use an updown script?
- radvd should be (re)started only once the ipsec0 interface exists (i.e. after Strongswan has started) and the link-local address is configured
- I haven't tested communication between two Windows clients connected to the same Strongswan server when both have a virtual IP in the same /64. Windows seems to use Neighbor Discovery over IPsec (for DAD only?), and the RA sent by a Windows VPN server says the /64 prefix is on-link...
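The updown hook below is an added example covering both the Solution and the Caveats above; it is not part of the original gist and not one of the commenters' configurations. It assumes the ipsec0 interface and fe80::1/64 from the text, a systemd unit named radvd, the ipsec.conf / strongswan.conf / radvd.conf lines listed in its header comment (the `%dynamic` entry keeps the virtual IP in the selector set next to fe80::/64, as in the first comment below), and the up-client-v6 / down-client-v6 verbs that charon's updown plugin passes for IPv6 traffic selectors. Restarting radvd on every tunnel up is deliberately blunt: it guarantees radvd only ever starts after ipsec0 exists and carries the link-local address, and radvd sends an unsolicited RA on startup, so the newly connected Windows client gets its prefix without waiting for a solicitation.

```shell
#!/bin/sh
# ipsec0-updown: strongSwan updown hook (added example, not from the gist).
# It re-applies the non-persistent link-local address on ipsec0 and (re)starts
# radvd only once the interface exists, which addresses the first two caveats.
#
# Assumed surrounding configuration (names and prefix are assumptions):
#   strongswan.conf:  charon { plugins { kernel-libipsec { load = yes } } }
#   ipsec.conf, conn roadwarrior:
#       rightsourceip=2001:db8:1::/64         # documentation prefix, assumed
#       rightsubnet=fe80::/64,%dynamic        # link-local TS + the virtual IP
#       leftupdown=/usr/local/libexec/ipsec/ipsec0-updown   # assumed path
#   radvd.conf:
#       interface ipsec0 { AdvSendAdvert on; AdvLinkMTU 1400;
#                          prefix 2001:db8:1::/64 { AdvOnLink off; }; };
#   (AdvOnLink off is an assumption to keep clients in the same /64 from
#    trying to reach each other directly; see the third caveat.)
#
# charon sets PLUTO_VERB to up-client-v6 / down-client-v6 (or up-host-v6 /
# down-host-v6) for IPv6 selectors. Set DRY_RUN=1 to print instead of execute.

IPSEC_IF="${IPSEC_IF:-ipsec0}"
LLADDR="${LLADDR:-fe80::1/64}"
RADVD_UNIT="${RADVD_UNIT:-radvd}"   # assumed systemd unit name

# Execute a command, or print it when DRY_RUN=1 (lets the hook be tested
# without root and without a live charon).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Re-apply the link-local address; 'replace' is idempotent, so this is safe
# to run for every CHILD_SA that comes up, not just the first one.
ensure_lladdr() {
    run ip -6 address replace "$LLADDR" dev "$IPSEC_IF"
}

# (Re)start radvd now that ipsec0 exists and carries fe80::1. radvd emits an
# unsolicited RA at startup, so the new client is served immediately.
restart_radvd() {
    run systemctl restart "$RADVD_UNIT"
}

# Map an updown verb to the action this hook takes. Prints the action and
# returns 0 for verbs it handles, returns 1 for verbs it deliberately ignores
# (IPv4 selectors, anything unknown).
updown_action() {
    case "$1" in
        up-client-v6|up-host-v6)     echo start ;;
        down-client-v6|down-host-v6) echo noop ;;   # other clients still need radvd
        *)                           return 1 ;;
    esac
}

updown_main() {
    action=$(updown_action "${PLUTO_VERB:-}") || return 0
    case "$action" in
        start) ensure_lladdr && restart_radvd ;;
        noop)  : ;;
    esac
}

# Act only when charon executes the hook by name, not when the file is
# sourced for testing.
if [ "${0##*/}" = "ipsec0-updown" ]; then
    updown_main
fi
```

Install it with the execute bit set, point `leftupdown` at it, and run `DRY_RUN=1 PLUTO_VERB=up-client-v6 sh ipsec0-updown` first to see the two commands it would issue. On hosts without systemd, replace `restart_radvd` with the local service command; everything else is plain iproute2.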
sam0737 commented Jan 10, 2015

Can you please share the ipsec.conf, radvd.conf and ipsec statusall?
After connection establishment, I can't even get both side pinging each other with link-local address.
I see traffic coming from the remote side (by tcpdump on ipsec0), but I guess packets are not reaching the other end - right, I have already put rightsubnet=fe80::/64,%dynamic

ValdikSS commented
@jice, can you please provide configs that work for you? I didn't manage to configure it to make it work. Windows sends router solicitations, radvd answers with router advertisements, but it still doesn't work.
