The specification of IPv6 in Windows 10 VPN (L2TP/IPsec) is as follows:

MO 20 Reputation points
2023-09-04T10:20:44.7133333+00:00

[Question]

Is it the correct behavior of Windows 10 that when establishing an IPv6 VPN connection (L2TP/IPsec), ISAKMP-based IKE message exchange is conducted with Windows 10's IPv6 address as the source?

[Background]

Upon inspecting the packet flow of IPv6 VPN connections (L2TP/IPsec) on Windows 10, the following sequence of communication was observed:

VPN Configuration on Windows 10:

Server name or address: Enter any IPv6 address
VPN type: L2TP/IPsec with a pre-shared key

(1) IKE message exchange via ISAKMP: Windows 10 (source: IPv6 address) ⇔ VPN Server

(2) IKE message exchange via ISAKMP: Windows 10 (source: Temporary IPv6 address) ⇔ VPN Server

(3) Encrypted communication via ESP: Windows 10 (source: Temporary IPv6 address) ⇔ VPN Server

(4) Ultimately, the VPN connection is established using a temporary IPv6 address.

As an experiment, when the Windows Firewall feature was used to block packets of (1) with the IPv6 address as the source, (2) with a temporary IPv6 address as the source did not occur, and the VPN connection was not established. Therefore, it appears that the IKE message exchange with the IPv6 address as the source in (1) is necessary.

However, from the perspective of the VPN server, (1) and (2) have different source addresses, suggesting that two different VPN connection requests are being received. Therefore, in the configuration of the VPN server, there should be no issues if it can handle multiple VPN clients (2 or more). But if the VPN server is configured to allow only one VPN client, (1) may occupy the available resources, preventing the establishment of the VPN connection with (2) using a temporary IPv6 address as the source.

I questioned whether the ISAKMP-based IKE message exchange with Windows 10's IPv6 address as the source is the correct behavior of Windows 10.

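The observation above (two ISAKMP exchanges from different source addresses of the same client, followed by ESP from the temporary one) is exactly what a VPN server operator sees as "two clients" in their logs. The following Python script is an added example and is not part of the original question or of any Microsoft code: it parses a constructed capture summary (one line per packet, "timestamp src dst proto dport", using the 2001:db8::/32 documentation prefix) and groups the ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP sources seen toward a server by their /64 prefix. The /64 grouping is an assumption: it relies on the stable and temporary (RFC 4941) addresses of one host being assigned from the same SLAAC prefix, which is the usual case but not guaranteed.

```python
import ipaddress
from collections import defaultdict

# Constructed capture summary (not taken from the original post). One packet per line:
# "timestamp src dst proto dport". The client 2001:db8:1::10 starts ISAKMP, then its
# temporary address 2001:db8:1:0:7a31:9c0e:44d2:b1f0 starts ISAKMP again and carries ESP.
SAMPLE_CAPTURE = """\
0.000 2001:db8:1::10 2001:db8:ffff::1 udp 500
0.012 2001:db8:ffff::1 2001:db8:1::10 udp 500
0.040 2001:db8:1::10 2001:db8:ffff::1 udp 500
0.055 2001:db8:1:0:7a31:9c0e:44d2:b1f0 2001:db8:ffff::1 udp 500
0.070 2001:db8:ffff::1 2001:db8:1:0:7a31:9c0e:44d2:b1f0 udp 500
0.110 2001:db8:1:0:7a31:9c0e:44d2:b1f0 2001:db8:ffff::1 esp -
0.125 2001:db8:ffff::1 2001:db8:1:0:7a31:9c0e:44d2:b1f0 esp -
"""

ISAKMP_PORT = 500   # IKE over UDP
NATT_PORT = 4500    # IKE / UDP-encapsulated ESP when NAT-T is negotiated


def parse_capture(text):
    """Parse summary lines into dicts; blank or malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            packets.append({
                "ts": float(ts),
                "src": ipaddress.IPv6Address(src),
                "dst": ipaddress.IPv6Address(dst),
                "proto": proto.lower(),
                "dport": int(dport) if dport.isdigit() else None,
            })
        except ValueError:
            continue
    return packets


def classify(pkt):
    """Label a packet as isakmp, nat-t, esp, or None for anything else."""
    if pkt["proto"] == "udp" and pkt["dport"] == ISAKMP_PORT:
        return "isakmp"
    if pkt["proto"] == "udp" and pkt["dport"] == NATT_PORT:
        return "nat-t"
    if pkt["proto"] == "esp":
        return "esp"
    return None


def client_sources(packets, server):
    """Map each traffic class to the set of client addresses that sent it to the server."""
    server = ipaddress.IPv6Address(server)
    sources = defaultdict(set)
    for pkt in packets:
        kind = classify(pkt)
        if kind and pkt["dst"] == server:
            sources[kind].add(pkt["src"])
    return sources


def same_prefix_groups(addresses, prefixlen=64):
    """Group addresses by /64 (assumed SLAAC prefix) so that a host's stable and
    temporary addresses land in the same bucket."""
    groups = defaultdict(set)
    for addr in addresses:
        net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
        groups[str(net)].add(addr)
    return groups


def find_multi_address_peers(packets, server):
    """Return {prefix: [addresses]} for every /64 from which more than one source
    address opened an ISAKMP exchange with the server. A server limited to one
    client would see the second address in such a group as a second client."""
    sources = client_sources(packets, server)
    return {net: [str(a) for a in sorted(addrs)]
            for net, addrs in same_prefix_groups(sources["isakmp"]).items()
            if len(addrs) > 1}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for kind, addrs in sorted(client_sources(pkts, "2001:db8:ffff::1").items()):
        print(f"{kind:7s} sources: {', '.join(str(a) for a in sorted(addrs))}")
    for net, addrs in find_multi_address_peers(pkts, "2001:db8:ffff::1").items():
        print(f"prefix {net} used {len(addrs)} ISAKMP source addresses: {addrs}")
```

Run against a real capture, the report makes it easy to confirm whether a failed connection is the single-client case described in the question (a second ISAKMP source from the same /64 while the first one still holds the slot) rather than a pre-shared-key or firewall problem.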

1 answer

  1. Limitless Technology 44,031 Reputation points
    2023-09-06T08:54:31.35+00:00

    Hello there,

    Yes, this will be the correct behaviour.

    Many small networks use a router with NAT functionality to share a single Internet address among all the computers on the network. The original version of IPSec drops a connection that goes through a NAT because it detects the NAT's address-mapping as packet tampering. Home networks frequently use a NAT. This blocks using L2TP/IPSec unless the client and the VPN gateway both support the emerging IPSec NAT-Traversal (NAT-T) standard. For more information, see the "NAT Traversal" section.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--