[Question]
Is it the correct behavior of Windows 10 that, when establishing an IPv6 VPN connection (L2TP/IPsec), the ISAKMP-based IKE message exchange is conducted with Windows 10's IPv6 address as the source?
[Background]
Upon inspecting the packet flow of IPv6 VPN connections (L2TP/IPsec) on Windows 10, the following sequence of communication was observed:
VPN Configuration on Windows 10:
Server name or address: Enter any IPv6 address
VPN type: L2TP/IPsec with a pre-shared key
(1) IKE message exchange via ISAKMP
Windows 10 (source: IPv6 address) ⇔ VPN Server
(2) IKE message exchange via ISAKMP
Windows 10 (source: Temporary IPv6 address) ⇔ VPN Server
(3) Encrypted communication via ESP
Windows 10 (source: Temporary IPv6 address) ⇔ VPN Server
(4) Ultimately, the VPN connection is established using a temporary IPv6 address.
As an experiment, when the Windows Firewall feature was used to block the packets of (1), which have the IPv6 address as the source, the exchange of (2), with a temporary IPv6 address as the source, did not occur, and the VPN connection was not established. Therefore, it appears that the IKE message exchange with the IPv6 address as the source in (1) is necessary.
However, from the perspective of the VPN server, (1) and (2) have different source addresses, suggesting that two different VPN connection requests are being received. Therefore, in the configuration of the VPN server, there should be no issues if it can handle multiple VPN clients (2 or more). But if the VPN server is configured to allow only one VPN client, (1) may occupy the available resources, preventing the establishment of the VPN connection with (2) using a temporary IPv6 address as the source.
I questioned whether the ISAKMP-based IKE message exchange with Windows 10's IPv6 address as the source is the correct behavior of Windows 10.
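One way to check a capture for the pattern described in the question, as an added example that is not part of the original post: it groups IKE (UDP 500/4500) and ESP packets sent toward a VPN server by client source address and reports addresses that took part in IKE but never carried ESP. The packet records and all addresses are constructed, and the record shape (timestamp, src, dst, proto, dst_port), as one might export from a capture tool, is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records modelled on steps (1)-(3) of the question; not a real capture.
# Assumed addresses: 2001:db8::10 = client's IPv6 address, 2001:db8::abcd = client's
# temporary IPv6 address, 2001:db8:1::1 = VPN server.
PACKETS = [
    (0.00, "2001:db8::10",   "2001:db8:1::1",  "udp", 500),   # (1) IKE from IPv6 address
    (0.01, "2001:db8:1::1",  "2001:db8::10",   "udp", 500),
    (0.20, "2001:db8::abcd", "2001:db8:1::1",  "udp", 500),   # (2) IKE from temporary address
    (0.21, "2001:db8:1::1",  "2001:db8::abcd", "udp", 500),
    (0.40, "2001:db8::abcd", "2001:db8:1::1",  "esp", None),  # (3) ESP from temporary address
    (0.41, "2001:db8:1::1",  "2001:db8::abcd", "esp", None),
]

def classify(pkt):
    """Return 'ike', 'esp' or None for one (ts, src, dst, proto, dport) record."""
    _, _, _, proto, dport = pkt
    if proto == "udp" and dport in (500, 4500):   # ISAKMP, or IKE/ESP over NAT-T
        return "ike"
    if proto == "esp":                            # IP protocol 50
        return "esp"
    return None

def client_sources(packets, server):
    """Map 'ike'/'esp' -> distinct client source addresses toward server, in first-seen order."""
    server = str(ip_address(server))
    seen = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        kind = classify(pkt)
        if kind is None or str(ip_address(pkt[2])) != server:
            continue
        src = str(ip_address(pkt[1]))             # normalise textual form before comparing
        if src not in seen[kind]:
            seen[kind].append(src)
    return dict(seen)

def analyse(packets, server):
    """Summarise which client addresses negotiated IKE and which actually carried ESP.
    An address present in IKE but absent from ESP is a peer the server saw only during
    negotiation, i.e. the extra 'client' the question worries about."""
    srcs = client_sources(packets, server)
    ike, esp = srcs.get("ike", []), srcs.get("esp", [])
    return {
        "ike_sources": ike,
        "esp_sources": esp,
        "ike_only_sources": [a for a in ike if a not in esp],
        "multiple_ike_peers": len(ike) > 1,
    }

if __name__ == "__main__":
    print(analyse(PACKETS, "2001:db8:1::1"))
```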