I wonder how an IPv6 RAC node gets to know any router if it is connected in an IPv6/IPsec/IKEv2 VPN scenario.

The IKEv2 configuration payload only assigns an address + netmask and gives a DHCPv6 server address, but DHCPv6 does not have any options for publishing routers. Therefore, to get to know routers, Router Solicitation/Advertisement is needed.

The RAC host is allowed to send its Router Solicitation with the source IPv6 address assigned by the IKEv2 configuration payload; the destination address, however, has to be the link-scope all-routers multicast. -> first link-local address. The router answers by sending a Router Advertisement, which again has a link-local source address.

But having a selector for the link-scope all-routers multicast in the SPD/SAD is not a good idea if the scope of this SPD entry is not bound to a virtual interface representing the VPN tunnel (which is possible by RFC2401 and 2401bis) -> Router Solicitations on other interfaces of the host shall not be sent through the tunnel but on the link of that interface.

Without that mechanism the funny situation would arise that no routers are known for the VPN, although the RAC should be virtually connected to it. But it is clear that all packets intended for the VPN's address range have to be sent across the VPN tunnel anyway, and the prefixes served are the INTERNAL_IP_SUBNETS from the IKEv2 configuration payload.

Any comments?

Best regards
Peter
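
The interface-scoping concern raised in the message above, as an added example that is not part of the original post: a small Python model of an ordered SPD lookup in which an entry may be bound to one interface. The interface names `eth0` and `vpn0`, the prefix `2001:db8:10::/48`, and the names `SpdEntry`, `lookup` and `rs_actions` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Link-scope all-routers multicast, the destination of a Router Solicitation.
ALL_ROUTERS = ipaddress.ip_network("ff02::2/128")
# Constructed stand-in for a prefix learned from the IKEv2 configuration payload.
VPN_PREFIX = ipaddress.ip_network("2001:db8:10::/48")
ANY = ipaddress.ip_network("::/0")


@dataclass(frozen=True)
class SpdEntry:
    dst: ipaddress.IPv6Network
    action: str                      # "PROTECT" (via tunnel SA) or "BYPASS"
    interface: Optional[str] = None  # None: entry applies on every interface


def lookup(spd, dst, out_if):
    """Return the action of the first ordered entry matching dst and interface."""
    addr = ipaddress.ip_address(dst)
    for entry in spd:
        if entry.interface not in (None, out_if):
            continue  # entry is bound to a different interface
        if addr in entry.dst:
            return entry.action
    return "DISCARD"


def rs_actions(spd, interfaces):
    """Map each interface to what happens to a Router Solicitation sent on it."""
    return {ifname: lookup(spd, "ff02::2", ifname) for ifname in interfaces}


# Selector for ff02::2 with no interface binding: it matches on every link.
UNSCOPED = [
    SpdEntry(ALL_ROUTERS, "PROTECT"),
    SpdEntry(VPN_PREFIX, "PROTECT"),
    SpdEntry(ANY, "BYPASS"),
]
# Same selector bound to the virtual interface that represents the tunnel.
SCOPED = [
    SpdEntry(ALL_ROUTERS, "PROTECT", interface="vpn0"),
    SpdEntry(VPN_PREFIX, "PROTECT"),
    SpdEntry(ANY, "BYPASS"),
]

if __name__ == "__main__":
    print("unscoped:", rs_actions(UNSCOPED, ["eth0", "vpn0"]))
    print("scoped:  ", rs_actions(SCOPED, ["eth0", "vpn0"]))
```

With the unscoped list, a Router Solicitation on the physical link is pulled into the tunnel; with the scoped list only the one sent on the tunnel interface is.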