# Passthrough For proper IPv6 Neighbor Discovery (RFC 4861)
#
# The unicast Neighbor Advertisement reply message must be sent
# in plaintext even if we have an IPsec SA for the destination,
# because the other end might have crashed or rebooted and lost
# its IPsec SA with our end. It will use IPv6 Neighbor Discovery
# to find our end again. Without this policy hole, the neighbor
# discovery answer packet is caught by the kernel and encrypted.
# As a result, the rebooted end won't be able to find us and won't
# be able to send us an IKE packet to re-establish the IPsec SA.
#
# While the Neighbor Solicitation is multicast and would not
# be caught by the IPsec stack, we use it in the configuration
# to limit the range of ipv6-icmp covered. In a way, this would
# only need to be an outbound SA, but SAs come in bundles, so we
# need an inbound SA as well. Leaving protoport empty or set to
# any ipv6-icmp would cause us to send out more unencrypted traffic,
# which would be dropped once the IPsec SA has re-established.
# So we set the inbound protoport to ipv6-icmp Neighbor Advertisement.
# (solution by Jaroslav Aster)
#
# Configuration
#
# ipv6-icmp Neighbor Solicitation is Type 135, Code 0.
# ipv6-icmp Neighbor Advertisement is Type 136, Code 0.
# As per RFC 4301/5996, the icmp type is put in the most significant 8 bits
# and the icmp code in the least significant 8 bits of the port field.
# proto is 58 (ipv6-icmp)
# type = 135 (0x87) or 136 (0x88)
# code = 0 (0x00)
# so "port" in protoport is 0x8700 (34560) for Neighbor Solicitation.
# so "port" in protoport is 0x8800 (34816) for Neighbor Advertisement.

conn v6neighbor-hole-in
        left=::1
        leftsubnet=::0/0
        leftprotoport=58/34560
        rightprotoport=58/34816
        rightsubnet=::0/0
        right=::0
        connaddrfamily=ipv6
        authby=never
        type=passthrough
        auto=route
        priority=10

conn v6neighbor-hole-out
        left=::1
        leftsubnet=::0/0
        leftprotoport=58/34816
        rightprotoport=58/34560
        rightsubnet=::0/0
        right=::0
        connaddrfamily=ipv6
        authby=never
        type=passthrough
        auto=route
        priority=10
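# As an added example (not part of this file or the libreswan distribution), a
# small Python helper that applies the type/code-to-port encoding described above
# and renders the two mirror-image conn stanzas; the conn names, addresses and
# option layout are taken from this file, the function names are assumptions.

```python
# Added example: helpers for the ICMPv6 type/code -> protoport encoding
# used above (type in the high 8 bits, code in the low 8 bits of "port").
IPV6_ICMP = 58      # IP protocol number for ipv6-icmp
ND_SOLICIT = 135    # RFC 4861 Neighbor Solicitation, code 0
ND_ADVERT = 136     # RFC 4861 Neighbor Advertisement, code 0


def icmp_port(icmp_type: int, icmp_code: int = 0) -> int:
    """Pack ICMP type and code into the 16-bit 'port' field (RFC 4301 style)."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("type and code must each fit in 8 bits")
    return (icmp_type << 8) | icmp_code


def parse_protoport(spec: str) -> tuple[int, int, int]:
    """Decode a 'proto/port' selector back into (proto, icmp_type, icmp_code).

    Only ipv6-icmp (58) is accepted, since that is all this file covers.
    """
    proto_s, port_s = spec.split("/", 1)
    proto, port = int(proto_s), int(port_s)
    if proto != IPV6_ICMP:
        raise ValueError(f"not an ipv6-icmp selector: {spec}")
    return proto, port >> 8, port & 0xFF


def render_conn(name: str, left_type: int, right_type: int) -> str:
    """Render one passthrough conn with the option layout used in this file."""
    lines = [
        f"conn {name}",
        "        left=::1",
        "        leftsubnet=::0/0",
        f"        leftprotoport={IPV6_ICMP}/{icmp_port(left_type)}",
        f"        rightprotoport={IPV6_ICMP}/{icmp_port(right_type)}",
        "        rightsubnet=::0/0",
        "        right=::0",
        "        connaddrfamily=ipv6",
        "        authby=never",
        "        type=passthrough",
        "        auto=route",
        "        priority=10",
    ]
    return "\n".join(lines)


def render_neighbor_hole() -> dict[str, str]:
    """The two stanzas from this file: -out is the mirror image of -in."""
    return {
        "v6neighbor-hole-in": render_conn("v6neighbor-hole-in", ND_SOLICIT, ND_ADVERT),
        "v6neighbor-hole-out": render_conn("v6neighbor-hole-out", ND_ADVERT, ND_SOLICIT),
    }
```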