Ip6in4 tunnel + ipsec encryption, is this possible?

Hello,

I've been trying unsuccessfully to set up an SSG5 with a transport-mode VPN tunnel between two IPv4 endpoints that I then run proto 41 over to achieve an encrypted IPv6 tunnel. I am able to get the transport IPsec nailed up (ping tests and packet capture on the remote end confirm the pings are ESP-encapsulated), but when I try to target a proto 41 tunnel to the remote side, the proto 41 tunnel avoids the IPsec path and tries to send directly out, unencrypted.

What we do is, once we have the endpoints nailed up over IPv6, we then run BGP to dynamically adjust routes without needing policy/proxy-ids. This method has been working like gangbusters with both Linux (racoon + sit tunnels) and Cisco (vpnmap + tunnel if's), so the SSG5s are the last items in my network I have to get this working on before we can really go whole-hog in our v6 mesh routing project.

Has anyone tried this type of configuration before? Any suggestions on how this can be implemented? Someone with a bunch of ScreenOS knowledge mentioned to me that this might require a cross-vrouter setup, but he didn't get into detail before he had to depart, so I'm left wondering if this is the right path to take.

Disclaimer: I'm good with Cisco and general networking, but am only so-so on ScreenOS, so if you are going to relate a topic, please toss me a link on where I can read up on the concept.

Thanks in advance,
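A small cleartext-leak check, added here as an example and not part of the original post: it parses raw IPv4 headers (for instance from a capture taken on the remote end) and flags any proto 41 packet exchanged between the two tunnel endpoints that is not carried inside ESP, which is exactly the symptom described above. The endpoint addresses and the sample packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

PROTO_IPV6 = 41   # 6in4 / sit tunnel payload
PROTO_ESP = 50    # what we expect to see on the wire once IPsec transport mode applies

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and return protocol, addresses and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "proto": pkt[9],
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],
    }

def audit(packets, endpoints):
    """Return (src, dst) for every proto 41 packet between the two endpoints
    that went out unencrypted instead of being wrapped in ESP."""
    peers = set(endpoints)
    leaks = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if {h["src"], h["dst"]} == peers and h["proto"] == PROTO_IPV6:
            leaks.append((h["src"], h["dst"]))
    return leaks

def make_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header for a constructed sample (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Assumed tunnel endpoints (documentation addresses, not from the original post).
A, B = "192.0.2.1", "198.51.100.1"
SAMPLE = [
    make_ipv4(A, B, PROTO_ESP, b"\x00\x00\x01\x00" + b"\x00" * 4 + b"\xaa" * 16),  # ESP: fine
    make_ipv4(A, B, PROTO_IPV6, b"\x60" + b"\x00" * 39),                          # cleartext 6in4: leak
    make_ipv4(A, "203.0.113.9", PROTO_IPV6, b"\x60" + b"\x00" * 39),              # other peer: ignored
]

def run_audit():
    return audit(SAMPLE, (A, B))

if __name__ == "__main__":
    for src, dst in run_audit():
        print(f"LEAK: cleartext proto 41 {src} -> {dst}")
```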