>       Another theory is that the IPv6 IPSec and the IPv4 IPSec will be
> able to establish a security association with each other, as long as the key
> (Pre-shared secret) and the encryption settings are the same.

No, the IPSEC end-points see 6to4 as IPv6 protocol, so you run the
IPSEC as IPv6 IPSEC on the IPv6 packets with 6to4 addresses. The
6to4 gateway operates on IPSECed packets.

  IPv6(6to4-dst,6to4-src)  TCP ...
--> apply IPSEC
  IPv6(6to4-dst,6to4-src) ESP "encrypted TCP"
--> apply 6to4
  IPv4 (ipv4-src, ipv4-dst)  IPv6(6to4-dst,6to4-src) ESP "encrypted TCP"

  (go over IPv4 internet)

--> apply 6to4
  IPv6(6to4-dst,6to4-src) ESP "encrypted TCP"
--> apply IPSEC
  IPv6(6to4-dst,6to4-src)  TCP ...

Thus, 6to4 end-to-end IPSEC is the same as any IPv6 IPSEC. No special
handling needed.

Of course, alternatively, you could have policy applying to the IPv4
packet after 6to4 processing, but then the IPSEC association would be
between 6to4 gateways. But, this is totally independent of the other
IPSEC layer.

    ipv6-host ----- 6to4-gw =============== 6to4-gw --------ipv6-host
                        <-----IPSEC 2 -------->
         <---------------------IPSEC 1 ------------------------->

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
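The layering in the message above, as an added example that is not part of the original post: it builds an IPv6 packet carrying ESP, wraps it in IPv4 protocol 41 as a 6to4 gateway would, unwraps it at the far side and shows the ESP-protected packet is byte-identical. The addresses, SPI and "ciphertext" bytes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

def checksum(b: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an even-length header."""
    s = sum(struct.unpack(f"!{len(b) // 2}H", b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header followed by the payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def encap_6to4(pkt6: bytes) -> bytes:
    """Sending gateway: wrap the IPv6 packet, untouched, in IPv4 protocol 41."""
    src4 = ipaddress.IPv6Address(pkt6[8:24]).sixtofour
    dst4 = ipaddress.IPv6Address(pkt6[24:40]).sixtofour
    if src4 is None or dst4 is None:
        raise ValueError("both addresses must be 6to4 (2002::/16)")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pkt6), 0, 0,
                      64, 41, 0, src4.packed, dst4.packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt6

def decap_6to4(pkt4: bytes) -> bytes:
    """Receiving gateway: validate the IPv4 header and strip it."""
    ihl = (pkt4[0] & 0x0F) * 4
    if pkt4[9] != 41 or checksum(pkt4[:ihl]) != 0:
        raise ValueError("not a valid protocol-41 packet")
    return pkt4[ihl:]

def demo():
    # Constructed sample: 6to4 prefixes for 192.0.2.1 and 198.51.100.2
    src6, dst6 = "2002:c000:201::1", "2002:c633:6402::1"
    # Constructed ESP: SPI, sequence number, then opaque stand-in ciphertext
    esp = struct.pack("!II", 0x1000, 1) + bytes(range(32))
    protected = ipv6_packet(src6, dst6, 50, esp)   # after "apply IPSEC"
    on_wire = encap_6to4(protected)                # after "apply 6to4"
    received = decap_6to4(on_wire)                 # far gateway's output
    return protected, on_wire, received

if __name__ == "__main__":
    protected, on_wire, received = demo()
    print("outer proto:", on_wire[9], "inner next header:", on_wire[26])
    print("ESP packet unchanged by 6to4:", received == protected)
```

The outer IPv4 addresses are derived from the 6to4 addresses alone, so the gateways need no knowledge of the security association between the end hosts.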
