I have set up a point-to-point transport IPsec session between a ScreenOS router (SSG-5) and a Cisco 3925. The IPsec transport itself works great, but as soon as I try to direct the protocol 41 traffic over the transport, the packets don't transit properly.
I assumed at first that you would need to create a tunnel for the IPsec connection, then target the ip6in4 tunnel with the outgoing-interface of the IPsec tunnel, but ScreenOS won't let you create a tunnel on a tunnel.
Additionally, I tried using a policy-based VPN, but when I attempt to use "tunnel vpn" as a policy target it tells me "unknown command". Is there a master on/off switch for policy-based IPsec?
Below is what I think is the pertinent configuration, though I'll be more than happy to provide more info as required.
SCREENOS CONFIG:
---------------------------
set zone id 105 "mytunnel_TUNNEL"
set zone "mytunnel_TUNNEL" tcp-rst
set interface "tunnel.5" zone "mytunnel_TUNNEL"
set address "mytunnel_TUNNEL" "fdee:7e1e::/32" fdee:7e1e::/32
set ike gateway "micmplsv4" address 2.2.2.157 Main outgoing-interface "ethernet0/0" preshare "igdZeIcKNobfusol+CQcpIfvwnFwrxb5g==" sec-level compatible
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" monitor optimized rekey
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set policy id 137 from "DMZ" to "mytunnel_TUNNEL" "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set policy id 136 from "mytunnel_TUNNEL" to "DMZ" "fdee:7e1e::/32" "fdbe:a922:a316:2::/64" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface ethernet0/0
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set route 2.2.2.157/32 interface tunnel.3
CISCO CONFIG:
------------------------------
ip access-list extended mic2pg
permit ip host 2.2.2.157 host 8.8.8.10
!
crypto ipsec transform-set transport-esp-3des-sha esp-3des esp-sha-hmac
mode transport
!
crypto map vpnmap 30 ipsec-isakmp
set peer 8.8.8.10
set transform-set transport-esp-3des-sha
match address mic2pg
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 2.2.2.157 255.255.255.224
crypto map vpnmap
!
interface Tunnel3
no ip address
ipv6 address FDEE:7E1E:100:F002::1/64
ipv6 enable
tunnel source 2.2.2.157
tunnel mode ipv6ip
tunnel destination 8.8.8.10
!
end
I've done tons of IPv6 on ScreenOS, both natively and with tunnels. I've done exactly what you're asking about (although not with a Cisco at the other end). Here's what to do.
Get rid of the 6in4 stuff. Use only one tunnel interface, and unset the proxy-id on both sides. Build the tunnel with v4 endpoints, then route the remote v6 prefix as well as the remote v4 prefix to the tunnel interface.
Update: As requested, example config.
Notes:
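As an added illustration, not part of the original post or either answer: a small Python lint that reads the ScreenOS lines from the question and flags the three things the answer above says to change (IPsec transport mode on a VPN bound to a tunnel interface, proxy-id check left on with IPv4-only proxy-ids while IPv6 prefixes are policied or routed into the tunnel, and a tunnel interface in the VPN zone with no VPN bound to it). Both sample configs are constructed here: the first is trimmed from the question, the second is what the question's config looks like after following the answer's advice, and its IPv6 "set route" syntax is an assumption rather than something taken from the page.

```python
import ipaddress
import shlex

# Constructed sample: the ScreenOS lines from the question, trimmed to what the checks read.
SAMPLE_CONFIG = """\
set zone id 105 "mytunnel_TUNNEL"
set interface "tunnel.5" zone "mytunnel_TUNNEL"
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set policy id 137 from "DMZ" to "mytunnel_TUNNEL" "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set policy id 136 from "mytunnel_TUNNEL" to "DMZ" "fdee:7e1e::/32" "fdbe:a922:a316:2::/64" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set route 2.2.2.157/32 interface tunnel.3
"""

# Constructed "after the advice" sample: one tunnel interface, tunnel mode, no proxy-id,
# v4 and v6 remote prefixes routed at the tunnel. IPv6 route syntax is an assumption.
FIXED_CONFIG = """\
set zone id 105 "mytunnel_TUNNEL"
set interface "tunnel.3" zone "mytunnel_TUNNEL"
set vpn "mytunnel" gateway "micmplsv4" no-replay idletime 0 sec-level compatible
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set policy id 137 from "DMZ" to "mytunnel_TUNNEL" "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set route 2.2.2.157/32 interface tunnel.3
set route fdee:7e1e::/32 interface tunnel.3
"""


def is_v6(prefix):
    """True for an IPv6 prefix; False for IPv4 or an address-book name such as ANY."""
    try:
        return ipaddress.ip_network(prefix, strict=False).version == 6
    except ValueError:
        return False


def parse_screenos(text):
    """Reduce 'set ...' lines to the vpn, interface-zone, policy and route facts needed."""
    vpns, iface_zone, policies, routes = {}, {}, [], []
    for raw in text.splitlines():
        t = shlex.split(raw)              # strips the quotes ScreenOS prints
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "vpn":
            v = vpns.setdefault(t[2], {"mode": None, "bind": None,
                                       "proxy_check": False, "proxy_ids": []})
            rest = t[3:]
            if rest and rest[0] == "gateway":   # transport keyword is optional; tunnel is default
                v["mode"] = "transport" if "transport" in rest else "tunnel"
            if "bind" in rest and "interface" in rest:
                v["bind"] = rest[rest.index("interface") + 1]
            if rest[:2] == ["proxy-id", "check"]:
                v["proxy_check"] = True
            if rest[:2] == ["proxy-id", "local-ip"]:
                v["proxy_ids"].append((rest[2], rest[4]))
        elif t[1] == "interface" and len(t) >= 5 and t[3] == "zone":
            iface_zone[t[2]] = t[4]
        elif t[1] == "policy" and "from" in t:
            i = t.index("from")
            policies.append({"from": t[i + 1], "to": t[i + 3], "src": t[i + 4], "dst": t[i + 5]})
        elif t[1] == "route" and len(t) >= 5 and t[3] == "interface":
            routes.append((t[2], t[4]))
    return vpns, iface_zone, policies, routes


def lint(text):
    """Return human-readable findings; an empty list means none of the three issues is present."""
    vpns, iface_zone, policies, routes = parse_screenos(text)
    findings = []
    tunnel_ifaces = {i for i in iface_zone if i.startswith("tunnel.")}
    tunnel_zones = {iface_zone[i] for i in tunnel_ifaces}
    bound = {v["bind"] for v in vpns.values() if v["bind"]}

    # IPv6 destinations the box is trying to push toward a tunnel: policy destinations into
    # a zone that holds a tunnel interface, plus routes that point at a tunnel interface.
    v6_wanted = [p["dst"] for p in policies if p["to"] in tunnel_zones and is_v6(p["dst"])]
    v6_wanted += [pfx for pfx, i in routes if i in tunnel_ifaces and is_v6(pfx)]

    for name, v in vpns.items():
        if v["mode"] == "transport" and v["bind"] in tunnel_ifaces:
            findings.append(f"vpn {name}: transport mode but bound to {v['bind']}; "
                            "a route-based VPN carrying other traffic uses tunnel mode")
        if (v["proxy_check"] and v6_wanted and v["proxy_ids"]
                and all(not is_v6(l) and not is_v6(r) for l, r in v["proxy_ids"])):
            findings.append(f"vpn {name}: proxy-id check is on with IPv4-only proxy-ids "
                            f"{v['proxy_ids']} while IPv6 {sorted(set(v6_wanted))} is sent "
                            "toward the tunnel; unset proxy-id on both sides")
    for iface in sorted(tunnel_ifaces - bound):
        zone = iface_zone[iface]
        hits = [p["dst"] for p in policies if p["to"] == zone]
        if hits:
            findings.append(f"{iface} (zone {zone}) has no VPN bound, yet policies send "
                            f"{hits} into that zone; nothing encrypts it there")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", SAMPLE_CONFIG), ("after advice", FIXED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print(" -", f)
```

Run it against a real "get config" dump after stripping everything but the set lines; the parser only looks at vpn, interface/zone, policy and route statements, so unrelated lines are ignored.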
I know that there is a problem in ScreenOS with routing 6in4 traffic directly. What people usually do is create a loopback interface for the terminating end of the 6in4 tunnel and then route IPv6 traffic through it. I use a similar configuration for my 6in4 tunnel with SixXS, but I think the general principle may be applicable to your case as well. Please check this link for more info, especially the "Update sept 13, 2009" part.