IPv6 and IPSec in real life....

David Burgess burgess@mitre.org
Thu, 06 Apr 2000 08:41:02 -0500


itojun@iijlab.net wrote:
> 
> >Here's what I have right now:
> >
> >(Best viewed in a fixed font)
> >
> >+-----+
> >|     |          A:  Windows 95 machine using a Random Address
> >|  A  |-----+        from a local ISP.
> >|     |     |    B:  NetBSD-current running KAME
> >+-----+     |    C:  Corporate Office
> >            |            +-----+
> >+---+  +----+-----+      |     |
> >| C |--| Internet +------+  B  +-------{ Local non-routable network }
> >+---+  +----+-----+      |     |
> >                         +-----+
> >
> >Here's where I want to end up:
> >
> >+-----+
> >|     |          A:  Cisco 675 ADSL router (with a new static address)
> >|  A  |-----+        connected to a pair of Win-95  machines (with
> >|     |     |        non-routable NATed addresses).
> >+-----+     |    B:  NetBSD-current running KAME
> >            |    C:  Corporate Office
> >            |            +-----+
> >+---+  +----+-----+      |     |
> >| C |--| Internet +------+  B  +-------{ Local non-routable network }
> >+---+  +----+-----+      |     |
> >                         +-----+
> >
> >Clearly, I need a VPN solution, and since (B) already has IPSec and
> >IPv6 loaded and working, could someone make some recommendations
> >about what I need to research to figure out a workable solution for
> >the Interconnect.
> 
>         It is not very clear, from the diagram, what you are trying to achieve.
>         Which part of the diagram is IPv6 network, and which part is IPv4?

Network A is a pair of Windows machines on a NAT-enabled Cisco 675.
In order for these to become IPv6, we would need to upgrade them
to W2K and install the IPv6 package from Microsoft.  That would
make the connection from A to B work, but that forces me to upgrade
all of the servers in Network B to W2K.

Network B is an IPv4 and IPv6 enabled network, using KAME and NetBSD.

Network C is an IPv4 network which Network B can route for Network A
(if Network A becomes an IPv6 network).

The Internet (for purposes of this situation) should be viewed as
primarily IPv4.

Everyone on Networks A and B needs to be able to share resources.
Everyone on Networks A and B needs to be able to see into Network
C.  No one from the Internet should be able to see into A, B, or C.

> 
> itojun