IPv6 and IPSec in real life....
David Burgess
burgess@mitre.org
Thu, 06 Apr 2000 12:30:02 -0500
itojun@iijlab.net wrote:
>
> >Network A is a pair of Windows machines on a NAT enabled Cisco 675.
> >In order for these to become IPv6, we would need to upgrade them
> >to W2K and install the IPv6 package from Microsoft. That would
> >make the connection from A to B work, but that forces me to upgrade
> >all of the servers in Network B to W2K.
> >
> >Network B is an IPv4 and IPv6 enabled network, using KAME and NetBSD.
> >
> >Network C is an IPv4 network which Network B can route for Network A
> >(if network A becomes an IPv6 network).
> >
> >The Internet (for purposes of this situation) should be viewed as
> >primarily IPv4.
> >
> >Everyone on Networks A and B needs to be able to share resources.
> >Everyone on Networks A and B needs to be able to see into Network
> >C. No one from the Internet should be able to see into A, B, or C.
>
> If your goal is to set up IPv6 connectivity
> among A, B and C, you just need to take the following steps:
> 1. make the edge routers for A, B and C (which have global IPv4 addresses -
> outside of NAT) to be IPv4/v6 dual stack,
> 2. establish IPv6-over-IPv4 tunnels among the edge routers,
> 3. populate native IPv6 network into A, B and C.
> now A, B and C have IPv6 connectivity.
>
> NAT is an IPv4-only thing. You can just ignore them when you think about
> IPv6 interconnection.
> (In case you want IPv4 VPN, this is not the best place to ask)
Thank you for the quick response.
The more I think about it, the more I think your suggestion will work
out the best. I can set up V6 over V4 routing between firewalls in both
enclaves. This avoids the problem with the massive upgrades, but adds
another computer into the mix.
>
> itojun
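
Added example, not part of the original thread: a sketch of the three-step plan above that checks each edge router's IPv4 endpoint is outside RFC 1918 space (step 1) and emits a full mesh of IPv6-over-IPv4 tunnel commands (step 2). The addresses are constructed documentation-range values, the helper names are hypothetical, and the emitted commands assume NetBSD-style `gif` interfaces on every edge router.

```python
import ipaddress
from itertools import combinations

# RFC 1918 space: an endpoint here sits behind NAT and cannot terminate a tunnel.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation ranges), not values from the thread.
EDGES = {"A": "192.0.2.1", "B": "198.51.100.1", "C": "203.0.113.1"}
LINK_PREFIX = ipaddress.ip_network("2001:db8:ffff::/48")


def check_endpoint(name, addr):
    """Step 1: the edge router's tunnel endpoint must be outside NAT."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        raise ValueError(f"edge {name}: {addr} is RFC 1918 space behind NAT")
    return ip


def tunnel_plan(edges, link_prefix):
    """Step 2: return {router: [commands]} for a full mesh of gif tunnels."""
    for name, addr in edges.items():
        check_endpoint(name, addr)
    plan = {name: [] for name in edges}
    unit = {name: 0 for name in edges}            # next free gifN per router
    links = link_prefix.subnets(new_prefix=64)    # one /64 per tunnel link
    for (a, b), net in zip(combinations(sorted(edges), 2), links):
        for local, remote, host in ((a, b, 1), (b, a, 2)):
            gif = f"gif{unit[local]}"
            unit[local] += 1
            plan[local] += [
                f"ifconfig {gif} create",
                f"ifconfig {gif} tunnel {edges[local]} {edges[remote]}",
                f"ifconfig {gif} inet6 {net[host]} prefixlen 64 up",
            ]
    return plan


if __name__ == "__main__":
    for router, cmds in tunnel_plan(EDGES, LINK_PREFIX).items():
        print(f"# edge router {router}")
        print("\n".join(cmds))
```

Step 3, numbering the internal IPv6 networks behind each edge router, and the IPv4 filtering that keeps the Internet out of A, B and C are left to each site's own router and firewall configuration.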