ScreenOS ip6in4 tunnel over transport mode ipsec?
I've done tons of IPv6 on ScreenOS. Both natively and tunnels. I've done exactly what you're asking about (although, not with a Cisco at the other end). Here's what to do.
Get rid of the 6in4 stuff. Use only one tunnel interface, and unset the proxy-id on both sides. Build the tunnel with v4 endpoints then route the remote v6 prefix as well as the remote v4 prefix to the tunnel interface.
Update: As requested, example config.
Notes:
- Local v6 supernet is fd28:e1f3:d650:1000::/56
- Remote v6 supernet is fd28:e1f3:d650:2000::/56
- Significant v4 portions have been left out because I think you get it.
.
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 5.6.7.8/27
set interface ethernet0/0 route
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ipv6 mode router
set interface ethernet0/2 ipv6 enable
set interface ethernet0/2 ipv6 ip fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 nd nud
set interface ethernet0/2 ipv6 ra link-address
set interface ethernet0/2 ipv6 ra link-mtu
set interface ethernet0/2 ipv6 ra managed
set interface ethernet0/2 ipv6 ra other
set interface ethernet0/2 ipv6 ra preference high
set interface ethernet0/2 ipv6 ra prefix fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 ra reachable-time
set interface ethernet0/2 ipv6 ra retransmit-time
set interface ethernet0/2 ipv6 ra transmit
set zone name v6remote
set interface tunnel.20 ip unnumbered interface ethernet0/0
set interface tunnel.20 zone v6remote
set interface tunnel.20 ipv6 mode host
set interface tunnel.20 ipv6 enable
set interface tunnel.20 ipv6 nd dad-count 0
set interface tunnel.20 ipv6 nd nud
set ike p1-proposal AES256-SHA preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600
set ike gateway gateway2v6remote address 10.255.255.1 Main outgoing-interface ethernet0/0 preshare "secret-word" proposal AES256-SHA
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA
set vpn tunnel2v6remote bind interface tunnel.20
set policy from v6remote to trust v6remote v6local ANY permit log count
set policy from trust to v6remote v6local v6remote ANY permit log count
set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::