I guess my memory was playing tricks, and I have misstated the probable cause. From
http://tools.ietf.org/html//rfc4303
Code:
In tunnel mode, the "inner" IP header carries the ultimate (IP)
source and destination addresses, while an "outer" IP header contains
the addresses of the IPsec "peers", e.g., addresses of security
gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6
over IPv4 and IPv4 over IPv6. In tunnel mode, ESP protects the
entire inner IP packet, including the entire inner IP header. The
position of ESP in tunnel mode, relative to the outer IP header, is
the same as for ESP in transport mode. The following diagram
illustrates ESP tunnel mode positioning for typical IPv4 and IPv6
packets.
                 BEFORE APPLYING ESP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                 AFTER APPLYING ESP
            -----------------------------------------------------------
      IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
            |(any options)| ESP | (any options) |TCP|Data|Trailer| ICV|
            -----------------------------------------------------------
                                |<--------- encryption --------->|
                          |<------------- integrity ------------>|
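The tunnel-mode layout quoted above, as an added example that is not part of the original post or the RFC: it builds a constructed IPv4 packet in that layout and reports which byte ranges fall under encryption and integrity. It assumes no cipher and no IV, so the ESP trailer is readable, and uses a 12-byte placeholder ICV; all function names, addresses, the SPI and the sequence number are made up for illustration.

```python
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; layout demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def build_esp_tunnel(inner_packet, spi, seq, icv_len=12):
    """Wrap inner_packet as in the diagram; assumption: no cipher, no IV."""
    pad_len = (-(len(inner_packet) + 2)) % 4        # trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))          # default padding bytes 1, 2, 3, ...
    trailer = padding + bytes([pad_len, 4])         # Next Header 4 = inner packet is IPv4
    esp_hdr = struct.pack("!II", spi, seq)          # SPI + sequence number
    icv = b"\xAA" * icv_len                         # placeholder, not a real MAC
    body = esp_hdr + inner_packet + trailer + icv
    outer = ipv4_header((192, 0, 2, 1), (198, 51, 100, 1), 50, len(body))
    return outer + body                             # outer addresses = the IPsec peers

def coverage(packet, icv_len=12):
    """Return (start, end) byte ranges for each protection region."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 50:
        raise ValueError("outer header does not carry ESP (protocol 50)")
    esp_start, icv_start = ihl, len(packet) - icv_len
    if icv_start - esp_start < 8 + 2:
        raise ValueError("too short for an ESP header plus trailer")
    pad_len, next_hdr = packet[icv_start - 2], packet[icv_start - 1]
    inner = packet[esp_start + 8 : icv_start - 2 - pad_len]
    return {
        "outer_dst": ".".join(map(str, packet[16:20])),   # outside both regions
        "encryption": (esp_start + 8, icv_start),         # inner hdr .. ESP trailer
        "integrity": (esp_start, icv_start),              # ESP hdr .. ESP trailer
        "next_header": next_hdr,
        "inner_src": ".".join(map(str, inner[12:16])),    # ultimate source
        "inner_dst": ".".join(map(str, inner[16:20])),    # ultimate destination
    }

# Constructed sample: inner IPv4 + empty 20-byte TCP header + 5 data bytes.
INNER = ipv4_header((10, 0, 1, 5), (10, 0, 2, 9), 6, 25) + bytes(20) + b"hello"
SAMPLE = build_esp_tunnel(INNER, spi=0x1001, seq=1)

if __name__ == "__main__":
    for field, value in coverage(SAMPLE).items():
        print(f"{field:12} {value}")
```

With a real cipher the trailer and inner header are ciphertext, so only the outer header, SPI and sequence number can be read without the SA keys.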