Alaa Dalghan wrote:
> imposes too much processing overhead on the Linux VPN gateway. The
> required behavior is that the VPN gateway just RELAYS encrypted data
> (ESP envelopes) without decrypting them. This is impossible in the
> current ipsec implementation since "the end of a tunnel HAS ALWAYS to be
> decrypted".
>

That can work only in the case when you set ESP's encryption keys manually,
and the same on all 30 of your clients. Also, the SPIs should be the same. I
would not call such a setup secure.

A better way is to put all these clients into a single subnet and configure
them to require transport mode ESP transformation in that subnet + employ
automatic keying and auth by certs. And the required subset of these scary
900 tunnels will set up automatically.

[Don't ask me how to configure this setup in Windows -- I don't know].

> I hope that someone can help me with finding this portion of the code
> and modify it. By the way I searched in the kernel file "esp4.c" but
> can't seem to find what I want.

Check the xfrm*.c files, also the net/xfrm directory.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
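The "require transport mode ESP in that subnet" part of the reply, spelled out as an added example (this is not code from either poster, and the addresses 10.0.0.5 and 10.0.0.0/24 are made up). It shows the two xfrm policies one client needs, expressed as iproute2 `ip xfrm policy` commands, and why the gateway in the middle needs none. The `run` wrapper only prints the commands unless APPLY=1 is set, so the script can be read and diffed without root or an xfrm-capable kernel; the keying daemon (racoon, pluto, charon or similar) that answers the kernel's ACQUIRE and installs the per-pair SAs is assumed to be running on each client and is outside this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints (or, with APPLY=1,
# installs) the per-client xfrm policies that make a host require
# transport-mode ESP toward every other host in its subnet.
# Assumed, made-up addresses: client 10.0.0.5 in subnet 10.0.0.0/24.

run() {
    # APPLY=1: execute (needs root, CONFIG_XFRM, CONFIG_INET_ESP).
    # Otherwise: print the command so it can be inspected offline.
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# xfrm_transport_policy LOCAL SUBNET
#   out: LOCAL -> SUBNET must be ESP, transport mode, level required
#   in : SUBNET -> LOCAL must be ESP, transport mode, level required
# "level required" drops cleartext matching the selector; when no SA
# exists yet the kernel sends an ACQUIRE to the keying daemon, which
# negotiates a per-pair SA under IKE (certificate auth configured there).
# No "fwd" policy: transport mode covers only traffic that starts or
# ends on this host, never traffic it merely routes.
xfrm_transport_policy() {
    run ip xfrm policy add src "$1/32" dst "$2" dir out \
        tmpl proto esp mode transport level required
    run ip xfrm policy add src "$2" dst "$1/32" dir in \
        tmpl proto esp mode transport level required
}

# The gateway between the clients gets NO policy and NO SA for this
# subnet. With nothing in its SPD matching the packets, client-to-client
# ESP (IP protocol 50) is forwarded like any other IP datagram, which is
# the "relay without decrypting" behaviour the question asks for. Only
# traffic that terminates on the gateway itself would need an SA there.

xfrm_transport_policy 10.0.0.5 10.0.0.0/24
```

Per-pair SAs are what make this safer than one shared manual key and SPI: a client that is compromised exposes only the SAs it negotiated, not a single secret common to all 30 hosts. Listing `ip xfrm state` on a client after a few connections shows exactly which of the "900 tunnels" were actually set up.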