Hello!

> The current IPSec implementation has a distinction in the security
> policy between transport and tunnel SAs.

Because they really provide severely distinct levels of security.

> way to do this. This distinction duplicates work already done by the
> ipip driver. We have a tunneling system already, we should use it.

No problems with this. Transport mode SA will relay IPIP packets to the corresponding IPIP tunnels, and the difference in security policy will be lost as you desire. :-) So, we support both approaches.

> restricts packets under a tunnel SA to be IPIP only.

No, it really has a restriction, but it sounds different. There are no "tunnel" or "transport" SAs; the specs allow one SA to be used both for transport and tunnel modes. IKE can negotiate a transport or tunnel or "any" SA. Apparently, the software negotiates the SA in "any" mode. This is OK, you just load the ipip module and UP the tunl0 device.

Alexey