Hello!

> A has an ESP transport SA to B, and on top of that, A has an ESP tunnel
> SA to C via B:
>
>   A <------> B <------> C
>     <transp>
>     <------tunnel----->
>
> Normally packets coming from B must be protected by the transport SA.
> However, packets arriving from C are accepted even if they only possess
> the tunnel SA, bypassing the transport SA between A and B.

I think you misplaced something in the picture, because transport SA
between A and B cannot have any relationship to traffic from C.

Well, you can guess, I did not understand the picture. :-)

Anyway, let's think simpler: what policy do you set on output?
Why is the symmetric reflection of this policy on input not enough?

Alexey

-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html