On Wed, Jul 02, 2003 at 07:26:34PM +1000, herbert wrote:
>
> This is so because any such packet will pass the IPCOMP selector test
> as it is any to any. It also passes the policy check as there are no
> explicit policies for packets coming from T.

Before you point out the obvious there is an explicit policy for packets
coming from T :) It allows them through with no templates specified and
has a priority higher than the any to any policy for the tunnel.

If you dislike that then simply introduce an ESP tunnel to T beneath the
other tunnel.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt