Re: [TUN]: Clear security path for tunnel packets

Hello!

> > Is it due to the fact that you used tunnel addresses from SA to restore
> > addresses to apply selector and that this information is not available
> > for plain tunnel?
> 
> Well I could be wrong.  The scenario is as follows:
> 
> A <--------------> B
>    ESP(transport)
> 
> The SA selector is set to only allow src == A and dst == B.
> To allow it to carry IPIP packets with the current setup,

Actually, I think you are right, it is exactly what I said.

We have lost knowledge that src/dst _were_ tunnel's ones,
this is the problem.


> should be a barrier for IPSEC transforms:

Sigh, I did not plan to clear secpath ever. It was expected to accumulate
all the path through stack and kept forever, maybe, even given to end user
if he wants. Sweet dreams. :-)

I do not see anything bad with your suggestion, eventually each segment
of secpath might be cleared immediately after it is verified against policy
and this happens right before packet reaches decapsulation in IPIP tunnel,
so it is OK. But it still does not look good to lose information just
to allow to pass easier through some poorly designed test. Maybe, there
is some way to fix the test yet...

Alexey
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
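A toy model of the scenario discussed above, added here as an illustration; it is not Linux kernel code and not from either author. It assumes constructed addresses A, B (the ESP transport endpoints) and X, Y (the IPIP inner packet), and it shows why a transport-mode SA selector that only covers A->B fails a later policy check once IPIP decapsulation has swapped in the inner addresses, unless the already-verified secpath segment is cleared at the tunnel as the quoted message proposes.

```python
"""Hypothetical, simplified model of the secpath/selector interaction.

Not kernel code.  Addresses A, B, X, Y are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Selector:
    """SA selector: the src/dst pair this SA is allowed to protect."""
    src: str
    dst: str

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "ESP", "IPIP" or "TCP"
    inner: Optional["Packet"] = None  # encapsulated packet, if any
    secpath: List[Selector] = field(default_factory=list)  # SAs traversed so far

def policy_check(pkt: Packet) -> bool:
    """Every secpath segment must cover the packet's *current* src/dst."""
    return all(s.src == pkt.src and s.dst == pkt.dst for s in pkt.secpath)

def esp_transport_decap(pkt: Packet, sa: Selector) -> Packet:
    """Strip ESP in transport mode: outer addresses stay, SA joins the secpath."""
    assert pkt.proto == "ESP" and pkt.inner is not None
    p = pkt.inner
    return Packet(pkt.src, pkt.dst, p.proto, p.inner, pkt.secpath + [sa])

def ipip_decap(pkt: Packet, clear_verified: bool) -> Packet:
    """IPIP decapsulation: src/dst become the inner ones.  With
    clear_verified=True the segments already checked here are dropped
    (the barrier proposed in the thread); otherwise they are kept."""
    assert pkt.proto == "IPIP" and pkt.inner is not None
    if not policy_check(pkt):
        raise PermissionError("policy check failed before IPIP decap")
    p = pkt.inner
    secpath = [] if clear_verified else list(pkt.secpath)
    return Packet(p.src, p.dst, p.proto, p.inner, secpath)

def deliver(clear_verified: bool) -> bool:
    """A->B ESP(transport) carrying IPIP A->B with TCP X->Y inside.
    Returns whether the final policy check on the inner packet passes."""
    sa = Selector("A", "B")                      # selector: only src==A, dst==B
    tcp = Packet("X", "Y", "TCP")
    wire = Packet("A", "B", "ESP", inner=Packet("A", "B", "IPIP", inner=tcp))
    after_esp = esp_transport_decap(wire, sa)    # secpath now holds the SA
    after_ipip = ipip_decap(after_esp, clear_verified)
    return policy_check(after_ipip)              # stale A->B segment vs X->Y
```

With the verified segment kept, the inner X->Y packet is rejected by the A->B selector; with it cleared at the tunnel, delivery passes, at the cost of losing the record that src/dst were the tunnel's.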
