>Even if the policy is specified as "required", it looks (at least, to
>me) that SA (destination address, Security Protocol(AH/ESP), and SPI)
>is properly established. I don't see anything that can prevent it from
>working if the policy is specified as 'require'.
>
>Will anybody here help me understand this?
IKE is not the issue, SA establishment is not the issue. the issue bites
you when you actually receive AH tunnel packet which matches "require"
policy (inbound). they will get rejected.
we (KAME) are at this moment using 1-bit mbuf flag to remember which mbuf
is authenticated or not. this way, we cannot handle tunelled AH case.
check out the latest manpage for a little bit better description:
http://www.kame.net/dev/cvsweb.cgi/kame/kame/kame/man/man4/ipsec.4
itojun
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
