Hi,

> 1. Why is the policy_Y set, if after negotiating the ESP parameters and
> configuring the ESP SA, it remains unassociated with any ESP SA?

Only the outbound policy is explicitly associated with an SA (to switch SAs in a controlled way during rekeying). The inbound policy is still associated with the inbound SA (or SAs during rekeying) of this CHILD_SA via reqid. Use `ip -s xfrm policy` to see statistics.

> 2. Is it possible to configure for a TCP connection not two ESP SAs,
> each acting in its own direction, but one? For example, an exotic case
> where I only need to apply encryption in one direction?

SAs are always negotiated in pairs (one in each direction, they are unidirectional). I guess if you really wanted to, you could manually delete policies and SAs you don't need afterwards (on both ends). It's also possible to selectively protect traffic using marks.

Regards,
Tobias
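The policy/SA association described in the reply above can be checked directly in the `ip -s xfrm policy` and `ip -s xfrm state` dumps. The script below is an added example, not part of the original thread or of strongSwan; it assumes the iproute2 text output format (`src ... dst ...` record header, `dir`, `tmpl ... proto esp [spi 0x...] reqid N`, and a `lifetime current:` block with `N(bytes), N(packets)`). Both dumps embedded in it are constructed and abridged sample output for a single CHILD_SA with reqid 1, not captured from a real host:

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Parses `ip -s xfrm policy`
# and `ip -s xfrm state` output to show how policies are tied to SAs: only
# the outbound policy template names an SPI; the in/fwd policies carry just
# the reqid and reach the inbound SA through it. Sample dumps are constructed.

SAMPLE_POLICY=$(cat <<'EOF'
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 375423 ptype main
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      4200(bytes), 42(packets)
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp spi 0xc5f2a1e3 reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 375423 ptype main
    lifetime current:
      0(bytes), 0(packets)
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 375423 ptype main
    lifetime current:
      4200(bytes), 42(packets)
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
EOF
)

SAMPLE_STATE=$(cat <<'EOF'
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc5f2a1e3 reqid 1 mode tunnel
    lifetime current:
      4200(bytes), 42(packets)
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x0f3a2b1c reqid 1 mode tunnel
    lifetime current:
      4200(bytes), 42(packets)
EOF
)

# One line per policy: "<dir> reqid=<n> spi=<spi or -> packets=<n>"
summarize_policies() {
    awk '
    function flush() {
        if (dir != "") printf "%s reqid=%s spi=%s packets=%s\n", dir, reqid, spi, pkts
        dir = ""; reqid = "-"; spi = "-"; pkts = 0
    }
    BEGIN { flush() }
    /^src / { flush() }
    /^[ \t]*dir / { for (i = 1; i <= NF; i++) if ($i == "dir") dir = $(i+1) }
    # counters from "lifetime current"; the "limit:" config lines do not match
    /^[ \t]*[0-9]+\(bytes\), [0-9]+\(packets\)/ { p = $2; sub(/\(packets\).*/, "", p); pkts = p }
    / reqid / { for (i = 1; i <= NF; i++) { if ($i == "reqid") reqid = $(i+1); if ($i == "spi") spi = $(i+1) } }
    END { flush() }'
}

# One line per SA: "<src> -> <dst> spi=<spi> reqid=<n> packets=<n>"
summarize_states() {
    awk '
    function flush() {
        if (src != "") printf "%s -> %s spi=%s reqid=%s packets=%s\n", src, dst, spi, reqid, pkts
        src = ""; dst = ""; spi = "-"; reqid = "-"; pkts = 0
    }
    BEGIN { flush() }
    /^src / { flush(); src = $2; dst = $4 }
    /^[ \t]*proto esp / { for (i = 1; i <= NF; i++) { if ($i == "spi") spi = $(i+1); if ($i == "reqid") reqid = $(i+1) } }
    /^[ \t]*[0-9]+\(bytes\), [0-9]+\(packets\)/ { p = $2; sub(/\(packets\).*/, "", p); pkts = p }
    END { flush() }'
}

# For each outbound policy: the SA it names by SPI, and the other SA with
# the same reqid, which is the inbound SA the in/fwd policies are tied to.
pair_by_reqid() {   # $1 = file with policy summary, $2 = file with state summary
    awk 'FNR == NR { if ($1 == "out") out[$2] = $3; next }
         { rq = $5; if (rq in out) { if ($4 == out[rq]) o[rq] = $4; else i[rq] = $4 } }
         END { for (rq in out) printf "%s out_%s in_%s\n", rq, o[rq], i[rq] }' "$1" "$2"
}

# Demo on the constructed dumps. On a live host (as root):
#   ip -s xfrm policy | summarize_policies ; ip -s xfrm state | summarize_states
pol=$(printf '%s\n' "$SAMPLE_POLICY" | summarize_policies)
st=$(printf '%s\n' "$SAMPLE_STATE" | summarize_states)
printf '%s\n' "$pol" "$st"
tp=$(mktemp) && ts=$(mktemp)
printf '%s\n' "$pol" > "$tp"; printf '%s\n' "$st" > "$ts"
pair_by_reqid "$tp" "$ts"
rm -f "$tp" "$ts"
```

In the summaries the `out` policy shows `spi=0xc5f2a1e3` while `in` and `fwd` show `spi=-`, which is the explicit-versus-reqid association the reply describes; `pair_by_reqid` then resolves the inbound SA (`0x0f3a2b1c`) purely through the shared reqid. The packet counters are whatever the kernel reports in the `lifetime current` block, so a policy that never matches traffic stays at 0.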