On 11.12.2016 14:58, Slawa Olhovchenkov wrote:
>> No. An encapsulated by gif(4) packet is considered as own packet. The
>> described change is related to transport mode policies, that are match
>> forwarded packets, i.e. when source and destination addresses are not
>> our own. In this case we can't handle the returned packets.
>
> What difference with source packets?
> Why you can handle sourced and can't handle returned packets?
IPsec is a set of protocol handlers - ESP/AH/IPcomp. Inbound packets are handled by the security association with the given destination address and SPI. If returned packets aren't destined to your address, the protocol handlers will not handle them.

Outbound packets are handled by matching a security policy. The needed security association is looked up using the address selector from the security policy. If a security association that matches the packet is found, the packet will be handled by the protocol handler.

--
WBR, Andrey V. Elsukov
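The asymmetry described in the reply, as an added model that is not FreeBSD code: a constructed SAD keyed by (destination, SPI) for inbound packets and an SPD matched by address selectors for outbound packets. The addresses are hypothetical; 10.0.0.1 is "our" host, forwarding between 192.168.1.0/24 and 172.16.0.0/16 under a transport-mode policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example; addresses and SPIs are made up for illustration.
OUR_ADDRS = {ip_address("10.0.0.1")}


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int


@dataclass(frozen=True)
class SP:
    src_sel: str  # address selectors of the policy, as CIDR
    dst_sel: str


# SAD: the inbound ESP/AH handler looks up (destination address, SPI).
SAD = {(sa.dst, sa.spi): sa for sa in (
    SA("192.168.1.5", "172.16.0.9", 0x1001),  # forwarded traffic, outbound
    SA("172.16.0.9", "192.168.1.5", 0x1002),  # forwarded traffic, return path
    SA("10.0.0.1", "172.16.0.9", 0x2001),     # our own traffic, outbound
    SA("172.16.0.9", "10.0.0.1", 0x2002),     # our own traffic, return path
)}
# SPD: transport-mode policies for forwarded and for our own traffic.
SPD = [SP("192.168.1.0/24", "172.16.0.0/16"), SP("10.0.0.1/32", "172.16.0.0/16")]


def outbound(src, dst):
    """Outbound: match a policy by selector, then find the SA by its addresses."""
    for sp in SPD:
        if ip_address(src) in ip_network(sp.src_sel) and ip_address(dst) in ip_network(sp.dst_sel):
            for sa in SAD.values():
                if (sa.src, sa.dst) == (src, dst):
                    return f"esp spi={sa.spi:#x}"
            return "policy matched, no SA"
    return "bypass"


def inbound(dst, spi):
    """Inbound: protocol handlers only see packets destined to our own address."""
    if ip_address(dst) not in OUR_ADDRS:
        return "forwarded untouched"  # never reaches the ESP/AH handler
    sa = SAD.get((dst, spi))
    return f"decapsulated via spi={sa.spi:#x}" if sa else "no SA, dropped"
```

The forwarded packet is encapsulated on the way out, but its ESP reply is destined to 192.168.1.5 rather than to us, so it is forwarded without ever reaching the handler; our own traffic round-trips normally.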