Hello,

After setting up an ipsec tunnel according to http://www.freebsd.org/doc/handbook/ipsec.html I have a question:

Why do you suggest using IPSEC tunnel mode when packets are already wrapped in the IP-to-IP protocol (ipencap) and in fact already "tunneled"? This only adds another unneeded header to the packet - the picture in the article clearly shows this - src/dest IP for both outer headers are the same.

Another issue with tunnel mode is that it is impossible to watch traffic on gifX interfaces with tcpdump ( http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net )

Both of these problems are solved by using the "transport" keyword instead of "tunnel". Since traffic is already encapsulated into ipencap, we clearly have point-to-point traffic and transport mode works just fine.

(Tested)

Regards,
Dmitry Andrianov
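The change the message describes, written out as setkey(8) policy entries for one gateway; this is an added illustration, not part of the original post or of the handbook text. The addresses 192.0.2.1 (local gateway) and 198.51.100.1 (remote gateway) are constructed documentation addresses, and the ESP security associations are assumed to be supplied separately (manual `add` entries or an IKE daemon).

```conf
# Constructed example: IPsec policies for gif(4) traffic between two gateways.
# 192.0.2.1 = this gateway, 198.51.100.1 = peer gateway (placeholder addresses).

flush;
spdflush;

# Tunnel-mode form the message questions: ESP wraps the already
# encapsulated packet in a second outer IP header with the same endpoints.
#
#   [IP 192.0.2.1 -> 198.51.100.1][ESP][IP 192.0.2.1 -> 198.51.100.1, proto 4][inner IP][payload]
#
# spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec
#     esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in ipsec
#     esp/tunnel/198.51.100.1-192.0.2.1/require;

# Transport-mode form the message proposes: ESP is inserted after the
# existing gif outer header, so the inner packet is still encrypted but
# no duplicate outer header is added.
#
#   [IP 192.0.2.1 -> 198.51.100.1][ESP][inner IP][payload]
#
# The endpoint pair is left empty in transport mode.
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec
    esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in ipsec
    esp/transport//require;
```

Both policies match only protocol 4 (ipencap) between the two gateway addresses, so traffic that does not go through the gif interface is not covered by them.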