K 10
svn:author
V 2
ae
K 8
svn:date
V 27
2017-01-18T10:21:06.368553Z
K 7
svn:log
V 651
Do not require the presence of tunnel mode IPsec request for outbound security policies used by IPSEC_FORWARD() method. The rationale for this requirement was the need for handling encrypted replies. We can handle replies, only if they are destined for our addresses. And since we are doing forwarding, this usually means that source address of packet is not our own. But some users reported, that they are doing source address translation for forwarded packets. In this case pfil(9) does NAT and source address becomes our own, then packet is sent to forwarding routine, where it can be matched by security policy with transport mode IPsec request.
END