Subject: help with ipsec
To: None <netbsd-users@netbsd.org>
From: Denis Lagno <dlagno@smtp.ru>
List: netbsd-users
Date: 01/27/2005 08:54:57
Hi,

I have some problems understanding tunnel and transport
modes -- can someone explain them in plain words?

I have one machine (flam) connected to Wi-Fi access point (ap).
Also I have a laptop (chup) connected to the access point via
a radio interface.  I want to organize ipsec between flam and chup.
Of course, access point knows nothing about ipsec.
I guess that I need to use tunnel mode?

How should ipsec.conf be written?  For example:

add flam chup esp XXX -E blowfish-cbc 0xXXX -A hmac-sha1 0xXXX ;
add flam chup ah XXX -A hmac-sha2-512 0xXXX ;
add flam chup ipcomp XXX -C deflate -R ;

add chup flam esp XXX -E blowfish-cbc 0xXXX -A hmac-sha1 0xXXX ;
add chup flam ah XXX -A hmac-sha2-512 0xXXX ;
add chup flam ipcomp XXX -C deflate -R ;

spdadd 168.192.0.11 chup any -P out ipsec ipcomp/tunnel//use esp/tunnel//use ah/tunnel//use ;
spdadd chup 168.192.0.11 any -P in ipsec esp/tunnel//require ah/tunnel//require ;

What should be written in src-dst part of tunnel mode spd specification?