Subject: Re: PF for netbsd
To: None <tech-net@netbsd.org>
From: Martin J. Laubach <mjl@netbsd.org>
List: tech-net
Date: 06/28/2003 22:41:06
| >|  spdadd tagged "ssh" -P in ipsec esp/transport//use;
| >|  spdadd 127.0.0.1 127.0.0.1 -P in ipsec esp/transport//require;
| >
| >  Why does the second line still specify some classification
| >requirements? Wouldn't it be cleaner (and simpler) to _only_
| >use tags here, ie.
| >
| >	spdadd tagged "ssh" -P in ipsec esp/transport//use;
| >	spdadd tagged "from-to-localhost" -P in ipsec esp/transport//require;
| >
| >  with appropriate packet filter lines?
|  
|  	the above is of course possible.

  Good. My point was, specifically, if you decide to use an
external packet classifier, you should probably go all the way
and not have a second minimalistic classification engine inside
ipsec.

  Otherwise using pf doesn't really buy you anything.

	mjl
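
A sketch of the "all the way" layout argued for above, added here as an illustration and not taken from the original thread: pf does all of the classification and the SPD holds only tagged entries, so no addresses or ports are matched inside ipsec at all. The interface name, the lo0 rule and the exact shape of the pf rules are assumptions; the two setkey lines mirror the ones quoted in the thread.

```conf
# /etc/pf.conf  (constructed example; the interface name is an assumption)
ext_if = "wm0"

# Inbound ssh is classified here and tagged; the SPD only looks at the tag.
pass in on $ext_if proto tcp from any to $ext_if port 22 tag ssh

# Loopback traffic gets its own tag, so the SPD needs no 127.0.0.1 matching.
pass in on lo0 inet from 127.0.0.1 to 127.0.0.1 tag from-to-localhost


# /etc/ipsec.conf  (loaded with: setkey -f /etc/ipsec.conf)
# Only tagged entries: the classification lives entirely in pf.
spdadd tagged "ssh" -P in ipsec esp/transport//use;
spdadd tagged "from-to-localhost" -P in ipsec esp/transport//require;
```

With this split, changing what counts as "ssh" or "localhost" traffic is a pf.conf edit only; the SPD never has to be touched, which is the point of not keeping a second classifier inside ipsec.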