Subject: Re: gre encap destination = point-to-point destination
To: Jason Thorpe <thorpej@shagadelic.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-net
Date: 05/13/2007 18:51:29

Jason Thorpe <thorpej@shagadelic.org> writes:

> Yah, I gotta say, I always thought tunnel mode IPsec was stupid.

I see your point, but note that tunnel mode IPsec lets you use the SPD
to choose the packets to which IPsec is applied, and to validate that
those packets coming out of the tunnel are also valid.
So you need firewall and routing and IP-IP and transport to replace it.
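
The SPD behaviour described in the message above, as an added sketch that is not part of the original post or of any NetBSD code: one selector table decides which outbound packets go into the tunnel, and its mirror decides whether a packet is acceptable given how it arrived. The addresses, the policy table, and the function names are constructed for illustration.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed SPD for a gateway fronting 10.0.1.0/24 with a peer site 10.0.2.0/24.
# Each entry: (source selector, destination selector, action). First match wins.
SPD_OUT = [(net("10.0.1.0/24"), net("10.0.2.0/24"), "protect"),
           (net("0.0.0.0/0"), net("0.0.0.0/0"), "bypass")]
SPD_IN = [(net("10.0.2.0/24"), net("10.0.1.0/24"), "protect"),
          (net("0.0.0.0/0"), net("0.0.0.0/0"), "bypass")]

def lookup(spd, src, dst):
    """Return the action of the first policy matching src/dst, else 'discard'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_src, p_dst, action in spd:
        if s in p_src and d in p_dst:
            return action
    return "discard"

def outbound(src, dst):
    """Selection: which packets get tunnel-mode IPsec applied."""
    return lookup(SPD_OUT, src, dst)

def inbound(src, dst, via_tunnel):
    """Validation: src/dst are the inner addresses; via_tunnel says whether
    the packet was decapsulated from the tunnel SA or arrived in the clear."""
    action = lookup(SPD_IN, src, dst)
    if action == "discard":
        return "drop"
    if via_tunnel:
        # Whatever comes out of the tunnel must match the tunnel's selectors.
        return "accept" if action == "protect" else "drop"
    # Cleartext is only acceptable where policy says bypass.
    return "accept" if action == "bypass" else "drop"

if __name__ == "__main__":
    print(outbound("10.0.1.5", "10.0.2.9"))          # site-to-site traffic
    print(inbound("10.0.2.9", "10.0.1.5", False))    # spoofed cleartext
    print(inbound("172.16.0.1", "10.0.1.5", True))   # inner source outside selector
```

With GRE or IP-IP plus transport mode, the two `inbound` checks have to be rebuilt as separate firewall rules on the tunnel interface and the physical interface, which is the replacement cost the message points at.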