Subject: Re: ipsec pcb/socket passing
To: None <wrstuden@netbsd.org>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 08/26/2003 07:09:42
> Also, totally unrelated note, what happens if you're an IPsec gateway? Say
> you're doing ESP tunnel mode for a number of protected boxes. And you have
> nothing running that has an open port covered by the IPsec policy (or you
> have port-specific policy and nothing's open on that port). Do you really
> have a socket sitting around to hang the IPsec info off of, even though
> there's nothing in userland around to hook to it?

	there are two places you can put policies - one is on the socket via
	ioctl, the other is packet-filter-like (setkey).  the IPsec gateway case
	falls into the latter, and there'll be no socket for those policies.

itojun