On May 9, 2007, at 2:56 PM, Daniel Carosone wrote:

> Not just that; it also gives you several other benefits of having an
> explicit interface to represent the tunnelling step separately from
> the encryption step.  In particular, you get an explicit inside-tunnel
> MTU and explicit inside-tunnel ipf/pf filtering/NAT rules.

Yah, I gotta say, I always thought tunnel mode IPsec was stupid.

-- thorpej