First, to make it clear: I had RTFM and i still has this doubt. Im connecting two networks (one of them is a branch office) using racoon/ipsectools and i see that racoon generates "fwd" policies without any user intervention nor request.

 Im trying to figure out what are those policies for. I saw someone saying it was something like the FORWARD policy on iptables, but i dont see how it makes sense. My current policy on the branch office is:

spdadd 172.16.10.0/24 172.16.0.0/27 any -P out ipsec esp/tunnel/201.254.100.xxx- 200.51.44.xxx/require;
spdadd 172.16.0.0/27 172.16.10.0/24 any -P in ipsec esp/tunnel/200.51.44.xxx- 201.254.100.xxx/require;

 It's my understanding that, for example, the first policy says "packets from the 172.16.0.0/24 network to the 172.16.0.0/27 network are required to go out encrypted using ESP blah blah, yada yada". This policy would cover a packet from 172.16.10.92 to 192.168.1.1. So, why would i need a fwd policy? The policy should cover both networks, not host->network.

PS: I've read the "RFC vs Linux kernel semantics"... i understand what it says... but then what is the "in" policy for on linux kernels?