First, to make it clear: I have RTFM and I still have this doubt. I'm connecting two networks (one of them is a branch office) using racoon/ipsec-tools, and I see that racoon generates "fwd" policies without any user intervention or request.

I'm trying to figure out what those policies are for. I saw someone saying it was something like the FORWARD policy on iptables, but I don't see how it makes sense. My current policy on the branch office is:

spdadd any -P out ipsec esp/tunnel/;
spdadd any -P in ipsec esp/tunnel/;

It's my understanding that, for example, the first policy says "packets from the network to the network are required to go out encrypted using ESP, blah blah, yada yada". This policy would cover a packet from to . So, why would I need a fwd policy? The policy should cover both networks, not host->network.

PS: I've read the "RFC vs Linux kernel semantics"... I understand what it says... but then what is the "in" policy for on Linux kernels?
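As an added illustration (not part of the original post, and not racoon or ipsec-tools code), the following Python model shows how the Linux kernel picks the policy direction for a packet that has just been ESP-decapsulated on a gateway, and why a net-to-net "in" policy does not cover traffic forwarded to hosts behind that gateway. The LANs (10.1.0.0/24, 10.2.0.0/24) and the gateway addresses are constructed for the example.

```python
"""Toy model of Linux XFRM policy-direction selection for an IPsec gateway.

Linux has three SPD directions (in, out, fwd) where RFC 4301 has two.  After
decapsulation, a packet addressed to one of the gateway's own addresses goes
through local delivery and is checked against IN policies; a packet that must
be routed on to another host goes through the forwarding path and is checked
against FWD policies.  Outbound packets, local or forwarded, use OUT policies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IN, OUT, FWD = "in", "out", "fwd"


@dataclass(frozen=True)
class Policy:
    """One SPD entry, the shape of a `spdadd SRC DST any -P DIR ipsec ...` line."""
    src: str        # selector source network
    dst: str        # selector destination network
    direction: str  # "in", "out" or "fwd"
    action: str     # e.g. "ipsec esp/tunnel"

    def matches(self, src: str, dst: str, direction: str) -> bool:
        return (direction == self.direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


# Constructed addresses (assumptions for this example, not from the post):
HQ_LAN, BRANCH_LAN = "10.1.0.0/24", "10.2.0.0/24"
BRANCH_GW_LOCAL_ADDRS = {"198.51.100.1", "10.2.0.1"}  # the branch gateway's own IPs


def inbound_direction(dst: str, local_addrs=BRANCH_GW_LOCAL_ADDRS) -> str:
    """Direction the kernel checks a decapsulated packet against: IN if it is
    delivered to this host, FWD if it has to be routed onward."""
    return IN if dst in local_addrs else FWD


def lookup(spd: List[Policy], src: str, dst: str,
           direction: str) -> Optional[Policy]:
    """First matching SPD entry, or None (no policy means no IPsec requirement
    is enforced for that packet)."""
    for p in spd:
        if p.matches(src, dst, direction):
            return p
    return None


def check_decrypted(spd: List[Policy], src: str,
                    dst: str) -> Tuple[str, Optional[Policy]]:
    """Classify a freshly decapsulated packet and find the policy applied to it."""
    direction = inbound_direction(dst)
    return direction, lookup(spd, src, dst, direction)


def check_outbound(spd: List[Policy], src: str,
                   dst: str) -> Tuple[str, Optional[Policy]]:
    """Outbound packets always consult OUT policies."""
    return OUT, lookup(spd, src, dst, OUT)


# The branch-office SPD as written in the post: net-to-net out and in only.
SPD_IN_OUT = [
    Policy(BRANCH_LAN, HQ_LAN, OUT, "ipsec esp/tunnel"),
    Policy(HQ_LAN, BRANCH_LAN, IN, "ipsec esp/tunnel"),
]

# The same SPD with the fwd entry added for the forwarded direction.
SPD_WITH_FWD = SPD_IN_OUT + [
    Policy(HQ_LAN, BRANCH_LAN, FWD, "ipsec esp/tunnel"),
]

if __name__ == "__main__":
    # HQ host -> branch host: decrypted on the gateway, then forwarded.
    # Only the IN policy exists, so no policy governs this packet.
    print(check_decrypted(SPD_IN_OUT, "10.1.0.5", "10.2.0.7"))
    # With the fwd entry the forwarded packet is covered.
    print(check_decrypted(SPD_WITH_FWD, "10.1.0.5", "10.2.0.7"))
    # HQ host -> the gateway's own LAN address: local delivery, IN policy applies.
    print(check_decrypted(SPD_IN_OUT, "10.1.0.5", "10.2.0.1"))
```

The security-relevant point the model makes visible: with only the posted "in" entry, the HQ-to-branch traffic that the gateway decrypts and forwards matches no inbound policy at all, so the kernel is not enforcing that it arrived through the tunnel; the "in" entry only governs packets addressed to the gateway itself (its own LAN or WAN addresses). The "fwd" entry is what extends the "must have come in via ESP" requirement to the forwarded, net-to-net case, which is why racoon adds it on Linux.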