First, to make it clear: I have RTFM'd and I still have this doubt. I'm connecting two networks (one of them is a branch office) using racoon/ipsec-tools, and I see that racoon generates "fwd" policies without any user intervention or request.
I'm trying to figure out what those policies are for. I saw someone saying it was something like the FORWARD policy on iptables, but I don't see how that makes sense. My current policy on the branch office is:
spdadd 172.16.10.0/24 172.16.0.0/27 any -P out ipsec esp/tunnel/201.254.100.xxx-
spdadd 172.16.0.0/27 172.16.10.0/24 any -P in ipsec esp/tunnel/200.51.44.xxx-
It's my understanding that, for example, the first policy says "packets from the 172.16.0.0/24 network to the 172.16.0.0/27 network are required to go out encrypted using ESP, blah blah, yada yada". This policy would cover a packet from 172.16.10.92 to 192.168.1.1. So why would I need a fwd policy? The policy should cover both networks, not host->network.
PS: I've read the "RFC vs Linux kernel semantics" section... I understand what it says... but then what is the "in" policy for on Linux kernels?
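As an added example (not part of the post above, and not racoon's or ipsec-tools' own code), the script below generates the complete SPD a branch-office gateway would load with setkey for the two subnets in the question, writing the "out", "in" and "fwd" policies side by side. The gateway addresses are placeholders from the RFC 5737 documentation ranges, standing in for the masked 201.254.100.xxx and 200.51.44.xxx; the subnets are the ones from the post. On Linux the kernel consults an "in" policy for a decapsulated packet addressed to the gateway itself and a "fwd" policy for a decapsulated packet the gateway forwards on to its LAN, which is why a tunnel between two networks needs both in the inbound direction.

```shell
#!/bin/sh
# Added example: generate a setkey SPD for a site-to-site tunnel with
# explicit out/in/fwd policies. Not code from the original post.

BRANCH_NET="172.16.10.0/24"   # subnet behind the branch gateway (from the post)
HQ_NET="172.16.0.0/27"        # subnet behind the head-office gateway (from the post)
BRANCH_GW="192.0.2.1"         # placeholder for the masked 201.254.100.xxx
HQ_GW="198.51.100.1"          # placeholder for the masked 200.51.44.xxx

# Emit the SPD for the gateway whose LAN is $1, peered with the LAN $2.
# $3 is this gateway's public address, $4 the peer's.
#   out: packets leaving the LAN for the peer LAN must be ESP-tunnelled.
#   in : decapsulated packets delivered to this gateway itself.
#   fwd: decapsulated packets this gateway forwards into its LAN.
# "require" makes the kernel drop matching traffic that is not protected.
gateway_spd() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4
    cat <<EOF
spdflush;
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/require;
spdadd $remote_net $local_net any -P fwd ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Count how many policies in the branch SPD carry the direction given as $1.
count_dir() {
    gateway_spd "$BRANCH_NET" "$HQ_NET" "$BRANCH_GW" "$HQ_GW" | grep -c -- "-P $1 "
}

# Print the branch-office SPD. Load it with: gateway_spd ... | setkey -c
# or write it to /etc/ipsec-tools.conf. Check the result with: setkey -DP
gateway_spd "$BRANCH_NET" "$HQ_NET" "$BRANCH_GW" "$HQ_GW"
```

Swapping the argument order (`gateway_spd "$HQ_NET" "$BRANCH_NET" "$HQ_GW" "$BRANCH_GW"`) yields the mirror-image SPD for the head-office side. After loading, `setkey -DP` should list all three entries; if the "fwd" one is missing, traffic decrypted at the gateway and destined for another host on the LAN is not covered by policy at all, which is exactly the gap the automatically generated "fwd" entry closes.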