[support] IPSec broken (was RE: MCoA send BUs via multiple interfaces)
Georgopoulos, Panagiotis
panos at comp.lancs.ac.uk
Thu Feb 4 19:00:52 JST 2010
Hello all,
> The current MCoA implementation is far from matching the current
> specification, and breaks several things (such as the use of IPsec).
On a "broken IPSec" token, if I am right, IPSec is broken in nested NEMO
scenarios as well (even in the simplest case where an MR connects behind
another MR and sends a BU to its HA), even without the MCoA patch. I
remember Ben's email about that some months ago (for more information see
the PS).
Has anyone solved/experienced this?
Thanks a lot,
Panos
PS. Forwarding that email for more information:
Hi all,
Has anyone tried running ipsec in a nested NEMO scenario before? We have a
setup here where two MRs with working ipsec configurations can establish
their MR-HA tunnels fine if they connect to an access network AP, but if one
of those MRs roams behind the other and connects to its Ingress interface,
its subsequent BU is not received by the HA. Analysing the interface on the
HA, we can see that the BU arrives, has the ipsec tunnel header added by the
intermediary MR removed, but the ipsec transport mode encrypted BU is
not then decrypted as it should be (and as it is if we connect directly via
a normal access network connection) and therefore it isn't passed up to the
HA.
Has this been experienced by anyone before?
Cheers,
Ben