Panagiotis Georgopoulos | 14 Dec 2011 01:38
IPsec question

Hello all,

I've got a somewhat weird question regarding IPsec. Let's suppose that I want an MR to send a BU IPsec'ed when it has a direct connection to the Internet, and send it unencrypted (without IPsec) when it is behind another MR.

How can I successfully receive these two BU instances at its HA, given the way xfrm works on Linux? If I am right, if I install the security associations on the HA and prepare it for a BU in transport mode and it receives an unencrypted one, the kernel will swallow the packet and not even pass it along to the umip code in user space.

In the MR case I could at least handle the SAD and SPD before the BU is sent, but in the HA case I cannot do that. How could the HA accept both an unencrypted and an encrypted BU from a specific MR? Any ideas?


Thanks,

Panos
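One knob in the Linux xfrm policy that bears directly on this question is the template `level`: with `level required` an unprotected packet matching the selector is dropped, with `level use` it is accepted when no SA matches the template. The script below is an added example, not code from the post or from UMIP; the addresses are constructed placeholders and the SAs are assumed to be installed separately.

```shell
#!/bin/sh
# Added example (not from the original post or UMIP): inbound xfrm policy at the HA
# for Binding Updates (Mobility Header, IPv6 protocol 135) from one MR, showing the
# policy "level" that decides what happens to a BU that arrives without ESP.
# Addresses are constructed placeholders; the SAs are assumed to be installed
# separately (ip xfrm state / umip).
MR_HOA="${MR_HOA:-2001:db8:1::2}"     # MR home address (constructed)
HA_ADDR="${HA_ADDR:-2001:db8:1::1}"   # HA address (constructed)
MH_PROTO=135                          # IPv6 Mobility Header

# Print the ip(8) commands by default; execute them (needs root) only when IPSEC_APPLY=1.
run() {
    if [ "${IPSEC_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ha_bu_in_policy LEVEL
#   required : a BU from MR_HOA that is not ESP-protected is dropped by xfrm
#              before it reaches user space (the behaviour described in the post)
#   use      : ESP is enforced only when an SA matches the template; a plaintext
#              BU is passed up to umip, so both BU variants reach user space
ha_bu_in_policy() {
    level="$1"
    case "$level" in required|use) ;; *) echo "bad level: $level" >&2; return 1 ;; esac
    run ip xfrm policy add dir in \
        src "$MR_HOA" dst "$HA_ADDR" proto "$MH_PROTO" \
        tmpl proto esp mode transport level "$level"
}

# Matching outbound policy for the Binding Acknowledgement, same level.
ha_ba_out_policy() {
    level="$1"
    case "$level" in required|use) ;; *) echo "bad level: $level" >&2; return 1 ;; esac
    run ip xfrm policy add dir out \
        src "$HA_ADDR" dst "$MR_HOA" proto "$MH_PROTO" \
        tmpl proto esp mode transport level "$level"
}

# Show what the HA currently holds for this MR, e.g. after umip has changed it.
ha_show_policy() {
    run ip xfrm policy list src "$MR_HOA" dst "$HA_ADDR"
}

ha_bu_in_policy "${HA_BU_LEVEL:-use}"
ha_ba_out_policy "${HA_BU_LEVEL:-use}"
```

With `level use` the HA no longer distinguishes a plaintext BU from the legitimate MR from a forged one, so keep the selector narrow and let umip apply its own checks on the unprotected path.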
