Daniel Harkins wrote: > > Roy, > > I'm not talking about what policy is, I'm saying why would one want to > do IPSec at such a network aggregation point? One reason is to aggregate the traffic so as to thwart traffic analysis attempts. The packets going into the tunnel might already be encrypted in an end-to-end SA, yet this mechanism still has value.