Since in tunnel mode, it get a new ip header which has a different destination ip address. Does the packet need to be reroute to a new interface (may be the same) and bypass this interface's ipsec processing? Best regard! Dong Xiaohu