Just a note: my implementation can do nested SA's, assuming you mean the situation where you have an internal node "Another" that wants IPSEC, but which happens to be behind a security gateway SG:

               SA1
MyNode <---------------> SG
       <----------------------------------------> Another
               SA2

MyNode has nested SA2's, but both SG and Another would not see nested SA's.