Just a note: my implementation can do nested SA's, assuming you mean
situation where you have an internal node "Another" that wants IPSEC,
but which happens to be behind a security gateway SG:
SA1
MyNode <---------------> SG
<----------------------------------------> Another
SA2
MyNode has nested SA2's, but both SG and Another would not see nested
SA's.