This is a discussion on "IPsec: Why is ipencap needed in pf?" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hi everyone -

Could anyone please tell me why the following line is needed when using ESP in tunnel mode?

    pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A

I have been working my way through the vpn manpage and I understand everything with the exception of this line. I have tried to google the answer along with reading the RFCs with no luck.

If the enc interface allows an admin to see outgoing packets before they have been processed by IPsec and incoming packets after they have been processed, shouldn't an incoming packet, using ESP/tunnel, already have the outside IP header stripped off?

Any help with understanding this issue would be greatly appreciated.

Thanks in advance.