As per today's LSPP call, regular ipsec works ok over loopback. However, I could not get labeled ipsec to work over loopback. I will investigate to see why. Also, you must set to false /proc/sys/net/ipv4/conf/lo/disable_xfrm and /proc/sys/net/ipv4/conf/lo/disable_policy. By default they are set to true. Regards, Joy