[Openswan Users] Can you circumvent IPsec?

Shaheen Ali ali at smallmoon.com
Thu Jan 13 23:53:21 CET 2005


If I configure an IPsec security association using pluto, I can then send
packets in the clear (IP proto type is TCP, ICMP or UDP) and the packets
are accepted and passed up to the listening application.  The application
replies and IPsec encrypts the replies before sending them out on the
wire.  You end up with an asymmetric behavior, clear packet comes in,
reply is encrypted.  All due to a misbehaving client.

Is this wrong behavior?  I understand that Openswan only looks at incoming
packets on UDP/500 and IP type ESP or AH.

How does a Linux 2.6 kernel with native IPsec work?

Thanks,

Shaheen


