Reply to Resume traffic from NEPacketTunnelProvider
For example, if the IP Header indicates ICMP, then take that NEPacket and send it over the wire to your packet tunnel server. Is there a way to do this in Transport mode IPsec without a full-blown VPN solution? We want a client-to-client solution without a gateway and without a packet tunnel server. I have been able to parse NEPacket and identify if it is an ICMP protocol but at that point it's already being handled by the tunnel interface. Since there's no option to resume the packet as is, I'm lost as to how to "send it over the wire".
Topic: Programming Languages SubTopic: Swift Tags:
Nov ’20
Reply to Resume traffic from NEPacketTunnelProvider
The easiest way to allow traffic to continue to its destination is to allow the system to handle the packet and not even to touch NEPacketTunnelFlow. I can see how to do that with networks/routes. How would you do that based on the packet type? Let's say I always want to allow ICMP packets through unmodified.
Topic: Programming Languages SubTopic: Swift Tags:
Nov ’20
Reply to Raw Socket: Operation not permitted
We were also looking at the documentation for Packet Tunnel Provider but that seems to be specific to IPSec tunnel mode. Is there support for IPSec transport mode? Our thoughts were that with the filter, we could delay a packet selectively if it matched certain criteria, set up an IPSec connection in transport mode, then allow the packet. We ran into an issue where our delayed packet would pick up right where it left off and traverse without an ESP frame. That's when we came up with the idea to send a copy of that one packet back through the stack.
Sep ’20