The Linux ip xfrm policy command creates an IPsec policy, associating particular traffic with an SA. It uses something called a "template" (tmpl), which, as far as I can tell, is just a means of identifying the SA.

Why does it call it a template? How is it different than an SA? And, why does it require repeating the src, dest, etc.; isn't the reqid enough to identify the SA?

Finally: Does the reqid have any significance other than as a local name for the SA? reqid doesn't seem to be part of the IPsec standard, and doesn't seem to go anywhere on the wire. If it is a good means to identify the SA, why does the xfrm policy command use tmpl and other IDs (src, dest, proto, etc.)?

SRobertJames

0 Answers