Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?)
Yes, why not?
If traffic traverses the first VPN tunnel, it's traffic on site A like any other. Further destinations are found via routing. As long as you supply routes to distant networks (that is, networks behind the next hop firewall) this will work.
Of course, as firewalls are "security aware" routers, you need appropriate policies in addition.
Ede " Kernel panic: Aiee, killing interrupt handler!"