Subject: Re: Fixed arp entry for WaveLan?
To: None <itojun@iijlab.net>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: current-users
Date: 02/21/2000 19:04:55
Itojun, thanks for the tips.  I'll try them and send you the racoon
diagnostics privately if things still go badly.

> 	there should be no difference between "isakmp on wireless"
> 	and "isakmp on ethernet"...

The difference I see is that the ipsec / setkey examples all talk
about a system like this:

       HostA --- GatewayA ---- GatewayB --- HostB

The host-ip is not equal to the gateway-ip.  In the wireless case the
system is as such:

       HostA -- HostB

The IPs in the first line of the spdadd and in the following lines
are the same.  It's not even clear to me why the code shouldn't apply
the rule recursively until the maximum rule nesting is achieved.  Am I
misunderstanding the matching rules?

spdadd 192.168.197.1/32 192.168.197.8/32 any -P out ipsec
	esp/transport/192.168.197.1-192.168.197.8/use
	ah/transport/192.168.197.1-192.168.197.8/use;

Let's say this rule is applied to a packet.  The output packet still
has the source address 192.168.197.1 and it still has the destination
address 192.168.197.8.  Wouldn't the rule have to be applied again to
the already 1x ah+esp packet?

-wolfgang
-- 
Wolfgang Rupprecht    <wolfgang@wsrcc.com>     http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet  http://www.wsrcc.com/wolfgang/gps/dgps-ip.html