Subject: Re: Non-sensible sysctl defaults
To: None <wulf@ping.net.au>
From: Greg Troxel <gdt@ir.bbn.com>
List: netbsd-help
Date: 01/20/2003 15:08:51
At 2:24 PM +1030 1/18/03, wulf@ping.net.au wrote:
>>  Greetings. NetBSD 1.6 ships with /sbin/setkey. setkey only makes
>>  sense if IP forwarding is on. However, the sysctl setting
>>  net.inet.ip.forwarding defaults to 0.

Transport mode IPsec is entirely sensible on a machine without IP
forwarding enabled, and I do it all the time.  Tunnel mode IPsec can
also be done without forwarding (putting only locally-originated
packets in a tunnel), although typical VPN use has SPD entries with IP
address ranges that imply forwarding.

Also, it should be noted that the NetBSD SPD implementation is
deficient; RFC2401 requires the SPD to be nominally per interface in
addition to being outbound vs inbound.
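As an added example (not part of the original message), this is the kind of setkey(8) script the reply describes: transport-mode ESP between two hosts, which works with net.inet.ip.forwarding left at 0, shown beside the subnet-to-subnet tunnel policy whose address ranges imply forwarding. Addresses, SPIs and keys are constructed placeholders.

```conf
# Constructed example, not from the original message. Transport-mode ESP
# between hosts 192.0.2.10 and 192.0.2.20; run on 192.0.2.10.
flush;
spdflush;

# Manually keyed SAs, one per direction. rijndael-cbc is the NetBSD 1.6 name
# for AES-CBC; the 128-bit and 160-bit keys below are dummy values.
add 192.0.2.10 192.0.2.20 esp 0x1001 -m transport
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 192.0.2.20 192.0.2.10 esp 0x1002 -m transport
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# Transport-mode policy: only packets this host originates or receives are
# matched, so nothing is forwarded and the forwarding sysctl stays at 0.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;

# For contrast, a typical VPN tunnel policy between two subnets (commented
# out). The ranges cover hosts behind each gateway, so this gateway must
# forward (net.inet.ip.forwarding=1) for the policy to carry any traffic.
# spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/192.0.2.10-192.0.2.20/require;
# spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/192.0.2.20-192.0.2.10/require;
```

Load it with `setkey -f <file>`, then confirm the SAD and SPD with `setkey -D` and `setkey -DP` before relying on the policies.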