I believe that there are problems in the SPD lookup code.  Sometimes I
get machines into a state where there is a transport-mode SPD entry
for some TCP ports, and the traffic goes in the clear.   I have not
seen this in tunnel mode, but all my tunnel SPD entries do not look
beyond the IP address.

I wonder if this is a missing m_pullup to ensure that the UDP/TCP
header is actually in the mbuf?  I think I wondered this before and
looked, but this problem comes and goes, so it feels like that sort of
problem.

kgdb will be your friend here.

-- 
        Greg Troxel <gdt@ir.bbn.com>