Subject: ipsec help? trying to tunnel to freeswan
To: None <tech-net@netbsd.org>
From: Ken Raeburn <raeburn@raeburn.org>
List: tech-net
Date: 11/09/2001 15:51:00
I'd like to use IPsec for at least some of the tunnels I'm using at
home, but haven't managed to figure out how to get it working yet.

All the stuff I've found on NetBSD so far (I'm running 1.5X plus some
newer stuff from pkgsrc) seems to always lead to a point saying
either, "here's where you store your pre-shared secret key", or
"here's where you put your certificate info".  For the most important
tunnel I want to protect, what I've got is an ID string, an RSA public
key, and a DNS "auth-only host-level IPsec RSA" KEY RR (not actually
in DNS, but published via a web page) for the FreeS/WAN server, and
the ability to tell it the corresponding values for my system; no
secret keys, and no certificates, but AFAICT it should be enough for
key negotiation.  But if those fit into the NetBSD configuration
schemes, I haven't figured out how.  (It doesn't help that most of the
docs seem to assume you already understand how IPsec configuration
works and just need to know where to stick the values.)

And even if it does fit, the key format to use escapes me; I'm given a
hex string and the KEY RR, and I haven't yet figured out what the
interpretation of the text strings "hogehogehoge" and "mekmitasdigoat"
is supposed to be, but it's clearly not a hex representation.  Is it
base64?  Can I just take the string out of the KEY RR and put it
somewhere?

My local address is assigned via DHCP by my ISP, so I should avoid
hard-coding it if practical, and use a "road warrior" type
configuration, but for a subnet, not a single node.  In fact, the
driving reason for my wanting to use IPsec has less to do with actual
privacy than with the remote end not needing a fixed address for my
home system if I use IPsec.  (That and wanting to start learning about
IPsec.)


The next problem is, this tunnel endpoint machine is also my firewall
(using ipf) and NAT box (for those "internal" machines using net-10
addresses, which is not all of them).  Yes, I've read about the
problems with mixing IPF and IPsec.  It looks to me like the security
policy stuff is probably flexible enough to do many of the things I do
through ipf.conf, though not all (e.g., logging), but I don't see any
way to do NAT.  And I'm assuming that packets not going in or out
using IPsec will still be processed by the regular ipf/ipnat code.  If
not, IPsec is definitely lower priority than firewall/NAT, so I could
just give up on it right now.


I did mention I was using more than one tunnel.  Another one I'd like
to protect is using NetBSD at the remote end, and tunnelling an IPv6
subnet.  (It's running 1.5 at the moment, I think, but we'll update it
and get stf and perhaps ipsec in.)  Setting up a CA just for this box
would be overkill if we can just exchange public RSA keys like I want
to do with the FreeS/WAN tunnel.  But as with the FreeS/WAN tunnel,
it'd be a big win if the server side didn't need to have an address
hard-coded.

(The last one I'd need to protect would be to my laptop in road
warrior mode, using FreeS/WAN on it and my home system as the upstream
server, configured any way I like.  So I can work that one out later.)

Ken
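Editor's added example (not part of Ken's message, nor code from the FreeS/WAN or NetBSD projects): the public-key field of a DNS KEY RR (RFC 2535) is base64 text, and for algorithm 1 (RSA) the decoded bytes follow RFC 2537: a one-byte exponent length (or a zero byte plus a two-byte length), the exponent, then the modulus. FreeS/WAN's own key notation marks base64 with a `0s` prefix and hex with `0x`. The parser below takes the rdata part of a KEY RR line such as `0x4200 4 1 AQ...` (flags, protocol, algorithm, base64 key), decodes the flag bits that make it "auth-only, host-level, IPsec", and recovers the RSA exponent and modulus; it also builds such a record from an (e, n) pair. The sample key is a constructed modulus, not anyone's real key; the function names are my own.

```python
"""Parse and build the RSA public key carried in a DNS KEY RR (editor's example).

Formats used (RFC 2535 for the RR, RFC 2537 for the RSA public-key field):
  KEY rdata:  <flags> <protocol> <algorithm> <base64 public key>
  RSA field:  1 byte exponent length (nonzero), or 0x00 + 2-byte length,
              then the exponent, then the modulus, all big-endian.
"""
import base64
import binascii

# RFC 2535 flag semantics, bits numbered from the most significant bit.
_KEY_TYPE = {0: "auth+conf", 1: "auth-only", 2: "conf-only", 3: "no-key"}  # bits 0-1
_NAME_TYPE = {0: "user", 1: "zone", 2: "host/entity", 3: "reserved"}       # bits 6-7

PROTO_IPSEC = 4   # RFC 2535 protocol octet for IPsec keys
ALG_RSA = 1       # RFC 2537 algorithm number for RSA/MD5


def decode_pubkey_field(text):
    """Decode key text in FreeS/WAN notation: '0s' = base64, '0x' = hex.
    A bare string is treated as base64, which is what a KEY RR carries."""
    if text.startswith("0x"):
        return binascii.unhexlify(text[2:])
    if text.startswith("0s"):
        text = text[2:]
    return base64.b64decode(text, validate=True)


def rfc2537_unpack(blob):
    """Split an RFC 2537 RSA public-key field into (exponent, modulus)."""
    if not blob:
        raise ValueError("empty public key field")
    if blob[0] != 0:
        elen, off = blob[0], 1                       # short form: 1-byte length
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(blob[1:3], "big"), 3   # long form: 0x00 + 2 bytes
    exp_bytes = blob[off:off + elen]
    mod_bytes = blob[off + elen:]
    if len(exp_bytes) != elen or not mod_bytes:
        raise ValueError("truncated RSA public key field")
    return int.from_bytes(exp_bytes, "big"), int.from_bytes(mod_bytes, "big")


def rfc2537_pack(e, n):
    """Inverse of rfc2537_unpack: encode (e, n) as an RFC 2537 field."""
    exp_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        hdr = bytes([len(exp_bytes)])
    else:
        hdr = b"\x00" + len(exp_bytes).to_bytes(2, "big")
    return hdr + exp_bytes + mod_bytes


def _parse_flags(text):
    # FreeS/WAN prints flags as 0x-hex; zone files may carry them as decimal.
    return int(text[2:], 16) if text.lower().startswith("0x") else int(text, 10)


def parse_key_rr(rdata):
    """Parse 'FLAGS PROTO ALG BASE64...' and return the decoded fields.
    The base64 part may be split across whitespace, as in a zone file."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("KEY rdata needs flags, protocol, algorithm, key")
    flags = _parse_flags(fields[0])
    proto, alg = int(fields[1]), int(fields[2])
    if alg != ALG_RSA:
        raise ValueError("only RSA (algorithm 1) keys are handled here")
    e, n = rfc2537_unpack(decode_pubkey_field("".join(fields[3:])))
    return {
        "key_type": _KEY_TYPE[(flags >> 14) & 3],   # bits 0-1
        "name_type": _NAME_TYPE[(flags >> 8) & 3],  # bits 6-7
        "ipsec": proto == PROTO_IPSEC,
        "e": e,
        "n": n,
        "modulus_bits": n.bit_length(),
    }


def build_key_rr(e, n, flags=0x4200, proto=PROTO_IPSEC, alg=ALG_RSA):
    """Emit KEY rdata; 0x4200 = auth-only, host-level (FreeS/WAN's default)."""
    b64 = base64.b64encode(rfc2537_pack(e, n)).decode("ascii")
    return "0x%04x %d %d %s" % (flags, proto, alg, b64)


# Constructed sample key for demonstration only: NOT a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 511) | 0x1234567


if __name__ == "__main__":
    rr = build_key_rr(SAMPLE_E, SAMPLE_N)
    print("KEY rdata:", rr)
    print(parse_key_rr(rr))
```

The `0x4200` flags word decodes as key type `01` (authentication only) in bits 0-1 and name type `10` (host/entity) in bits 6-7, which is exactly the "auth-only host-level" wording in the FreeS/WAN documentation; protocol 4 marks the key as an IPsec key. A hex-encoded key is not interchangeable with the KEY RR text: the RR is base64 of the RFC 2537 structure, so the `0x`/`0s` distinction (or an explicit decode such as the one above) has to be respected before the bytes are handed to anything.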