Subject: AH + GRE works; ESP + GRE doesn't
To: None <tech-net@netbsd.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/21/2003 14:36:07
I'm still trying to debug my tunnelling problems, and I've found
something very strange. The setup looks like this:

    A -- B == C -- D

The link between B and C is a GRE tunnel.

When using no IPSec between B and C, A can ping D.

When using only AH between B and C, A can ping D.

When using only ESP, or AH + ESP between B and C, B can still ping C (on
the non-tunnel addresses), but A can no longer ping D, nor can B ping C
on the addresses of the tunnel interfaces themselves.

The encrypted packets arrive on the ethernet interface of C, but never
appear on the gre interface. (I've checked to make sure that there are
no firewall rules dropping the ESP packets, and of course the AH+ESP
packets are subject to the same rules as in the paragraph above.)
According to netstat -p ipsec, as well, the packets are being correctly
decrypted: only the "inbound packets processed successfully" counter
increments in either the successful or unsuccessful ping case.

So it seems that the packets do get correctly decrypted, but all the
GRE packets are disappearing somewhere after that point. It seems very
strange that this is true for ESP, but not AH. Anybody have any thoughts
on what might be going on here?

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
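As an added illustration (not code from the post above or from NetBSD), the following script builds GRE-over-IPsec packets in transport mode for both AH (RFC 2402) and ESP (RFC 2406) and parses them back, showing where the receiving stack finds the inner protocol number in each case: in AH it is the cleartext Next Header byte of the AH header itself, while in ESP it sits in the trailer and is only available after decryption, so the stack has to re-dispatch the decrypted payload to GRE (protocol 47) from the trailer. It assumes NULL encryption (so ciphertext equals plaintext), a fixed 12-byte ICV, and documentation addresses for B and C; it does not diagnose the failure reported in the post, it only makes the structural difference between the two cases concrete.

```python
"""Where the inner protocol number lives in AH vs ESP (transport mode).
Added illustration, not code from the post or from NetBSD.  Uses NULL
encryption and a dummy 12-byte ICV so it runs offline; no checksums or
ICVs are verified."""
import struct

IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12                     # assumed: 96-bit truncated HMAC (e.g. HMAC-SHA1-96)
SRC = bytes([192, 0, 2, 1])      # placeholder address for B (RFC 5737 range)
DST = bytes([192, 0, 2, 2])      # placeholder address for C


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; header checksum left zero (not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src, dst)


def gre_packet(inner):
    """GRE header (RFC 2784, no flags) carrying protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner


def ah_transport(spi, seq, gre, icv=b"\x00" * ICV_LEN):
    """AH: the inner protocol number is the cleartext Next Header byte."""
    ah_words = (12 + len(icv)) // 4 - 2          # RFC 2402 Payload Len field
    ah = struct.pack("!BBHII", IPPROTO_GRE, ah_words, 0, spi, seq) + icv
    return ipv4_header(IPPROTO_AH, SRC, DST, len(ah) + len(gre)) + ah + gre


def esp_transport(spi, seq, gre, block=4, icv=b"\x00" * ICV_LEN):
    """ESP: the inner protocol number is the last byte of the (encrypted)
    trailer: padding, Pad Length, Next Header.  NULL encryption here."""
    pad_len = (-(len(gre) + 2)) % block          # align payload+trailer to block
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 monotonic padding
    trailer = padding + bytes([pad_len, IPPROTO_GRE])
    body = struct.pack("!II", spi, seq) + gre + trailer + icv
    return ipv4_header(IPPROTO_ESP, SRC, DST, len(body)) + body


def parse(pkt, decrypt=lambda ciphertext: ciphertext):
    """Return (outer_proto, next_header, payload) for an AH or ESP packet.
    `decrypt` is the identity for NULL encryption."""
    ihl = (pkt[0] & 0x0F) * 4
    outer = pkt[9]
    body = pkt[ihl:]
    if outer == IPPROTO_AH:
        next_hdr, ah_words = body[0], body[1]    # visible before any crypto
        return outer, next_hdr, body[(ah_words + 2) * 4:]
    if outer == IPPROTO_ESP:
        plain = decrypt(body[8:-ICV_LEN])        # skip SPI+seq, drop the ICV
        pad_len, next_hdr = plain[-2], plain[-1]  # only known after decryption
        return outer, next_hdr, plain[:-(pad_len + 2)]
    raise ValueError("not an AH or ESP packet: proto %d" % outer)


def decapsulate(pkt, decrypt=lambda ciphertext: ciphertext):
    """Model the post-IPsec re-dispatch: hand the payload to GRE if the
    recovered Next Header says 47, otherwise return None."""
    outer, next_hdr, payload = parse(pkt, decrypt)
    if next_hdr != IPPROTO_GRE:
        return None
    gre_type = struct.unpack("!HH", payload[:4])[1]
    return {"outer": outer, "next": next_hdr, "gre_type": gre_type,
            "inner": payload[4:]}


if __name__ == "__main__":
    inner = ipv4_header(1, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]), 0)
    for pkt in (ah_transport(0x100, 1, gre_packet(inner)),
                esp_transport(0x200, 1, gre_packet(inner))):
        r = decapsulate(pkt)
        print("outer proto %d -> next header %d -> GRE type 0x%04x"
              % (r["outer"], r["next"], r["gre_type"]))
```

The practical point for anyone chasing a similar problem is that the AH path never needs the decrypted trailer to know the payload is GRE, whereas on the ESP path the protocol number is recovered from the trailer after decryption and must then be fed back into the input path as protocol 47; counters that only say "inbound packets processed successfully" do not tell you whether that second step happened.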