Subject: Update on fast-ipsec port
To: None <current-users@netbsd.org, tech-net@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 08/13/2003 19:19:51
I just imported a preliminary port of fast-ipsec into sys/netipsec.

I've also been testing a set of patches, mostly to sys/netinet, which
tie /sys/netipsec into IP (v4) as an IPsec engine. So far, ICMP works,
IKE (racoon) works, and upper-level protocols based on UDP work.

I'm currently testing one NetBSD fast-ipsec machine as an NFS client,
repeatedly copying a 190Mbyte random file to a FreeBSD 4.x fast-ipsec
NFS server, then comparing the original and copied files.  The NFS UDP
traffic is running over a transport-mode ESP (3des/sha) IPsec SA;
working fine so far.  For those with hifn77xx boards (e.g., Soekris
1201) or ubsec boards, fast-ipsec will automatically take advantage of
the hardware crypto engine.

TCP doesn't quite work. Outbound SYNs get sent to the FreeBSD peer
just fine, but the NetBSD box seems unable to find the appropriate
IPsec SA. I'm guessing the problem is related to the SYN cache and
passing inpcb pointers into the ip_output code.

The patches to sys/netinet have been reviewed by Itojun and other
reviewers, and several small points have been cleaned up. As best I
can tell they don't break non-IPsec kernels or KAME ipsec kernels.
I'd like to commit those diffs in the near future -- not least so that
others can help with debugging.

I'll make one more pass cleaning up the patches, then put them up for
`last-call' review, hopefully tomorrow.