Subject: Re: how do I do this with our ipsec...
To: Perry E. Metzger <perry@piermont.com>
From: None <itojun@iijlab.net>
List: tech-security
Date: 06/23/2002 09:40:56
>So I want to do something that isn't that weird if you think about it,
>but which isn't that obvious to do. I have a wireless host, and I'd
>like to shove all cleartext traffic into an IPSEC tunnel to the NetBSD
>based gateway to the wired network, but not bother to double-encrypt
>stuff that is already in IPSec.
>I can't figure out for the life of me if it is possible to set this
>up, or how I'd try to do it. Yes, I've read our manual pages. They
>aren't very informative. Could someone with clue perhaps drop me a
>note?

	i didn't test it myself, but will something like this help?
	note that SPD entries are ordered, so first one that matches will be
	used. [you'll need a very recent kernel due to policy lookup bugfix]

itojun


# ::1 is a placeholder for the real wireless-host / gateway addresses.
# ESP (IP protocol 50) is already IPsec: pass it through, do not wrap it again.
spdadd ::1 ::1 50 -P out none;
# ssh is already encrypted: leave traffic to and from tcp port 22 in the clear.
spdadd ::1 ::1[22] tcp -P out none;
spdadd ::1[22] ::1 tcp -P out none;
# Everything else goes into the ESP tunnel to the gateway ("use" level:
# encrypt when a matching SA exists, otherwise send as-is).
spdadd ::1 ::1 any -P out ipsec esp/tunnel/::1-::1/use;
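As an added illustration (not code from the post, nor from NetBSD or KAME), the following Python toy models the ordered, first-match SPD lookup itojun describes: it parses the four spdadd lines above into policy entries, classifies a few constructed sample packets, and shows that reversing the order lets the catch-all entry swallow the ESP traffic. Packet, Policy, parse_spdadd, lookup and classify are names of this example only; the system default when no entry matches is assumed to be "none" here, and nothing beyond the first-match rule is modelled.

```python
"""Toy model of ordered SPD (security policy database) lookup.

Added example, not NetBSD/KAME code. It mimics the first-match semantics
for the four spdadd lines in the post, on constructed sample packets.
Addresses are kept as the ::1 placeholders used in the post.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTO = {"tcp": 6, "udp": 17, "esp": 50}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number: 6 tcp, 17 udp, 50 esp
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: Optional[int]       # None means "any" upper-layer protocol
    sport: Optional[int]       # None means any port
    dport: Optional[int]
    direction: str             # "out" or "in"
    action: str                # "none" or "ipsec esp/tunnel/.../use"

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst == p.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def parse_endpoint(tok: str):
    """'::1' -> ('::1', None); '::1[22]' -> ('::1', 22)."""
    if tok.endswith("]"):
        addr, port = tok[:-1].split("[")
        return addr, int(port)
    return tok, None


def parse_spdadd(line: str) -> Optional[Policy]:
    """Parse a minimal 'spdadd src dst upper -P dir action;' line."""
    line = line.split("#", 1)[0].strip().rstrip(";")
    if not line:
        return None
    toks = line.split()
    if toks[0] != "spdadd" or toks[4] != "-P":
        raise ValueError("unsupported line: " + line)
    src, sport = parse_endpoint(toks[1])
    dst, dport = parse_endpoint(toks[2])
    upper = toks[3]
    if upper == "any":
        proto = None
    elif upper.isdigit():
        proto = int(upper)      # numeric protocol, e.g. 50 for ESP
    else:
        proto = PROTO[upper]
    return Policy(src, dst, proto, sport, dport, toks[5], " ".join(toks[6:]))


def lookup(spd: List[Policy], pkt: Packet, direction: str = "out") -> str:
    """First matching entry wins, as in the kernel's SPD lookup."""
    for pol in spd:
        if pol.direction == direction and pol.matches(pkt):
            return pol.action
    return "none"   # assumed system default when nothing matches


# The four entries from the post, verbatim.
SPD_TEXT = """\
spdadd ::1 ::1 50 -P out none;
spdadd ::1 ::1[22] tcp -P out none;
spdadd ::1[22] ::1 tcp -P out none;
spdadd ::1 ::1 any -P out ipsec esp/tunnel/::1-::1/use;
"""
SPD = [p for p in map(parse_spdadd, SPD_TEXT.splitlines()) if p]


def classify(pkt: Packet, spd: List[Policy] = SPD) -> str:
    return lookup(spd, pkt)


if __name__ == "__main__":
    samples = {
        "esp (already IPsec)": Packet("::1", "::1", 50),
        "ssh to port 22":      Packet("::1", "::1", 6, 51000, 22),
        "ssh reply from 22":   Packet("::1", "::1", 6, 22, 51000),
        "http":                Packet("::1", "::1", 6, 51000, 80),
        "dns over udp":        Packet("::1", "::1", 17, 5353, 53),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> {classify(pkt)}")
    # With the catch-all first, even ESP would be tunnelled again:
    print("reversed order, esp ->", lookup(list(reversed(SPD)), samples["esp (already IPsec)"]))
```

Running it shows ESP and ssh traffic classified "none" and everything else sent to the tunnel; the reversed-order line demonstrates why the catch-all must come last.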