Subject: NAT-T patch to review
To: None <tech-kern@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 09/30/2004 17:26:26
Hi

I finally fixed my problems with ESP handling in NAT-T: called from udp_input,
I was sending the mbuf to esp_input, but both udp_input and esp_input free
the mbuf after processing, thus resulting in a double free. Using m_dup
on the mbuf fixed the problem.

Using the patch at the address below and the latest racoon from ipsec-tools
(I submitted the patches, it now builds nicely on NetBSD), I have been able to
use the Cisco VPN client from behind a NAT with NetBSD as the VPN server
using hybrid authentication. I was able to reach a machine outside the VPN.

http://ftp.espci.fr/shadow/manu/natt.patch

I did not try ill-setups such as both VPN ends behind a NAT or the VPN
server behind a NAT.

There is one bit missing, with a message from racoon sent through the PF_KEY
socket I never encountered yet: SADB_X_NAT_T_NEW_MAPPING. I still have
to understand in what situation this happens.

Please comment on the patch. I plan to add an ifdef IPSEC_NAT_T and make it
a kernel config option, disabled by default in GENERIC. I am thinking about
committing the missing bit once I encounter the problem it should fix.

-- 
Emmanuel Dreyfus
manu@netbsd.org
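The double free described in the message above comes from an ownership mismatch: esp_input is a consuming callee that always frees the mbuf it is handed, while udp_input also frees the mbuf it owns at the end of its own processing. The added example below is not part of the email or of the NetBSD patch; it models that pattern with a constructed fixed-slot buffer pool (tbuf, tb_alloc, tb_free, tb_dup are toy stand-ins, not NetBSD's struct mbuf, m_freem or m_dup) whose free routine detects a second free instead of corrupting memory, so the broken dispatcher and the duplicate-before-handoff fix can be compared side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy buffer pool standing in for kernel mbufs.  Every name here
 * is hypothetical; none of it is NetBSD's mbuf API. */
#define POOL_SLOTS 8
struct tbuf { int in_use; size_t len; unsigned char data[64]; };
static struct tbuf pool[POOL_SLOTS];
static int double_frees;   /* frees of a buffer that was already free */

static struct tbuf *tb_alloc(const void *src, size_t len) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use && len <= sizeof pool[i].data) {
            pool[i].in_use = 1;
            pool[i].len = len;
            memcpy(pool[i].data, src, len);
            return &pool[i];
        }
    }
    return NULL;
}

/* In a real kernel a second free is heap corruption; here it is just counted. */
static void tb_free(struct tbuf *m) {
    if (!m->in_use) { double_frees++; return; }
    m->in_use = 0;
}

static struct tbuf *tb_dup(const struct tbuf *m) { return tb_alloc(m->data, m->len); }

static int tb_live(void) {
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++) n += pool[i].in_use;
    return n;
}

/* Consuming callee, like esp_input: reads the 32-bit SPI at the front of the
 * payload and always frees the buffer it was given. */
static uint32_t esp_consume(struct tbuf *m) {
    uint32_t spi = 0;
    if (m->len >= 4)
        spi = ((uint32_t)m->data[0] << 24) | ((uint32_t)m->data[1] << 16) |
              ((uint32_t)m->data[2] << 8)  |  (uint32_t)m->data[3];
    tb_free(m);
    return spi;
}

/* Broken dispatcher: hands its own buffer to the consumer, then frees it again. */
static uint32_t udp_dispatch_broken(struct tbuf *m) {
    uint32_t spi = esp_consume(m);
    tb_free(m);                       /* second free of the same buffer */
    return spi;
}

/* Fixed dispatcher: the consumer gets its own copy; ownership of m stays here. */
static uint32_t udp_dispatch_fixed(struct tbuf *m) {
    struct tbuf *copy = tb_dup(m);
    uint32_t spi = copy ? esp_consume(copy) : 0;
    tb_free(m);                       /* only free of the original */
    return spi;
}

/* Runs one constructed UDP-encapsulated ESP payload through a dispatcher.
 * Returns 1 if the pool ended up consistent (no double free, no leak), else 0. */
static int run_case(uint32_t (*dispatch)(struct tbuf *), uint32_t *spi_out) {
    static const unsigned char payload[] = {   /* constructed: SPI 0x1001 + filler */
        0x00, 0x00, 0x10, 0x01, 0xde, 0xad, 0xbe, 0xef };
    double_frees = 0;
    struct tbuf *m = tb_alloc(payload, sizeof payload);
    if (m == NULL) return 0;
    *spi_out = dispatch(m);
    return double_frees == 0 && tb_live() == 0;
}

int main(void) {
    uint32_t spi;
    printf("fixed:  clean=%d spi=0x%x\n", run_case(udp_dispatch_fixed, &spi), spi);
    printf("broken: clean=%d spi=0x%x\n", run_case(udp_dispatch_broken, &spi), spi);
    return 0;
}
```

The SPI comes out the same either way, which is why the bug is invisible to a functional test: only tracking buffer ownership (here the in_use flag, in a kernel the allocator's own checks or a memory debugger) exposes the second free.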