Subject: Re: IPsec question
To: Jukka Marin <jmarin@embedtronics.fi>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 08/14/2003 05:22:52
In message <20030814055816.GB16985@kyyhky.embedtronics.fi>, Jukka Marin writes:
>On Wed, Aug 13, 2003 at 09:57:56PM -0400, Dan McMahill wrote:
>> I have what I think is probably a simple IPsec question.
>> When linksys and other similar vendors say their little hardware
>> firewalls support "IPsec passthru" what exactly do they mean and how
>> do I get the same thing out of a netbsd+ipf based firewall?
>
>I think you need to pass ESP protocol in both directions as well as
>UDP protocol to and from port 500 (for IKE).

Right.  The issue is how you match incoming packets with outgoing ones, 
since the SPIs in the two directions bear no relationship to each 
other.  What some home-grade NATs do is assume that only one inside 
machine is speaking IPsec to a given outside machine at any time, and 
match the inbound source address to previous outbound destination 
addresses on IPsec packets.

		--Steve Bellovin, http://www.research.att.com/~smb
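The address-matching heuristic Steve describes, modelled as an added Python example (not code from this thread; the class, host names and addresses are constructed). It shows why the "one inside host per outside peer" assumption matters: a second inside host talking ESP to the same peer silently takes over the mapping.

```python
"""Model of home-NAT 'IPsec passthru': forward ESP (IP protocol 50) without
understanding SPIs, by remembering which inside host most recently sent ESP to
each outside peer.  Constructed example; not from the mailing-list post."""
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP


@dataclass
class EspPassthruNat:
    # outside peer address -> inside host that last sent it ESP
    peers: dict = field(default_factory=dict)
    # (outside, previous_inside, new_inside) whenever a mapping is overwritten;
    # each entry is an inside host whose inbound ESP will now be misdelivered
    collisions: list = field(default_factory=list)

    def outbound(self, inside, outside, proto, spi):
        """Inside host sends a packet to outside.  Returns the inside address
        the NAT associated with the peer, or None if the packet is not ESP
        (ordinary NAT handling, not modelled here)."""
        if proto != ESP:
            return None
        # spi is deliberately ignored: the peer picks the SPI for the reverse
        # direction, so the outbound SPI says nothing about inbound packets.
        prev = self.peers.get(outside)
        if prev is not None and prev != inside:
            self.collisions.append((outside, prev, inside))
        self.peers[outside] = inside
        return inside

    def inbound(self, outside, proto, spi):
        """Inbound packet from outside.  With no SPI knowledge, the NAT picks
        the inside destination from the source address alone; returns None
        (drop) when the peer is unknown or the packet is not ESP."""
        if proto != ESP:
            return None
        return self.peers.get(outside)


def demo():
    """Two inside hosts reach the same remote gateway: the second steals the
    first's inbound ESP.  Returns the delivery results and recorded collisions."""
    nat = EspPassthruNat()
    gw = "203.0.113.1"  # constructed remote IPsec gateway address
    nat.outbound("192.168.1.10", gw, ESP, spi=0x1001)
    first = nat.inbound(gw, ESP, spi=0x2002)   # delivered to .10
    nat.outbound("192.168.1.11", gw, ESP, spi=0x1003)
    second = nat.inbound(gw, ESP, spi=0x2002)  # now delivered to .11
    return first, second, list(nat.collisions)
```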