Subject: Re: CVS commit: basesrc
To: Jim Wise <jwise@draga.com>
From: None <itojun@iijlab.net>
List: source-changes
Date: 12/29/2000 12:00:42
>>	as the following note shows, we cannot use racoon to protect
>>	NFS-over-IPsec mounted /usr.  it is unfortunate, but the footprint is
>>	rather big for static linkage (it has to link libcrypto as well as
>>	kerberos libraries).  please use manual keys during bootstrap.
>Hmm.  That's unfortunate -- it seems to me that in a shop with a large
>number of hosts, especially one otherwise using the new Kerberos IKE
>code, this could be a big management hassle.

	anyway you'll need to populate lots of preshared keys, or
	lots of certificates, to all the clients.  (if you would like to
	use kerberos for phase 1 authentication, you need /usr anyways).

>On the other hand, I understand the difficulty in placing such a large
>binary on / by default.  I wonder if it would be possible to set a
>mk.conf variable to have usr.sbin/racoon built statically into /sbin?
>It seems that even if not a good default, this should be available as an
>option...

	i see, will do.

itojun