Subject: Re: IPSec w. IPv4 Wierdness
To: None <itojun@iijlab.net, mtbell@mb1.micropede.com, tech-net@netbsd.org>
From: Alex Barclay <alex@tfo-consulting.com>
List: tech-net
Date: 01/01/2001 19:17:16
> I'm going to continue attempting to get racoon working instead of isakmpd
> as it may be a better fit with netbsd.

So I got racoon working. To establish the security policy I did:
#! /bin/sh
route -n add -net 10.2.0.0 10.3.3.3
setkey -c << EOF
spdadd 10.3.3.0/24 10.2.0.0/16 any -P out ipsec
esp/tunnel/24.5.71.86-63.93.241.3/require;
spdadd 10.2.0.0/16 10.3.3.0/24 any -P in ipsec
esp/tunnel/63.93.241.3-24.5.71.86/require;
EOF

The racoon config was:
# $KAME: racoon.conf.sample,v 1.20 2000/11/03 15:08:03 sakane Exp $

path pre_shared_key "/etc/racoon/psk.txt" ;

remote anonymous
{
        exchange_mode aggressive;

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1;
        }
}

sainfo anonymous
{
        pfs_group 1;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate;
}

The psk.txt file is my little secret :-)

This appears to work in both directions correctly for telnet and X11. I'll
let you know in the next couple of weeks how it works for other stuff like
H.323, MGCP and SIP which are my day job.

As I had already said, the other end of this is a Cisco 2600 running
IOS 12.0.7 single DES.

This also appears to be reproducible. I can clear the routes and SPD
entries and restart them a number of times.

I'd like to thank the kame folks for a great job.

A.
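As an added example (not part of the post, nor KAME or racoon code), a small Python linter that parses the setkey SPD lines and racoon.conf fragments above, checks that the inbound policy mirrors the outbound one and that both are `require`, and flags the phase-1/phase-2 choices (single DES, MD5, DH group 1, aggressive mode) that are weak by current standards. It assumes only the Python standard library; the config text is embedded as a constructed sample taken from the post.

```python
import re

# Constructed sample: the setkey(8) SPD entries and racoon.conf fragments from the post.
SPD_TEXT = """spdadd 10.3.3.0/24 10.2.0.0/16 any -P out ipsec
esp/tunnel/24.5.71.86-63.93.241.3/require;
spdadd 10.2.0.0/16 10.3.3.0/24 any -P in ipsec
esp/tunnel/63.93.241.3-24.5.71.86/require;"""
RACOON_TEXT = """remote anonymous { exchange_mode aggressive;
proposal { encryption_algorithm des; hash_algorithm md5;
authentication_method pre_shared_key ; dh_group 1; } }
sainfo anonymous { pfs_group 1;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ; }"""

FIELDS = ("src", "dst", "upper", "dir", "proto", "mode", "ep_a", "ep_b", "level")
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """One dict per spdadd line; tunnel endpoints are written src-dst as seen by that direction."""
    return [dict(zip(FIELDS, m.groups())) for m in SPD_RE.finditer(text)]

def check_spd(policies):
    """Every outbound tunnel policy needs an inbound twin with selectors and endpoints swapped,
    and every policy should be 'require' so cleartext is neither sent nor accepted on that path."""
    problems = []
    for o in (p for p in policies if p["dir"] == "out"):
        twins = [i for i in policies if i["dir"] == "in"
                 and (i["src"], i["dst"]) == (o["dst"], o["src"])
                 and (i["ep_a"], i["ep_b"]) == (o["ep_b"], o["ep_a"])
                 and (i["proto"], i["mode"]) == (o["proto"], o["mode"])]
        if not twins:
            problems.append(f"no mirrored inbound policy for {o['src']} -> {o['dst']}")
    problems += [f"{p['dir']} {p['src']} -> {p['dst']}: level '{p['level']}' is not 'require'"
                 for p in policies if p["level"] != "require"]
    return problems

# Choices the 2001-era Cisco interop needed, but weak by today's standards.
WEAK = {"encryption_algorithm": {"des"}, "hash_algorithm": {"md5"},
        "authentication_algorithm": {"hmac_md5"}, "dh_group": {"1"}, "pfs_group": {"1"},
        "exchange_mode": {"aggressive"}}

def lint_racoon(text):
    """Flag weak algorithm/group choices in a racoon.conf fragment (keyword value[, value] ;)."""
    found = []
    for key, vals in re.findall(r"(\w+)\s+([^;{}]+?)\s*;", text):
        for v in (x.strip() for x in vals.split(",")):
            if v in WEAK.get(key, ()):
                found.append(f"{key} {v}")
    return found
```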