Subject: Re: IPsec and NAT?
To: None <tech-net@netbsd.org>
From: Urban Boquist <boquist@crt.se>
List: tech-net
Date: 06/08/2001 16:52:38
>>>>> Jun-ichiro itojun Hagino writes:

>> You mean "before" on outbound packets, right? And after on
>> inbound. So that would be the way NetBSD used to behave, but no
>> longer does...

Jun-ichiro> 	no, netbsd did not behave like that in the past.

Hmmm OK, I believe you! I'm sorry for the misinformation.

Jun-ichiro> 	i believe the current packet processing order (as
Jun-ichiro> presented on IPsec FAQ) is more correct.

Yes of course, I didn't mean in any way to imply that the change was
wrong. I'm really sorry if my message made it sound that way. Thanks a
lot for your explanation of the current situation.

Jun-ichiro> the rule of thumb is that we shouldn't play with
Jun-ichiro> additional interfaces, or you will be doomed.

OK, I was just about to suggest that maybe I could make use of some of
the tunnel interfaces that we have in NetBSD, to make NAT happen
earlier, but I guess I won't suggest that then... ;-)

Just for reference I include a picture of my VMware situation below,
in case someone else has any clever ideas (read: hacks).

Thanks again,

        -- Urban

WaveLAN (IPsec only)
   |
   |
   | wi0: 172.16.8.238
-------------                                         -------------------
|           |                                         |                 |
|  NetBSD   |                                         | Win98 in VMware |
|           |-----------------------------------------|                 |
|___________| vmnet1: 172.16.212.1        172.16.212.2|_________________|

wi0 is configured by isakmpd for IPsec ESP/tunnel mode.
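The thread turns on where NAT sits relative to the IPsec policy lookup on the outbound path: Urban wants NAT to "happen earlier" so that the VMware guest's packets are translated to wi0's address before the SPD is consulted. The model below is an added illustration and not code from the original thread or from NetBSD; the SPD rule, the NAT mapping and the remote address 172.16.8.1 are constructed from the diagram, and the assumption that the policy selects on wi0's own address is mine. It shows the defender's concern with the IPsec-before-NAT order: the guest's packet misses the policy, gets translated afterwards, and would leave the "IPsec only" WaveLAN interface in the clear.

```python
"""Toy model of outbound processing order: NAT versus IPsec policy lookup.

Added example, not from the original thread. Addresses follow the ASCII
diagram; the SPD selector and the NAT mapping are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed SPD: one tunnel-mode ESP policy selecting on the host's
# WaveLAN address (the real policy from isakmpd is not shown on the page).
SPD = [
    {
        "src": ipaddress.ip_network("172.16.8.238/32"),
        "dst": ipaddress.ip_network("172.16.8.0/24"),
        "action": "esp-tunnel",
    },
]

# Constructed NAT table: the VMware guest on vmnet1 is masqueraded as wi0.
NAT = {"172.16.212.2": "172.16.8.238"}


def spd_lookup(pkt: Packet) -> str:
    """Return the policy action for a packet, or 'bypass' if nothing matches."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in SPD:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["action"]
    return "bypass"


def nat_outbound(pkt: Packet) -> Packet:
    """Rewrite the source address if the NAT table has a mapping for it."""
    return Packet(NAT.get(pkt.src, pkt.src), pkt.dst)


def process_outbound(pkt: Packet, order):
    """Apply the steps in the given order.

    Returns (final packet, IPsec action, trace). The action is whatever the
    SPD lookup decided at the point it ran, which is the whole question.
    """
    trace = []
    action = "bypass"
    for step in order:
        if step == "nat":
            pkt = nat_outbound(pkt)
            trace.append(("nat", pkt.src))
        elif step == "ipsec":
            action = spd_lookup(pkt)
            trace.append(("ipsec", action))
        else:
            raise ValueError(f"unknown step {step!r}")
    return pkt, action, trace


def leaves_in_clear(pkt: Packet, order) -> bool:
    """True if the packet would exit the IPsec-only link unprotected."""
    _, action, _ = process_outbound(pkt, order)
    return action == "bypass"


if __name__ == "__main__":
    guest = Packet("172.16.212.2", "172.16.8.1")   # constructed remote host
    for order in (("ipsec", "nat"), ("nat", "ipsec")):
        final, action, trace = process_outbound(guest, order)
        print(order, "->", final.src, action, trace)
```

With the order `("ipsec", "nat")` the guest's packet is looked up while it still carries 172.16.212.2, matches nothing, and is only then rewritten to 172.16.8.238, so it leaves unprotected; with `("nat", "ipsec")` the same packet is translated first and hits the ESP tunnel policy. The host's own traffic (source already 172.16.8.238) is protected in either order, which is why the problem only shows up once a NATed guest is added.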