Subject: Re: ipsec help? trying to tunnel to freeswan
To: Bill Studenmund <wrstuden@netbsd.org>
From: Ken Raeburn <raeburn@raeburn.org>
List: tech-net
Date: 11/09/2001 18:29:50

Bill Studenmund <wrstuden@netbsd.org> writes:

> You should look specifically at racoon and isakmpd. I prefer racoon, but
> these are the two programs (in pkgsrc) that handle key negotiation. I
> *think* they can add and remove policies too.

I have; that's where I found all the references to "put your
pre-shared secret key here" type stuff that seems to assume a
different setup than the one I have to talk to.  Maybe they just don't
support this mode, but I am not familiar enough with IPsec yet to
ascertain that with any confidence.

> I've had no problem with NAT and IPSec. But then I've used a different
> form of tunneling. My setup has gif (IP in IP) tunnels on each end, and
> ESP/transport mode policy set up between each end.

That sounds like it'd be different (on the wire) from a direct IPsec
tunnel; if so, I wouldn't be able to use it, since I don't control the
other end of the link. :-(

Ken