Subject: Re: ipsec help? trying to tunnel to freeswan
To: Ken Raeburn <raeburn@raeburn.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 11/09/2001 23:02:52
>>>>> "Ken" == Ken Raeburn <raeburn@raeburn.org> writes:
    Ken> I'd like to use IPsec for at least some of the tunnels I'm using at
    Ken> home, but haven't managed to figure out how to get it working yet.

    Ken> All the stuff I've found on NetBSD so far (I'm running 1.5X plus some
    Ken> newer stuff from pkgsrc) seems to always lead to a point saying
    Ken> either, "here's where you store your pre-shared secret key", or
    Ken> "here's where you put your certificate info".  For the most important
    Ken> tunnel I want to protect, what I've got is an ID string, an RSA public
    Ken> key, and a DNS "auth-only host-level IPsec RSA" KEY RR (not actually

  Actually, I haven't figured out how to point at an RSA key yet either...
  (I'm now a FreeSWAN guy as well, so the other part I can help you with...)

    Ken> The next problem is, this tunnel endpoint machine is also my firewall
    Ken> (using ipf) and NAT box (for those "internal" machines using net-10
    Ken> addresses, which is not all of them).  Yes, I've read about the
    Ken> problems with mixing IPF and IPsec.  It looks to me like the security
    Ken> policy stuff is probably flexible enough to do many of the things I do
    Ken> through ipf.conf, though not all (e.g., logging), but I don't see any
    Ken> way to do NAT.  And I'm assuming that packets not going in or out
    Ken> using IPsec will still be processed by the regular ipf/ipnat code.  If
    Ken> not, IPsec is definitely lower priority than firewall/NAT, so I could
    Ken> just give up on it right now.

  I believe, unfortunately, that IPsec processing will occur prior to NAT,
but I'm not 100% certain of this.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [