Subject: ipsec/ipf/routing confusion
To: None <tech-net@netbsd.org>
From: Joe Bamberg <joeb@panix.com>
List: tech-net
Date: 11/06/2000 12:55:50
Greetings tech-net,
Here is my setup:

                home net (192.168.2.0/24)
                          |
                          |
                          |
               192.168.2.253 interface ep0
    home router--------------------192.168.3.1 interface lo1
               a.b.c.d interface ep1
                          |
                          |
                  (big bad internet)
                          |
                          |
               e.f.g.h
    work router
               172.16.1.5
                          |
                          |
                          |
               172.16.1.253
    another router
               10.2.1.253
                          |
                          |
                          |
                work net (10.2.0.0/16)
I'm trying to set up tunnel mode IPsec between 192.168.2.0/24
and 10.2.0.0/16. The home router is a NetBSD-1.5_BETA box,
and the work router is a Cisco (IOS 12.something).
IKE seems to work just fine (I'm using isakmpd-001006 on the
netbsd side). I negotiate an SA successfully and isakmpd installs
what looks like good SPD and SAD entries (although, all the
SPD entries are direction "out" - I guess this just means that
I initiated them?).
My default route on the home router is my ISP's router. Since
I don't want to route packets destined to the 10.2 network
through this, I've created an extra loopback interface (lo1) with
address 192.168.3.1 and route add -net 10.2 through that. This
also helps for logging.
When I ping a host on the work net from a host on the home net
(after IKE has established SAs), I see the ICMP packets inbound
on lo1 (using ipmon), ESP packets a.b.c.d -> e.f.g.h and ESP
packets coming back e.f.g.h -> a.b.c.d on ep1 (using tcpdump -niep1).
Then, I see the decrypted ICMP replies coming in on ep1 (using
ipmon) 10.2.x.y -> 192.168.2.z. They get blocked by an ipf rule.
If I pass them instead of blocking them (which seems to be highly
dodgy from a security standpoint), I still don't see them coming
back out to the 192.168.2.0/24 network. I was surprised at this
behaviour, expecting to see the decrypted packets appear initially
outbound on ep0 instead.
I feel that I'm so close to getting this to work, but I must
be missing one vital piece of the puzzle and would appreciate
any help. I have realized that I just don't understand the
interaction between routing and IPsec in the kernel.
Thanks
joe
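The policy-and-filter pairing that the setup above calls for, added here as an illustrative configuration and not part of Joe's message, of NetBSD, or of isakmpd: it reuses the page's placeholder gateway addresses a.b.c.d and e.f.g.h, assumes KAME setkey(8) and ipf(5) syntax of the NetBSD 1.5 era, and assumes (my understanding of the KAME design, check it on your own kernel) that an inbound "require" policy makes the kernel discard cleartext packets matching the tunnel's selectors that did not actually arrive through the ESP SA. That kernel-side check is what makes the "pass in ... from 10.2.0.0/16" filter rule, which the post rightly calls dodgy on its own, acceptable: ipf alone cannot tell a decrypted inner packet from a spoofed cleartext one, since both show up as inbound on ep1.

```conf
# --- KAME policy, e.g. /etc/ipsec.conf, loaded with:  setkey -f /etc/ipsec.conf
# The post's isakmpd run installed only "out" SPD entries. Adding the
# matching "in" policy with level "require" tells the kernel that traffic
# 10.2/16 -> 192.168.2/24 is only acceptable when it came out of the ESP
# tunnel from e.f.g.h; matching cleartext arriving on ep1 without ESP is
# dropped as an inbound policy violation instead of being forwarded.
spdadd 192.168.2.0/24 10.2.0.0/16 any -P out ipsec esp/tunnel/a.b.c.d-e.f.g.h/require;
spdadd 10.2.0.0/16 192.168.2.0/24 any -P in  ipsec esp/tunnel/e.f.g.h-a.b.c.d/require;

# --- ipf rules, /etc/ipf.conf.  "quick" means first match wins, so order matters.
# IKE between the two gateways (isakmpd <-> IOS), UDP/500 both ways.
pass in  quick on ep1 proto udp from e.f.g.h port = 500 to a.b.c.d port = 500
pass out quick on ep1 proto udp from a.b.c.d port = 500 to e.f.g.h port = 500
# The ESP tunnel itself, exactly between the two gateway addresses.
pass in  quick on ep1 proto esp from e.f.g.h to a.b.c.d
pass out quick on ep1 proto esp from a.b.c.d to e.f.g.h
# Decrypted inner packets re-enter the input path on ep1 (what ipmon shows in
# the post), are forwarded, and only then leave on ep0. Both hops need a pass
# rule; restrict them to the tunnel's selectors and rely on the "require"
# policy above to keep spoofed cleartext with a 10.2 source out.
pass in  quick on ep1 from 10.2.0.0/16 to 192.168.2.0/24
pass out quick on ep0 from 10.2.0.0/16 to 192.168.2.0/24
# The lo1 sink used to steer 10.2/16 away from the default route: loopback
# traffic is local, pass it (the post sees the pre-encryption ICMP here).
pass in  quick on lo1 all
pass out quick on lo1 all
# Anything else from the internet claiming a private source is spoofed: log and drop.
block in log quick on ep1 from 10.0.0.0/8 to any
block in log quick on ep1 from 172.16.0.0/12 to any
block in log quick on ep1 from 192.168.0.0/16 to any
```

After loading, `setkey -DP` should list both the "out" and the "in" policy (isakmpd's SAs appear under `setkey -D`), and `ipfstat -io` shows the active rule order. A useful check of the "require" policy is to watch ipmon while the tunnel is down: cleartext 10.2.x.y -> 192.168.2.z sent at ep1 should now pass the ipf rule but never reach ep0, because the kernel policy check discards it before forwarding; once IKE is up, the same addresses flow through both rules.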