Subject: Re: switching to ipsec-tool's racoon
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-net
Date: 12/17/2004 11:29:52
Thor Lancelot Simon <tls@rek.tjls.com> wrote:
> It looks to me like with the ipsec-tools racoon, we lose AES support,
> because there's a disagreement with the kernel about which algorithm
> to use. That, at least, is very important to fix.
Using the patch below, I was able to establish a phase 2 SA with
rijndael-cbc between ipsec-tools racoon and KAME racoon (both hosts
running NetBSD). Does that fix the issue for you?
Index: src/racoon/pfkey.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/pfkey.c,v
retrieving revision 1.24
diff -r1.24 pfkey.c
491a492,495
> #ifdef SADB_X_EALG_RIJNDAELCBC
> case IPSECDOI_ESP_AES:
> return SADB_X_EALG_RIJNDAELCBC;
> #endif
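Review bot: The new `case IPSECDOI_ESP_AES:` at 492-495 is compiled only when the system headers define `SADB_X_EALG_RIJNDAELCBC`, so on a platform without that macro this hunk adds no AES mapping and the behaviour there is unchanged. The diff carries no context lines, so it is not visible whether the enclosing switch already has an `IPSECDOI_ESP_AES` label under a different guard. If one exists, a platform whose headers satisfy both guards would hit a duplicate case label, and the new lines would be safer folded into that guard as an `#elif defined(SADB_X_EALG_RIJNDAELCBC)` branch. A one-line comment saying which kernels use the RIJNDAELCBC name would help, as would resending as a unified diff so the surrounding switch can be checked.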
--
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who do not.
manu@netbsd.org