diff --git a/src/include.new/netipsec/ah.h b/src/include.new/netipsec/ah.h
new file mode 100644
index 0000000..4f52153
--- /dev/null
+++ b/src/include.new/netipsec/ah.h
@@ -0,0 +1,56 @@ +/* $FreeBSD: src/sys/netipsec/ah.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: ah.h,v 1.13 2000/10/18 21:28:00 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * RFC1826/2402 authentication header. 
+ */
+
+#ifndef _NETIPSEC_AH_H_
+#define _NETIPSEC_AH_H_
+
+struct ah {
+ u_int8_t ah_nxt; /* Next Header */
+ u_int8_t ah_len; /* Length of data, in 32bit */
+ u_int16_t ah_reserve; /* Reserved for future use */
+ u_int32_t ah_spi; /* Security parameter index */
+ /* variable size, 32bit bound*/ /* Authentication data */
+};
+
+struct newah {
+ u_int8_t ah_nxt; /* Next Header */
+ u_int8_t ah_len; /* Length of data + 1, in 32bit */
+ u_int16_t ah_reserve; /* Reserved for future use */
+ u_int32_t ah_spi; /* Security parameter index */
+ u_int32_t ah_seq; /* Sequence number field */
+ /* variable size, 32bit bound*/ /* Authentication data */
+};
+#endif /*_NETIPSEC_AH_H_*/
diff --git a/src/include.new/netipsec/ah_var.h b/src/include.new/netipsec/ah_var.h
new file mode 100644
index 0000000..9e02378
--- /dev/null
+++ b/src/include.new/netipsec/ah_var.h
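Review bot: The `ah_len` comments in `struct ah` and `struct newah` never say what the value is relative to, yet this is the field inbound code has to validate before it trusts the authenticator length. I'd document it as the RFC 2402 Payload Length — the AH size in 32-bit words minus 2, which for `newah` is the authentication-data words plus one for `ah_seq` — e.g. `u_int8_t ah_len; /* Payload Length: AH size in 32-bit words minus 2 (RFC 2402 §2.2), i.e. auth data words + 1 for ah_seq */`. It is also worth a one-line note that a receiver must derive the expected length from the SA's algorithm and reject a mismatch rather than trust the packet's value; the `ahs_badauthl` counter added in ah_var.h in this same change is presumably where such a rejection is counted.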
@@ -0,0 +1,78 @@ +/* $FreeBSD: src/sys/netipsec/ah_var.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.29 2002/06/09 16:26:10 itojun Exp $ */ +/*- + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). + * + * The original version of this code was written by John Ioannidis + * for BSD/OS in Athens, Greece, in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Additional features in 1999 by Angelos D. Keromytis. + * + * Copyright (C) 1995, 1996, 1997, 1998, 1999 John Ioannidis, + * Angelos D. Keromytis and Niels Provos. + * Copyright (c) 2001 Angelos D. Keromytis. + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _NETIPSEC_AH_VAR_H_ +#define _NETIPSEC_AH_VAR_H_ + +/* + * These define the algorithm indices into the histogram. They're + * presently based on the PF_KEY v2 protocol values which is bogus; + * they should be decoupled from the protocol at which time we can + * pack them and reduce the size of the array to a minimum. 
+ */
+#define AH_ALG_MAX 16
+
+struct ahstat {
+ u_int32_t ahs_hdrops; /* Packet shorter than header shows */
+ u_int32_t ahs_nopf; /* Protocol family not supported */
+ u_int32_t ahs_notdb;
+ u_int32_t ahs_badkcr;
+ u_int32_t ahs_badauth;
+ u_int32_t ahs_noxform;
+ u_int32_t ahs_qfull;
+ u_int32_t ahs_wrap;
+ u_int32_t ahs_replay;
+ u_int32_t ahs_badauthl; /* Bad authenticator length */
+ u_int32_t ahs_input; /* Input AH packets */
+ u_int32_t ahs_output; /* Output AH packets */
+ u_int32_t ahs_invalid; /* Trying to use an invalid TDB */
+ u_int64_t ahs_ibytes; /* Input bytes */
+ u_int64_t ahs_obytes; /* Output bytes */
+ u_int32_t ahs_toobig; /* Packet got larger than IP_MAXPACKET */
+ u_int32_t ahs_pdrops; /* Packet blocked due to policy */
+ u_int32_t ahs_crypto; /* Crypto processing failure */
+ u_int32_t ahs_tunnel; /* Tunnel sanity check failure */
+ u_int32_t ahs_hist[AH_ALG_MAX]; /* Per-algorithm op count */
+};
+
+#ifdef _KERNEL
+extern int ah_enable;
+extern int ah_cleartos;
+extern struct ahstat ahstat;
+#endif /* _KERNEL */
+#endif /*_NETIPSEC_AH_VAR_H_*/
diff --git a/src/include.new/netipsec/esp.h b/src/include.new/netipsec/esp.h
new file mode 100644
index 0000000..b3adabe
--- /dev/null
+++ b/src/include.new/netipsec/esp.h
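Review bot: `AH_ALG_MAX 16` bounds `ahs_hist[]`, but the comment just above says the index is the raw PF_KEY v2 algorithm value, so any consumer doing `ahstat.ahs_hist[alg]++` with a value taken from a PF_KEY message writes past the array if that value is 16 or more; the consumers are not in this hunk, so this is a contract to state rather than a confirmed overflow. I'd make it explicit at the define: `#define AH_ALG_MAX 16 /* ahs_hist[] is indexed by the PF_KEY SADB_AALG_* value; callers must check alg < AH_ALG_MAX before indexing */`. Note that esp_var.h in the same change picks 256 for `ESP_ALG_MAX` precisely so that no range check is needed there, so the two headers currently make different assumptions about who does the check.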
@@ -0,0 +1,69 @@ +/* $FreeBSD: src/sys/netipsec/esp.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: esp.h,v 1.16 2000/10/18 21:28:00 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * RFC1827/2406 Encapsulated Security Payload. 
+ */
+
+#ifndef _NETIPSEC_ESP_H_
+#define _NETIPSEC_ESP_H_
+
+struct esp {
+ u_int32_t esp_spi; /* ESP */
+ /*variable size, 32bit bound*/ /* Initialization Vector */
+ /*variable size*/ /* Payload data */
+ /*variable size*/ /* padding */
+ /*8bit*/ /* pad size */
+ /*8bit*/ /* next header */
+ /*8bit*/ /* next header */
+ /*variable size, 32bit bound*/ /* Authentication data (new IPsec) */
+};
+
+struct newesp {
+ u_int32_t esp_spi; /* ESP */
+ u_int32_t esp_seq; /* Sequence number */
+ /*variable size*/ /* (IV and) Payload data */
+ /*variable size*/ /* padding */
+ /*8bit*/ /* pad size */
+ /*8bit*/ /* next header */
+ /*8bit*/ /* next header */
+ /*variable size, 32bit bound*/ /* Authentication data */
+};
+
+struct esptail {
+ u_int8_t esp_padlen; /* pad length */
+ u_int8_t esp_nxt; /* Next header */
+ /*variable size, 32bit bound*/ /* Authentication data (new IPsec)*/
+};
+
+#define ESP_ALEN 12 /* 96-bit authenticator */
+#endif /*_NETIPSEC_ESP_H_*/
diff --git a/src/include.new/netipsec/esp_var.h b/src/include.new/netipsec/esp_var.h
new file mode 100644
index 0000000..d25ce0f
--- /dev/null
+++ b/src/include.new/netipsec/esp_var.h
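Review bot: The layout comments in `struct esp` and `struct newesp` list `/*8bit*/ /* next header */` twice, which misdescribes the wire format: the ESP trailer carries one pad-length byte followed by one next-header byte, exactly as `struct esptail` below shows, so one of the two lines should be dropped from each struct. `ESP_ALEN 12 /* 96-bit authenticator */` is only true for the 96-bit truncated HMACs (HMAC-MD5-96, HMAC-SHA1-96); if this constant is ever used as the ICV length for an SA, an authenticator with a different truncation would be mis-sized and the packet either mis-parsed or rejected. I'd document the limitation so nobody reuses it that way: `#define ESP_ALEN 12 /* ICV size of the 96-bit truncated HMACs only; take the real length from the SA's auth algorithm */`.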
@@ -0,0 +1,78 @@ +/* $FreeBSD: src/sys/netipsec/esp_var.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.37 2002/06/09 16:26:10 itojun Exp $ */ +/*- + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). + * + * The original version of this code was written by John Ioannidis + * for BSD/OS in Athens, Greece, in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Additional features in 1999 by Angelos D. Keromytis. + * + * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, + * Angelos D. Keromytis and Niels Provos. + * Copyright (c) 2001 Angelos D. Keromytis. + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _NETIPSEC_ESP_VAR_H_ +#define _NETIPSEC_ESP_VAR_H_ + +/* + * These define the algorithm indices into the histogram. 
They're
+ * presently based on the PF_KEY v2 protocol values which is bogus;
+ * they should be decoupled from the protocol at which time we can
+ * pack them and reduce the size of the array to a reasonable value.
+ */
+#define ESP_ALG_MAX 256 /* NB: could be < but skipjack is 249 */
+
+struct espstat {
+ u_int32_t esps_hdrops; /* Packet shorter than header shows */
+ u_int32_t esps_nopf; /* Protocol family not supported */
+ u_int32_t esps_notdb;
+ u_int32_t esps_badkcr;
+ u_int32_t esps_qfull;
+ u_int32_t esps_noxform;
+ u_int32_t esps_badilen;
+ u_int32_t esps_wrap; /* Replay counter wrapped around */
+ u_int32_t esps_badenc; /* Bad encryption detected */
+ u_int32_t esps_badauth; /* Only valid for transforms with auth */
+ u_int32_t esps_replay; /* Possible packet replay detected */
+ u_int32_t esps_input; /* Input ESP packets */
+ u_int32_t esps_output; /* Output ESP packets */
+ u_int32_t esps_invalid; /* Trying to use an invalid TDB */
+ u_int64_t esps_ibytes; /* Input bytes */
+ u_int64_t esps_obytes; /* Output bytes */
+ u_int32_t esps_toobig; /* Packet got larger than IP_MAXPACKET */
+ u_int32_t esps_pdrops; /* Packet blocked due to policy */
+ u_int32_t esps_crypto; /* Crypto processing failure */
+ u_int32_t esps_tunnel; /* Tunnel sanity check failure */
+ u_int32_t esps_hist[ESP_ALG_MAX]; /* Per-algorithm op count */
+};
+
+#ifdef _KERNEL
+extern int esp_enable;
+extern struct espstat espstat;
+#endif /* _KERNEL */
+#endif /*_NETIPSEC_ESP_VAR_H_*/
diff --git a/src/include.new/netipsec/ipcomp.h b/src/include.new/netipsec/ipcomp.h
new file mode 100644
index 0000000..c74e3ef
--- /dev/null
+++ b/src/include.new/netipsec/ipcomp.h
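Review bot: The comment `/* NB: could be < but skipjack is 249 */` explains the choice of 256 only obliquely; the property that actually matters for memory safety is that the PF_KEY encryption algorithm id is an 8-bit value, so 256 makes `esps_hist[alg]` safe for any id without a range check. I'd say that directly: `#define ESP_ALG_MAX 256 /* esps_hist[] indexed by the 8-bit PF_KEY SADB_EALG_* id; 256 covers every value (SADB_X_EALG_SKIPJACK is 249) */`. That the id is 8-bit is my recollection of the pfkeyv2 sadb_sa layout rather than something this hunk shows, so confirm it before writing it down.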
@@ -0,0 +1,55 @@ +/* $FreeBSD: src/sys/netipsec/ipcomp.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: ipcomp.h,v 1.8 2000/09/26 07:55:14 itojun Exp $ */ + +/*- + * Copyright (C) 1999 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * RFC2393 IP payload compression protocol (IPComp). 
+ */
+
+#ifndef _NETIPSEC_IPCOMP_H_
+#define _NETIPSEC_IPCOMP_H_
+
+struct ipcomp {
+ u_int8_t comp_nxt; /* Next Header */
+ u_int8_t comp_flags; /* reserved, must be zero */
+ u_int16_t comp_cpi; /* Compression parameter index */
+};
+
+#define IPCOMP_HLENGTH 4 /* Length of IPCOMP header */
+
+/* well-known algorithm number (in CPI), from RFC2409 */
+#define IPCOMP_OUI 1 /* vendor specific */
+#define IPCOMP_DEFLATE 2 /* RFC2394 */
+#define IPCOMP_LZS 3 /* RFC2395 */
+#define IPCOMP_MAX 4
+
+#define IPCOMP_CPI_NEGOTIATE_MIN 256
+#endif /*_NETIPSEC_IPCOMP_H_*/
diff --git a/src/include.new/netipsec/ipcomp_var.h b/src/include.new/netipsec/ipcomp_var.h
new file mode 100644
index 0000000..25d98c9
--- /dev/null
+++ b/src/include.new/netipsec/ipcomp_var.h
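Review bot: The comment `/* well-known algorithm number (in CPI), from RFC2409 */` cites the wrong document: RFC 2409 is IKE, whereas the IPCOMP_OUI/DEFLATE/LZS transform identifiers 1–3 are assigned in the IPsec DOI, RFC 2407 §4.4.5, and the well-known CPI range they live in is defined by RFC 2393 itself. I'd change it to `/* well-known CPI values (RFC 2393); transform ids per the IPsec DOI, RFC 2407 §4.4.5 */`. The `comp_flags` comment `/* reserved, must be zero */` states only half the rule — RFC 2393 has the sender set the field to zero and the receiver ignore it — so a receiver that drops on a non-zero flags byte would be non-conformant; `/* reserved: zero on send, ignored on receive (RFC 2393) */` rules that reading out.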
@@ -0,0 +1,67 @@ +/* $FreeBSD: src/sys/netipsec/ipcomp_var.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: ipcomp.h,v 1.8 2000/09/26 07:55:14 itojun Exp $ */ + +/*- + * Copyright (C) 1999 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifndef _NETIPSEC_IPCOMP_VAR_H_ +#define _NETIPSEC_IPCOMP_VAR_H_ + +/* + * These define the algorithm indices into the histogram. 
They're
+ * presently based on the PF_KEY v2 protocol values which is bogus;
+ * they should be decoupled from the protocol at which time we can
+ * pack them and reduce the size of the array to a minimum.
+ */
+#define IPCOMP_ALG_MAX 8
+
+struct ipcompstat {
+ u_int32_t ipcomps_hdrops; /* Packet shorter than header shows */
+ u_int32_t ipcomps_nopf; /* Protocol family not supported */
+ u_int32_t ipcomps_notdb;
+ u_int32_t ipcomps_badkcr;
+ u_int32_t ipcomps_qfull;
+ u_int32_t ipcomps_noxform;
+ u_int32_t ipcomps_wrap;
+ u_int32_t ipcomps_input; /* Input IPcomp packets */
+ u_int32_t ipcomps_output; /* Output IPcomp packets */
+ u_int32_t ipcomps_invalid;/* Trying to use an invalid TDB */
+ u_int64_t ipcomps_ibytes; /* Input bytes */
+ u_int64_t ipcomps_obytes; /* Output bytes */
+ u_int32_t ipcomps_toobig; /* Packet got > IP_MAXPACKET */
+ u_int32_t ipcomps_pdrops; /* Packet blocked due to policy */
+ u_int32_t ipcomps_crypto; /* "Crypto" processing failure */
+ u_int32_t ipcomps_hist[IPCOMP_ALG_MAX];/* Per-algorithm op count */
+};
+
+#ifdef _KERNEL
+extern int ipcomp_enable;
+extern struct ipcompstat ipcompstat;
+#endif /* _KERNEL */
+#endif /*_NETIPSEC_IPCOMP_VAR_H_*/
diff --git a/src/include.new/netipsec/ipip_var.h b/src/include.new/netipsec/ipip_var.h
new file mode 100644
index 0000000..0a9761e
--- /dev/null
+++ b/src/include.new/netipsec/ipip_var.h
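Review bot: `IPCOMP_ALG_MAX 8` carries the same unstated contract as `AH_ALG_MAX`: the comment says `ipcomps_hist[]` is indexed by the raw PF_KEY value, so a consumer must range-check before `ipcomps_hist[alg]++` or an unexpected algorithm id writes past the array; the consumers are outside this hunk, so I am flagging the contract rather than a confirmed overflow. `#define IPCOMP_ALG_MAX 8 /* ipcomps_hist[] indexed by the PF_KEY SADB_X_CALG_* value; callers must check alg < IPCOMP_ALG_MAX */` would make it explicit. The compression ids defined in ipcomp.h in this change (1–3, `IPCOMP_MAX 4`) fit, assuming the PF_KEY ids mirror them.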
@@ -0,0 +1,65 @@ +/* $FreeBSD: src/sys/netipsec/ipip_var.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $OpenBSD: ip_ipip.h,v 1.5 2002/06/09 16:26:10 itojun Exp $ */ +/*- + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). + * + * The original version of this code was written by John Ioannidis + * for BSD/OS in Athens, Greece, in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Additional features in 1999 by Angelos D. Keromytis. + * + * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, + * Angelos D. Keromytis and Niels Provos. + * Copyright (c) 2001, Angelos D. Keromytis. + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _NETINET_IPIP_H_ +#define _NETINET_IPIP_H_ + +/* + * IP-inside-IP processing. + * Not quite all the functionality of RFC-1853, but the main idea is there. 
+ */
+
+struct ipipstat
+{
+ u_int32_t ipips_ipackets; /* total input packets */
+ u_int32_t ipips_opackets; /* total output packets */
+ u_int32_t ipips_hdrops; /* packet shorter than header shows */
+ u_int32_t ipips_qfull;
+ u_int64_t ipips_ibytes;
+ u_int64_t ipips_obytes;
+ u_int32_t ipips_pdrops; /* packet dropped due to policy */
+ u_int32_t ipips_spoof; /* IP spoofing attempts */
+ u_int32_t ipips_family; /* Protocol family mismatch */
+ u_int32_t ipips_unspec; /* Missing tunnel endpoint address */
+};
+
+#ifdef _KERNEL
+extern int ipip_allow;
+extern struct ipipstat ipipstat;
+#endif /* _KERNEL */
+#endif /* _NETINET_IPIP_H_ */
diff --git a/src/include.new/netipsec/ipsec.h b/src/include.new/netipsec/ipsec.h
new file mode 100644
index 0000000..c78a63a
--- /dev/null
+++ b/src/include.new/netipsec/ipsec.h
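Review bot: The include guard `_NETINET_IPIP_H_` (opened at the top of this hunk and closed at `#endif /* _NETINET_IPIP_H_ */`) matches neither the file's location nor its siblings, which all use `_NETIPSEC_<name>_VAR_H_`; a guard named for netinet/ risks colliding with another header's guard and silently dropping `struct ipipstat` and the `ipip_allow`/`ipipstat` externs from a unit that includes both. I'd rename it `_NETIPSEC_IPIP_VAR_H_` in both places. Separately, `extern int ipip_allow;` has no comment although its name suggests it is the switch deciding whether bare IP-in-IP without IPsec is accepted at all — a one-line note giving its meaning, confirmed from the implementation, would help anyone auditing the tunnel input path.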
@@ -0,0 +1,428 @@ +/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.8.2.2 2006/07/24 23:20:59 thompsa Exp $ */ +/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * IPsec controller part. 
+ */
+
+#ifndef _NETIPSEC_IPSEC_H_
+#define _NETIPSEC_IPSEC_H_
+
+#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
+#include "opt_inet.h"
+#include "opt_ipsec.h"
+#endif
+
+#include
+#include
+#include
+
+#ifdef _KERNEL
+
+/*
+ * Security Policy Index
+ * Ensure that both address families in the "src" and "dst" are same.
+ * When the value of the ul_proto is ICMPv6, the port field in "src"
+ * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
+ */
+struct secpolicyindex {
+ u_int8_t dir; /* direction of packet flow, see blow */
+ union sockaddr_union src; /* IP src address for SP */
+ union sockaddr_union dst; /* IP dst address for SP */
+ u_int8_t prefs; /* prefix length in bits for src */
+ u_int8_t prefd; /* prefix length in bits for dst */
+ u_int16_t ul_proto; /* upper layer Protocol */
+#ifdef notyet
+ uid_t uids;
+ uid_t uidd;
+ gid_t gids;
+ gid_t gidd;
+#endif
+};
+
+/* Security Policy Data Base */
+struct secpolicy {
+ LIST_ENTRY(secpolicy) chain;
+ struct mtx lock;
+
+ u_int refcnt; /* reference count */
+ struct secpolicyindex spidx; /* selector */
+ u_int32_t id; /* It's unique number on the system. */
+ u_int state; /* 0: dead, others: alive */
+#define IPSEC_SPSTATE_DEAD 0
+#define IPSEC_SPSTATE_ALIVE 1
+ u_int16_t policy; /* policy_type per pfkeyv2.h */
+ u_int16_t scangen; /* scan generation # */
+ struct ipsecrequest *req;
+ /* pointer to the ipsec request tree, */
+ /* if policy == IPSEC else this value == NULL.*/
+
+ /*
+ * lifetime handler.
+ * the policy can be used without limitiation if both lifetime and
+ * validtime are zero.
+ * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
+ * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
+ */
+ time_t created; /* time created the policy */
+ time_t lastused; /* updated every when kernel sends a packet */
+ long lifetime; /* duration of the lifetime of this policy */
+ long validtime; /* duration this policy is valid without use */
+};
+
+#define SECPOLICY_LOCK_INIT(_sp) \
+ mtx_init(&(_sp)->lock, "ipsec policy", NULL, MTX_DEF)
+#define SECPOLICY_LOCK(_sp) mtx_lock(&(_sp)->lock)
+#define SECPOLICY_UNLOCK(_sp) mtx_unlock(&(_sp)->lock)
+#define SECPOLICY_LOCK_DESTROY(_sp) mtx_destroy(&(_sp)->lock)
+#define SECPOLICY_LOCK_ASSERT(_sp) mtx_assert(&(_sp)->lock, MA_OWNED)
+
+/* Request for IPsec */
+struct ipsecrequest {
+ struct ipsecrequest *next;
+ /* pointer to next structure */
+ /* If NULL, it means the end of chain. */
+ struct secasindex saidx;/* hint for search proper SA */
+ /* if __ss_len == 0 then no address specified.*/
+ u_int level; /* IPsec level defined below. */
+
+ struct secasvar *sav; /* place holder of SA for use */
+ struct secpolicy *sp; /* back pointer to SP */
+ struct mtx lock; /* to interlock updates */
+};
+
+/*
+ * Need recursion for when crypto callbacks happen directly,
+ * as in the case of software crypto. Need to look at how
+ * hard it is to remove this...
+ */
+#define IPSECREQUEST_LOCK_INIT(_isr) \
+ mtx_init(&(_isr)->lock, "ipsec request", NULL, MTX_DEF | MTX_RECURSE)
+#define IPSECREQUEST_LOCK(_isr) mtx_lock(&(_isr)->lock)
+#define IPSECREQUEST_UNLOCK(_isr) mtx_unlock(&(_isr)->lock)
+#define IPSECREQUEST_LOCK_DESTROY(_isr) mtx_destroy(&(_isr)->lock)
+#define IPSECREQUEST_LOCK_ASSERT(_isr) mtx_assert(&(_isr)->lock, MA_OWNED)
+
+/* security policy in PCB */
+struct inpcbpolicy {
+ struct secpolicy *sp_in;
+ struct secpolicy *sp_out;
+ int priv; /* privileged socket ? */
+};
+
+/* SP acquiring list table. */
+struct secspacq {
+ LIST_ENTRY(secspacq) chain;
+
+ struct secpolicyindex spidx;
+
+ time_t created; /* for lifetime */
+ int count; /* for lifetime */
+ /* XXX: here is mbuf place holder to be sent ?
*/
+};
+#endif /* _KERNEL */
+
+/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
+#define IPSEC_PORT_ANY 0
+#define IPSEC_ULPROTO_ANY 255
+#define IPSEC_PROTO_ANY 255
+
+/* mode of security protocol */
+/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
+#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
+#define IPSEC_MODE_TRANSPORT 1
+#define IPSEC_MODE_TUNNEL 2
+#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
+
+/*
+ * Direction of security policy.
+ * NOTE: Since INVALID is used just as flag.
+ * The other are used for loop counter too.
+ */
+#define IPSEC_DIR_ANY 0
+#define IPSEC_DIR_INBOUND 1
+#define IPSEC_DIR_OUTBOUND 2
+#define IPSEC_DIR_MAX 3
+#define IPSEC_DIR_INVALID 4
+
+/* Policy level */
+/*
+ * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
+ * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
+ * DISCARD and NONE are allowed for system default.
+ */
+#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
+#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
+#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
+#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
+#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
+
+/* Security protocol level */
+#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
+#define IPSEC_LEVEL_USE 1 /* use SA if present. */
+#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
+#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
+
+#define IPSEC_MANUAL_REQID_MAX 0x3fff
+ /*
+ * if security policy level == unique, this id
+ * indicate to a relative SA for use, else is
+ * zero.
+ * 1 - 0x3fff are reserved for manual keying.
+ * 0 are reserved for above reason. Others is
+ * for kernel use.
+ * Note that this id doesn't identify SA
+ * by only itself.
+ */
+#define IPSEC_REPLAYWSIZE 32
+
+/* old statistics for ipsec processing */
+struct ipsecstat {
+ u_quad_t in_success; /* succeeded inbound process */
+ u_quad_t in_polvio;
+ /* security policy violation for inbound process */
+ u_quad_t in_nosa; /* inbound SA is unavailable */
+ u_quad_t in_inval; /* inbound processing failed due to EINVAL */
+ u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
+ u_quad_t in_badspi; /* failed getting a SPI */
+ u_quad_t in_ahreplay; /* AH replay check failed */
+ u_quad_t in_espreplay; /* ESP replay check failed */
+ u_quad_t in_ahauthsucc; /* AH authentication success */
+ u_quad_t in_ahauthfail; /* AH authentication failure */
+ u_quad_t in_espauthsucc; /* ESP authentication success */
+ u_quad_t in_espauthfail; /* ESP authentication failure */
+ u_quad_t in_esphist[256];
+ u_quad_t in_ahhist[256];
+ u_quad_t in_comphist[256];
+ u_quad_t out_success; /* succeeded outbound process */
+ u_quad_t out_polvio;
+ /* security policy violation for outbound process */
+ u_quad_t out_nosa; /* outbound SA is unavailable */
+ u_quad_t out_inval; /* outbound process failed due to EINVAL */
+ u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
+ u_quad_t out_noroute; /* there is no route */
+ u_quad_t out_esphist[256];
+ u_quad_t out_ahhist[256];
+ u_quad_t out_comphist[256];
+
+ u_quad_t spdcachelookup;
+ u_quad_t spdcachemiss;
+};
+
+/* statistics for ipsec processing */
+struct newipsecstat {
+ u_int32_t ips_in_polvio; /* input: sec policy violation */
+ u_int32_t ips_out_polvio; /* output: sec policy violation */
+ u_int32_t ips_out_nosa; /* output: SA unavailable */
+ u_int32_t ips_out_nomem; /* output: no memory available */
+ u_int32_t ips_out_noroute; /* output: no route available */
+ u_int32_t ips_out_inval; /* output: generic error */
+ u_int32_t ips_out_bundlesa; /* output: bundled SA processed */
+ u_int32_t ips_mbcoalesced; /* mbufs coalesced during clone */
+ u_int32_t ips_clcoalesced; /*
clusters coalesced during clone */
+ u_int32_t ips_clcopied; /* clusters copied during clone */
+ u_int32_t ips_mbinserted; /* mbufs inserted during makespace */
+ /*
+ * Temporary statistics for performance analysis.
+ */
+ /* See where ESP/AH/IPCOMP header land in mbuf on input */
+ u_int32_t ips_input_front;
+ u_int32_t ips_input_middle;
+ u_int32_t ips_input_end;
+};
+
+/*
+ * Definitions for IPsec & Key sysctl operations.
+ */
+/*
+ * Names for IPsec & Key sysctl objects
+ */
+#define IPSECCTL_STATS 1 /* stats */
+#define IPSECCTL_DEF_POLICY 2
+#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
+#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
+#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
+#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
+#if 0 /* obsolete, do not reuse */
+#define IPSECCTL_INBOUND_CALL_IKE 7
+#endif
+#define IPSECCTL_AH_CLEARTOS 8
+#define IPSECCTL_AH_OFFSETMASK 9
+#define IPSECCTL_DFBIT 10
+#define IPSECCTL_ECN 11
+#define IPSECCTL_DEBUG 12
+#define IPSECCTL_ESP_RANDPAD 13
+#define IPSECCTL_MAXID 14
+
+#define IPSECCTL_NAMES { \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { "def_policy", CTLTYPE_INT }, \
+ { "esp_trans_deflev", CTLTYPE_INT }, \
+ { "esp_net_deflev", CTLTYPE_INT }, \
+ { "ah_trans_deflev", CTLTYPE_INT }, \
+ { "ah_net_deflev", CTLTYPE_INT }, \
+ { 0, 0 }, \
+ { "ah_cleartos", CTLTYPE_INT }, \
+ { "ah_offsetmask", CTLTYPE_INT }, \
+ { "dfbit", CTLTYPE_INT }, \
+ { "ecn", CTLTYPE_INT }, \
+ { "debug", CTLTYPE_INT }, \
+ { "esp_randpad", CTLTYPE_INT }, \
+}
+
+#define IPSEC6CTL_NAMES { \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { "def_policy", CTLTYPE_INT }, \
+ { "esp_trans_deflev", CTLTYPE_INT }, \
+ { "esp_net_deflev", CTLTYPE_INT }, \
+ { "ah_trans_deflev", CTLTYPE_INT }, \
+ { "ah_net_deflev", CTLTYPE_INT }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { 0, 0 }, \
+ { "ecn", CTLTYPE_INT }, \
+ { "debug", CTLTYPE_INT }, \
+ { "esp_randpad", CTLTYPE_INT }, \
+}
+
+#ifdef _KERNEL
+struct
ipsec_output_state { + struct mbuf *m; + struct route *ro; + struct sockaddr *dst; +}; + +struct ipsec_history { + int ih_proto; + u_int32_t ih_spi; +}; + +extern int ipsec_debug; + +extern struct newipsecstat newipsecstat; +extern struct secpolicy ip4_def_policy; +extern int ip4_esp_trans_deflev; +extern int ip4_esp_net_deflev; +extern int ip4_ah_trans_deflev; +extern int ip4_ah_net_deflev; +extern int ip4_ah_cleartos; +extern int ip4_ah_offsetmask; +extern int ip4_ipsec_dfbit; +extern int ip4_ipsec_ecn; +extern int ip4_esp_randpad; +extern int crypto_support; + +#define ipseclog(x) do { if (ipsec_debug) log x; } while (0) +/* for openbsd compatibility */ +#define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0) + +/* XXX for KAME code compatibility */ +#define ipsec_pcbconn(_x) +#define ipsec_pcbdisconn(_x) + +extern struct ipsecrequest *ipsec_newisr(void); +extern void ipsec_delisr(struct ipsecrequest *); + +struct tdb_ident; +extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int)); +struct inpcb; +extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int, + int *, struct inpcb *)); +extern struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int, + struct inpcb *, int *); +extern struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *, u_int, + int, int *); + +struct inpcb; +extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **)); +extern int ipsec_copy_policy + __P((struct inpcbpolicy *, struct inpcbpolicy *)); +extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *)); +extern int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); + +extern int ipsec4_set_policy __P((struct inpcb *inp, int optname, + caddr_t request, size_t len, int priv)); +extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request, + size_t len, struct mbuf **mp)); +extern int ipsec4_delete_pcbpolicy __P((struct inpcb *)); +extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *)); + +struct 
secas; +struct tcpcb; +extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *)); +extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *)); + +extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); +extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *)); + +union sockaddr_union; +extern char * ipsec_address(union sockaddr_union* sa); +extern const char *ipsec_logsastr __P((struct secasvar *)); + +extern void ipsec_dumpmbuf __P((struct mbuf *)); + +struct m_tag; +extern void ah4_input(struct mbuf *m, int off); +extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *); +extern void esp4_input(struct mbuf *m, int off); +extern void esp4_ctlinput(int cmd, struct sockaddr *sa, void *); +extern void ipcomp4_input(struct mbuf *m, int off); +extern int ipsec4_common_input(struct mbuf *m, ...); +extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, + int skip, int protoff, struct m_tag *mt); +extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *, + int, int)); +extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *)); + +extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); + +extern void m_checkalignment(const char* where, struct mbuf *m0, + int off, int len); +extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off); +extern caddr_t m_pad(struct mbuf *m, int n); +extern int m_striphdr(struct mbuf *m, int skip, int hlen); +extern int ipsec_filter(struct mbuf **, int); +extern void ipsec_bpf(struct mbuf *, struct secasvar *, int); +#endif /* _KERNEL */ + +#ifndef _KERNEL +extern caddr_t ipsec_set_policy __P((char *, int)); +extern int ipsec_get_policylen __P((caddr_t)); +extern char *ipsec_dump_policy __P((caddr_t, char *)); + +extern const char *ipsec_strerror __P((void)); +#endif /* !_KERNEL */ + +#endif /* _NETIPSEC_IPSEC_H_ */ diff --git a/src/include.new/netipsec/ipsec6.h b/src/include.new/netipsec/ipsec6.h new file mode 100644 index 0000000..64755e5 
--- /dev/null +++ b/src/include.new/netipsec/ipsec6.h 
@@ -0,0 +1,89 @@ +/* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * IPsec controller part. 
+ */
+
+#ifndef _NETIPSEC_IPSEC6_H_
+#define _NETIPSEC_IPSEC6_H_
+
+#include
+#include
+
+#ifdef _KERNEL
+extern int ip6_esp_trans_deflev;
+extern int ip6_esp_net_deflev;
+extern int ip6_ah_trans_deflev;
+extern int ip6_ah_net_deflev;
+extern int ip6_ipsec_ecn;
+extern int ip6_esp_randpad;
+
+struct inpcb;
+
+/* KAME compatibility shims */
+#define ipsec6_getpolicybyaddr ipsec_getpolicybyaddr
+#define ipsec6_getpolicybysock ipsec_getpolicybysock
+#define ipsec6stat newipsecstat
+#define out_inval ips_out_inval
+#define in_polvio ips_in_polvio
+#define out_polvio ips_out_polvio
+#define key_freesp(_x) KEY_FREESP(&_x)
+
+extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
+extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,
+ caddr_t request, size_t len, int priv));
+extern int ipsec6_get_policy
+ __P((struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp));
+extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
+
+struct tcp6cb;
+
+extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
+
+struct ip6_hdr;
+extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
+
+struct m_tag;
+extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
+extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav,
+ int skip, int protoff, struct m_tag *mt);
+extern void esp6_ctlinput(int, struct sockaddr *, void *);
+
+struct ipsec_output_state;
+extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
+ struct mbuf *, struct secpolicy *, int, int *));
+extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
+ struct secpolicy *, int));
+#endif /*_KERNEL*/
+
+#endif /*_NETIPSEC_IPSEC6_H_*/
diff --git a/src/include.new/netipsec/ipsec_osdep.h b/src/include.new/netipsec/ipsec_osdep.h
new file mode 100644
index 0000000..12ee9c3
--- /dev/null
+++ b/src/include.new/netipsec/ipsec_osdep.h
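Review bot: The KAME shims `#define out_inval ips_out_inval`, `#define in_polvio ips_in_polvio` and `#define out_polvio ips_out_polvio` rename bare identifiers for every translation unit that includes this header, and the old `struct ipsecstat` in ipsec.h still declares members with exactly those names, so any reference to `ipsecstat.out_inval` (or a later declaration of that struct) in a file that also includes ipsec6.h is silently rewritten to a member that does not exist. The renames only hold as long as no file includes both headers and touches the old struct; that constraint should be stated next to the shims, e.g. `/* NB: these rewrite struct ipsecstat's member names too; do not include with users of the old stats struct */`, or the three should be replaced by explicit `ipsec6stat.ips_*` spellings at the call sites. `key_freesp(_x)` expands to `KEY_FREESP(&_x)` without parenthesising its argument; `KEY_FREESP(&(_x))` is the usual form.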
@@ -0,0 +1,308 @@ +/* $FreeBSD: src/sys/netipsec/ipsec_osdep.h,v 1.2.2.1 2006/09/04 10:36:47 pjd Exp $ */ +/* $NetBSD: ipsec_osdep.h,v 1.1 2003/08/13 20:06:51 jonathan Exp $ */ + +/*- + * Copyright (c) 2003 Jonathan Stone (jonathan@cs.stanford.edu) + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef NETIPSEC_OSDEP_H +#define NETIPSEC_OSDEP_H + +/* + * Hide porting differences across different 4.4BSD-derived platforms. + * + * 1. KASSERT() differences: + * 2. Kernel Random-number API differences. + * 3. Is packet data in an mbuf object writeable? + * 4. Packet-header semantics. + * 5. Fast mbuf-cluster allocation. + * 6. Network packet-output macros. + * 7. Elased time, in seconds. + * 8. Test if a socket object opened by a privileged (super) user. + * 9. 
Global SLIST of all open raw sockets.
+ * 10. Global SLIST of known interface addresses.
+ */
+
+/*
+ * 1. KASSERT and spl differences
+ *
+ * FreeBSD takes an expression and parenthesized printf() argument-list.
+ * NetBSD takes one arg: the expression being asserted.
+ * FreeBSD's SPLASSERT() takes an SPL level as 1st arg and a
+ * parenthesized printf-format argument list as the second argument.
+ *
+ * This difference is hidden by two 2-argument macros and one 1-arg macro:
+ * IPSEC_ASSERT(expr, msg)
+ * IPSEC_SPLASSERT(spl, msg)
+ * One further difference is the spl names:
+ * NetBSD splsoftnet equates to FreeBSD splnet;
+ * NetBSD splnet equates to FreeBSD splimp.
+ * which is hidden by the macro IPSEC_SPLASSERT_SOFTNET(msg).
+ */
+#ifdef __FreeBSD__
+#if __FreeBSD_version < 500000
+#define IPSEC_SPLASSERT(_x,_y) SPLASSERT(_x, _y)
+#else
+#define IPSEC_SPLASSERT(_x,_y)
+#endif
+#define IPSEC_SPLASSERT_SOFTNET(_m) IPSEC_SPLASSERT(net,_m)
+#define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m)
+#endif /* __FreeBSD__ */
+
+#ifdef __NetBSD__
+#define IPSEC_SPLASSERT(x,y) (void)0
+#define IPSEC_ASSERT(c,m) KASSERT(c)
+#define IPSEC_SPLASSERT_SOFTNET(m) IPSEC_SPLASSERT(softnet, m)
+#endif /* __NetBSD__ */
+
+/*
+ * 2. Kernel Randomness API.
+ * FreeBSD uses:
+ * u_int read_random(void *outbuf, int nbytes).
+ */
+#ifdef __FreeBSD__
+#include
+/* do nothing, use native random code. */
+#endif /* __FreeBSD__ */
+
+#ifdef __NetBSD__
+#include
+static __inline u_int read_random(void *p, u_int len);
+
+static __inline u_int
+read_random(void *bufp, u_int len)
+{
+ return rnd_extract_data(bufp, len, RND_EXTRACT_ANY /*XXX FIXME */);
+}
+#endif /* __NetBSD__ */
+
+/*
+ * 3. Test for mbuf mutability
+ * FreeBSD 4.x uses: M_EXT_WRITABLE
+ * NetBSD has M_READONLY(). Use !M_READONLY().
+ * Not an exact match to FreeBSD semantics, but adequate for IPsec purposes.
+ *
+ */
+#ifdef __NetBSD__
+/* XXX wrong, but close enough for restricted ipsec usage. 
*/
+#define M_EXT_WRITABLE(m) (!M_READONLY(m))
+#endif /* __NetBSD__ */
+
+/*
+ * 4. mbuf packet-header/packet-tag semantics.
+ * Sam Leffler explains, in private email, some problems with
+ * M_COPY_PKTHDR(), and why FreeBSD deprecated it and replaced it
+ * with new, explicit macros M_MOVE_PKTHDR()/M_DUP_PKTHDR().
+ * he original fast-ipsec source uses M_MOVE_PKTHDR.
+ * NetBSD currently still uses M_COPY_PKTHDR(), so we define
+ * M_MOVE_PKTHDR in terms of M_COPY_PKTHDR(). Fast-IPsec
+ * will delete the source mbuf shortly after copying packet tags,
+ * so we are safe for fast-ipsec but not in general..
+ */
+#ifdef __NetBSD__
+#define M_MOVE_PKTHDR(_f, _t) M_COPY_PKTHDR(_f, _t)
+#endif /* __NetBSD__ */
+
+
+/*
+ * 5. Fast mbuf-cluster allocation.
+ * FreeBSD 4.6 introduce m_getcl(), which performs `fast' allocation
+ * mbuf clusters from a cache of recently-freed clusters. (If the cache
+ * is empty, new clusters are allocated en-masse).
+ * On NetBSD, for now, implement the `cache' as an inline function
+ *using normal NetBSD mbuf/cluster allocation macros. Replace this
+ * with fast-cache code, if and when netBSD implements one.
+ */
+#ifdef __NetBSD__
+static __inline struct mbuf *
+m_getcl(int how, short type, int flags)
+{
+ struct mbuf *mp;
+ if (flags & M_PKTHDR)
+ MGETHDR(mp, how, type);
+ else
+ MGET(mp, how, type);
+ if (mp == NULL)
+ return NULL;
+
+ MCLGET(mp, how);
+ return mp;
+}
+#endif /* __NetBSD__ */
+
+/*
+ * 6. Network output macros
+ * FreeBSD uses the IF_HANDOFF(), which raises SPL, enqueues
+ * a packet, and updates interface counters. NetBSD has IFQ_ENQUE(),
+ * which leaves SPL changes up to the caller.
+ * For now, we provide an emulation of IF_HANOOFF() which works
+ * for protocol input queues. 
+ */
+#ifdef __FreeBSD__
+/* nothing to do */
+#endif /* __FreeBSD__ */
+#ifdef __NetBSD__
+#define IF_HANDOFF(ifq, m, f) if_handoff(ifq, m, f, 0)
+
+#include
+
+static __inline int
+if_handoff(struct ifqueue *ifq, struct mbuf *m, struct ifnet *ifp, int adjust)
+{
+ int need_if_start = 0;
+ int s = splnet();
+
+ if (IF_QFULL(ifq)) {
+ IF_DROP(ifq);
+ splx(s);
+ m_freem(m);
+ return (0);
+ }
+ if (ifp != NULL) {
+ ifp->if_obytes += m->m_pkthdr.len + adjust;
+ if (m->m_flags & M_MCAST)
+ ifp->if_omcasts++;
+ need_if_start = !(ifp->if_flags & IFF_OACTIVE);
+ }
+ IF_ENQUEUE(ifq, m);
+ if (need_if_start)
+ (*ifp->if_start)(ifp);
+ splx(s);
+ return (1);
+}
+#endif /* __NetBSD__ */
+
+/*
+ * 7. Elapsed Time: time_second as time in seconds.
+ * Original FreeBSD fast-ipsec code references a FreeBSD kernel global,
+ * time_second(). NetBSD: kludge #define to use time_mono_time.tv_sec.
+ */
+#ifdef __NetBSD__
+#include
+#define time_second mono_time.tv_sec
+#endif /* __NetBSD__ */
+
+/* protosw glue */
+#ifdef __NetBSD__
+#include
+#define ipprotosw protosw
+#endif /* __NetBSD__ */
+
+/*
+ * 8. Test for "privileged" socket opened by superuser.
+ * FreeBSD tests ((so)->so_cred != NULL && suser_cred((so)->so_cred, SUSER_ALLOWJAIL == 0))
+ * NetBSD (1.6N) tests (so)->so_uid == 0).
+ * This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro.
+ *
+ */
+#ifdef __FreeBSD__
+#define IPSEC_IS_PRIVILEGED_SO(_so) \
+ ((_so)->so_cred != NULL && \
+ suser_cred((_so)->so_cred, SUSER_ALLOWJAIL) == 0)
+#endif /* __FreeBSD__ */
+
+#ifdef __NetBSD__
+/* superuser opened socket? */
+#define IPSEC_IS_PRIVILEGED_SO(so) ((so)->so_uid == 0)
+#endif /* __NetBSD__ */
+
+/*
+ * 9. Raw socket list
+ * FreeBSD uses: listhead = rawcb_list, SLIST()-next field "list".
+ * NetBSD uses: listhead = rawcb, SLIST()-next field "list"
+ *
+ * This version of fast-ipsec source code uses rawcb_list as the head,
+ * and (to avoid namespace collisions) uses rcb_list as the "next" field. 
+ */
+#ifdef __FreeBSD__
+#define rcb_list list
+#endif /* __FreeBSD__ */
+#ifdef __NetBSD__
+#define rawcb_list rawcb
+#endif /* __NetBSD__ */
+
+
+/*
+ * 10. List of all known network interfaces.
+ * FreeBSD has listhead in_ifaddread, with ia_link as link.
+ * NetBSD has listhead in_ifaddr, with ia_list as link.
+ * No name-clahses, so just #define the appropriate names on NetBSD.
+ * NB: Is it worth introducing iterator (find-first-list/find-next-list)
+ * functions or macros to encapsulate these?
+ */
+#ifdef __FreeBSD__
+/* nothing to do for raw interface list */
+#endif /* FreeBSD */
+#ifdef __NetBSD__
+/* For now, use FreeBSD-compatible names for raw interface list. */
+#define in_ifaddrhead in_ifaddr
+#define ia_link ia_list
+#endif /* __NetBSD__ */
+
+
+
+
+/*
+ * Differences that we don't attempt to hide:
+ *
+ * A. Initialization code. This is the largest difference of all.
+ *
+ * FreeBSD uses compile/link-time perl hackery to generate special
+ * .o files with linker sections that give the moral equivalent of
+ * C++ file-level-object constructors. NetBSD has no such facility.
+ *
+ * Either we implement it (ideally, in a way that can emulate
+ * FreeBSD's SYSINIT() macros), or we must take other means
+ * to have the per-file init functions called at some appropriate time.
+ *
+ * In the absence of SYSINIT(), all the file-level init functions
+ * now have "extern" linkage. There is a new fast-ipsec init()
+ * function which calls each of the per-file in an appropriate order.
+ * init_main will arrange to call the fast-ipsec init function
+ * after the crypto framework has registered its transforms (including
+ * any autoconfigured hardware crypto accelerators) but before
+ * initializing the network stack to send or receive packet.
+ *
+ * B. Protosw() differences.
+ * CSRG-style BSD TCP/IP uses a generic protocol-dispatch-function
+ * where the specific request is identified by an enum argument. 
+ * FreeBSD replaced that with an array of request-specific
+ * function pointers.
+ *
+ * These differences affect the handlers for key-protocol user requests
+ * so pervasively that I gave up on the fast-ipsec code, and re-worked the
+ * NetBSD KAME code to match the (relative few) API differences
+ * between NetBSD and FreeBSD's KAME netkey, and Fast-IPsec netkey.
+ *
+ * C. Timeout() versus callout(9):
+ * The FreeBSD 4.x netipsec/ code still uses timeout().
+ * FreeBSD 4.7 has callout(9), so I just replaced
+ * timeout_*() with the nearest callout_*() equivalents,
+ * and added a callout handle to the ipsec context.
+ *
+ * D. SPL name differences.
+ * FreeBSD splnet() equates directly to NetBSD's splsoftnet();
+ * FreeBSD uses splimp() where (for networking) NetBSD would use splnet().
+ */
+#endif /* NETIPSEC_OSDEP_H */
diff --git a/src/include.new/netipsec/key.h b/src/include.new/netipsec/key.h
new file mode 100644
index 0000000..9113b2b
--- /dev/null
+++ b/src/include.new/netipsec/key.h
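Review bot: In the NetBSD `m_getcl()` emulation (section 5), `MCLGET(mp, how)` can fail to attach a cluster and the function still returns `mp`, whereas the FreeBSD `m_getcl()` it stands in for returns NULL in that case; a caller written against the FreeBSD contract then copies cluster-sized data into a plain mbuf. Check the flag before returning: `if ((mp->m_flags & M_EXT) == 0) { m_free(mp); return NULL; }`. The NetBSD `read_random()` shim in section 2 extracts with `RND_EXTRACT_ANY` behind an `XXX FIXME` and passes back the count it got without comment; if this is what the keying code (`key_randomfill()`, `key_sa_stir_iv()` in key.h) draws from, the shim should say that callers must check the returned length and that the extraction quality is weaker than the FreeBSD native path, or request strong extraction. The section 8 comment writes the FreeBSD test as `suser_cred((so)->so_cred, SUSER_ALLOWJAIL == 0)`, which does not match the macro defined below it (`... SUSER_ALLOWJAIL) == 0`).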
@@ -0,0 +1,115 @@ +/* $FreeBSD: src/sys/netipsec/key.h,v 1.4 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifndef _NETIPSEC_KEY_H_
+#define _NETIPSEC_KEY_H_
+
+#ifdef _KERNEL
+
+struct secpolicy;
+struct secpolicyindex;
+struct ipsecrequest;
+struct secasvar;
+struct sockaddr;
+struct socket;
+struct sadb_msg;
+struct sadb_x_policy;
+struct secasindex;
+union sockaddr_union;
+
+extern void key_addref(struct secpolicy *sp);
+extern int key_havesp(u_int dir);
+extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int,
+ const char*, int);
+extern struct secpolicy *key_allocsp2(u_int32_t spi, union sockaddr_union *dst,
+ u_int8_t proto, u_int dir, const char*, int);
+extern struct secpolicy *key_newsp(const char*, int);
+extern struct secpolicy *key_gettunnel(const struct sockaddr *,
+ const struct sockaddr *, const struct sockaddr *,
+ const struct sockaddr *, const char*, int);
+/* NB: prepend with _ for KAME IPv6 compatbility */
+extern void _key_freesp(struct secpolicy **, const char*, int);
+
+#define KEY_ALLOCSP(spidx, dir) \
+ key_allocsp(spidx, dir, __FILE__, __LINE__)
+#define KEY_ALLOCSP2(spi, dst, proto, dir) \
+ key_allocsp2(spi, dst, proto, dir, __FILE__, __LINE__)
+#define KEY_NEWSP() \
+ key_newsp(__FILE__, __LINE__)
+#define KEY_GETTUNNEL(osrc, odst, isrc, idst) \
+ key_gettunnel(osrc, odst, isrc, idst, __FILE__, __LINE__)
+#define KEY_FREESP(spp) \
+ _key_freesp(spp, __FILE__, __LINE__)
+
+extern struct secasvar *key_allocsa(union sockaddr_union *, u_int, u_int32_t,
+ const char*, int);
+extern void key_freesav(struct secasvar **, const char*, int);
+
+#define KEY_ALLOCSA(dst, proto, spi) \
+ key_allocsa(dst, proto, spi, __FILE__, __LINE__)
+#define KEY_FREESAV(psav) \
+ key_freesav(psav, __FILE__, __LINE__)
+
+extern void key_freeso __P((struct socket *));
+extern int key_checktunnelsanity __P((struct secasvar *, u_int,
+ caddr_t, caddr_t));
+extern int key_checkrequest
+ __P((struct ipsecrequest *isr, const struct secasindex *));
+
+extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *,
+ size_t, int *));
+extern struct mbuf 
*key_sp2msg __P((struct secpolicy *));
+extern int key_ismyaddr __P((struct sockaddr *));
+extern int key_spdacquire __P((struct secpolicy *));
+extern void key_timehandler __P((void));
+extern u_long key_random __P((void));
+extern void key_randomfill __P((void *, size_t));
+extern void key_freereg __P((struct socket *));
+extern int key_parse __P((struct mbuf *, struct socket *));
+extern void key_init __P((void));
+extern void key_sa_recordxfer __P((struct secasvar *, struct mbuf *));
+extern void key_sa_routechange __P((struct sockaddr *));
+extern void key_sa_stir_iv __P((struct secasvar *));
+
+#ifdef MALLOC_DECLARE
+MALLOC_DECLARE(M_IPSEC_SA);
+MALLOC_DECLARE(M_IPSEC_SAH);
+MALLOC_DECLARE(M_IPSEC_SP);
+MALLOC_DECLARE(M_IPSEC_SR);
+MALLOC_DECLARE(M_IPSEC_MISC);
+MALLOC_DECLARE(M_IPSEC_SAQ);
+MALLOC_DECLARE(M_IPSEC_SAR);
+MALLOC_DECLARE(M_IPSEC_INPCB);
+#endif /* MALLOC_DECLARE */
+
+#endif /* defined(_KERNEL) */
+#endif /* _NETIPSEC_KEY_H_ */
diff --git a/src/include.new/netipsec/key_debug.h b/src/include.new/netipsec/key_debug.h
new file mode 100644
index 0000000..a8ca140
--- /dev/null
+++ b/src/include.new/netipsec/key_debug.h
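Review bot: `_key_freesp` is an external function whose name starts with an underscore, a form C reserves for the implementation at file scope; the comment above it gives the KAME reason, but the constraint should be recorded so the pattern does not spread, e.g. `/* NB: leading underscore is a reserved-identifier form; kept only for KAME compatibility, do not add more */`. The header mixes `__P(())` prototypes (`key_freeso`, `key_msg2sp`, `key_random`, ...) with plain C89 prototypes (`key_addref`, `key_allocsp`, `key_allocsa`, ...); since the plain form is already relied on, dropping the `__P` wrappers would make the declarations uniform. The `KEY_*` wrapper macros pass their arguments through unparenthesised (`_key_freesp(spp, __FILE__, __LINE__)`); harmless for the simple arguments used here, but `(spp)` is the safer spelling.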
@@ -0,0 +1,88 @@ +/* $FreeBSD: src/sys/netipsec/key_debug.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: key_debug.h,v 1.10 2001/08/05 08:37:52 itojun Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifndef _NETIPSEC_KEY_DEBUG_H_
+#define _NETIPSEC_KEY_DEBUG_H_
+
+#ifdef _KERNEL
+/* debug flags */
+#define KEYDEBUG_STAMP 0x00000001 /* path */
+#define KEYDEBUG_DATA 0x00000002 /* data */
+#define KEYDEBUG_DUMP 0x00000004 /* dump */
+
+#define KEYDEBUG_KEY 0x00000010 /* key processing */
+#define KEYDEBUG_ALG 0x00000020 /* ciph & auth algorithm */
+#define KEYDEBUG_IPSEC 0x00000040 /* ipsec processing */
+
+#define KEYDEBUG_KEY_STAMP (KEYDEBUG_KEY | KEYDEBUG_STAMP)
+#define KEYDEBUG_KEY_DATA (KEYDEBUG_KEY | KEYDEBUG_DATA)
+#define KEYDEBUG_KEY_DUMP (KEYDEBUG_KEY | KEYDEBUG_DUMP)
+#define KEYDEBUG_ALG_STAMP (KEYDEBUG_ALG | KEYDEBUG_STAMP)
+#define KEYDEBUG_ALG_DATA (KEYDEBUG_ALG | KEYDEBUG_DATA)
+#define KEYDEBUG_ALG_DUMP (KEYDEBUG_ALG | KEYDEBUG_DUMP)
+#define KEYDEBUG_IPSEC_STAMP (KEYDEBUG_IPSEC | KEYDEBUG_STAMP)
+#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
+#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
+
+#define KEYDEBUG(lev,arg) \
+ do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (0)
+
+extern u_int32_t key_debug_level;
+#endif /*_KERNEL*/
+
+struct sadb_msg;
+struct sadb_ext;
+extern void kdebug_sadb __P((struct sadb_msg *));
+extern void kdebug_sadb_x_policy __P((struct sadb_ext *));
+
+#ifdef _KERNEL
+struct secpolicy;
+struct secpolicyindex;
+struct secasindex;
+struct secasvar;
+struct secreplay;
+struct mbuf;
+extern void kdebug_secpolicy __P((struct secpolicy *));
+extern void kdebug_secpolicyindex __P((struct secpolicyindex *));
+extern void kdebug_secasindex __P((struct secasindex *));
+extern void kdebug_secasv __P((struct secasvar *));
+extern void kdebug_mbufhdr __P((struct mbuf *));
+extern void kdebug_mbuf __P((struct mbuf *));
+#endif /*_KERNEL*/
+
+struct sockaddr;
+extern void kdebug_sockaddr __P((struct sockaddr *));
+
+extern void ipsec_hexdump __P((caddr_t, int));
+extern void ipsec_bindump __P((caddr_t, int));
+
+#endif /* _NETIPSEC_KEY_DEBUG_H_ */
diff --git a/src/include.new/netipsec/key_var.h b/src/include.new/netipsec/key_var.h
new file mode 100644
index 0000000..d0fd5d9
--- /dev/null
+++ b/src/include.new/netipsec/key_var.h
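Review bot: `ipsec_hexdump` and `ipsec_bindump` are declared as `(caddr_t, int)`, so the length is signed and the buffer is typed writable although a dump routine only reads it; a negative length cannot be rejected at the type level and nothing here tells the reader the buffer is untouched. `extern void ipsec_hexdump __P((const void *, size_t));` (likewise for `ipsec_bindump`) would document the contract, if the definitions can be adjusted at the same time. `KEYDEBUG(lev,arg)` evaluates `lev` twice, which is fine for the constant flag arguments defined above; a one-line comment `/* lev is evaluated twice; pass a constant */` would keep it that way.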
@@ -0,0 +1,74 @@ +/* $FreeBSD: src/sys/netipsec/key_var.h,v 1.2 2005/01/07 01:45:46 imp Exp $ */ +/* $KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $ */ + +/*- + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifndef _NETIPSEC_KEY_VAR_H_
+#define _NETIPSEC_KEY_VAR_H_
+
+/* sysctl */
+#define KEYCTL_DEBUG_LEVEL 1
+#define KEYCTL_SPI_TRY 2
+#define KEYCTL_SPI_MIN_VALUE 3
+#define KEYCTL_SPI_MAX_VALUE 4
+#define KEYCTL_RANDOM_INT 5
+#define KEYCTL_LARVAL_LIFETIME 6
+#define KEYCTL_BLOCKACQ_COUNT 7
+#define KEYCTL_BLOCKACQ_LIFETIME 8
+#define KEYCTL_ESP_KEYMIN 9
+#define KEYCTL_ESP_AUTH 10
+#define KEYCTL_AH_KEYMIN 11
+#define KEYCTL_PREFERED_OLDSA 12
+#define KEYCTL_MAXID 13
+
+#define KEYCTL_NAMES { \
+ { 0, 0 }, \
+ { "debug", CTLTYPE_INT }, \
+ { "spi_try", CTLTYPE_INT }, \
+ { "spi_min_value", CTLTYPE_INT }, \
+ { "spi_max_value", CTLTYPE_INT }, \
+ { "random_int", CTLTYPE_INT }, \
+ { "larval_lifetime", CTLTYPE_INT }, \
+ { "blockacq_count", CTLTYPE_INT }, \
+ { "blockacq_lifetime", CTLTYPE_INT }, \
+ { "esp_keymin", CTLTYPE_INT }, \
+ { "esp_auth", CTLTYPE_INT }, \
+ { "ah_keymin", CTLTYPE_INT }, \
+ { "prefered_oldsa", CTLTYPE_INT }, \
+}
+
+#ifdef _KERNEL
+#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
+#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
+#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
+#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
+#endif /*_KERNEL*/
+
+#endif /* _NETIPSEC_KEY_VAR_H_ */
diff --git a/src/include.new/netipsec/keydb.h b/src/include.new/netipsec/keydb.h
new file mode 100644
index 0000000..b8cbe41
--- /dev/null
+++ b/src/include.new/netipsec/keydb.h
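Review bot: `_ARRAYLEN`, `_KEYLEN`, `_KEYBITS` and `_KEYBUF` all begin with an underscore followed by an uppercase letter, a form the C standard reserves for the implementation in every scope; prefixed names such as `KEY_ARRAYLEN` / `KEY_KEYLEN` (constructed examples) would avoid that collision class. `_KEYLEN(key)` computes `sadb_key_bits >> 3`, so a `sadb_key_bits` value that is not a multiple of 8 silently loses its trailing bits; code validating a key carried in a PF_KEY message should also reject `((key)->sadb_key_bits & 7) != 0`, and the macro deserves a comment `/* byte length; caller must check sadb_key_bits is a multiple of 8 */`. `_ARRAYLEN(p)` applies `sizeof` to an unparenthesised `p[0]`; `(sizeof(p)/sizeof((p)[0]))` is the conventional spelling.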
@@ -0,0 +1,190 @@
+/* $FreeBSD: src/sys/netipsec/keydb.h,v 1.5 2005/01/07 01:45:46 imp Exp $ */
+/* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */
+
+/*-
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETIPSEC_KEYDB_H_
+#define _NETIPSEC_KEYDB_H_
+
+#ifdef _KERNEL
+
+#include
+
+#ifndef _SOCKADDR_UNION_DEFINED
+#define _SOCKADDR_UNION_DEFINED
+/*
+ * The union of all possible address formats we handle.
+ */
+union sockaddr_union {
+ struct sockaddr sa;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+};
+#endif /* _SOCKADDR_UNION_DEFINED */
+
+/* Security Assocciation Index */
+/* NOTE: Ensure to be same address family */
+struct secasindex {
+ union sockaddr_union src; /* srouce address for SA */
+ union sockaddr_union dst; /* destination address for SA */
+ u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
+ u_int8_t mode; /* mode of protocol, see ipsec.h */
+ u_int32_t reqid; /* reqid id who owned this SA */
+ /* see IPSEC_MANUAL_REQID_MAX. */
+};
+
+/* Security Association Data Base */
+struct secashead {
+ LIST_ENTRY(secashead) chain;
+
+ struct secasindex saidx;
+
+ struct sadb_ident *idents; /* source identity */
+ struct sadb_ident *identd; /* destination identity */
+ /* XXX I don't know how to use them. */
+
+ u_int8_t state; /* MATURE or DEAD. */
+ LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
+ /* SA chain */
+ /* The first of this list is newer SA */
+
+ struct route sa_route; /* route cache */
+};
+
+struct xformsw;
+struct enc_xform;
+struct auth_hash;
+struct comp_algo;
+
+/* Security Association */
+struct secasvar {
+ LIST_ENTRY(secasvar) chain;
+ struct mtx lock; /* update/access lock */
+
+ u_int refcnt; /* reference count */
+ u_int8_t state; /* Status of this Association */
+
+ u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
+ u_int8_t alg_enc; /* Cipher Algorithm Identifier */
+ u_int8_t alg_comp; /* Compression Algorithm Identifier */
+ u_int32_t spi; /* SPI Value, network byte order */
+ u_int32_t flags; /* holder for SADB_KEY_FLAGS */
+
+ struct sadb_key *key_auth; /* Key for Authentication */
+ struct sadb_key *key_enc; /* Key for Encryption */
+ caddr_t iv; /* Initilization Vector */
+ u_int ivlen; /* length of IV */
+ void *sched; /* intermediate encryption key */
+ size_t schedlen;
+
+ struct secreplay *replay; /* replay prevention */
+ time_t created; /* for lifetime */
+
+ struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
+ struct sadb_lifetime *lft_h; /* HARD lifetime */
+ struct sadb_lifetime *lft_s; /* SOFT lifetime */
+
+ u_int32_t seq; /* sequence number */
+ pid_t pid; /* message's pid */
+
+ struct secashead *sah; /* back pointer to the secashead */
+
+ /*
+ * NB: Fields with a tdb_ prefix are part of the "glue" used
+ * to interface to the OpenBSD crypto support. This was done
+ * to distinguish this code from the mainline KAME code.
+ */
+ struct xformsw *tdb_xform; /* transform */
+ struct enc_xform *tdb_encalgxform; /* encoding algorithm */
+ struct auth_hash *tdb_authalgxform; /* authentication algorithm */
+ struct comp_algo *tdb_compalgxform; /* compression algorithm */
+ u_int64_t tdb_cryptoid; /* crypto session id */
+};
+
+#define SECASVAR_LOCK_INIT(_sav) \
+ mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF)
+#define SECASVAR_LOCK(_sav) mtx_lock(&(_sav)->lock)
+#define SECASVAR_UNLOCK(_sav) mtx_unlock(&(_sav)->lock)
+#define SECASVAR_LOCK_DESTROY(_sav) mtx_destroy(&(_sav)->lock)
+#define SECASVAR_LOCK_ASSERT(_sav) mtx_assert(&(_sav)->lock, MA_OWNED)
+
+/* replay prevention */
+struct secreplay {
+ u_int32_t count;
+ u_int wsize; /* window size, i.g. 4 bytes */
+ u_int32_t seq; /* used by sender */
+ u_int32_t lastseq; /* used by receiver */
+ caddr_t bitmap; /* used by receiver */
+ int overflow; /* overflow flag */
+};
+
+/* socket table due to send PF_KEY messages. */
+struct secreg {
+ LIST_ENTRY(secreg) chain;
+
+ struct socket *so;
+};
+
+/* acquiring list table. */
+struct secacq {
+ LIST_ENTRY(secacq) chain;
+
+ struct secasindex saidx;
+
+ u_int32_t seq; /* sequence number */
+ time_t created; /* for lifetime */
+ int count; /* for lifetime */
+};
+
+/* Sensitivity Level Specification */
+/* nothing */
+
+#define SADB_KILL_INTERVAL 600 /* six seconds */
+
+/* secpolicy */
+extern struct secpolicy *keydb_newsecpolicy __P((void));
+extern void keydb_delsecpolicy __P((struct secpolicy *));
+/* secashead */
+extern struct secashead *keydb_newsecashead __P((void));
+extern void keydb_delsecashead __P((struct secashead *));
+/* secasvar */
+extern struct secasvar *keydb_newsecasvar __P((void));
+extern void keydb_refsecasvar __P((struct secasvar *));
+extern void keydb_freesecasvar __P((struct secasvar *));
+/* secreplay */
+extern struct secreplay *keydb_newsecreplay __P((size_t));
+extern void keydb_delsecreplay __P((struct secreplay *));
+/* secreg */
+extern struct secreg *keydb_newsecreg __P((void));
+extern void keydb_delsecreg __P((struct secreg *));
+
+#endif /* _KERNEL */
+
+#endif /* _NETIPSEC_KEYDB_H_ */
diff --git a/src/include.new/netipsec/keysock.h b/src/include.new/netipsec/keysock.h
new file mode 100644
index 0000000..f9a1365
--- /dev/null
+++ b/src/include.new/netipsec/keysock.h
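Review bot: The comment on `#define SADB_KILL_INTERVAL 600 /* six seconds */` in keydb.h contradicts the value, and the unit is not stated anywhere in the header; if the interval is in seconds, as the comment implies, 600 is ten minutes, so the line should become something like `#define SADB_KILL_INTERVAL 600 /* seconds */` with the figure confirmed against the code that consumes it. `struct secreplay` would also benefit from a comment saying that `bitmap` carries no length of its own and must be sized from `wsize`, since `window size, i.g. 4 bytes` is the only hint a reader gets. Comment spelling to tidy while there: `Assocciation`, `srouce`, `Initilization`.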
@@ -0,0 +1,82 @@
+/* $FreeBSD: src/sys/netipsec/keysock.h,v 1.2.2.1 2006/01/27 21:50:11 bz Exp $ */
+/* $KAME: keysock.h,v 1.8 2000/03/27 05:11:06 sumikawa Exp $ */
+
+/*-
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETIPSEC_KEYSOCK_H_
+#define _NETIPSEC_KEYSOCK_H_
+
+/* statistics for pfkey socket */
+struct pfkeystat {
+ /* kernel -> userland */
+ u_quad_t out_total; /* # of total calls */
+ u_quad_t out_bytes; /* total bytecount */
+ u_quad_t out_msgtype[256]; /* message type histogram */
+ u_quad_t out_invlen; /* invalid length field */
+ u_quad_t out_invver; /* invalid version field */
+ u_quad_t out_invmsgtype; /* invalid message type field */
+ u_quad_t out_tooshort; /* msg too short */
+ u_quad_t out_nomem; /* memory allocation failure */
+ u_quad_t out_dupext; /* duplicate extension */
+ u_quad_t out_invexttype; /* invalid extension type */
+ u_quad_t out_invsatype; /* invalid sa type */
+ u_quad_t out_invaddr; /* invalid address extension */
+ /* userland -> kernel */
+ u_quad_t in_total; /* # of total calls */
+ u_quad_t in_bytes; /* total bytecount */
+ u_quad_t in_msgtype[256]; /* message type histogram */
+ u_quad_t in_msgtarget[3]; /* one/all/registered */
+ u_quad_t in_nomem; /* memory allocation failure */
+ /* others */
+ u_quad_t sockerr; /* # of socket related errors */
+};
+
+#define KEY_SENDUP_ONE 0
+#define KEY_SENDUP_ALL 1
+#define KEY_SENDUP_REGISTERED 2
+
+#ifdef _KERNEL
+struct keycb {
+ struct rawcb kp_raw; /* rawcb */
+ int kp_promisc; /* promiscuous mode */
+ int kp_registered; /* registered socket */
+};
+
+extern struct pfkeystat pfkeystat;
+
+extern int key_output(struct mbuf *m, struct socket *so);
+extern int key_usrreq __P((struct socket *,
+ int, struct mbuf *, struct mbuf *, struct mbuf *));
+
+extern int key_sendup __P((struct socket *, struct sadb_msg *, u_int, int));
+extern int key_sendup_mbuf __P((struct socket *, struct mbuf *, int));
+#endif /* _KERNEL */
+
+#endif /*_NETIPSEC_KEYSOCK_H_*/
diff --git a/src/include.new/netipsec/xform.h b/src/include.new/netipsec/xform.h
new file mode 100644
index 0000000..6ea5771
--- /dev/null
+++ b/src/include.new/netipsec/xform.h
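Review bot: The kernel prototypes at the end of keysock.h mix two styles: `key_output` is a plain ANSI prototype while `key_usrreq`, `key_sendup` and `key_sendup_mbuf` are wrapped in `__P((...))`, which only matters for pre-ANSI compilers; the three could be written in the same form, e.g. `extern int key_sendup(struct socket *, struct sadb_msg *, u_int, int);`. Separately, `in_msgtarget[3]` in `struct pfkeystat` appears, from its `one/all/registered` comment, to be indexed by the `KEY_SENDUP_*` values defined just below it; a comment on the field such as `/* indexed by KEY_SENDUP_*; keep size == KEY_SENDUP_REGISTERED + 1 */` would keep the array bound and the constants from drifting apart.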
@@ -0,0 +1,126 @@
+/* $FreeBSD: src/sys/netipsec/xform.h,v 1.2.2.1 2006/04/01 15:22:44 bz Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
+/*-
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr),
+ * Niels Provos (provos@physnet.uni-hamburg.de) and
+ * Niklas Hallqvist (niklas@appli.se).
+ *
+ * The original version of this code was written by John Ioannidis
+ * for BSD/OS in Athens, Greece, in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
+ *
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
+ * Angelos D. Keromytis and Niels Provos.
+ * Copyright (c) 1999 Niklas Hallqvist.
+ * Copyright (c) 2001, Angelos D. Keromytis.
+ *
+ * Permission to use, copy, and modify this software with or without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#ifndef _NETIPSEC_XFORM_H_
+#define _NETIPSEC_XFORM_H_
+
+#include
+#include
+#include
+
+#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */
+#define AH_HMAC_INITIAL_RPL 1 /* replay counter initial value */
+
+/*
+ * Packet tag assigned on completion of IPsec processing; used
+ * to speedup processing when/if the packet comes back for more
+ * processing.
+ */
+struct tdb_ident {
+ u_int32_t spi;
+ union sockaddr_union dst;
+ u_int8_t proto;
+};
+
+/*
+ * Opaque data structure hung off a crypto operation descriptor.
+ */
+struct tdb_crypto {
+ struct ipsecrequest *tc_isr; /* ipsec request state */
+ u_int32_t tc_spi; /* associated SPI */
+ union sockaddr_union tc_dst; /* dst addr of packet */
+ u_int8_t tc_proto; /* current protocol, e.g. AH */
+ u_int8_t tc_nxt; /* next protocol, e.g. IPV4 */
+ int tc_protoff; /* current protocol offset */
+ int tc_skip; /* data offset */
+ caddr_t tc_ptr; /* associated crypto data */
+};
+
+struct secasvar;
+struct ipescrequest;
+
+struct xformsw {
+ u_short xf_type; /* xform ID */
+#define XF_IP4 1 /* IP inside IP */
+#define XF_AH 2 /* AH */
+#define XF_ESP 3 /* ESP */
+#define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */
+#define XF_IPCOMP 6 /* IPCOMP */
+ u_short xf_flags;
+#define XFT_AUTH 0x0001
+#define XFT_CONF 0x0100
+#define XFT_COMP 0x1000
+ char *xf_name; /* human-readable name */
+ int (*xf_init)(struct secasvar*, struct xformsw*); /* setup */
+ int (*xf_zeroize)(struct secasvar*); /* cleanup */
+ int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
+ int, int);
+ int (*xf_output)(struct mbuf*, /* output */
+ struct ipsecrequest *, struct mbuf **, int, int);
+ struct xformsw *xf_next; /* list of registered xforms */
+};
+
+#ifdef _KERNEL
+extern void xform_register(struct xformsw*);
+extern int xform_init(struct secasvar *sav, int xftype);
+
+struct cryptoini;
+
+/* XF_IP4 */
+extern int ip4_input6(struct mbuf **m, int *offp, int proto);
+extern void ip4_input(struct mbuf *m, int);
+extern int ipip_output(struct mbuf *, struct ipsecrequest *,
+ struct mbuf **, int, int);
+
+/* XF_AH */
+extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *);
+extern int ah_zeroize(struct secasvar *sav);
+extern struct auth_hash *ah_algorithm_lookup(int alg);
+extern size_t ah_hdrsiz(struct secasvar *);
+
+/* XF_ESP */
+extern struct enc_xform *esp_algorithm_lookup(int alg);
+extern size_t esp_hdrsiz(struct secasvar *sav);
+
+/* XF_COMP */
+extern struct comp_algo *ipcomp_algorithm_lookup(int alg);
+
+#endif /* _KERNEL */
+#endif /* _NETIPSEC_XFORM_H_ */
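Review bot: The forward declaration `struct ipescrequest;` in xform.h is a typo for `ipsecrequest` and declares an unrelated tag that nothing uses; the real `struct ipsecrequest` is already introduced as an incomplete type by its use in `struct tdb_crypto` above, so the line should simply read `struct ipsecrequest;`. The comment on `XF_TCPSIGNATURE` cites `RFC 2358`, but the TCP MD5 signature option is specified in RFC 2385, so the reference should be corrected to avoid sending a reader to the wrong document. The `XFT_AUTH`/`XFT_CONF`/`XFT_COMP` bits carry no comment saying what a set bit means for a transform; a short trailing comment on each (authentication, confidentiality, compression) would make `xf_flags` self-describing.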