authorgnn <gnn@FreeBSD.org>2007-07-01 11:41:27 +0000
committergnn <gnn@FreeBSD.org>2007-07-01 11:41:27 +0000
commit0cd74db89b7c7ca5bface8b05ae8263c0a54217b (patch)
tree2bcfb09751e29be8d172ae9e835bab3e5c5699f2 /sys/netinet6
parent384e40af76655727c82190f4d5dc6c857583206e (diff)
Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files; the rest of the files will follow in a second commit. Reviewed by: bz Approved by: re Supported by: Secure Computing
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ah.h94
-rw-r--r--sys/netinet6/ah6.h52
-rw-r--r--sys/netinet6/esp.h109
-rw-r--r--sys/netinet6/esp6.h48
-rw-r--r--sys/netinet6/esp_aesctr.h42
-rw-r--r--sys/netinet6/esp_rijndael.h39
-rw-r--r--sys/netinet6/icmp6.c18
-rw-r--r--sys/netinet6/in6.h5
-rw-r--r--sys/netinet6/in6_pcb.c24
-rw-r--r--sys/netinet6/in6_proto.c43
-rw-r--r--sys/netinet6/ip6_forward.c64
-rw-r--r--sys/netinet6/ip6_input.c32
-rw-r--r--sys/netinet6/ip6_ipsec.c369
-rw-r--r--sys/netinet6/ip6_ipsec.h (renamed from sys/netinet6/ah_aesxcbcmac.h)27
-rw-r--r--sys/netinet6/ip6_output.c435
-rw-r--r--sys/netinet6/ipcomp.h71
-rw-r--r--sys/netinet6/ipsec.h388
-rw-r--r--sys/netinet6/ipsec6.h80
-rw-r--r--sys/netinet6/nd6.c5
-rw-r--r--sys/netinet6/nd6_nbr.c3
-rw-r--r--sys/netinet6/raw_ip6.c17
-rw-r--r--sys/netinet6/sctp6_usrreq.c10
-rw-r--r--sys/netinet6/udp6_output.c7
-rw-r--r--sys/netinet6/udp6_usrreq.c11
24 files changed, 646 insertions, 1347 deletions
diff --git a/sys/netinet6/ah.h b/sys/netinet6/ah.h
deleted file mode 100644
index 6335208..0000000
--- a/sys/netinet6/ah.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ah.h,v 1.20 2003/08/05 12:21:15 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * RFC1826/2402 authentication header.
- */
-
-#ifndef _NETINET6_AH_H_
-#define _NETINET6_AH_H_
-
-#if defined(_KERNEL) && !defined(_LKM)
-#include "opt_inet.h"
-#endif
-
-struct ah {
- u_int8_t ah_nxt; /* Next Header */
- u_int8_t ah_len; /* Length of data, in 32bit */
- u_int16_t ah_reserve; /* Reserved for future use */
- u_int32_t ah_spi; /* Security parameter index */
- /* variable size, 32bit bound*/ /* Authentication data */
-};
-
-struct newah {
- u_int8_t ah_nxt; /* Next Header */
- u_int8_t ah_len; /* Length of data + 1, in 32bit */
- u_int16_t ah_reserve; /* Reserved for future use */
- u_int32_t ah_spi; /* Security parameter index */
- u_int32_t ah_seq; /* Sequence number field */
- /* variable size, 32bit bound*/ /* Authentication data */
-};
-
-#ifdef _KERNEL
-struct secasvar;
-
-struct ah_algorithm_state {
- struct secasvar *sav;
- void* foo; /* per algorithm data - maybe */
-};
-
-struct ah_algorithm {
- int (*sumsiz) __P((struct secasvar *));
- int (*mature) __P((struct secasvar *));
- int keymin; /* in bits */
- int keymax; /* in bits */
- const char *name;
- int (*init) __P((struct ah_algorithm_state *, struct secasvar *));
- void (*update) __P((struct ah_algorithm_state *, u_int8_t *, size_t));
- void (*result) __P((struct ah_algorithm_state *, u_int8_t *, size_t));
-};
-
-#define AH_MAXSUMSIZE (512 / 8)
-
-extern const struct ah_algorithm *ah_algorithm_lookup __P((int));
-
-/* cksum routines */
-extern int ah_hdrlen __P((struct secasvar *));
-
-extern size_t ah_hdrsiz __P((struct ipsecrequest *));
-extern void ah4_input __P((struct mbuf *, int));
-extern int ah4_output __P((struct mbuf *, struct ipsecrequest *));
-extern int ah4_calccksum __P((struct mbuf *, u_int8_t *, size_t,
- const struct ah_algorithm *, struct secasvar *));
-#endif /* _KERNEL */
-
-#endif /* _NETINET6_AH_H_ */
diff --git a/sys/netinet6/ah6.h b/sys/netinet6/ah6.h
deleted file mode 100644
index 0aa98d8..0000000
--- a/sys/netinet6/ah6.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ah.h,v 1.13 2000/10/18 21:28:00 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * RFC1826/2402 authentication header.
- */
-
-#ifndef _NETINET6_AH6_H_
-#define _NETINET6_AH6_H_
-
-#ifdef _KERNEL
-struct secasvar;
-
-extern int ah6_input __P((struct mbuf **, int *, int));
-extern int ah6_output __P((struct mbuf *, u_char *, struct mbuf *,
- struct ipsecrequest *));
-extern int ah6_calccksum __P((struct mbuf *, u_int8_t *, size_t,
- const struct ah_algorithm *, struct secasvar *));
-
-extern void ah6_ctlinput __P((int, struct sockaddr *, void *));
-#endif
-
-#endif /*_NETINET6_AH6_H_*/
diff --git a/sys/netinet6/esp.h b/sys/netinet6/esp.h
deleted file mode 100644
index bfeb69f..0000000
--- a/sys/netinet6/esp.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: esp.h,v 1.19 2001/09/04 08:43:19 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * RFC1827/2406 Encapsulated Security Payload.
- */
-
-#ifndef _NETINET6_ESP_H_
-#define _NETINET6_ESP_H_
-
-#if defined(_KERNEL) && !defined(_LKM)
-#include "opt_inet.h"
-#endif
-
-struct esp {
- u_int32_t esp_spi; /* ESP */
- /* variable size, 32bit bound */ /* Initialization Vector */
- /* variable size */ /* Payload data */
- /* variable size */ /* padding */
- /* 8bit */ /* pad size */
- /* 8bit */ /* next header */
- /* 8bit */ /* next header */
- /* variable size, 32bit bound */ /* Authentication data (new IPsec) */
-};
-
-struct newesp {
- u_int32_t esp_spi; /* ESP */
- u_int32_t esp_seq; /* Sequence number */
- /* variable size */ /* (IV and) Payload data */
- /* variable size */ /* padding */
- /* 8bit */ /* pad size */
- /* 8bit */ /* next header */
- /* 8bit */ /* next header */
- /* variable size, 32bit bound *//* Authentication data */
-};
-
-struct esptail {
- u_int8_t esp_padlen; /* pad length */
- u_int8_t esp_nxt; /* Next header */
- /* variable size, 32bit bound *//* Authentication data (new IPsec)*/
-};
-
-#ifdef _KERNEL
-struct secasvar;
-
-struct esp_algorithm {
- size_t padbound; /* pad boundary, in byte */
- int ivlenval; /* iv length, in byte */
- int (*mature) __P((struct secasvar *));
- int keymin; /* in bits */
- int keymax; /* in bits */
- size_t (*schedlen) __P((const struct esp_algorithm *));
- const char *name;
- int (*ivlen) __P((const struct esp_algorithm *, struct secasvar *));
- int (*decrypt) __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
- int (*encrypt) __P((struct mbuf *, size_t, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
- /* not supposed to be called directly */
- int (*schedule) __P((const struct esp_algorithm *, struct secasvar *));
- int (*blockdecrypt) __P((const struct esp_algorithm *,
- struct secasvar *, u_int8_t *, u_int8_t *));
- int (*blockencrypt) __P((const struct esp_algorithm *,
- struct secasvar *, u_int8_t *, u_int8_t *));
-};
-
-extern const struct esp_algorithm *esp_algorithm_lookup __P((int));
-extern int esp_max_ivlen __P((void));
-
-/* crypt routines */
-extern int esp4_output __P((struct mbuf *, struct ipsecrequest *));
-extern void esp4_input __P((struct mbuf *, int));
-extern size_t esp_hdrsiz __P((struct ipsecrequest *));
-
-extern int esp_schedule __P((const struct esp_algorithm *, struct secasvar *));
-extern int esp_auth __P((struct mbuf *, size_t, size_t,
- struct secasvar *, u_char *));
-#endif /* _KERNEL */
-
-#endif /* _NETINET6_ESP_H_ */
diff --git a/sys/netinet6/esp6.h b/sys/netinet6/esp6.h
deleted file mode 100644
index c995f64..0000000
--- a/sys/netinet6/esp6.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: esp.h,v 1.16 2000/10/18 21:28:00 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * RFC1827/2406 Encapsulated Security Payload.
- */
-
-#ifndef _NETINET6_ESP6_H_
-#define _NETINET6_ESP6_H_
-
-#ifdef _KERNEL
-extern int esp6_output __P((struct mbuf *, u_char *, struct mbuf *,
- struct ipsecrequest *));
-extern int esp6_input __P((struct mbuf **, int *, int));
-
-extern void esp6_ctlinput __P((int, struct sockaddr *, void *));
-#endif /*_KERNEL*/
-
-#endif /*_NETINET6_ESP6_H_*/
diff --git a/sys/netinet6/esp_aesctr.h b/sys/netinet6/esp_aesctr.h
deleted file mode 100644
index f638d62..0000000
--- a/sys/netinet6/esp_aesctr.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* $KAME: esp_aesctr.h,v 1.2 2003/07/20 00:29:38 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-extern int esp_aesctr_mature __P((struct secasvar *));
-extern size_t esp_aesctr_schedlen __P((const struct esp_algorithm *));
-extern int esp_aesctr_schedule __P((const struct esp_algorithm *,
- struct secasvar *));
-extern int esp_aesctr_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-extern int esp_aesctr_encrypt __P((struct mbuf *, size_t, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-
diff --git a/sys/netinet6/esp_rijndael.h b/sys/netinet6/esp_rijndael.h
deleted file mode 100644
index 680a44a..0000000
--- a/sys/netinet6/esp_rijndael.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: esp_rijndael.h,v 1.2 2003/01/20 00:55:27 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-size_t esp_rijndael_schedlen __P((const struct esp_algorithm *));
-int esp_rijndael_schedule __P((const struct esp_algorithm *,
- struct secasvar *));
-int esp_rijndael_blockdecrypt __P((const struct esp_algorithm *,
- struct secasvar *, u_int8_t *, u_int8_t *));
-int esp_rijndael_blockencrypt __P((const struct esp_algorithm *,
- struct secasvar *, u_int8_t *, u_int8_t *));
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 6c2a0a8..0023c64 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -99,11 +99,6 @@
#include <netinet6/mld6_var.h>
#include <netinet6/nd6.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
-#endif
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
@@ -2232,7 +2227,7 @@ icmp6_redirect_input(m, off)
struct mbuf *m;
int off;
{
- struct ifnet *ifp = m->m_pkthdr.rcvif;
+ struct ifnet *ifp;
struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
struct nd_redirect *nd_rd;
int icmp6len = ntohs(ip6->ip6_plen);
@@ -2249,7 +2244,12 @@ icmp6_redirect_input(m, off)
union nd_opts ndopts;
char ip6buf[INET6_ADDRSTRLEN];
- if (!m || !ifp)
+ if (!m)
+ return;
+
+ ifp = m->m_pkthdr.rcvif;
+
+ if (!ifp)
return;
/* XXX if we are router, we don't update route by icmp6 redirect */
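Review bot: The added `if (!m) return;` cannot protect anything, because the declarations in the preceding hunk, `struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);` and `int icmp6len = ntohs(ip6->ip6_plen);`, already dereference `m` before control reaches the check, so a compiler is entitled to treat the test as dead. Either drop the `!m` test (the same reasoning the commit applies with its "m cannot be NULL" comment in ip6_input.c) or defer those two initialisations exactly as `ifp` was deferred: declare `struct ip6_hdr *ip6;` and `int icmp6len;`, then after the NULL check assign `ip6 = mtod(m, struct ip6_hdr *); icmp6len = ntohs(ip6->ip6_plen);`. icmp6_redirect_input's declarations and body continue outside these hunks, so any other declaration initialised from `ip6` would need the same treatment.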
@@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off)
sdst.sin6_len = sizeof(struct sockaddr_in6);
bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
key_sa_routechange((struct sockaddr *)&sdst);
-#endif
+#endif /* FAST_IPSEC */
}
freeit:
diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h
index 380b8c3..432938b 100644
--- a/sys/netinet6/in6.h
+++ b/sys/netinet6/in6.h
@@ -409,9 +409,10 @@ struct route_in6 {
#define IPV6_BINDV6ONLY IPV6_V6ONLY
#endif
-#if 1 /* IPSEC */
+#ifdef FAST_IPSEC
#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */
-#endif
+#endif /* FAST_IPSEC */
+
#define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */
#if 1 /* IPV6FIREWALL */
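Review bot: Wrapping `IPV6_IPSEC_POLICY` in `#ifdef FAST_IPSEC` removes a socket-option number from a header that is also consumed outside the kernel, where a kernel option macro is never defined; any consumer that includes this header and references the constant would presumably stop compiling, and option number 28 remains reserved in the IPV6_* numbering whatever the kernel configuration. The old `#if 1 /* IPSEC */` made the define effectively unconditional; keep it that way, `#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */` with no guard, and gate only the kernel-side handling of the option on FAST_IPSEC.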
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 863e53f..bae1a07 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -99,18 +99,6 @@
#include <netinet6/in6_pcb.h>
#include <netinet6/scope6_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#include <netinet6/ah.h>
-#ifdef INET6
-#include <netinet6/ah6.h>
-#endif
-#include <netkey/key.h>
-#endif /* IPSEC */
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@@ -402,10 +390,7 @@ in6_pcbconnect(inp, nam, cred)
(htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
in_pcbrehash(inp);
-#ifdef IPSEC
- if (inp->inp_socket->so_type == SOCK_STREAM)
- ipsec_pcbconn(inp->inp_sp);
-#endif
+
return (0);
}
@@ -422,9 +407,6 @@ in6_pcbdisconnect(inp)
/* clear flowinfo - draft-itojun-ipv6-flowlabel-api-00 */
inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
in_pcbrehash(inp);
-#ifdef IPSEC
- ipsec_pcbdisconn(inp->inp_sp);
-#endif
}
void
@@ -445,10 +427,10 @@ in6_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
INP_LOCK_ASSERT(inp);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
if (inp->in6p_sp != NULL)
ipsec6_delete_pcbpolicy(inp);
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
ip6_freepcbopts(inp->in6p_outputopts);
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index e80cdcc..df20857 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -103,27 +103,6 @@
#include <netinet6/pim6_var.h>
#include <netinet6/nd6.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#include <netinet6/ah.h>
-#ifdef INET6
-#include <netinet6/ah6.h>
-#endif
-#ifdef IPSEC_ESP
-#include <netinet6/esp.h>
-#ifdef INET6
-#include <netinet6/esp6.h>
-#endif
-#endif
-#include <netinet6/ipcomp.h>
-#ifdef INET6
-#include <netinet6/ipcomp6.h>
-#endif
-#endif /* IPSEC */
-
#ifdef DEV_CARP
#include <netinet/ip_carp.h>
#endif
@@ -137,12 +116,8 @@
#endif /* SCTP */
#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
-#define IPSEC
-#define IPSEC_ESP
-#define ah6_input ipsec6_common_input
-#define esp6_input ipsec6_common_input
-#define ipcomp6_input ipsec6_common_input
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@@ -277,35 +252,33 @@ struct ip6protosw inet6sw[] = {
.pr_input = frag6_input,
.pr_usrreqs = &nousrreqs
},
-#ifdef IPSEC
+#ifdef FAST_IPSEC
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_AH,
.pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ah6_input,
+ .pr_input = ipsec6_common_input,
.pr_usrreqs = &nousrreqs,
},
-#ifdef IPSEC_ESP
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_ESP,
.pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = esp6_input,
+ .pr_input = ipsec6_common_input,
.pr_ctlinput = esp6_ctlinput,
.pr_usrreqs = &nousrreqs,
},
-#endif
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_IPCOMP,
.pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ipcomp6_input,
+ .pr_input = ipsec6_common_input,
.pr_usrreqs = &nousrreqs,
},
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
#ifdef INET
{
.pr_type = SOCK_RAW,
@@ -465,9 +438,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6");
#ifdef SCTP
SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6");
#endif
-#ifdef IPSEC
+#ifdef FAST_IPSEC
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/* net.inet6.ip6 */
static int
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index ece39b1..241c275 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -65,19 +65,10 @@
#include <netinet/in_pcb.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#include <netkey/key.h>
-#endif /* IPSEC */
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
-#define IPSEC
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@@ -110,7 +101,7 @@ ip6_forward(m, srcrt)
struct ifnet *origifp; /* maybe unnecessary */
u_int32_t inzone, outzone;
struct in6_addr src_in6, dst_in6;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
struct secpolicy *sp = NULL;
int ipsecrt = 0;
#endif
@@ -118,7 +109,7 @@ ip6_forward(m, srcrt)
GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
@@ -127,13 +118,11 @@ ip6_forward(m, srcrt)
* before forwarding packet actually.
*/
if (ipsec6_in_reject(m, NULL)) {
-#if !defined(FAST_IPSEC)
ipsec6stat.in_polvio++;
-#endif
m_freem(m);
return;
}
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/*
* Do not forward packets to multicast destination (should be handled
@@ -186,9 +175,9 @@ ip6_forward(m, srcrt)
*/
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/* get a security policy for this packet */
- sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &error);
if (sp == NULL) {
ipsec6stat.out_inval++;
@@ -214,7 +203,7 @@ ip6_forward(m, srcrt)
*/
ipsec6stat.out_polvio++;
ip6stat.ip6s_cantforward++;
- key_freesp(sp);
+ KEY_FREESP(&sp);
if (mcopy) {
#if 0
/* XXX: what icmp ? */
@@ -228,7 +217,7 @@ ip6_forward(m, srcrt)
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
/* no need to do IPsec. */
- key_freesp(sp);
+ KEY_FREESP(&sp);
goto skip_ipsec;
case IPSEC_POLICY_IPSEC:
@@ -236,7 +225,7 @@ ip6_forward(m, srcrt)
/* XXX should be panic ? */
printf("ip6_forward: No IPsec request specified.\n");
ip6stat.ip6s_cantforward++;
- key_freesp(sp);
+ KEY_FREESP(&sp);
if (mcopy) {
#if 0
/* XXX: what icmp ? */
@@ -254,7 +243,7 @@ ip6_forward(m, srcrt)
default:
/* should be panic ?? */
printf("ip6_forward: Invalid policy found. %d\n", sp->policy);
- key_freesp(sp);
+ KEY_FREESP(&sp);
goto skip_ipsec;
}
@@ -301,7 +290,7 @@ ip6_forward(m, srcrt)
error = ipsec6_output_tunnel(&state, sp, 0);
m = state.m;
- key_freesp(sp);
+ KEY_FREESP(&sp);
if (error) {
/* mbuf is already reclaimed in ipsec6_output_tunnel. */
@@ -329,9 +318,18 @@ ip6_forward(m, srcrt)
}
m_freem(m);
return;
+ } else {
+ /*
+ * In the FAST IPSec case we have already
+ * re-injected the packet and it has been freed
+ * by the ipsec_done() function. So, just clean
+ * up after ourselves.
+ */
+ m = NULL;
+ goto freecopy;
}
- if (ip6 != mtod(m, struct ip6_hdr *)) {
+ if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)) ){
/*
* now tunnel mode headers are added. we are originating
* packet instead of forwarding the packet.
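Review bot: The new `else` branch jumps to `freecopy` unconditionally after a successful `ipsec6_output_tunnel()`, so the `if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)))` block that follows, and the `ipsecrt = 1` assignment at its end, can no longer be reached from the tunnel path as far as this hunk shows; unless `ipsecrt` is set somewhere outside the hunk, the `skip_routing`, `inzone != outzone && !ipsecrt` and redirect `!ipsecrt` tests that this commit keeps under FAST_IPSEC later in the file become dead code. If that reading is right, the `(m != NULL)` guard is redundant as well, and the block should either go or carry a comment saying when it still runs. The start of the tunnel-mode block and the `freecopy` label lie outside the hunk. Minor style: `) ){` on the condition line should be `)) {`.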
@@ -348,9 +346,9 @@ ip6_forward(m, srcrt)
ipsecrt = 1;
}
skip_ipsec:
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
-#ifdef IPSEC
+#ifdef FAST_IPSEC
if (ipsecrt)
goto skip_routing;
#endif
@@ -403,7 +401,7 @@ ip6_forward(m, srcrt)
}
}
rt = ip6_forward_rt.ro_rt;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
skip_routing:;
#endif
@@ -431,7 +429,7 @@ ip6_forward(m, srcrt)
return;
}
if (inzone != outzone
-#ifdef IPSEC
+#ifdef FAST_IPSEC
&& !ipsecrt
#endif
) {
@@ -477,14 +475,14 @@ ip6_forward(m, srcrt)
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
if (mcopy) {
u_long mtu;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
struct secpolicy *sp;
int ipsecerror;
size_t ipsechdrsiz;
-#endif
+#endif /* FAST_IPSEC */
mtu = IN6_LINKMTU(rt->rt_ifp);
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/*
* When we do IPsec tunnel ingress, we need to play
* with the link value (decrement IPsec header size
@@ -492,7 +490,7 @@ ip6_forward(m, srcrt)
* case, as we have the outgoing interface for
* encapsulated packet as "rt->rt_ifp".
*/
- sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
+ sp = ipsec_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &ipsecerror);
if (sp) {
ipsechdrsiz = ipsec6_hdrsiz(mcopy,
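Review bot: The `sp` returned by `ipsec_getpolicybyaddr()` on `mcopy` here has to be released with `KEY_FREESP(&sp)` like the five other call sites this commit converts in ip6_forward(), but the release lies past the end of this hunk, so it cannot be confirmed here that it was changed from `key_freesp(sp)`. Within the hunk, `ipsecerror` is written by the lookup but never consulted when `sp == NULL`, and the MTU then silently falls back to the link MTU; if that is intended, a one-line comment such as `/* no policy: report the plain link MTU */` before the `if (sp)` would record it.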
@@ -507,7 +505,7 @@ ip6_forward(m, srcrt)
*/
if (mtu < IPV6_MMTU)
mtu = IPV6_MMTU;
-#endif
+#endif /* FAST_IPSEC */
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
}
m_freem(m);
@@ -527,9 +525,9 @@ ip6_forward(m, srcrt)
* modified by a redirect.
*/
if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
-#ifdef IPSEC
+#ifdef FAST_IPSEC
!ipsecrt &&
-#endif
+#endif /* FAST_IPSEC */
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
/*
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index aa604bd..96e7850 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -101,17 +101,10 @@
#include <netinet6/in6_ifattach.h>
#include <netinet6/nd6.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#endif
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
+#include <netinet6/ip6_ipsec.h>
#include <netipsec/ipsec6.h>
-#define IPSEC
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@@ -230,16 +223,18 @@ ip6_input(m)
int srcrt = 0;
GIANT_REQUIRED; /* XXX for now */
-#ifdef IPSEC
+
+#ifdef FAST_IPSEC
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
+ * NB: m cannot be NULL when passed to the input routine
*/
- if (m) {
- m->m_flags &= ~M_AUTHIPHDR;
- m->m_flags &= ~M_AUTHIPDGM;
- }
-#endif
+
+ m->m_flags &= ~M_AUTHIPHDR;
+ m->m_flags &= ~M_AUTHIPDGM;
+
+#endif /* FAST_IPSEC */
/*
* make sure we don't have onion peering information into m_tag.
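Review bot: The retained comment line `* see comment in ah4_input().` now points at a function whose declaration this same commit deletes along with netinet6/ah.h, so a reader following the reference finds nothing under FAST_IPSEC. Replace it with a self-contained sentence stating why `M_AUTHIPHDR`/`M_AUTHIPDGM` are cleared at input time, or point it at the netipsec input routine that owns those flags (not visible in this diff, so the exact name should be checked). The two bare `+` blank lines around the flag clearing are stray whitespace.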
@@ -766,18 +761,15 @@ passin:
goto bad;
}
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec6_in_reject(m, NULL)) {
- ipsec6stat.in_polvio++;
+ if (ip6_ipsec_input(m, nxt))
goto bad;
- }
-#endif
+#endif /* FAST_IPSEC */
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
}
return;
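Review bot: The removed lines incremented `ipsec6stat.in_polvio` and gated the check on `PR_LASTHDR`; neither is visible in the replacement `ip6_ipsec_input(m, nxt)` call, and the helper's body in ip6_ipsec.c is cut off in this diff, so please confirm it still performs the `PR_LASTHDR` test and accounts the drop, otherwise the policy-violation counter silently stops counting. A short comment on the call, `/* PR_LASTHDR test and in_polvio accounting live in ip6_ipsec_input() */`, would make that contract explicit at the call site.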
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
new file mode 100644
index 0000000..f1c529f
--- /dev/null
+++ b/sys/netinet6/ip6_ipsec.c
@@ -0,0 +1,369 @@
+/*-
+ * Copyright (c) 1982, 1986, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "opt_ipsec.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/mac.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip_options.h>
+
+#include <machine/in_cksum.h>
+
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/xform.h>
+#include <netipsec/key.h>
+#ifdef IPSEC_DEBUG
+#include <netipsec/key_debug.h>
+#else
+#define KEYDEBUG(lev,arg)
+#endif
+#endif /*FAST_IPSEC*/
+
+#include <netinet6/ip6_ipsec.h>
+
+extern struct protosw inet6sw[];
+
+/*
+ * Check if we have to jump over firewall processing for this packet.
+ * Called from ip_input().
+ * 1 = jump over firewall, 0 = packet goes through firewall.
+ */
+int
+ip6_ipsec_filtergif(struct mbuf *m)
+{
+#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
+ /*
+ * Bypass packet filtering for packets from a tunnel (gif).
+ */
+ if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ return 1;
+#endif
+ return 0;
+}
+
+/*
+ * Check if this packet has an active SA and needs to be dropped instead
+ * of forwarded.
+ * Called from ip_input().
+ * 1 = drop packet, 0 = forward packet.
+ */
+int
+ip6_ipsec_fwd(struct mbuf *m)
+{
+#ifdef FAST_IPSEC
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ s = splnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ }
+ if (sp == NULL) { /* NB: can happen if error */
+ splx(s);
+ /*XXX error stat???*/
+ DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
+ return 1;
+ }
+
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ splx(s);
+ if (error) {
+ ipstat.ips_cantforward++;
+ return 1;
+ }
+#endif /* FAST_IPSEC */
+ return 0;
+}
+
+/*
+ * Check if protocol type doesn't have a further header and do IPSEC
+ * decryption or reject right now. Protocols with further headers get
+ * their IPSEC treatment within the protocol specific processing.
+ * Called from ip_input().
+ * 1 = drop packet, 0 = continue processing packet.
+ */
+int
+ip6_ipsec_input(struct mbuf *m, int nxt)
+
+{
+#ifdef FAST_IPSEC
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+
+ /*
+ * Check if the packet has already had IPsec processing
+ * done. If so, then just pass it along. This tag gets
+ * set during AH, ESP, etc. input handling, before the
+ * packet is returned to the ip input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ s = splnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ }
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ } else {
+ /* XXX error stat??? */
+ error = EINVAL;
+ DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
+ return 1;
+ }
+ splx(s);
+ if (error)
+ return 1;
+ }
+#endif /* FAST_IPSEC */
+ return 0;
+}
+
+/*
+ * Called from ip6_output().
+ * 1 = drop packet, 0 = continue processing packet,
+ * -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
+ */
+
+int
+ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
+ struct ifnet **ifp, struct secpolicy **sp)
+{
+#ifdef FAST_IPSEC
+ struct tdb_ident *tdbi;
+ struct m_tag *mtag;
+ int s;
+ if (sp == NULL)
+ return 1;
+ mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ *sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
+ if (*sp == NULL)
+ *error = -EINVAL; /* force silent drop */
+ m_tag_delete(*m, mtag);
+ } else {
+ *sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
+ error, inp);
+ }
+
+ /*
+ * There are four return cases:
+ * sp != NULL apply IPsec policy
+ * sp == NULL, error == 0 no IPsec handling needed
+ * sp == NULL, error == -EINVAL discard packet w/o error
+ * sp == NULL, error != 0 discard packet, report error
+ */
+ if (*sp != NULL) {
+ /* Loop detection, check if ipsec processing already done */
+ KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request"));
+ for (mtag = m_tag_first(*m); mtag != NULL;
+ mtag = m_tag_next(*m, mtag)) {
+ if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
+ continue;
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
+ mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ continue;
+ /*
+ * Check if policy has an SA associated with it.
+ * This can happen when an SP has yet to acquire
+ * an SA; e.g. on first reference. If it occurs,
+ * then we let ipsec4_process_packet do its thing.
+ */
+ if ((*sp)->req->sav == NULL)
+ break;
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ if (tdbi->spi == (*sp)->req->sav->spi &&
+ tdbi->proto == (*sp)->req->sav->sah->saidx.proto &&
+ bcmp(&tdbi->dst, &(*sp)->req->sav->sah->saidx.dst,
+ sizeof (union sockaddr_union)) == 0) {
+ /*
+ * No IPsec processing is needed, free
+ * reference to SP.
+ *
+ * NB: null pointer to avoid free at
+ * done: below.
+ */
+ KEY_FREESP(sp), sp = NULL;
+ splx(s);
+ goto done;
+ }
+ }
+
+ /*
+ * Do delayed checksums now because we send before
+ * this is done in the normal processing path.
+ */
+ if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+ in_delayed_cksum(*m);
+ (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+ }
+
+ /*
+ * Preserve KAME behaviour: ENOENT can be returned
+ * when an SA acquire is in progress. Don't propagate
+ * this to user-level; it confuses applications.
+ *
+ * XXX this will go away when the SADB is redone.
+ */
+ if (*error == ENOENT)
+ *error = 0;
+ goto do_ipsec;
+ } else { /* sp == NULL */
+ if (*error != 0) {
+ /*
+ * Hack: -EINVAL is used to signal that a packet
+ * should be silently discarded. This is typically
+ * because we asked key management for an SA and
+ * it was delayed (e.g. kicked up to IKE).
+ */
+ if (*error == -EINVAL)
+ *error = 0;
+ goto bad;
+ } else {
+ /* No IPsec processing for this packet. */
+ }
+ }
+done:
+ if (sp != NULL)
+ if (*sp != NULL)
+ KEY_FREESP(sp);
+ return 0;
+do_ipsec:
+ return -1;
+bad:
+ if (sp != NULL)
+ if (*sp != NULL)
+ KEY_FREESP(sp);
+ return 1;
+#endif /* FAST_IPSEC */
+ return 0;
+}
+
+/*
+ * Compute the MTU for a forwarded packet that gets IPSEC encapsulated.
+ * Called from ip_forward().
+ * Returns MTU suggestion for ICMP needfrag reply.
+ */
+int
+ip6_ipsec_mtu(struct mbuf *m)
+{
+ int mtu = 0;
+ /*
+ * If the packet is routed over IPsec tunnel, tell the
+ * originator the tunnel MTU.
+ * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
+ * XXX quickhack!!!
+ */
+ struct secpolicy *sp = NULL;
+ int ipsecerror;
+ int ipsechdr;
+ struct route *ro;
+#ifdef FAST_IPSEC
+ sp = ipsec_getpolicybyaddr(m,
+ IPSEC_DIR_OUTBOUND,
+ IP_FORWARDING,
+ &ipsecerror);
+#endif /* FAST_IPSEC */
+ if (sp != NULL) {
+ /* count IPsec header size */
+ ipsechdr = ipsec4_hdrsiz(m,
+ IPSEC_DIR_OUTBOUND,
+ NULL);
+
+ /*
+ * find the correct route for outer IPv4
+ * header, compute tunnel MTU.
+ */
+ if (sp->req != NULL &&
+ sp->req->sav != NULL &&
+ sp->req->sav->sah != NULL) {
+ ro = &sp->req->sav->sah->sa_route;
+ if (ro->ro_rt && ro->ro_rt->rt_ifp) {
+ mtu =
+ ro->ro_rt->rt_rmx.rmx_mtu ?
+ ro->ro_rt->rt_rmx.rmx_mtu :
+ ro->ro_rt->rt_ifp->if_mtu;
+ mtu -= ipsechdr;
+ }
+ }
+#ifdef FAST_IPSEC
+ KEY_FREESP(&sp);
+#endif /* FAST_IPSEC */
+ }
+ return mtu;
+}
+
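Review bot: In `ip6_ipsec_output()` the `splx(s)` on the loop-detection exit passes an `s` that no `splnet()` in the function ever assigned, and in `ip6_ipsec_input()` the `sp == NULL` branch returns 1 after `splnet()` without the matching `splx(s)`; the first call should simply be removed and the second branch needs `splx(s);` before its `return 1;`. Several helpers are the IPv4 ones applied to an IPv6 mbuf — `ipsec4_checkpolicy()` in `ip6_ipsec_output()`, `ipsec4_hdrsiz()` in `ip6_ipsec_mtu()` (whose comment also speaks of the "outer IPv4 header"), and `ipstat.ips_cantforward++` in `ip6_ipsec_fwd()` — so at minimum the counter should be `ip6stat.ip6s_cantforward++` and the header-size call `ipsec6_hdrsiz()`, and the outbound policy lookup should be confirmed to understand AF_INET6 selectors. The DPRINTF strings still say `ip_input:` and every function header says "Called from ip_input()/ip_forward()"; these should name the `ip6_*` callers, and the two `/* XXX error stat??? */` placeholders should become a real counter increment so policy drops are not silent. `ifp` is never read in `ip6_ipsec_output()`; if it is reserved for later use the header comment should say so.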
diff --git a/sys/netinet6/ah_aesxcbcmac.h b/sys/netinet6/ip6_ipsec.h
index 8874f24..c3ff8c0 100644
--- a/sys/netinet6/ah_aesxcbcmac.h
+++ b/sys/netinet6/ip6_ipsec.h
@@ -1,8 +1,6 @@
-/* $KAME: ah_aesxcbcmac.h,v 1.3 2003/07/20 18:01:20 itojun Exp $ */
-
/*-
- * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
- * All rights reserved.
+ * Copyright (c) 1982, 1986, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -12,14 +10,14 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
+ * 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -31,10 +29,13 @@
* $FreeBSD$
*/
-extern int ah_aes_xcbc_mac_init __P((struct ah_algorithm_state *,
- struct secasvar *));
-extern void ah_aes_xcbc_mac_loop __P((struct ah_algorithm_state *, u_int8_t *,
- size_t));
-extern void ah_aes_xcbc_mac_result __P((struct ah_algorithm_state *,
- u_int8_t *, size_t));
+#ifndef _NETINET_IP6_IPSEC_H_
+#define _NETINET_IP6_IPSEC_H_
+int ip6_ipsec_filtergif(struct mbuf *);
+int ip6_ipsec_fwd(struct mbuf *);
+int ip6_ipsec_input(struct mbuf *, int);
+int ip6_ipsec_mtu(struct mbuf *);
+int ip6_ipsec_output(struct mbuf **, struct inpcb *, int *, int *,
+ struct ifnet **, struct secpolicy **sp);
+#endif
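Review bot: The prototypes use `struct mbuf`, `struct inpcb`, `struct ifnet` and `struct secpolicy` without any prior declaration, so in a translation unit that includes this header first the tags get prototype scope and the declarations will not match the definitions; add `struct mbuf; struct inpcb; struct ifnet; struct secpolicy;` before the prototypes. The guard `_NETINET_IP6_IPSEC_H_` does not follow the `_NETINET6_*_H_` pattern of the sibling headers in this directory (compare the removed `_NETINET6_IPCOMP_H_`), so `#ifndef _NETINET6_IP6_IPSEC_H_` would be consistent. The last prototype names one parameter (`sp`) while all others are unnamed; pick one convention.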
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 9175e10..b08862a 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -91,18 +91,11 @@
#include <netinet/tcp_var.h>
#include <netinet6/nd6.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#include <netkey/key.h>
-#endif /* IPSEC */
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
+#include <netinet6/ip6_ipsec.h>
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@@ -139,6 +132,42 @@ static int copypktopts __P((struct ip6_pktopts *, struct ip6_pktopts *, int));
/*
+ * Make an extension header from option data. hp is the source, and
+ * mp is the destination.
+ */
+#define MAKE_EXTHDR(hp, mp) \
+ do { \
+ if (hp) { \
+ struct ip6_ext *eh = (struct ip6_ext *)(hp); \
+ error = ip6_copyexthdr((mp), (caddr_t)(hp), \
+ ((eh)->ip6e_len + 1) << 3); \
+ if (error) \
+ goto freehdrs; \
+ } \
+ } while (/*CONSTCOND*/ 0)
+
+/*
+ * Form a chain of extension headers.
+ * m is the extension header mbuf
+ * mp is the previous mbuf in the chain
+ * p is the next header
+ * i is the type of option.
+ */
+#define MAKE_CHAIN(m, mp, p, i)\
+ do {\
+ if (m) {\
+ if (!hdrsplit) \
+ panic("assumption failed: hdr not split"); \
+ *mtod((m), u_char *) = *(p);\
+ *(p) = (i);\
+ p = mtod((m), u_char *);\
+ (m)->m_next = (mp)->m_next;\
+ (mp)->m_next = (m);\
+ (mp) = (m);\
+ }\
+ } while (/*CONSTCOND*/ 0)
+
+/*
* IP6 output. The packet in mbuf chain m contains a skeletal IP6
* header (with pri, len, nxt, hlim, src, dst).
* This function may modify ver and hlim only.
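Review bot: Now that `MAKE_EXTHDR` and `MAKE_CHAIN` are file-scope macros, their dependence on the expanding function's locals is no longer visible: `MAKE_EXTHDR` assigns a local `error` and jumps to a `freehdrs:` label, and `MAKE_CHAIN` reads `hdrsplit` and calls `panic()`. The header comments should state this, e.g. `Requires a local 'int error' and a 'freehdrs:' label in the expanding function.` for the first and `Requires a local 'hdrsplit' flag; panics if the header was not split.` for the second, so the macros are not reused from another function by mistake.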
@@ -162,6 +191,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct ip6_hdr *ip6, *mhip6;
struct ifnet *ifp, *origifp;
struct mbuf *m = m0;
+ struct mbuf *mprev = NULL;
int hlen, tlen, len, off;
struct route_in6 ip6route;
struct rtentry *rt = NULL;
@@ -178,25 +208,22 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
+ struct ipsec_output_state state;
+ struct ip6_rthdr *rh = NULL;
int needipsectun = 0;
+ int segleft_org = 0;
struct secpolicy *sp = NULL;
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
ip6 = mtod(m, struct ip6_hdr *);
+ if (ip6 == NULL) {
+ printf ("ip6 is NULL");
+ goto bad;
+ }
+
finaldst = ip6->ip6_dst;
-#define MAKE_EXTHDR(hp, mp) \
- do { \
- if (hp) { \
- struct ip6_ext *eh = (struct ip6_ext *)(hp); \
- error = ip6_copyexthdr((mp), (caddr_t)(hp), \
- ((eh)->ip6e_len + 1) << 3); \
- if (error) \
- goto freehdrs; \
- } \
- } while (/*CONSTCOND*/ 0)
-
bzero(&exthdrs, sizeof(exthdrs));
if (opt) {
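Review bot: The new `if (ip6 == NULL)` check is effectively dead: `mtod()` is pointer arithmetic on `m->m_data`, so for a non-NULL `m` it does not yield NULL, and for a NULL `m` the dereference has already happened. If the intent is to guard against a NULL chain the check belongs on `m` before the `mtod()`; otherwise the block should go. The diagnostic also lacks a trailing newline and a function name (`printf("ip6_output: ip6 is NULL\n");`), and I would confirm that `done:` tolerates the still-NULL `ro_pmtu` when reached from this early `goto bad` (that code is outside the hunk).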
@@ -206,7 +233,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
if (opt->ip6po_rthdr) {
/*
* Destination options header(1st part)
- * This only makes sence with a routing header.
+ * This only makes sense with a routing header.
* See Section 9.2 of RFC 3542.
* Disabling this part just for MIP6 convenience is
* a bad idea. We need to think carefully about a
@@ -222,90 +249,20 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
MAKE_EXTHDR(opt->ip6po_dest2, &exthdrs.ip6e_dest2);
}
-#ifdef IPSEC
- /* get a security policy for this packet */
- if (inp == NULL)
- sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
- else
- sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error);
-
- if (sp == NULL) {
- ipsec6stat.out_inval++;
- goto freehdrs;
- }
-
- error = 0;
-
- /* check policy */
- switch (sp->policy) {
- case IPSEC_POLICY_DISCARD:
- /*
- * This packet is just discarded.
- */
- ipsec6stat.out_polvio++;
- goto freehdrs;
-
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- /* no need to do IPsec. */
- needipsec = 0;
- break;
-
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) {
- /* acquire a policy */
- error = key_spdacquire(sp);
- goto freehdrs;
- }
- needipsec = 1;
- break;
-
- case IPSEC_POLICY_ENTRUST:
- default:
- printf("ip6_output: Invalid policy found. %d\n", sp->policy);
- }
-#endif /* IPSEC */
+ /*
+ * IPSec checking which handles several cases.
+ * FAST IPSEC: We re-injected the packet.
+ */
#ifdef FAST_IPSEC
- /* get a security policy for this packet */
- if (inp == NULL)
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
- else
- sp = ipsec_getpolicybysock(m, IPSEC_DIR_OUTBOUND, inp, &error);
-
- if (sp == NULL) {
- newipsecstat.ips_out_inval++;
- goto freehdrs;
- }
-
- error = 0;
-
- /* check policy */
- switch (sp->policy) {
- case IPSEC_POLICY_DISCARD:
- /*
- * This packet is just discarded.
- */
- newipsecstat.ips_out_polvio++;
+ switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp))
+ {
+ case 1: /* Bad packet */
goto freehdrs;
-
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- /* no need to do IPsec. */
- needipsec = 0;
- break;
-
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) {
- /* acquire a policy */
- error = key_spdacquire(sp);
- goto freehdrs;
- }
- needipsec = 1;
- break;
-
- case IPSEC_POLICY_ENTRUST:
+ case -1: /* Do IPSec */
+ needipsec = 1;
+ case 0: /* No IPSec */
default:
- printf("ip6_output: Invalid policy found. %d\n", sp->policy);
+ break;
}
#endif /* FAST_IPSEC */
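Review bot: The `sp` reference returned through `ip6_ipsec_output()` is never released on the `-1` path: its `do_ipsec:` exit returns with `*sp` still held, and the `KEY_FREESP(&sp)` that used to run at `done:` is deleted by a later hunk of this file, so unless `ipsec6_output_trans()`/`ipsec6_output_tunnel()` consume the reference the policy refcount leaks for every packet that takes the IPsec path; I would keep the `done:` release under `#ifdef FAST_IPSEC`. `case -1:` intentionally falls into `case 0:` but carries no `/* FALLTHROUGH */` marker. The `switch(...)` with its brace on the next line departs from the style used elsewhere in this file.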
@@ -314,12 +271,17 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
* Keep the length of the unfragmentable part for fragmentation.
*/
optlen = 0;
- if (exthdrs.ip6e_hbh) optlen += exthdrs.ip6e_hbh->m_len;
- if (exthdrs.ip6e_dest1) optlen += exthdrs.ip6e_dest1->m_len;
- if (exthdrs.ip6e_rthdr) optlen += exthdrs.ip6e_rthdr->m_len;
+ if (exthdrs.ip6e_hbh)
+ optlen += exthdrs.ip6e_hbh->m_len;
+ if (exthdrs.ip6e_dest1)
+ optlen += exthdrs.ip6e_dest1->m_len;
+ if (exthdrs.ip6e_rthdr)
+ optlen += exthdrs.ip6e_rthdr->m_len;
unfragpartlen = optlen + sizeof(struct ip6_hdr);
+
/* NOTE: we don't add AH/ESP length here. do that later. */
- if (exthdrs.ip6e_dest2) optlen += exthdrs.ip6e_dest2->m_len;
+ if (exthdrs.ip6e_dest2)
+ optlen += exthdrs.ip6e_dest2->m_len;
/*
* If we need IPsec, or there is at least one extension header,
@@ -369,106 +331,94 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
* during the header composing process, "m" points to IPv6 header.
* "mprev" points to an extension header prior to esp.
*/
- {
- u_char *nexthdrp = &ip6->ip6_nxt;
- struct mbuf *mprev = m;
-
- /*
- * we treat dest2 specially. this makes IPsec processing
- * much easier. the goal here is to make mprev point the
- * mbuf prior to dest2.
- *
- * result: IPv6 dest2 payload
- * m and mprev will point to IPv6 header.
- */
- if (exthdrs.ip6e_dest2) {
- if (!hdrsplit)
- panic("assumption failed: hdr not split");
- exthdrs.ip6e_dest2->m_next = m->m_next;
- m->m_next = exthdrs.ip6e_dest2;
- *mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
- ip6->ip6_nxt = IPPROTO_DSTOPTS;
- }
-
-#define MAKE_CHAIN(m, mp, p, i)\
- do {\
- if (m) {\
- if (!hdrsplit) \
- panic("assumption failed: hdr not split"); \
- *mtod((m), u_char *) = *(p);\
- *(p) = (i);\
- p = mtod((m), u_char *);\
- (m)->m_next = (mp)->m_next;\
- (mp)->m_next = (m);\
- (mp) = (m);\
- }\
- } while (/*CONSTCOND*/ 0)
- /*
- * result: IPv6 hbh dest1 rthdr dest2 payload
- * m will point to IPv6 header. mprev will point to the
- * extension header prior to dest2 (rthdr in the above case).
- */
- MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
- MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
- IPPROTO_DSTOPTS);
- MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
- IPPROTO_ROUTING);
-
-#if defined(IPSEC) || defined(FAST_IPSEC)
- if (!needipsec)
- goto skip_ipsec2;
-
- /*
- * pointers after IPsec headers are not valid any more.
- * other pointers need a great care too.
- * (IPsec routines should not mangle mbufs prior to AH/ESP)
- */
- exthdrs.ip6e_dest2 = NULL;
-
- {
- struct ip6_rthdr *rh = NULL;
- int segleft_org = 0;
- struct ipsec_output_state state;
-
- if (exthdrs.ip6e_rthdr) {
- rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *);
- segleft_org = rh->ip6r_segleft;
- rh->ip6r_segleft = 0;
- }
-
- bzero(&state, sizeof(state));
- state.m = m;
- error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags,
- &needipsectun);
- m = state.m;
- if (error) {
- /* mbuf is already reclaimed in ipsec6_output_trans. */
- m = NULL;
- switch (error) {
- case EHOSTUNREACH:
- case ENETUNREACH:
- case EMSGSIZE:
- case ENOBUFS:
- case ENOMEM:
- break;
- default:
- printf("ip6_output (ipsec): error code %d\n", error);
- /* FALLTHROUGH */
- case ENOENT:
- /* don't show these error codes to the user */
- error = 0;
- break;
- }
- goto bad;
- }
- if (exthdrs.ip6e_rthdr) {
- /* ah6_output doesn't modify mbuf chain */
- rh->ip6r_segleft = segleft_org;
+ u_char *nexthdrp = &ip6->ip6_nxt;
+ mprev = m;
+
+ /*
+ * we treat dest2 specially. this makes IPsec processing
+ * much easier. the goal here is to make mprev point the
+ * mbuf prior to dest2.
+ *
+ * result: IPv6 dest2 payload
+ * m and mprev will point to IPv6 header.
+ */
+ if (exthdrs.ip6e_dest2) {
+ if (!hdrsplit)
+ panic("assumption failed: hdr not split");
+ exthdrs.ip6e_dest2->m_next = m->m_next;
+ m->m_next = exthdrs.ip6e_dest2;
+ *mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
+ ip6->ip6_nxt = IPPROTO_DSTOPTS;
+ }
+
+ /*
+ * result: IPv6 hbh dest1 rthdr dest2 payload
+ * m will point to IPv6 header. mprev will point to the
+ * extension header prior to dest2 (rthdr in the above case).
+ */
+ MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
+ MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
+ IPPROTO_DSTOPTS);
+ MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
+ IPPROTO_ROUTING);
+
+#ifdef FAST_IPSEC
+ if (!needipsec)
+ goto skip_ipsec2;
+
+ /*
+ * pointers after IPsec headers are not valid any more.
+ * other pointers need a great care too.
+ * (IPsec routines should not mangle mbufs prior to AH/ESP)
+ */
+ exthdrs.ip6e_dest2 = NULL;
+
+ if (exthdrs.ip6e_rthdr) {
+ rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *);
+ segleft_org = rh->ip6r_segleft;
+ rh->ip6r_segleft = 0;
+ }
+
+ bzero(&state, sizeof(state));
+ state.m = m;
+ error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags,
+ &needipsectun);
+ m = state.m;
+ if (error) {
+ /* mbuf is already reclaimed in ipsec6_output_trans. */
+ m = NULL;
+ switch (error) {
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ case EMSGSIZE:
+ case ENOBUFS:
+ case ENOMEM:
+ break;
+ default:
+ printf("ip6_output (ipsec): error code %d\n", error);
+ /* FALLTHROUGH */
+ case ENOENT:
+ /* don't show these error codes to the user */
+ error = 0;
+ break;
}
- }
-skip_ipsec2:;
-#endif
+ goto bad;
+ } else if (!needipsectun) {
+ /*
+ * In the FAST IPSec case we have already
+ * re-injected the packet and it has been freed
+ * by the ipsec_done() function. So, just clean
+ * up after ourselves.
+ */
+ m = NULL;
+ goto done;
+ }
+ if (exthdrs.ip6e_rthdr) {
+ /* ah6_output doesn't modify mbuf chain */
+ rh->ip6r_segleft = segleft_org;
}
+skip_ipsec2:;
+#endif /* FAST_IPSEC */
/*
* If there is a routing header, replace the destination address field
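Review bot: `u_char *nexthdrp = &ip6->ip6_nxt;` is now a declaration following statements in the body of `ip6_output()`, because the brace block that used to scope it was removed; style(9) keeps declarations at the top of a block, so it should move up next to the `mprev` declaration and be assigned here. The `else if (!needipsectun)` path leaves via `goto done` with `m = NULL` and the same `sp` reference still held, so the refcount concern raised on the policy-check hunk applies here too. The comment block about the packet having been re-injected and freed by `ipsec_done()` is repeated verbatim in the tunnel hunk below; a single comment at the first occurrence with a short cross-reference would keep them from drifting apart. `ip6_output()` continues outside the hunk.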
@@ -572,7 +522,13 @@ again:
ip6->ip6_hlim = ip6_defmcasthlim;
}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
+ /*
+ * Same as similar comment above.
+ * We only want to do regular IPSEC here and leave this pure
+ * in the case that we're using FAST_IPSEC which uses
+ * this code to re-inject packets.
+ */
if (needipsec && needipsectun) {
struct ipsec_output_state state;
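Review bot: The added comment "Same as similar comment above" does not say which comment it refers to, and the rest of it ("leave this pure in the case that we're using FAST_IPSEC which uses this code to re-inject packets") is hard to follow since this whole block is already under `#ifdef FAST_IPSEC`. I would replace it with something concrete, e.g. `Tunnel-mode IPsec: ipsec6_output_tunnel() re-injects the packet through ip6_output() itself, so on success nothing more is done here.`, adjusted to what the callee actually does.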
@@ -617,11 +573,20 @@ again:
break;
}
goto bad;
+ } else {
+ /*
+ * In the FAST IPSec case we have already
+ * re-injected the packet and it has been freed
+ * by the ipsec_done() function. So, just clean
+ * up after ourselves.
+ */
+ m = NULL;
+ goto done;
}
exthdrs.ip6e_ip6 = m;
}
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/* adjust pointer */
ip6 = mtod(m, struct ip6_hdr *);
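Review bot: Assuming the `}` before the new `else` closes the `if (error)` branch whose start lies outside the hunk, both arms now end in a `goto`, which makes the following `exthdrs.ip6e_ip6 = m;` unreachable. If the tunnel path always re-injects the packet on success that assignment should be removed so the dead store is not mistaken for live logic; if re-injection is conditional, the `else` needs the same kind of guard the transport path uses (`else if (!needipsectun)` there) rather than an unconditional `goto done`.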
@@ -965,10 +930,6 @@ passout:
ia6->ia_ifa.if_opackets++;
ia6->ia_ifa.if_obytes += m->m_pkthdr.len;
}
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
goto done;
}
@@ -991,10 +952,7 @@ passout:
struct ip6_frag *ip6f;
u_int32_t id = htonl(ip6_randomid());
u_char nextproto;
-#if 0
- struct ip6ctlparam ip6cp;
- u_int32_t mtu32;
-#endif
+
int qslots = ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len;
/*
@@ -1006,25 +964,6 @@ passout:
if (mtu > IPV6_MAXPACKET)
mtu = IPV6_MAXPACKET;
-#if 0
- /*
- * It is believed this code is a leftover from the
- * development of the IPV6_RECVPATHMTU sockopt and
- * associated work to implement RFC3542.
- * It's not entirely clear what the intent of the API
- * is at this point, so disable this code for now.
- * The IPV6_RECVPATHMTU sockopt and/or IPV6_DONTFRAG
- * will send notifications if the application requests.
- */
-
- /* Notify a proper path MTU to applications. */
- mtu32 = (u_int32_t)mtu;
- bzero(&ip6cp, sizeof(ip6cp));
- ip6cp.ip6c_cmdarg = (void *)&mtu32;
- pfctlinput2(PRC_MSGSIZE, (struct sockaddr *)&ro_pmtu->ro_dst,
- (void *)&ip6cp);
-#endif
-
len = (mtu - hlen - sizeof(struct ip6_frag)) & ~7;
if (len < 8) {
error = EMSGSIZE;
@@ -1130,10 +1069,6 @@ sendorfree:
ia->ia_ifa.if_opackets++;
ia->ia_ifa.if_obytes += m->m_pkthdr.len;
}
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
} else
m_freem(m);
@@ -1149,15 +1084,6 @@ done:
RTFREE(ro_pmtu->ro_rt);
}
-#ifdef IPSEC
- if (sp != NULL)
- key_freesp(sp);
-#endif /* IPSEC */
-#ifdef FAST_IPSEC
- if (sp != NULL)
- KEY_FREESP(&sp);
-#endif /* FAST_IPSEC */
-
return (error);
freehdrs:
@@ -1167,7 +1093,8 @@ freehdrs:
m_freem(exthdrs.ip6e_dest2);
/* FALLTHROUGH */
bad:
- m_freem(m);
+ if (m)
+ m_freem(m);
goto done;
}
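Review bot: The new `if (m)` guard around `m_freem(m)` is redundant: `m_freem()` already accepts a NULL chain, so `m_freem(m);` alone keeps the `bad:` label to one statement. The surrounding `done:`/`freehdrs:` code is outside the hunk.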
@@ -1847,7 +1774,7 @@ do { \
}
break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@@ -1867,7 +1794,7 @@ do { \
m_freem(m);
}
break;
-#endif /* KAME IPSEC */
+#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@@ -2064,7 +1991,7 @@ do { \
}
break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@@ -2093,7 +2020,7 @@ do { \
m_freem(m);
break;
}
-#endif /* KAME IPSEC */
+#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@@ -2449,7 +2376,7 @@ copypktopts(dst, src, canwait)
if (src->ip6po_pktinfo) {
dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
M_IP6OPT, canwait);
- if (dst->ip6po_pktinfo == NULL && canwait == M_NOWAIT)
+ if (dst->ip6po_pktinfo == NULL)
goto bad;
*dst->ip6po_pktinfo = *src->ip6po_pktinfo;
}
@@ -2487,7 +2414,7 @@ ip6_copypktopts(src, canwait)
struct ip6_pktopts *dst;
dst = malloc(sizeof(*dst), M_IP6OPT, canwait);
- if (dst == NULL && canwait == M_NOWAIT)
+ if (dst == NULL)
return (NULL);
ip6_initpktopts(dst);
diff --git a/sys/netinet6/ipcomp.h b/sys/netinet6/ipcomp.h
deleted file mode 100644
index 943cd36..0000000
--- a/sys/netinet6/ipcomp.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ipcomp.h,v 1.11 2001/09/04 08:43:19 itojun Exp $ */
-
-/*-
- * Copyright (C) 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * RFC2393 IP payload compression protocol (IPComp).
- */
-
-#ifndef _NETINET6_IPCOMP_H_
-#define _NETINET6_IPCOMP_H_
-
-#if defined(_KERNEL) && !defined(_LKM)
-#include "opt_inet.h"
-#endif
-
-struct ipcomp {
- u_int8_t comp_nxt; /* Next Header */
- u_int8_t comp_flags; /* reserved, must be zero */
- u_int16_t comp_cpi; /* Compression parameter index */
-};
-
-/* well-known algorithm number (in CPI), from RFC2409 */
-#define IPCOMP_OUI 1 /* vendor specific */
-#define IPCOMP_DEFLATE 2 /* RFC2394 */
-#define IPCOMP_LZS 3 /* RFC2395 */
-#define IPCOMP_MAX 4
-
-#define IPCOMP_CPI_NEGOTIATE_MIN 256
-
-#ifdef _KERNEL
-struct ipcomp_algorithm {
- int (*compress) __P((struct mbuf *, struct mbuf *, size_t *));
- int (*decompress) __P((struct mbuf *, struct mbuf *, size_t *));
- size_t minplen; /* minimum required length for compression */
-};
-
-struct ipsecrequest;
-extern const struct ipcomp_algorithm *ipcomp_algorithm_lookup __P((int));
-extern void ipcomp4_input __P((struct mbuf *, int));
-extern int ipcomp4_output __P((struct mbuf *, struct ipsecrequest *));
-#endif /* KERNEL */
-
-#endif /* _NETINET6_IPCOMP_H_ */
diff --git a/sys/netinet6/ipsec.h b/sys/netinet6/ipsec.h
deleted file mode 100644
index 7b677ae..0000000
--- a/sys/netinet6/ipsec.h
+++ /dev/null
@@ -1,388 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ipsec.h,v 1.69 2003/09/10 23:49:11 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * IPsec controller part.
- */
-
-#ifndef _NETINET6_IPSEC_H_
-#define _NETINET6_IPSEC_H_
-
-#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
-#include "opt_inet.h"
-#include "opt_ipsec.h"
-#endif
-
-#include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-
-#ifdef _KERNEL
-
-/*
- * Security Policy Index
- * Ensure that both address families in the "src" and "dst" are same.
- * When the value of the ul_proto is ICMPv6, the port field in "src"
- * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
- */
-struct secpolicyindex {
- struct sockaddr_storage src; /* IP src address for SP */
- struct sockaddr_storage dst; /* IP dst address for SP */
- u_int8_t prefs; /* prefix length in bits for src */
- u_int8_t prefd; /* prefix length in bits for dst */
- u_int16_t ul_proto; /* upper layer Protocol */
-#ifdef notyet
- uid_t uids;
- uid_t uidd;
- gid_t gids;
- gid_t gidd;
-#endif
-};
-
-/* Security Policy Data Base */
-struct secpolicy {
- TAILQ_ENTRY(secpolicy) tailq; /* all SPD entries, both pcb/table */
- LIST_ENTRY(secpolicy) chain; /* SPD entries on table */
-
- u_int8_t dir; /* direction of packet flow */
- int readonly; /* write prohibited */
- int persist; /* will never be removed */
- int refcnt; /* reference count */
- struct secpolicyindex *spidx; /* selector - NULL if not valid */
- u_int32_t id; /* it identifies a policy in the SPD. */
-#define IPSEC_MANUAL_POLICYID_MAX 0x3fff
- /*
- * 1 - 0x3fff are reserved for user operation.
- * 0 are reserved. Others are for kernel use.
- */
- struct socket *so; /* backpointer to per-socket policy */
- u_int state; /* 0: dead, others: alive */
-#define IPSEC_SPSTATE_DEAD 0
-#define IPSEC_SPSTATE_ALIVE 1
-
- int policy; /* DISCARD, NONE or IPSEC, see below */
- struct ipsecrequest *req;
- /* pointer to the ipsec request tree, */
- /* if policy == IPSEC else this value == NULL.*/
-
- /*
- * lifetime handler.
- * the policy can be used without limitiation if both lifetime and
- * validtime are zero.
- * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
- * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
- */
- long created; /* time created the policy */
- long lastused; /* updated every when kernel sends a packet */
- long lifetime; /* duration of the lifetime of this policy */
- long validtime; /* duration this policy is valid without use */
-};
-
-/* Request for IPsec */
-struct ifnet;
-struct ipsecrequest {
- struct ipsecrequest *next;
- /* pointer to next structure */
- /* If NULL, it means the end of chain. */
- struct secasindex saidx;/* hint for search proper SA */
- /* if __ss_len == 0 then no address specified.*/
- u_int level; /* IPsec level defined below. */
-
- struct secasvar *sav; /* place holder of SA for use */
- struct secpolicy *sp; /* back pointer to SP */
-
- struct ifnet *tunifp; /* interface for tunnelling */
-};
-
-/* security policy in PCB */
-struct inpcbpolicy {
- struct secpolicy *sp_in;
- struct secpolicy *sp_out;
- int priv; /* privileged socket ? */
-
- /* cached policy */
- /* XXX 3 == IPSEC_DIR_MAX */
- struct secpolicy *cache[3];
- struct secpolicyindex cacheidx[3];
- int cachegen[3]; /* cache generation #, the time we filled it */
- int cacheflags;
-#define IPSEC_PCBSP_CONNECTED 1
-};
-
-/* SP acquiring list table. */
-struct secspacq {
- LIST_ENTRY(secspacq) chain;
-
- struct secpolicyindex spidx;
-
- long created; /* for lifetime */
- int count; /* for lifetime */
- /* XXX: here is mbuf place holder to be sent ? */
-};
-
-struct ipsecaux {
- int hdrs; /* # of ipsec headers */
-};
-#endif /* _KERNEL */
-
-/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
-#define IPSEC_PORT_ANY 0
-#define IPSEC_ULPROTO_ANY 255
-#define IPSEC_PROTO_ANY 255
-
-/* mode of security protocol */
-/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
-#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
-#define IPSEC_MODE_TRANSPORT 1
-#define IPSEC_MODE_TUNNEL 2
-#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
-
-/*
- * Direction of security policy.
- * NOTE: Since INVALID is used just as flag.
- * The other are used for loop counter too.
- */
-#define IPSEC_DIR_ANY 0
-#define IPSEC_DIR_INBOUND 1
-#define IPSEC_DIR_OUTBOUND 2
-#define IPSEC_DIR_MAX 3
-#define IPSEC_DIR_INVALID 4
-
-/* Policy level */
-/*
- * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
- * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
- * DISCARD and NONE are allowed for system default.
- */
-#define IPSEC_POLICY_DISCARD 0 /* discard the packet */
-#define IPSEC_POLICY_NONE 1 /* bypass IPsec engine */
-#define IPSEC_POLICY_IPSEC 2 /* pass to IPsec */
-#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
-#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
-#define IPSEC_POLICY_TCP 5 /* TCP MD5 policy */
-
-/* Security protocol level */
-#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
-#define IPSEC_LEVEL_USE 1 /* use SA if present. */
-#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
-#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
-
-#define IPSEC_MANUAL_REQID_MAX 0x3fff
- /*
- * if security policy level == unique, this id
- * indicate to a relative SA for use, else is
- * zero.
- * 1 - 0x3fff are reserved for manual keying.
- * 0 are reserved for above reason. Others is
- * for kernel use.
- * Note that this id doesn't identify SA
- * by only itself.
- */
-#define IPSEC_REPLAYWSIZE 32
-
-/* statistics for ipsec processing */
-struct ipsecstat {
- u_quad_t in_success; /* succeeded inbound process */
- u_quad_t in_polvio;
- /* security policy violation for inbound process */
- u_quad_t in_nosa; /* inbound SA is unavailable */
- u_quad_t in_inval; /* inbound processing failed due to EINVAL */
- u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
- u_quad_t in_badspi; /* failed getting a SPI */
- u_quad_t in_ahreplay; /* AH replay check failed */
- u_quad_t in_espreplay; /* ESP replay check failed */
- u_quad_t in_ahauthsucc; /* AH authentication success */
- u_quad_t in_ahauthfail; /* AH authentication failure */
- u_quad_t in_espauthsucc; /* ESP authentication success */
- u_quad_t in_espauthfail; /* ESP authentication failure */
- u_quad_t in_esphist[256];
- u_quad_t in_ahhist[256];
- u_quad_t in_comphist[256];
- u_quad_t out_success; /* succeeded outbound process */
- u_quad_t out_polvio;
- /* security policy violation for outbound process */
- u_quad_t out_nosa; /* outbound SA is unavailable */
- u_quad_t out_inval; /* outbound process failed due to EINVAL */
- u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
- u_quad_t out_noroute; /* there is no route */
- u_quad_t out_esphist[256];
- u_quad_t out_ahhist[256];
- u_quad_t out_comphist[256];
-
- u_quad_t spdcachelookup;
- u_quad_t spdcachemiss;
-};
-
-/*
- * Definitions for IPsec & Key sysctl operations.
- */
-/*
- * Names for IPsec & Key sysctl objects
- */
-#define IPSECCTL_STATS 1 /* stats */
-#define IPSECCTL_DEF_POLICY 2
-#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
-#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
-#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
-#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
-#if 0 /* obsolete, do not reuse */
-#define IPSECCTL_INBOUND_CALL_IKE 7
-#endif
-#define IPSECCTL_AH_CLEARTOS 8
-#define IPSECCTL_AH_OFFSETMASK 9
-#define IPSECCTL_DFBIT 10
-#define IPSECCTL_ECN 11
-#define IPSECCTL_DEBUG 12
-#define IPSECCTL_ESP_RANDPAD 13
-#define IPSECCTL_MAXID 14
-
-#define IPSECCTL_NAMES { \
- { 0, 0 }, \
- { 0, 0 }, \
- { "def_policy", CTLTYPE_INT }, \
- { "esp_trans_deflev", CTLTYPE_INT }, \
- { "esp_net_deflev", CTLTYPE_INT }, \
- { "ah_trans_deflev", CTLTYPE_INT }, \
- { "ah_net_deflev", CTLTYPE_INT }, \
- { 0, 0 }, \
- { "ah_cleartos", CTLTYPE_INT }, \
- { "ah_offsetmask", CTLTYPE_INT }, \
- { "dfbit", CTLTYPE_INT }, \
- { "ecn", CTLTYPE_INT }, \
- { "debug", CTLTYPE_INT }, \
- { "esp_randpad", CTLTYPE_INT }, \
-}
-
-#define IPSEC6CTL_NAMES { \
- { 0, 0 }, \
- { 0, 0 }, \
- { "def_policy", CTLTYPE_INT }, \
- { "esp_trans_deflev", CTLTYPE_INT }, \
- { "esp_net_deflev", CTLTYPE_INT }, \
- { "ah_trans_deflev", CTLTYPE_INT }, \
- { "ah_net_deflev", CTLTYPE_INT }, \
- { 0, 0 }, \
- { 0, 0 }, \
- { 0, 0 }, \
- { 0, 0 }, \
- { "ecn", CTLTYPE_INT }, \
- { "debug", CTLTYPE_INT }, \
- { "esp_randpad", CTLTYPE_INT }, \
-}
-
-#ifdef _KERNEL
-struct ipsec_output_state {
- struct mbuf *m;
- struct route *ro;
- struct sockaddr *dst;
- int encap;
-};
-
-struct ipsec_history {
- int ih_proto;
- u_int32_t ih_spi;
-};
-
-extern int ipsec_debug;
-
-#ifdef INET
-extern struct ipsecstat ipsecstat;
-extern struct secpolicy *ip4_def_policy;
-extern int ip4_esp_trans_deflev;
-extern int ip4_esp_net_deflev;
-extern int ip4_ah_trans_deflev;
-extern int ip4_ah_net_deflev;
-extern int ip4_ah_cleartos;
-extern int ip4_ah_offsetmask;
-extern int ip4_ipsec_dfbit;
-extern int ip4_ipsec_ecn;
-extern int ip4_esp_randpad;
-#endif
-
-#define ipseclog(x) do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0)
-
-extern int ipsec_pcbconn __P((struct inpcbpolicy *));
-extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));
-extern int ipsec_invalpcbcacheall __P((void));
-
-struct inpcb;
-extern struct secpolicy *ipsec4_getpolicybypcb
- __P((struct mbuf *, u_int, struct inpcb *, int *));
-extern struct secpolicy *ipsec4_getpolicybyaddr
- __P((struct mbuf *, u_int, int, int *));
-
-extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **));
-extern int ipsec_copy_pcbpolicy
- __P((struct inpcbpolicy *, struct inpcbpolicy *));
-extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int));
-
-extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int));
-extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t,
- struct mbuf **));
-extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
-extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
-
-struct secas;
-struct tcpcb;
-struct tcp6cb;
-extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
-extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
-
-extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
-extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));
-
-struct ip;
-extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
-extern const char *ipsec_logsastr __P((struct secasvar *));
-
-extern void ipsec_dumpmbuf __P((struct mbuf *));
-
-extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
- int));
-extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,
- struct secasvar *));
-extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
-extern void ipsec_delaux __P((struct mbuf *));
-extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
-extern int ipsec_getnhist __P((struct mbuf *));
-extern void ipsec_clearhist __P((struct mbuf *));
-
-#endif /* _KERNEL */
-
-#ifndef _KERNEL
-extern caddr_t ipsec_set_policy __P((char *, int));
-extern int ipsec_get_policylen __P((caddr_t));
-extern char *ipsec_dump_policy __P((caddr_t, char *));
-
-extern const char *ipsec_strerror __P((void));
-#endif /* !_KERNEL */
-
-#endif /* _NETINET6_IPSEC_H_ */
diff --git a/sys/netinet6/ipsec6.h b/sys/netinet6/ipsec6.h
deleted file mode 100644
index 6a1547f..0000000
--- a/sys/netinet6/ipsec6.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * IPsec controller part.
- */
-
-#ifndef _NETINET6_IPSEC6_H_
-#define _NETINET6_IPSEC6_H_
-
-#include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-
-#ifdef _KERNEL
-extern struct ipsecstat ipsec6stat;
-extern struct secpolicy *ip6_def_policy;
-extern int ip6_esp_trans_deflev;
-extern int ip6_esp_net_deflev;
-extern int ip6_ah_trans_deflev;
-extern int ip6_ah_net_deflev;
-extern int ip6_ipsec_ecn;
-extern int ip6_esp_randpad;
-
-struct inpcb;
-extern struct secpolicy *ipsec6_getpolicybypcb
- __P((struct mbuf *, u_int, struct inpcb *, int *));
-extern struct secpolicy *ipsec6_getpolicybyaddr
- __P((struct mbuf *, u_int, int, int *));
-
-extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
-extern int ipsec6_set_policy __P((struct inpcb *, int, caddr_t, size_t, int));
-extern int ipsec6_get_policy __P((struct inpcb *, caddr_t, size_t,
- struct mbuf **));
-extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
-
-struct tcp6cb;
-
-extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
-
-struct ip6_hdr;
-extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
-
-extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
- struct mbuf *, struct secpolicy *, int, int *));
-extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
- struct secpolicy *, int));
-extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,
- struct secasvar *));
-#endif /*_KERNEL*/
-
-#endif /*_NETINET6_IPSEC6_H_*/
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index d1a5e83..7d6e788 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -2144,11 +2144,6 @@ again:
goto bad;
}
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
-
#ifdef MAC
mac_create_mbuf_linklayer(ifp, m);
#endif
diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index 3e9b31e..ca73727 100644
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -823,7 +823,7 @@ nd6_na_input(m, off, icmp6len)
* prevent a ln_hold lookup in nd6_output()
* (wouldn't happen, though...)
*/
- for (m_hold = ln->ln_hold, ln->ln_hold = NULL;
+ for (m_hold = ln->ln_hold;
m_hold; m_hold = m_hold_next) {
m_hold_next = m_hold->m_nextpkt;
m_hold->m_nextpkt = NULL;
@@ -834,6 +834,7 @@ nd6_na_input(m, off, icmp6len)
nd6_output(ifp, ifp, m_hold,
(struct sockaddr_in6 *)rt_key(rt), rt);
}
+ ln->ln_hold = NULL;
}
freeit:
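Review bot: The reordering in this hunk and the one above it defeats the comment at L2525-L2527: `ln->ln_hold` is no longer detached before the walk, so while `nd6_output()` runs on each held mbuf the llinfo entry still points at the head of the very chain being unlinked, which is exactly the re-entrant `ln_hold` lookup (and potential double free or re-queue of `m_hold`) that the original `for (m_hold = ln->ln_hold, ln->ln_hold = NULL; ...)` guarded against. The change is also unrelated to the commit's stated FAST_IPSEC purpose, so it looks like an accidental revert of an earlier ordering fix picked up from an older base tree. Restore the detach-first form, `for (m_hold = ln->ln_hold, ln->ln_hold = NULL;`, and drop the trailing `ln->ln_hold = NULL;` at L2537 — or, if the new order is intentional, rewrite the comment so it no longer claims the lookup is prevented. The enclosing nd6_na_input() starts and ends outside these hunks.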
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 006f7d6..3b29375 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -95,11 +95,6 @@
#include <netinet6/raw_ip6.h>
#include <netinet6/scope6_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netinet6/ipsec6.h>
-#endif /*IPSEC*/
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@@ -186,18 +181,16 @@ docontinue:
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (n && ipsec6_in_reject(n, last)) {
m_freem(n);
-#ifdef IPSEC
ipsec6stat.in_polvio++;
-#endif /*IPSEC*/
/* do not inject data into pcb */
} else
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
if (n) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
@@ -219,20 +212,18 @@ docontinue:
}
last = in6p;
}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (last && ipsec6_in_reject(m, last)) {
m_freem(m);
-#ifdef IPSEC
ipsec6stat.in_polvio++;
-#endif /*IPSEC*/
ip6stat.ip6s_delivered--;
/* do not inject data into pcb */
INP_UNLOCK(last);
} else
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
if (last) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c
index 92c23f7..58833aa 100644
--- a/sys/netinet6/sctp6_usrreq.c
+++ b/sys/netinet6/sctp6_usrreq.c
@@ -52,6 +52,12 @@ __FBSDID("$FreeBSD$");
#include <netinet/sctp_output.h>
#include <netinet/sctp_bsd_addr.h>
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#if defined(INET6)
+#include <netipsec/ipsec6.h>
+#endif /* INET6 */
+#endif /* FAST_IPSEC */
extern struct protosw inetsw[];
@@ -201,7 +207,7 @@ sctp_skip_csum:
refcount_up = 1;
}
in6p_ip = (struct inpcb *)in6p;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
@@ -210,7 +216,7 @@ sctp_skip_csum:
ipsec6stat.in_polvio++;
goto bad;
}
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/*
* CONTROL chunk processing
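Review bot: The `goto bad` at L2623 is now the live FAST_IPSEC reject path and is taken after `refcount_up = 1` is set at L2613 and `in6p_ip` is resolved at L2615; the `if (ipsec6_in_reject(m, in6p_ip))` guarding it sits between the two hunks and the `bad:` label is outside this view, so confirm that `bad` both drops the inpcb reference recorded by `refcount_up` and unlocks in6p, otherwise every policy-violating packet leaks a reference (the old `#ifdef IPSEC` form of this branch was presumably seldom compiled, so it is worth re-checking now). The branch does not free `m` either, so `bad` must own that too; a one-line comment at the jump would make the contract explicit, e.g. `/* bad: drops the in6p ref/lock and frees m */`. The enclosing function begins and ends outside these hunks.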
diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c
index 7643373..1dcade6 100644
--- a/sys/netinet6/udp6_output.c
+++ b/sys/netinet6/udp6_output.c
@@ -98,13 +98,6 @@
#include <netinet6/ip6protosw.h>
#include <netinet6/scope6_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#endif /* IPSEC */
-
/*
* UDP protocol inplementation.
* Per RFC 768, August, 1980.
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index ba17f39..4cf0e13 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -102,11 +102,6 @@
#include <netinet6/udp6_var.h>
#include <netinet6/scope6_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netinet6/ipsec6.h>
-#endif /* IPSEC */
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@@ -129,18 +124,16 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (ipsec6_in_reject(n, in6p)) {
m_freem(n);
-#ifdef IPSEC
ipsec6stat.in_polvio++;
-#endif /* IPSEC */
return;
}
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
opts = NULL;
if (in6p->in6p_flags & IN6P_CONTROLOPTS ||