Hello, I have given myself quite the headache trying to make this VPN work correctly. I am attempting to use racoon to establish keys and construct an encrypted tunnel between one host (A.A.A.A) with a routable IP address and another that has a private address (10.0.0.2) behind a cable modem (B.B.B.B) forwarding all ports to the private address (10.0.0.2).

Here is a quick topographic depiction of the infrastructure:

      192.168.121.0/24
    ------------------
             |
        _____|_____
       |           | priv_int 192.168.121.253
       | VPN GW(1) |
       |___________| pub_int A.A.A.A
             |
    ~~~~~~~~~~~~~ Internet ~~~~~~~~~~~~~
             |
        _____|_____
       |           |
       |Cable Modem| pub_int B.B.B.B (forwarded to 10.0.0.2)
       |___________|
             |
        _____|_____
       |           | pub/priv_int 10.0.0.2
       | VPN GW(2) |
       |___________| priv_int 192.168.122.254
             |
    ------------------
      192.168.122.0/24

Here is what I have in ipsec.conf on VPN Gateway (1):

    flush;
    spdflush;
    spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
    spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

ifconfig output:

    dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 192.168.121.253 netmask 0xffffff00 broadcast 192.168.121.255
            ether 00:a0:cc:d1:a2:df
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet A.A.A.A netmask 0xfffffff8 broadcast 216.160.154.159
            ether 00:a0:cc:62:f0:6a
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet A.A.A.A --> B.B.B.B
            inet 192.168.121.253 --> 192.168.122.254 netmask 0xffffffff

VPN Gateway 2 (10.0.0.1) ipsec.conf:

    spdadd 0.0.0.0/0 A.A.A.A/32 ipencap -P out ipsec esp/tunnel/10.0.0.2-A.A.A.A/require;
    spdadd A.A.A.A/32 0.0.0.0/0 ipencap -P in ipsec esp/tunnel/A.A.A.A-10.0.0.2/require;

ifconfig output:

    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
            ether 00:0e:7f:ff:0e:0c
            media: Ethernet autoselect (10baseT/UTP <half-duplex>)
            status: active
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 192.168.122.254 netmask 0xffffff00 broadcast 192.168.122.255
            ether 00:04:75:8b:80:ce
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 10.0.0.2 --> A.A.A.A
            inet 192.168.122.254 --> 192.168.121.253 netmask 0xffffffff

Until I instate an SP for these two hosts I can pass traffic back and forth between both private subnets (192.168.X.X) just fine. Once I read in these IPsec policies I cannot get any traffic back and forth. Any suggestions? I looked in numerous places and found no one else documenting problems or success.

Thanks