Of course there are a few tricks for solving some of the practical problems. First, OE has a hole for IKE packets, so they don't trigger the OE mechanism. Otherwise that would only result in both ends trying to set up tunnels simultaneously.
With KLIPS, packets triggering an OE connection are cached, but with NETKEY, these packets are lost and an obscure (and incorrect) "Resource temporarily unavailable" message is logged. We do not yet recommend using NETKEY with OE, but hopefully NETKEY will add this functionality in the near future.
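The following is an added toy model, not Openswan code, of the three behaviours just described: IKE packets bypass the OE trigger, KLIPS holds the packets that triggered a negotiation until the tunnel is up and then releases them, and NETKEY loses them and logs the "Resource temporarily unavailable" text. The peer address, the packet contents and the `OEStack` class with its `send`/`tunnel_up` methods are constructed for the illustration; only the standard IKE UDP ports (500, and 4500 for NAT-Traversal) and the log text come from real systems.

```python
"""Toy model of Opportunistic Encryption (OE) packet handling.

Illustration only (not Openswan's implementation). It shows why the IKE
exception matters and how the KLIPS and NETKEY stacks differ in what
happens to the packet that triggers an OE negotiation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

IKE_PORTS = {500, 4500}  # IKE and IKE NAT-Traversal: standard UDP ports


@dataclass(frozen=True)
class Packet:
    dst: str          # destination address (constructed sample values below)
    proto: str        # "udp", "tcp", ...
    dport: int
    payload: bytes


def is_ike(pkt: Packet) -> bool:
    """The 'hole' for IKE: negotiation traffic must never trigger OE itself."""
    return pkt.proto == "udp" and pkt.dport in IKE_PORTS


@dataclass
class OEStack:
    backend: str                                   # "klips" or "netkey" (assumed names)
    tunnels: set = field(default_factory=set)      # peers with an established tunnel
    pending: dict = field(default_factory=lambda: defaultdict(deque))
    sent: list = field(default_factory=list)       # packets handed to the wire
    log: list = field(default_factory=list)        # messages the stack would log

    def send(self, pkt: Packet) -> str:
        if is_ike(pkt):
            self.sent.append(pkt)                  # hole: no OE negotiation triggered
            return "passthrough-ike"
        if pkt.dst in self.tunnels:
            self.sent.append(pkt)
            return "encrypted"
        # First packet toward an unknown peer: this is the OE trigger.
        if self.backend == "klips":
            self.pending[pkt.dst].append(pkt)      # cached until the tunnel exists
            return "queued"
        # NETKEY: the triggering packet is lost and an EAGAIN-style error is logged.
        self.log.append(f"{pkt.dst}: Resource temporarily unavailable")
        return "dropped"

    def tunnel_up(self, peer: str) -> int:
        """Negotiation finished: release whatever KLIPS cached for this peer."""
        self.tunnels.add(peer)
        released = self.pending.pop(peer, deque())
        self.sent.extend(released)
        return len(released)


def simulate(backend: str) -> dict:
    """Run one IKE packet, two data packets before the tunnel, one after."""
    stack = OEStack(backend)
    peer = "192.0.2.10"                                      # constructed (TEST-NET-1)
    ike = Packet(peer, "udp", 500, b"IKE_SA_INIT")           # constructed
    data = Packet(peer, "tcp", 80, b"GET / HTTP/1.0\r\n")    # constructed
    results = [stack.send(ike), stack.send(data), stack.send(data)]
    released = stack.tunnel_up(peer)
    results.append(stack.send(data))
    return {"results": results, "released": released,
            "delivered": len(stack.sent), "log": list(stack.log)}


if __name__ == "__main__":
    for backend in ("klips", "netkey"):
        print(backend, simulate(backend))
```

Running it shows the practical difference: with the KLIPS model every data packet eventually reaches the wire (the two cached ones are released by `tunnel_up`), whereas the NETKEY model delivers only the packets sent after the tunnel is up and leaves two error lines behind, which is the behaviour an administrator sees as the obscure message above.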
If you are behind NAT, you currently have to manually disable your OE settings.
As is to be expected, there are some problems with DNS. We do really want to protect DNS traffic with OE; such traffic is after all clearly worth protecting as part of your privacy. What if the name server supports OE? What if our resolver is behind OE? Well, we will have to live with some initial DNS problems. In practice, this means that for the first minute or so after...