If this is true, then wow! It will have major implications on IPSEC implementations around the world as many vendors use the openBSD IPSEC stack. It's hard to believe that in ten years the back door hasn't been found though. How many eyes have been on the code? How many people have modified the code or implemented bug fixes? I'm a little doubtful, but I can't help to be curious if it's true or not.