authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-06-14 10:50:48 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-06-14 10:50:48 +0000
commit841373330f44381e24532a16f128ebd97ca6bc5d (patch)
treec0eec3bc606ef4b397b6819c513f22ccd90c96b9
parent8452a7098f21b24abdd719acdc65ace5314cf6e3 (diff)
add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947
ok markus
-rw-r--r--sbin/isakmpd/ipsec.c6
-rw-r--r--sbin/isakmpd/ipsec_num.cst10
-rw-r--r--sbin/isakmpd/pf_key_v2.c5
-rw-r--r--sbin/isakmpd/policy.c6
4 files changed, 16 insertions, 11 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 605caa4d6a7..6073b4ad1ec 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.119 2005/05/26 06:11:09 hshoexer Exp $ */
+/* $OpenBSD: ipsec.c,v 1.120 2005/06/14 10:50:47 hshoexer Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -1150,7 +1150,9 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
return dv != IPSEC_ENCAP_TUNNEL &&
dv != IPSEC_ENCAP_TRANSPORT &&
dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL &&
- dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
+ dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT &&
+ dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT &&
+ dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
return dv < IPSEC_AUTH_HMAC_MD5 ||
dv > IPSEC_AUTH_HMAC_RIPEMD;
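Review bot: The two added comparisons in this return expression test the same number, because the ipsec_num.cst hunk of this commit defines both UDP_ENCAP_TUNNEL_DRAFT and UDP_ENCAP_TRANSPORT_DRAFT as 61443. Here that is only redundant, but in the pf_key_v2.c and policy.c hunks the added `== IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT` test then also matches a draft transport-mode offer, so such an SA would get `SADB_X_SAFLAGS_TUNNEL` and be reported to policy as "udp-encap-tunnel". If the draft assigns distinct numbers (61444 for transport, as far as I recall; confirm against draft-ietf-ipsec-nat-t-ike), the constants line should read `UDP_ENCAP_TRANSPORT_DRAFT 61444 # draft-ietf-ipsec-nat-t-ike`. The body of ipsec_is_attribute_incompatible starts and ends outside this hunk.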
diff --git a/sbin/isakmpd/ipsec_num.cst b/sbin/isakmpd/ipsec_num.cst
index b7d838d13a9..bd62b04e9fc 100644
--- a/sbin/isakmpd/ipsec_num.cst
+++ b/sbin/isakmpd/ipsec_num.cst
@@ -1,4 +1,4 @@
-# $OpenBSD: ipsec_num.cst,v 1.15 2004/04/28 14:40:00 ho Exp $
+# $OpenBSD: ipsec_num.cst,v 1.16 2005/06/14 10:50:47 hshoexer Exp $
# $EOM: ipsec_num.cst,v 1.5 2000/10/13 17:56:52 angelos Exp $
#
@@ -62,10 +62,10 @@ IPSEC_DURATION
IPSEC_ENCAP
TUNNEL 1
TRANSPORT 2
- FUTURE_UDP_ENCAP_TUNNEL 3 # XXX Not yet assigned
- FUTURE_UDP_ENCAP_TRANSPORT 4 # XXX Not yet assigned
- UDP_ENCAP_TUNNEL 61443 # draft-ietf-ipsec-nat-t-ike
- UDP_ENCAP_TRANSPORT 61443 # draft-ietf-ipsec-nat-t-ike
+ UDP_ENCAP_TUNNEL 3
+ UDP_ENCAP_TRANSPORT 4
+ UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
+ UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
.
# IPSEC authentication algorithm.
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 0a60da71ad0..70434b0dd04 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.166 2005/06/01 23:04:35 cloder Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.167 2005/06/14 10:50:47 hshoexer Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -1083,7 +1083,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
ssa.sadb_sa_state = SADB_SASTATE_MATURE;
ssa.sadb_sa_flags = 0;
if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
- iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
+ iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
+ iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index c1efa7121b6..55458535dc2 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.85 2005/04/08 22:32:10 cloder Exp $ */
+/* $OpenBSD: policy.c,v 1.86 2005/06/14 10:50:47 hshoexer Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -513,7 +513,9 @@ policy_callback(char *name)
break;
}
else if (decode_16(value) ==
- IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
+ IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
+ decode_16(value) ==
+ IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
switch (proto->proto) {
case IPSEC_PROTO_IPSEC_AH:
ah_encapsulation = "udp-encap-tunnel";
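Review bot: The transport side gets no counterpart to this change: per the diffstat this is the only code hunk in policy.c, so `IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT` is not added to whichever branch handles `IPSEC_ENCAP_UDP_ENCAP_TRANSPORT` (presumably elsewhere in this else-if chain, outside the hunk). A peer using the draft transport value would then get whatever encapsulation string the tunnel branch or the fall-through produces, and policy would be evaluated against that string rather than the negotiated mode. The transport branch should gain the same `|| decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT` alternative. The widened condition also calls `decode_16(value)` twice, so decoding once into a local before the chain would keep it readable.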