path: root/sbin/iked/iked.conf.5
author: David Gwynne <dlg@cvs.openbsd.org> 2024-11-04 02:44:29 +0000
committer: David Gwynne <dlg@cvs.openbsd.org> 2024-11-04 02:44:29 +0000
commit: ea9b1e853898469f993df7e5f6faba8962320e66
tree: b1cc04d15fd668bb67eb864d259160ffb83ba266 /sbin/iked/iked.conf.5
parent: 8fdb465d47e52d1e39e1870413ae2006fb871c84
add a "natt" option that forces negotiation of nat-t (and udpencap).
this is like the -t command line option on iked itself, but you get to keep the ike listener on port 500 and you can enable this on specific policies instead of all of them. this is useful if you're dealing with an org that can't firewall ESP traffic well and so you need to force the traffic to be udp encapsulated even if there's no NAT involved. ok markus@ tobhe@
Diffstat (limited to 'sbin/iked/iked.conf.5')
-rw-r--r-- sbin/iked/iked.conf.5 8
1 files changed, 6 insertions, 2 deletions
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index c3c0fa7bb38..624f371ca16 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.98 2024/07/13 12:58:51 jmc Exp $
+.\" $OpenBSD: iked.conf.5,v 1.99 2024/11/04 02:44:28 dlg Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 13 2024 $
+.Dd $Mdocdate: November 4 2024 $
.Dt IKED.CONF 5
.Os
.Sh NAME
@@ -348,6 +348,10 @@ and
the default is
.Ar tunnel .
.Pp
+.It Op Ar natt
+.Ar natt
+forces negotiation of NAT-Traversal after the initial handshake.
+.Pp
.It Op Ar encap
.Ar encap
specifies the encapsulation protocol to be used.
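Review bot: the added description of natt ("forces negotiation of NAT-Traversal after the initial handshake.") leaves out what the commit message gives as the point of the option: ESP ends up UDP-encapsulated even when no NAT is involved, the option is the per-policy counterpart of iked's -t flag, and the IKE listener stays on port 500. Someone writing firewall rules from the manual alone cannot tell that enabling natt on a policy changes what that policy's traffic looks like on the wire. Suggest adding a sentence that says so, with a cross-reference to the -t option in iked(8). A short note on how natt relates to the encap option documented directly below would also help, since the commit message mentions udpencap and the added text does not.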