Apply patch (requested by manu/spz in #378): netbsd-5
authorsnj <snj@NetBSD.org>
Sun, 08 Feb 2009 18:42:14 +0000
branchnetbsd-5
changeset 258324 4ee9ce91758d
parent 258323 9d1bf2ca4ad1
child 258325 a0e7d19885c7
Apply patch (requested by manu/spz in #378): Downgrade ipsec-tools to 0.7.1nb1.
crypto/dist/ipsec-tools/ChangeLog
crypto/dist/ipsec-tools/NEWS
crypto/dist/ipsec-tools/configure.ac
crypto/dist/ipsec-tools/netbsd-import.sh
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c
crypto/dist/ipsec-tools/src/libipsec/key_debug.c
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
crypto/dist/ipsec-tools/src/libipsec/pfkey.c
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
crypto/dist/ipsec-tools/src/libipsec/policy_token.l
crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c
crypto/dist/ipsec-tools/src/racoon/Makefile.am
crypto/dist/ipsec-tools/src/racoon/admin.c
crypto/dist/ipsec-tools/src/racoon/admin.h
crypto/dist/ipsec-tools/src/racoon/backupsa.c
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
crypto/dist/ipsec-tools/src/racoon/doc/README.privsep
crypto/dist/ipsec-tools/src/racoon/eaytest.c
crypto/dist/ipsec-tools/src/racoon/evt.c
crypto/dist/ipsec-tools/src/racoon/evt.h
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
crypto/dist/ipsec-tools/src/racoon/handler.c
crypto/dist/ipsec-tools/src/racoon/handler.h
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
crypto/dist/ipsec-tools/src/racoon/isakmp.c
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h
crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/kmpstat.c
crypto/dist/ipsec-tools/src/racoon/main.c
crypto/dist/ipsec-tools/src/racoon/misc.c
crypto/dist/ipsec-tools/src/racoon/misc.h
crypto/dist/ipsec-tools/src/racoon/nattraversal.c
crypto/dist/ipsec-tools/src/racoon/oakley.c
crypto/dist/ipsec-tools/src/racoon/pfkey.c
crypto/dist/ipsec-tools/src/racoon/pfkey.h
crypto/dist/ipsec-tools/src/racoon/plog.c
crypto/dist/ipsec-tools/src/racoon/plog.h
crypto/dist/ipsec-tools/src/racoon/policy.c
crypto/dist/ipsec-tools/src/racoon/policy.h
crypto/dist/ipsec-tools/src/racoon/privsep.c
crypto/dist/ipsec-tools/src/racoon/privsep.h
crypto/dist/ipsec-tools/src/racoon/proposal.c
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
crypto/dist/ipsec-tools/src/racoon/racoonctl.8
crypto/dist/ipsec-tools/src/racoon/racoonctl.c
crypto/dist/ipsec-tools/src/racoon/remoteconf.c
crypto/dist/ipsec-tools/src/racoon/remoteconf.h
crypto/dist/ipsec-tools/src/racoon/sainfo.c
crypto/dist/ipsec-tools/src/racoon/sainfo.h
crypto/dist/ipsec-tools/src/racoon/schedule.c
crypto/dist/ipsec-tools/src/racoon/schedule.h
crypto/dist/ipsec-tools/src/racoon/session.c
crypto/dist/ipsec-tools/src/racoon/session.h
crypto/dist/ipsec-tools/src/racoon/sockmisc.c
crypto/dist/ipsec-tools/src/racoon/sockmisc.h
crypto/dist/ipsec-tools/src/racoon/strnames.c
crypto/dist/ipsec-tools/src/racoon/var.h
crypto/dist/ipsec-tools/src/racoon/vendorid.c
crypto/dist/ipsec-tools/src/racoon/vendorid.h
crypto/dist/ipsec-tools/src/setkey/parse.y
crypto/dist/ipsec-tools/src/setkey/setkey.c
crypto/dist/ipsec-tools/src/setkey/token.l
lib/libipsec/package_version.h
--- a/crypto/dist/ipsec-tools/ChangeLog	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog	Sun Feb 08 18:42:14 2009 +0000
@@ -1,73 +1,7 @@
-2008-10-27  Timo Teras  <timo.teras@iki.fi>
-	From Arnaud Ebalard <arno@natisbad.org>:
-	* src/racoon/isakmp_var.h: remove duplicate declaration
-	* src/racoon/session.c: initfds() needs to be called only if
-	  monitored file descriptor numbers have changed
-	* src/racoon/grabmyaddr.c: fix indentation issues for readability
-	* src/racoon/pfkey.c: add missing return to error path
-	From Francis Dupont (sent by Arnaud Ebalard):
-	* src/racoon/grabmyaddr.c: recognize RTM_IFANNOUNCE
-
-2008-10-23  Timo Teras  <timo.teras@iki.fi>
-	From Krzysztof Piotr Oledzki <olel@ans.pl>:
-	* src/racoon/{privsep.c|session.c|session.h}: revert parts of
-	  2008-08-06 commit; the problem those changes address are already
-	  handled in a sensible way by Cyrus Rahman's patch from 2008-03-06
-
-2008-10-09  Timo Teras  <timo.teras@iki.fi>
-	From Arnaud Ebalard <arno@natisbad.org>:
-	* src/racoon/isakmp_quick.c: remove unbindph12() call that is
-	  now done also in remph2()
-
-2008-09-25  Yvan Vanhullebus  <vanhu@netasq.com>
-	* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
-	  marker for retransmitted packets.
-
-2008-09-19  Timo Teras  <timo.teras@iki.fi>
-	* src/racoon/{schedule.c|schedule.h|session.c|isakmp.c|
-	  isakmp_var.h|handler.c|handler.h|isakmp_quick.c|pfkey.c|pfkey.h|
-	  isakmp_inf.c|isakmp_xauth.c|isakmp_xauth.h|nattraversal.c}:
-	  Change struct sched to be allocated be the caller and optimize
-	  scheduler to be faster.
-	* src/racoon/{isakmp.c|isakmp_quick.c|handler.c|handler.h|proposal.c|
-	  admin.c|isakmp_cfg.c|isakmp_inf.c|isakmp_var.h|pfkey.c|
-	  isakmp_xauth.c|cfparse.y|cfparse.l|racoon.conf.5|remoteconf.c|
-	  remoteconf.h}: Implement ISAKMP SA rekeying configurable with
-	  rekey {on|off|force} option in remote conf.
-
-2008-09-17  Yvan Vanhullebus  <vanhu@netasq.com>
-	* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
-	  when NAT-T enabled and trying to purge non NAT-T SAs.
-
-2008-09-09  Yvan Vanhullebus  <vanhu@netasq.com>
-	* src/racoon/pfkey.c: Some calls to set_port() were not correctly
-	updated in the previous commit.
-
-2008-09-03  Yvan Vanhullebus  <vanhu@netasq.com>
-	From Tomas Mraz <tmraz@redhat.com>:
-	* src/racoon/pfkey.c: Duplicate addresses in pk_sendxxx functions, as
-	  they may be altered for NAT-T stuff.
-
-2008-09-03  Timo Teras  <timo.teras@iki.fi>
-	* src/libipsec/pfkey.c: no satype check for Linux spdflush messages
-	* src/racoon/pfkey.c: handle SPD dump responses in pfkey_reload()
-	  to make configuration reloading work better
-	* src/racoon/sockmisc.c: it is not an error to call extract_port()
-	  with AF_UNSPEC address (happens with anonymous config blocks)
-
-2008-08-12  Yvan Vanhullebus  <vanhu@netasq.com>
-	From Krzysztof Oledzki <olel@ans.pl>:
-	* src/racoon/isakmp.c: Remove ph1handler if we received an invalid
-	  first exchange from initiator.
-
-2008-08-06  Timo Teras  <timo.teras@iki.fi>
-	From Krzysztof Piotr Oledzki <olel@ans.pl>:
-	* src/racoon/{privsep.c|session.c|session.h}: make privileged
-	  process exit if unprivileged process is terminated, spelling fixes
-
-2008-07-23  Matthew Grooms
-	* src/racoon/cfparse.y
-	  src/racoon/session.c : add missing ifdefs for non-radius builds
+---------------------------------------------
+
+	0.7.1 released
+
 
 2008-07-23  Timo Teras  <timo.teras@iki.fi>
 	* src/libipsec/Makefile.am
@@ -75,33 +9,15 @@
 	  src/setkey/Makefile.am : do not remove flex/bison generated files
 	  in distclean, also add the generated header file as BUILT_SOURCES
 	  and use the standard autotools rule for generating them
-	* src/racoon/Makefile.am : do not use GNU make specific extension
+	* src/racoon/Makefile.am : do not use GNU make specific extension 
 
 2008-07-22  Yvan Vanhullebus  <vanhu@netasq.com>
 	From Kohki Ohhira <ohhira@src.ricoh.co.jp>:
 	* src/racoon/proposal.c: fixed some memory leaks, when malloc
 	  fails or when peer sends invalid proposals.
 
-2008-07-21  Matthew Grooms
-	* src/racoon/cfparse.y
-	  src/racoon/cftoken.l
-	  src/racoon/isakmp_cfg.c
-	  src/racoon/isakmp_xauth.c
-	  src/racoon/isakmp_xauth.h
-	  src/racoon/main.c
-	  src/racoon/racoon.conf.5
-	  src/racoon/session.c : add radius config options for racoon.conf
-
-src/racoon/isakmp_cfg.c : fix hybrid enabled builds
-
 2008-07-21  Timo Teras  <timo.teras@iki.fi>
 	* src/racoon/cfparse.y : do not set default gss id if xauth is used
-	* src/racoon/isakmp_agg.c
-	  src/racoon/isakmp_base.c
-	  src/racoon/isakmp_ident.c
-	  src/racoon/vendorid.c
-	  src/racoon/vendorid.h : separate generic vendor id handling to
-	  a new function and use it
 
 2008-07-14  Matthew Grooms
 	* src/racoon/isakmp_cfg.c : fix hybrid enabled builds
@@ -113,24 +29,6 @@
 	  src/racoon/misc.h
 	  src/racoon/racoonctl.c : fix conflict with freebsd8 hexdump()
 
-2008-07-14  Timo Teras  <timo.teras@iki.fi>
-	* src/racoon/handler.h
-	  src/racoon/isakmp.c
-	  src/racoon/isakmp_agg.c
-	  src/racoon/isakmp_ident.c
-	  src/racoon/isakmp_inf.c
-	  src/racoon/isakmp_inf.h
-	  src/racoon/isakmp_quick.c
-	  src/racoon/strnames.c : clean ups to notification payload handling,
-          and handle INITIAL-CONTACT notification in last main mode exchange
-	  (delayed) and during quick mode exchanges (Track:264)
-	* src/racoon/handler.h
-	  src/racoon/ipsec_doi.c
-	  src/racoon/ipsec_doi.h
-	  src/racoon/isakmp_quick.c
-	  src/racoon/pfkey.c : handle RESPONDER-LIFETIME notification
-	  according to proposal check level (Track:265)
-
 2008-07-11  Timo Teras  <timo.teras@iki.fi>
 	Track:259, original patch from Atis Elsts <the.kfx@gmail.com>:
 	* src/racoon/isakmp.c, src/racoon/isakmp_inf.c: fix double memfree
@@ -148,111 +46,32 @@
 
 2008-06-18  Matthew Grooms
 	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/admin.h
-	  src/racoon/admin.c
-	  src/racoon/racoonctl.c
-	  src/racoon/racoonctl.8 : acquire peer certificate via admin port
-
-2008-06-18  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/misc.c
-	  src/racoon/misc.h
-	  src/racoon/admin.c
-	  src/racoon/grabmyaddr.c
-	  src/racoon/isakmp.c : avoid inherited file descriptor issues
-
-2008-06-18  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
 	* src/racoon/grabmyaddr.c
 	  src/racoon/ipsec_doi.c
 	  src/racoon/isakmp.c
 	  src/racoon/isakmp_cfg.c
 	  src/racoon/isakmp_inf.c
-	  src/racoon/privsep.c
 	  src/racoon/remoteconf.c
 	  src/racoon/admin.c : network port value manipulation cleanup
 
-2008-06-18  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/admin.c
-	  src/racoon/racoonctl.c : admin port code cleanup
-
-2008-06-18  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/pfkey.c : correct a phase2 status event
-
-2008-05-08  Emmanuel Dreyfus  <manu@netbsd.org>
-        From Christian Hohnstaedt <christian@hohnstaedt.de>:
-	* configure.ac: allow out of tree building
-
 2008-04-25  Yvan Vanhullebus  <vanhu@netasq.com>
-	Track:4, from Timo Teras <timo.teras@iki.fi>:
+	Track:4, from Timo Teras:
 	* src/racoon/isakmp_inf.c: extract ports information from
 	SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
 
-2008-04-02  Emmanuel Dreyfus  <manu@netbsd.org>
-	From Timo Teräs <timo.teras@iki.fi>
-	* src/racoon/{sockmisc.h|sockmisc.c|Makefile.am}: fix Linux build
-	  after 2008-03-28's change
-
-2008-03-28  Emmanuel Dreyfus  <manu@netbsd.org>
-	From Cyrus Rahman <crahman@gmail.com>
-	* src/racoon/{sockmisc.c|isakmp.c|isakmp_inf.c|privsep.c|privsep.h}
-	  src/racoon/Makefile.am: allow interface reconfiguration when
-	  running in privilege séparation mode
-	  src/racoon/doc/README.privsep: new file on privilege separation
-
 2008-03-06  Yvan Vanhullebus  <vanhu@netasq.com>
 	* src/racoon/oakley.c: Generates a log if cert validation has been
 	  disabled by configuration.
 
-2008-03-06  Emmanuel Dreyfus  <manu@netbsd.org>
-	From Cyrus Rahman <crahman@gmail.com>
-	* src/racoon/{privsep.c|session.c}: privilegied instance exit when
-	  unprivilegied one terminates. Save PID in real root, not in chroot
-
-2008-03-05  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/admin.c
-	  src/racoon/isakmp.c
-	  src/racoon/isakmp_var.h
-	  src/racoon/pfkey.c
-	  src/racoon/racoonctl.c
-	  src/racoon/racoonctl.8: establish IPsec SAs using the admin socket
-
-2008-03-05  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/admin.c
-	  src/racoon/admin.h
-	  src/racoon/evt.c
-	  src/racoon/evt.h
-	  src/racoon/handler.c
-	  src/racoon/handler.h
-	  src/racoon/isakmp.c
-	  src/racoon/isakmp_agg.c
-	  src/racoon/isakmp_base.c
-	  src/racoon/isakmp_cfg.c
-	  src/racoon/isakmp_ident.c
-	  src/racoon/isakmp_inf.c
-	  src/racoon/isakmp_var.h
-	  src/racoon/isakmp_xauth.c
-	  src/racoon/racoonctl.8
-	  src/racoon/racoonctl.c
-	  src/racoon/session.c: refactor admin socket event protocol to be
-          less error prone.
-
 2008-03-05  Matthew Grooms
 	* src/racoon/cfparse.y: properly initialize the unity network struct
 
 2008-03-05  Matthew Grooms
 	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/pfkey.c
-	  src/racoon/pfkey.h
-	  src/racoon/session.c: reload SPD on SIGHUP or adminport reload
 	* src/racoon/pfkey.c: better handling for pfkey socket read errors
 
 2008-02-25  Emmanuel Dreyfus <manu@netbsd.org>
-	From Brian Haley <brian.haley@hp.com>
+        From Brian Haley <brian.haley@hp.com>
 	* src/racoon/ipsec_doi.c: Do check SPI size (it was not due to a typo)
 
 2008-02-22  Emmanuel Dreyfus <manu@netbsd.org>
@@ -267,7 +86,7 @@
 	From Krzysztof Oledzki <olel@ans.pl>:
 	* src/racoon/isakmp.c: Only search for established ph1 handles in
 	  DPD (also reported new getph1byaddr() arg)
-	* src/racoon/isakmp_inf.c: added some details to some logs  (also
+	* src/racoon/isakmp_inf.c: added some details to some logs (also
 	  reported new getph1byaddr() arg) 
 	* src/racoon/crypto_openssl.c: fixed compilation with idea and
 	  recent gcc
@@ -275,95 +94,39 @@
 	* src/racoon/isakmp_inf.c: reset iph1->dpd_r_u in the scheduler's
 	  callback, to avoid some access to freed memory
 
-2007-12-30  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/racoonctl.8
-	  src/racoon/racoonctl.c: add GRE protocol number to racoonctl
-	* src/racoon/policy.c: correct id wildcard matching for transport mode
-	* src/racoon/isakmp_inf.c: reset iph1->dpd_r_u in the scheduler's
-	  callback, to avoid some access to freed memory
-
-2007-12-11  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/handler.c
-	  src/racoon/handler.h
-	  src/racoon/isakmp_quick.c
-	  src/racoon/pfkey.c: add support for nat-t oa payload handling.
-
-2007-12-04  Matthew Grooms
-	From Timo Teras <timo.teras@iki.fi>:
-	* src/racoon/ipsec_doi.c
-	  src/racoon/ipsec_doi.h
-	  src/racoon/isakmp_quick.c: modify ipsecdoi_sockaddr2id to obtain host
-	  address without specific prefix legth.
-	  src/racoon/isakmp_quick.c: correct a memory leak in phase2.
-
 2007-11-29  Yvan Vanhullebus  <vanhu@netasq.com>
 	From Natanael Copa <natanael.copa@gmail.com>:
 	* src/racoon/Makefile.am: fixed a race condition when building
 	  yacc stuff.
-
-2007-11-09  Yvan Vanhullebus  <vanhu@netasq.com>
-	From Arnaud Ebalard <arno@natisbad.org>:
-	* src/racoon/pfkey.c: Some sanity check in pk_recv()
-	* src/racoon/policy.c: better matching of SPD entries in
-	  getsp_r().
-	* src/racoon/isakmp_quick.c: added some debug in get_proposal_r().
-
-2007-10-18  Emmanuel Dreyfus  <manu@netbsd.org>
-	* src/racoon/{isakmp_unity.[ch]|isakmp_cfg.c|racoon.conf.5}:
-	  Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
-
-2007-10-15  Yvan Vanhullebus  <vanhu@netasq.com>
-	* src/libipsec/pfkey.c: Try to increase the buffer size of the
-	  pfkey socket, this may help things when we have a huge SPD.
-
-2007-10-02  Yvan Vanhullebus  <vanhu@netasq.com>
+	
+2007-11-06  Yvan Vanhullebus  <vanhu@netasq.com>
 	From Scott Lamb <slamb@slamb.org>
 	* src/racoon/plog.[ch]: new plog macro
 	* src/racoon/kmpstat.c: plog changed to _plog to work with new plog macro
 	* src/racoon/crypto_openssl.c: includes plog.h to work with the
 	  new plog macro
 
-2007-09-19  Matthew Grooms <mgrooms@shrew.net>
-	From Gabriel Somlo <somlo@cmu.edu>
-	* src/racoon/isakmp.c: Set REUSE option on sockets to prevent failures
-	associated with closing and immediately re-opening.
+2007-10-15  Yvan Vanhullebus  <vanhu@netasq.com>
+	* src/libipsec/pfkey.c: Try to increase the buffer size of the
+	  pfkey socket, this may help things when we have a huge SPD.
 
 2007-09-19  Matthew Grooms <mgrooms@shrew.net>
-	From Gabriel Somlo <somlo@cmu.edu>
-	* src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet list.
-
-2007-09-12  Matthew Grooms <mgrooms@shrew.net>
 	From Joy Latten <latten@austin.ibm.com>
 	* configure.ac: Fix autoconf check for selinux support.
 
-2007-09-12  Matthew Grooms <mgrooms@shrew.net>
-	* src/racoon/cfparse.y
-	src/racoon/cftoken.l
-	src/racoon/handler.c
-	src/racoon/isakmp_quick.c
-	src/racoon/pfkey.c
-	src/racoon/sainfo.c
-	src/racoon/sainfo.h
-	src/racoon/racoon.conf.5 : Implement clientaddr sainfo remote id option
-	and cleanup sainfo syntax in the man page.
-
-2007-09-05  Matthew Grooms <mgrooms@shrew.net>
-	* src/racoon/sainfo.c: Sort sainfos on insert and improve matching logic.
-
 2007-09-03  Matthew Grooms <mgrooms@shrew.net>
 	* src/racoon/racoon.conf.5: Correct wins4 and nbns4 modecfg option syntax.
 	* src/racoon/cftoken.l: Add nbns4 as an alias for wins4.
 
+---------------------------------------------
+
+	0.7 released
+
 2007-08-07  Emmanuel Dreyfus  <manu@netbsd.org>
 	* src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
 	  authorization ports. Allow interoperability with freeradius
 
-2007-07-18  Matthew Grooms  <mgrooms@shrew.net>
-	* src/racoon/racoon.conf.5: various man page updates
-
-2007-07-18  Yvan Vanhullebus  <vanhu@netasq.com>
+2007-08-01  Yvan Vanhullebus  <vanhu@netasq.com>
 	* configure.ac	
 	src/libipsec/ipsec_dump_policy.c
 	src/libipsec/ipsec_get_policylen.c
@@ -396,10 +159,16 @@
 	src/setkey/token.l:
 	use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues.
 
+2007-07-18  Matthew Grooms  <mgrooms@shrew.net>
+	* src/racoon/racoon.conf.5: various man page updates
+
 2007-07-16  Yvan Vanhullebus  <vanhu@netasq.com>
-	* src/racoon/proposal.c: indentation
 	* src/racoon/grabmyaddr.c: fixed a socket leak.
-	
+
+---------------------------------------------
+
+	0.7.rc1 released
+
 2007-06-07  Emmanuel Dreyfus <manu@netbsd.org>
 	From Paul Winder <Paul.Winder@tadpole.com>:
 	* src/racoon/isakmp_cfg.c: Fix ignored INTERNAL_DNS4_LIST
@@ -439,6 +208,10 @@
 	  subject /subjectaltname if they don't match.
 	* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids().
 
+---------------------------------------------
+
+	0.7.beta3 released
+
 2007-03-26  Yvan Vanhullebus  <vanhu@netasq.com>
 	* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
 	  handler, to be able to cancel it when removing the handler, and
@@ -463,17 +236,21 @@
 	* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL.
 	* src/racoon/{handler.c|isakmp.c|isakmp_inf.c|pfkey.c}: NULL sched
 	  check is now done in SCHED_KILL.
-
+	
 2007-03-15  Yvan Vanhullebus  <vanhu@netasq.com>
 	* src/racoon/isakmp.c: Consider a negociation timeout when
 	  retry_counter is <=0 instead of < 0.
 	* src/racoon/grabmyaddr.c: enable monitoring of ipv6 addresse
 	  changes on linux. Patch by Yves-Alexis Perez.
 
+---------------------------------------------
+
+	0.7.beta2 released
+
 2007-02-27  Matthew Grooms  <mgrooms@shrew.net>
 	* src/racoon/ipsec_doi.c: add logic to match ip address ids to
 	  ip subnet ids when appropriate. reported by Yvan.
-	
+
 2007-02-21  Yvan Vanhullebus  <vanhu@netasq.com>
 	* src/racoon/ipsec_doi.c: block variable declaration before code
 	  in ipsecdoi_id2str().
@@ -494,6 +271,10 @@
 2007-02-16  Yvan Vanhullebus  <vanhu@netasq.com>
 	* src/racoon/ipsec_doi.c: Fixed a %zu in a printf. Reported by
 	  Olivier Warin.
+	
+---------------------------------------------
+
+	0.7.beta1 released
 
 2007-02-15  Emmanuel Dreyfus  <manu@netbsd.org>
 	* configure.ac: fix typo in SELinux option
@@ -518,7 +299,7 @@
 2006-12-18  Yvan Vanhullebus  <vanhu@netasq.com>
 	From Joy Latten <latten@austin.ibm.com>
 	* src/racoon/crypto_openssl.c: fixed a memory leak
-	
+
 ---------------------------------------------
 
 	Branch for 0.7 created (ipsec-tools-0_7-branch)
@@ -542,8 +323,7 @@
 	* configure.ac src/libipsec/{libpfkey.h|pfkey.c}
 	  src/racoon/{Makefile.am|backupsa.c|backupsa.h|cftoken.l|ipsec_doi.c}
 	  src/racoon/{ipsec_doi.h|isakmp_inf.c|isakmp_quick.c|pfkey.c|policy.c}
-	  src/racoon/{policy.h|proposal.c|proposal.h|remoteconf.c}: Add
- 		  support for SELinux security contexts. Also cleanup the libipsec
+	  src/racoon/{policy.h|proposal.c|proposal.h|remoteconf.c}: Add 		  support for SELinux security contexts. Also cleanup the libipsec
 	  interface for adding and updating security associations.
 
 	From Simon Chang <simonychang@gmail.com>
--- a/crypto/dist/ipsec-tools/NEWS	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/NEWS	Sun Feb 08 18:42:14 2009 +0000
@@ -1,6 +1,23 @@
 Version history:
 ----------------
-0.7???  - ??
+
+0.7.1 - 23 July 2008
+	o Fixes a memory leak when invalid proposal received
+	o Some fixes in DPD
+	o do not set default gss id if xauth is used
+	o fixed hybrid enabled builds
+	o fixed compilation on FreeBSD8
+	o cleanup in network port value manipulation
+	o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
+	o Generates a log if cert validation has been disabled by configuration
+	o better handling for pfkey socket read errors
+	o Fixes in yacc / bison stuff
+	o new plog() macro (reduced CPU usage when logging is disabled)
+	o Try to works better with huge SPD/SAD
+	o Corrected modecfg option syntax
+	o Many other various fixes...
+
+0.7	- 09 August 2007
 	o Xauth with pre-shared key PSK
 	o Xauth with certificates
 	o SHA2 support
@@ -20,7 +37,6 @@
 	o Modecfg SplitDNS attribute support ( server side )
 	o Modecfg Default Domain attribute support
 	o Modecfg DNS/WINS server multiple attribute support
-	o NAT-T Original Address handling
 
 0.6	- 27 June 2005
 	o Generated policies are now correctly flushed
--- a/crypto/dist/ipsec-tools/configure.ac	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/configure.ac	Sun Feb 08 18:42:14 2009 +0000
@@ -2,7 +2,7 @@
 dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, CVS)
+AC_INIT(ipsec-tools, 0.7.1)
 AC_CONFIG_SRCDIR([configure.ac])
 AM_CONFIG_HEADER(config.h)
 
@@ -242,7 +242,7 @@
 	    CRYPTOBJS="$CRYPTOBJS sha2.o"
 	])
 
-	CPPFLAGS_ADD="$CPPFLAGS_ADD -I\${top_srcdir}/src/racoon/missing"
+	CPPFLAGS_ADD="$CPPFLAGS_ADD -I./\${top_srcdir}/src/racoon/missing"
 ])
 AC_SUBST(CRYPTOBJS)
 
--- a/crypto/dist/ipsec-tools/netbsd-import.sh	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/netbsd-import.sh	Sun Feb 08 18:42:14 2009 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-#	$NetBSD: netbsd-import.sh,v 1.3 2008/04/30 13:10:46 martin Exp $
+#	$NetBSD: netbsd-import.sh,v 1.3.6.1 2009/02/08 18:42:14 snj Exp $
 #
 # Copyright (c) 2000-2005 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -13,6 +13,13 @@
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by the NetBSD
+#	Foundation, Inc. and its contributors.
+# 4. Neither the name of The NetBSD Foundation nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.8 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.8.18.1 2009/02/08 18:42:14 snj Exp $	*/
 
 /* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_get_policylen.c,v 1.7 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_get_policylen.c,v 1.7.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.c,v 1.5 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_strerror.c,v 1.5.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.8 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.8.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.13 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.13.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.16 2008/09/03 09:57:28 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.16.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -2112,12 +2112,6 @@
 			break;
 		/*FALLTHROUGH*/
 	default:
-#ifdef __linux__
-		/* Linux kernel seems to be buggy and return
-		 * uninitialized satype for spd flush message */
-		if (msg->sadb_msg_type == SADB_X_SPDFLUSH)
-			break;
-#endif
 		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
 		return -1;
 	}
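Review bot: With the `__linux__` block gone, the `default:` branch rejects every message whose satype is not one of the accepted values, so an SADB_X_SPDFLUSH reply that arrives with an unset satype is now reported as EIPSEC_INVAL_SATYPE and the caller sees -1 for a flush the kernel already performed. If that kernel behaviour is still relevant on this branch, the message type should be tested before the satype is rejected, `if (msg->sadb_msg_type == SADB_X_SPDFLUSH) break;` under its platform guard; if the strictness is intended, a one-line comment on the `default:` case saying so would stop the next reader from re-adding the workaround blindly. The enclosing function starts and ends outside the hunk.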
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.16 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.16.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_parse.y,v 1.10 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: policy_parse.y,v 1.10.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/policy_token.l	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_token.l,v 1.7 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: policy_token.l,v 1.7.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: policy_token.l,v 1.12 2005/05/05 12:32:18 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: test-policy-priority.c,v 1.4 2007/07/18 12:07:51 vanhu Exp $	*/
+/*	$NetBSD: test-policy-priority.c,v 1.4.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/Makefile.am	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/Makefile.am	Sun Feb 08 18:42:14 2009 +0000
@@ -48,7 +48,6 @@
 racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la 
 
 libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
-libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
 
 plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
 	crypto_openssl.c logger.c 
@@ -89,7 +88,6 @@
    ${man5_MANS} ${man8_MANS} \
    missing/crypto/rijndael/boxes-fst.dat \
    doc/FAQ doc/README.certificate doc/README.gssapi doc/README.plainrsa \
-   doc/README.privsep \
    contrib/sp.pl stats.pl \
    samples/psk.txt.sample  samples/racoon.conf.sample \
    samples/psk.txt.in samples/racoon.conf.in \
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.26 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.26.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -76,7 +76,6 @@
 #include "evt.h"
 #include "pfkey.h"
 #include "ipsec_doi.h"
-#include "policy.h"
 #include "admin.h"
 #include "admin_var.h"
 #include "isakmp_inf.h"
@@ -94,7 +93,7 @@
 
 static struct sockaddr_un sunaddr;
 static int admin_process __P((int, char *));
-static int admin_reply __P((int, struct admin_com *, int, vchar_t *));
+static int admin_reply __P((int, struct admin_com *, vchar_t *));
 
 int
 admin_handler()
@@ -113,7 +112,6 @@
 			strerror(errno));
 		return -1;
 	}
-	close_on_exec(so2);
 
 	/* get buffer length */
 	while ((len = recv(so2, (char *)&com, sizeof(com), MSG_PEEK)) < 0) {
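Review bot: The accepted admin socket `so2` is no longer marked close-on-exec once the `close_on_exec(so2)` call is dropped, so the descriptor stays open across any exec the daemon performs while the connection is live; the ChangeLog entry removed earlier in this commit ("avoid inherited file descriptor issues") is the reason the call existed. If the `close_on_exec` helper disappears with the rest of the downgrade, the same effect is available directly with `fcntl(so2, F_SETFD, FD_CLOEXEC);` placed right after the `return -1` error path at the top of the hunk. admin_handler begins outside this hunk.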
@@ -149,16 +147,16 @@
 		goto end;
 	}
 
+	if (com.ac_cmd == ADMIN_RELOAD_CONF) {
+		/* reload does not work at all! */
+		signal_handler(SIGHUP);
+		goto end;
+	}
+
 	error = admin_process(so2, combuf);
 
-end:
-	if (error == -2) {
-		plog(LLV_DEBUG, LOCATION, NULL,
-			"[%d] admin connection established\n", so2);
-	} else {
-		(void)close(so2);
-	}
-
+    end:
+	(void)close(so2);
 	if (combuf)
 		racoon_free(combuf);
 
@@ -178,110 +176,99 @@
 	vchar_t *id = NULL;
 	vchar_t *key = NULL;
 	int idtype = 0;
-	int error = 0, l_ac_errno = 0;
-	struct evt_listener_list *event_list = NULL;
+	int error = -1;
 
-	if (com->ac_cmd & ADMIN_FLAG_VERSION)
-		com->ac_cmd &= ~ADMIN_FLAG_VERSION;
-	else
-		com->ac_version = 0;
+	com->ac_errno = 0;
 
 	switch (com->ac_cmd) {
 	case ADMIN_RELOAD_CONF:
-		signal_handler(SIGHUP);
-		break;
+		/* don't entered because of proccessing it in other place. */
+		plog(LLV_ERROR, LOCATION, NULL, "should never reach here\n");
+		goto out;
 
-	case ADMIN_SHOW_SCHED: {
+	case ADMIN_SHOW_SCHED:
+	{
 		caddr_t p = NULL;
 		int len;
 
-		if (sched_dump(&p, &len) != -1) {
-			buf = vmalloc(len);
-			if (buf != NULL)
-				memcpy(buf->v, p, len);
-			else
-				l_ac_errno = ENOMEM;
-			racoon_free(p);
-		} else
-			l_ac_errno = ENOMEM;
+		com->ac_errno = -1;
+
+		if (sched_dump(&p, &len) == -1)
+			goto out2;
+
+		if ((buf = vmalloc(len)) == NULL)
+			goto out2;
+
+		memcpy(buf->v, p, len);
+
+		com->ac_errno = 0;
+out2:
+		racoon_free(p);
 		break;
 	}
 
 	case ADMIN_SHOW_EVT:
-		if (com->ac_version == 0) {
-			buf = evt_dump();
-			l_ac_errno = 0;
-		}
+		/* It's not really an error, don't force racoonctl to quit */
+		if ((buf = evt_dump()) == NULL)
+			com->ac_errno = 0; 
 		break;
 
 	case ADMIN_SHOW_SA:
+	case ADMIN_FLUSH_SA:
+	    {
 		switch (com->ac_proto) {
 		case ADMIN_PROTO_ISAKMP:
-			buf = dumpph1();
-			if (buf == NULL)
-				l_ac_errno = ENOMEM;
-			break;
-		case ADMIN_PROTO_IPSEC:
-		case ADMIN_PROTO_AH:
-		case ADMIN_PROTO_ESP: {
-			u_int p;
-			p = admin2pfkey_proto(com->ac_proto);
-			if (p != -1) {
-				buf = pfkey_dump_sadb(p);
+			switch (com->ac_cmd) {
+			case ADMIN_SHOW_SA:
+				buf = dumpph1();
 				if (buf == NULL)
-					l_ac_errno = ENOMEM;
-			} else
-				l_ac_errno = EINVAL;
-			break;
-		}
-		case ADMIN_PROTO_INTERNAL:
-		default:
-			l_ac_errno = ENOTSUP;
-			break;
-		}
-		break;
-
-	case ADMIN_GET_SA_CERT: {
-		struct admin_com_indexes *ndx;
-		struct sockaddr *src, *dst;
-		struct ph1handle *iph1;
-
-		ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
-		src = (struct sockaddr *) &ndx->src;
-		dst = (struct sockaddr *) &ndx->dst;
-
-		if (com->ac_proto != ADMIN_PROTO_ISAKMP) {
-			l_ac_errno = ENOTSUP;
-			break;
-		}
-
-		iph1 = getph1byaddrwop(src, dst);
-		if (iph1 == NULL) {
-			l_ac_errno = ENOENT;
-			break;
-		}
-
-		if (iph1->cert_p != NULL)
-			buf = vdup(&iph1->cert_p->cert);
-		break;
-	}
-
-	case ADMIN_FLUSH_SA:
-		switch (com->ac_proto) {
-		case ADMIN_PROTO_ISAKMP:
-			flushph1();
+					com->ac_errno = -1;
+				break;
+			case ADMIN_FLUSH_SA:
+				flushph1();
+				break;
+			}
 			break;
 		case ADMIN_PROTO_IPSEC:
 		case ADMIN_PROTO_AH:
 		case ADMIN_PROTO_ESP:
-			pfkey_flush_sadb(com->ac_proto);
+			switch (com->ac_cmd) {
+			case ADMIN_SHOW_SA:
+			    {
+				u_int p;
+				p = admin2pfkey_proto(com->ac_proto);
+				if (p == -1)
+					goto out;
+				buf = pfkey_dump_sadb(p);
+				if (buf == NULL)
+					com->ac_errno = -1;
+			    }
+				break;
+			case ADMIN_FLUSH_SA:
+				pfkey_flush_sadb(com->ac_proto);
+				break;
+			}
 			break;
+
 		case ADMIN_PROTO_INTERNAL:
-			/*XXX flushph2();*/
+			switch (com->ac_cmd) {
+			case ADMIN_SHOW_SA:
+				buf = NULL; /*XXX dumpph2(&error);*/
+				if (buf == NULL)
+					com->ac_errno = error;
+				break;
+			case ADMIN_FLUSH_SA:
+				/*XXX flushph2();*/
+				com->ac_errno = 0;
+				break;
+			}
+			break;
+
 		default:
-			l_ac_errno = ENOTSUP;
-			break;
+			/* ignore */
+			com->ac_errno = -1;
 		}
+	    }
 		break;
 
 	case ADMIN_DELETE_SA: {
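Review bot: In the ADMIN_SHOW_SA/ADMIN_PROTO_IPSEC arm, `if (p == -1) goto out;` jumps past admin_reply, so a client asking for an unsupported protocol gets its connection closed with no reply at all, whereas the `default:` arm just below answers with `ac_errno = -1`; `if (p == -1) { com->ac_errno = -1; break; }` keeps the two consistent (`p` is `u_int`, so the comparison also relies on implicit conversion and trips -Wsign-compare). The ADMIN_PROTO_INTERNAL arm's `buf = NULL; if (buf == NULL) com->ac_errno = error;` is an always-true placeholder reporting the -1 that `error` was initialised to; a plain `com->ac_errno = -1; /* XXX phase 2 dump not implemented */` says the same without the dead test. The ADMIN_RELOAD_CONF arm is unreachable by construction now that admin_handler intercepts it, and its comment would read better as `/* not reached: admin_handler handles reload before dispatch */`. admin_process starts above the hunk.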
@@ -306,13 +293,14 @@
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "phase 1 for %s -> %s not found\n", loc, rem);
 		} else {
-			if (iph1->status >= PHASE1ST_ESTABLISHED)
+			if (iph1->status == PHASE1ST_ESTABLISHED)
 				isakmp_info_send_d1(iph1);
 			purge_remote(iph1);
 		}
 
 		racoon_free(loc);
 		racoon_free(rem);
+
 		break;
 	}
 
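Review bot: Narrowing `iph1->status >= PHASE1ST_ESTABLISHED` to `==` means a phase 1 whose status has advanced past ESTABLISHED (the removed `>=` suggests later states exist, but the enum is not visible here) is purged by purge_remote without isakmp_info_send_d1, leaving the peer with a stale SA and no delete notification. The same change is made in the `@@ -356,7 +344,7 @@` hunk. If PHASE1ST_ESTABLISHED is the final state in the 0.7.1 enum the two forms are equivalent and a one-line comment saying so would stop the next reader from widening it again. The enclosing case block starts above the hunk.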
@@ -356,7 +344,7 @@
 			loc = racoon_strdup(saddrwop2str(iph1->local));
 			STRDUP_FATAL(loc);
 
-			if (iph1->status >= PHASE1ST_ESTABLISHED)
+			if (iph1->status == PHASE1ST_ESTABLISHED)
 				isakmp_info_send_d1(iph1);
 			purge_remote(iph1);
 
@@ -364,6 +352,7 @@
 		}
 		
 		racoon_free(rem);
+
 		break;
 	}
 
@@ -371,6 +360,8 @@
 		struct admin_com_psk *acp;
 		char *data;
 
+		com->ac_cmd = ADMIN_ESTABLISH_SA;
+
 		acp = (struct admin_com_psk *)
 		    ((char *)com + sizeof(*com) + 
 		    sizeof(struct admin_com_indexes));
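Review bot: `com->ac_cmd = ADMIN_ESTABLISH_SA;` rewrites the request header in place with no comment, and because admin_reply later copies that header back to the client (`memcpy(retbuf, combuf, sizeof(*combuf))` in the `@@ -640,11 +518,8 @@` hunk), a client that sent the PSK variant receives a reply tagged ADMIN_ESTABLISH_SA. A comment such as `/* share the ADMIN_ESTABLISH_SA code below; the reply will carry the rewritten command */` documents the intent, or the original command can be restored before admin_reply if the client matches on it. The case label this line belongs to is above the hunk.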
@@ -398,35 +389,25 @@
 		memcpy(key->v, data, key->l);
 	}
 	/* FALLTHROUGH */
-	case ADMIN_ESTABLISH_SA: {
-		struct admin_com_indexes *ndx;
+	case ADMIN_ESTABLISH_SA:
+	    {
 		struct sockaddr *dst;
 		struct sockaddr *src;
-
-		ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
-		src = (struct sockaddr *) &ndx->src;
-		dst = (struct sockaddr *) &ndx->dst;
+		src = (struct sockaddr *)
+			&((struct admin_com_indexes *)
+			    ((caddr_t)com + sizeof(*com)))->src;
+		dst = (struct sockaddr *)
+			&((struct admin_com_indexes *)
+			    ((caddr_t)com + sizeof(*com)))->dst;
 
 		switch (com->ac_proto) {
 		case ADMIN_PROTO_ISAKMP: {
-			struct ph1handle *ph1;
 			struct remoteconf *rmconf;
 			struct sockaddr *remote = NULL;
 			struct sockaddr *local = NULL;
 			u_int16_t port;
 
-			l_ac_errno = -1;
-
-			/* connected already? */
-			ph1 = getph1byaddrwop(src, dst);
-			if (ph1 != NULL) {
-				event_list = &ph1->evt_listeners;
-				if (ph1->status == PHASE1ST_ESTABLISHED)
-					l_ac_errno = EEXIST;
-				else
-					l_ac_errno = 0;
-				break;
-			}
+			com->ac_errno = -1;
 
 			/* search appropreate configuration */
 			rmconf = getrmconf(dst);
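Review bot: `src`/`dst` are carved out of the request at `(caddr_t)com + sizeof(*com)` with no check visible here that `com->ac_len` covers `sizeof(*com) + sizeof(struct admin_com_indexes)`; unless admin_handler validates the length before dispatch (its buffer sizing is above this hunk), a short ADMIN_ESTABLISH_SA message makes getrmconf() read past the received buffer. A guard such as `if (com->ac_len < sizeof(*com) + sizeof(struct admin_com_indexes)) { com->ac_errno = -1; break; }` before the casts bounds the access. Stylistically the two identical casts would read better through one `struct admin_com_indexes *ndx` local, as the removed lines had. The case body continues past the hunk.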
@@ -478,12 +459,10 @@
 				"%s\n", saddrwop2str(remote));
 
 			/* begin ident mode */
-			ph1 = isakmp_ph1begin_i(rmconf, remote, local);
-			if (ph1 == NULL)
+			if (isakmp_ph1begin_i(rmconf, remote, local) < 0)
 				goto out1;
 
-			event_list = &ph1->evt_listeners;
-			l_ac_errno = 0;
+			com->ac_errno = 0;
 out1:
 			if (local != NULL)
 				racoon_free(local);
@@ -492,125 +471,25 @@
 			break;
 		}
 		case ADMIN_PROTO_AH:
-		case ADMIN_PROTO_ESP: {
-			struct ph2handle *iph2;
-			struct secpolicy *sp_out = NULL, *sp_in = NULL;
-			struct policyindex spidx;
-
-			l_ac_errno = -1;
-
-			/* got outbound policy */
-			memset(&spidx, 0, sizeof(spidx));
-			spidx.dir = IPSEC_DIR_OUTBOUND;
-			memcpy(&spidx.src, src, sizeof(spidx.src));
-			memcpy(&spidx.dst, dst, sizeof(spidx.dst));
-			spidx.prefs = ndx->prefs;
-			spidx.prefd = ndx->prefd;
-			spidx.ul_proto = ndx->ul_proto;
-
-			sp_out = getsp_r(&spidx);
-			if (sp_out) {
-				plog(LLV_DEBUG, LOCATION, NULL,
-					"suitable outbound SP found: %s.\n",
-					spidx2str(&sp_out->spidx));
-			} else {
-				l_ac_errno = ENOENT;
-				plog(LLV_NOTIFY, LOCATION, NULL,
-					"no outbound policy found: %s\n",
-					spidx2str(&spidx));
-				break;
-			}
-
-			iph2 = getph2byid(src, dst, sp_out->id);
-			if (iph2 != NULL) {
-				event_list = &iph2->evt_listeners;
-				if (iph2->status == PHASE2ST_ESTABLISHED)
-					l_ac_errno = EEXIST;
-				else
-					l_ac_errno = 0;
-				break;
-			}
-
-			/* get inbound policy */
-			memset(&spidx, 0, sizeof(spidx));
-			spidx.dir = IPSEC_DIR_INBOUND;
-			memcpy(&spidx.src, dst, sizeof(spidx.src));
-			memcpy(&spidx.dst, src, sizeof(spidx.dst));
-			spidx.prefs = ndx->prefd;
-			spidx.prefd = ndx->prefs;
-			spidx.ul_proto = ndx->ul_proto;
-
-			sp_in = getsp_r(&spidx);
-			if (sp_in) {
-				plog(LLV_DEBUG, LOCATION, NULL,
-					"suitable inbound SP found: %s.\n",
-					spidx2str(&sp_in->spidx));
-			} else {
-				l_ac_errno = ENOENT;
-				plog(LLV_NOTIFY, LOCATION, NULL,
-					"no inbound policy found: %s\n",
-				spidx2str(&spidx));
-				break;
-			}
-
-			/* allocate a phase 2 */
-			iph2 = newph2();
-			if (iph2 == NULL) {
-				plog(LLV_ERROR, LOCATION, NULL,
-					"failed to allocate phase2 entry.\n");
-				break;
-			}
-			iph2->side = INITIATOR;
-			iph2->satype = admin2pfkey_proto(com->ac_proto);
-			iph2->spid = sp_out->id;
-			iph2->seq = pk_getseq();
-			iph2->status = PHASE2ST_STATUS2;
-
-			/* set end addresses of SA */
-			iph2->dst = dupsaddr(dst);
-			iph2->src = dupsaddr(src);
-			if (iph2->dst == NULL || iph2->src == NULL) {
-				delph2(iph2);
-				break;
-			}
-
-			if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
-				delph2(iph2);
-				break;
-			}
-
-			insph2(iph2);
-			if (isakmp_post_acquire(iph2) < 0) {
-				remph2(iph2);
-				delph2(iph2);
-				break;
-			}
-
-			event_list = &iph2->evt_listeners;
-			l_ac_errno = 0;
+		case ADMIN_PROTO_ESP:
 			break;
-		}
 		default:
 			/* ignore */
-			l_ac_errno = ENOTSUP;
+			com->ac_errno = -1;
 		}
+	    }
 		break;
-	}
 
 	default:
 		plog(LLV_ERROR, LOCATION, NULL,
 			"invalid command: %d\n", com->ac_cmd);
-		l_ac_errno = ENOTSUP;
+		com->ac_errno = -1;
 	}
 
-	if ((error = admin_reply(so2, com, l_ac_errno, buf)) != 0)
+	if ((error = admin_reply(so2, com, buf)) != 0)
 		goto out;
 
-	/* start pushing events if so requested */
-	if ((l_ac_errno == 0) &&
-	    (com->ac_version >= 1) &&
-	    (com->ac_cmd == ADMIN_SHOW_EVT || event_list != NULL))
-		error = evt_subscribe(event_list, so2);
+	error = 0;
 out:
 	if (buf != NULL)
 		vfree(buf);
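Review bot: For `ADMIN_PROTO_AH`/`ADMIN_PROTO_ESP` under ADMIN_ESTABLISH_SA the new code only `break`s, leaving `com->ac_errno` at the 0 assigned at the top of admin_process, so the client is told the request succeeded although no negotiation was started; the `default:` arm right below reports -1. Suggest `case ADMIN_PROTO_ESP: com->ac_errno = -1; break;`, or at least a comment that phase-2-only establish is unsupported in this version, so racoonctl does not wait for an SA that never comes. admin_process's tail continues after the hunk.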
@@ -619,13 +498,12 @@
 }
 
 static int
-admin_reply(so, req, l_ac_errno, buf)
-	int so, l_ac_errno;
-	struct admin_com *req;
+admin_reply(so, combuf, buf)
+	int so;
+	struct admin_com *combuf;
 	vchar_t *buf;
 {
 	int tlen;
-	struct admin_com *combuf;
 	char *retbuf = NULL;
 
 	if (buf != NULL)
@@ -640,11 +518,8 @@
 		return -1;
 	}
 
-	combuf = (struct admin_com *) retbuf;
-	combuf->ac_len = tlen;
-	combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION;
-	combuf->ac_errno = l_ac_errno;
-	combuf->ac_proto = req->ac_proto;
+	memcpy(retbuf, combuf, sizeof(*combuf));
+	((struct admin_com *)retbuf)->ac_len = tlen;
 
 	if (buf != NULL)
 		memcpy(retbuf + sizeof(*combuf), buf->v, buf->l);
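Review bot: `((struct admin_com *)retbuf)->ac_len = tlen;` stores an `int` into the 16-bit `ac_len` field (admin.h in this changeset declares it `u_int16_t`), so a reply over 65535 bytes — a large SAD dump from pfkey_dump_sadb is the obvious candidate — is announced with a wrapped length while the full payload is still copied after it, and the client parses a truncated frame. tlen's computation sits just above the hunk (presumably header plus `buf->l`), and that is where a check like `if (tlen > UINT16_MAX) { plog(LLV_ERROR, LOCATION, NULL, "admin reply too large\n"); return -1; }` belongs. admin_reply's body starts above the hunk.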
@@ -700,7 +575,6 @@
 			"socket: %s\n", strerror(errno));
 		return -1;
 	}
-	close_on_exec(lcconf->sock_admin);
 
 	unlink(sunaddr.sun_path);
 	if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr,
--- a/crypto/dist/ipsec-tools/src/racoon/admin.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.h,v 1.7 2008/08/29 00:30:15 gmcgarry Exp $	*/
+/*	$NetBSD: admin.h,v 1.7.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
 
@@ -46,19 +46,9 @@
 struct admin_com {
 	u_int16_t ac_len;	/* total packet length including data */
 	u_int16_t ac_cmd;
-	union {
-		int16_t ac_un_errno;
-		uint16_t ac_un_version;
-	} u;
+	int16_t ac_errno;
 	u_int16_t ac_proto;
 };
-#define ac_errno u.ac_un_errno
-#define ac_version u.ac_un_version
-
-/*
- * Version field in request is valid.
- */
-#define ADMIN_FLAG_VERSION	0x8000
 
 /*
  * No data follows as the data.
@@ -82,8 +72,6 @@
 #define ADMIN_ESTABLISH_SA	0x0202
 #define ADMIN_DELETE_ALL_SA_DST	0x0204	/* All SA for a given peer */
 
-#define ADMIN_GET_SA_CERT	0x0206
-
 /*
  * The admin_com_indexes and admin_com_psk follow, see below.
  */
--- a/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.9 2007/07/18 12:07:51 vanhu Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.9.18.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.31 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.31.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -196,8 +196,6 @@
 	/* ldap config */
 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
-	/* radius config */
-%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
 	/* modecfg */
 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
@@ -213,7 +211,7 @@
 	/* sainfo */
 %token SAINFO FROM
 	/* remote */
-%token REMOTE ANONYMOUS CLIENTADDR INHERIT
+%token REMOTE ANONYMOUS INHERIT
 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
 %token VERIFY_CERT SEND_CERT SEND_CR
@@ -231,7 +229,6 @@
 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
 %token PH1ID
 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
-%token REKEY
 
 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
@@ -274,7 +271,6 @@
 	|	padding_statement
 	|	listen_statement
 	|	ldapcfg_statement
-	|	radcfg_statement
 	|	modecfg_statement
 	|	timer_statement
 	|	sainfo_statement
@@ -510,122 +506,6 @@
 	|	PORT		{ $$ = $1; }
 	;
 
-	/* radius configuration */
-radcfg_statement
-	:	RADCFG {
-#ifndef ENABLE_HYBRID
-			yyerror("racoon not configured with --enable-hybrid");
-			return -1;
-#endif
-#ifndef HAVE_LIBRADIUS
-			yyerror("racoon not configured with --with-libradius");
-			return -1;
-#endif
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			xauth_rad_config.timeout = 3;
-			xauth_rad_config.retries = 3;
-#endif
-#endif
-		} BOC radcfg_stmts EOC
-	;
-radcfg_stmts
-	:	/* nothing */
-	|	radcfg_stmts radcfg_stmt
-	;
-radcfg_stmt
-	:	RAD_AUTH QUOTEDSTRING QUOTEDSTRING
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			int i = xauth_rad_config.auth_server_count;
-			if (i == RADIUS_MAX_SERVERS) {
-				yyerror("maximum radius auth servers exceeded");
-				return -1;
-			}
-
-			xauth_rad_config.auth_server_list[i].host = vdup($2);
-			xauth_rad_config.auth_server_list[i].secret = vdup($3);
-			xauth_rad_config.auth_server_list[i].port = 0; // default port
-			xauth_rad_config.auth_server_count++;
-#endif
-#endif
-		}
-		EOS
-	|	RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			int i = xauth_rad_config.auth_server_count;
-			if (i == RADIUS_MAX_SERVERS) {
-				yyerror("maximum radius auth servers exceeded");
-				return -1;
-			}
-
-			xauth_rad_config.auth_server_list[i].host = vdup($2);
-			xauth_rad_config.auth_server_list[i].secret = vdup($4);
-			xauth_rad_config.auth_server_list[i].port = $3;
-			xauth_rad_config.auth_server_count++;
-#endif
-#endif
-		}
-		EOS
-	|	RAD_ACCT QUOTEDSTRING QUOTEDSTRING
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			int i = xauth_rad_config.acct_server_count;
-			if (i == RADIUS_MAX_SERVERS) {
-				yyerror("maximum radius account servers exceeded");
-				return -1;
-			}
-
-			xauth_rad_config.acct_server_list[i].host = vdup($2);
-			xauth_rad_config.acct_server_list[i].secret = vdup($3);
-			xauth_rad_config.acct_server_list[i].port = 0; // default port
-			xauth_rad_config.acct_server_count++;
-#endif
-#endif
-		}
-		EOS
-	|	RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			int i = xauth_rad_config.acct_server_count;
-			if (i == RADIUS_MAX_SERVERS) {
-				yyerror("maximum radius account servers exceeded");
-				return -1;
-			}
-
-			xauth_rad_config.acct_server_list[i].host = vdup($2);
-			xauth_rad_config.acct_server_list[i].secret = vdup($4);
-			xauth_rad_config.acct_server_list[i].port = $3;
-			xauth_rad_config.acct_server_count++;
-#endif
-#endif
-		}
-		EOS
-	|	RAD_TIMEOUT NUMBER
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			xauth_rad_config.timeout = $2;
-#endif
-#endif
-		}
-		EOS
-	|	RAD_RETRIES NUMBER
-		{
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
-			xauth_rad_config.retries = $2;
-#endif
-#endif
-		}
-		EOS
-	;
-
 	/* ldap configuration */
 ldapcfg_statement
 	:	LDAPCFG {
@@ -1135,16 +1015,12 @@
 
 			grouplist = racoon_realloc(icc->grouplist,
 					sizeof(char**)*(icc->groupcount+1));
-			if (grouplist == NULL) {
+			if (grouplist == NULL)
 				yyerror("unable to allocate auth group list");
-				return -1;
-			}
 
 			groupname = racoon_malloc($1->l+1);
-			if (groupname == NULL) {
+			if (groupname == NULL)
 				yyerror("unable to allocate auth group name");
-				return -1;
-			}
 
 			memcpy(groupname,$1->v,$1->l);
 			groupname[$1->l]=0;
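Review bot: After `yyerror("unable to allocate auth group list")` and `yyerror("unable to allocate auth group name")` the action no longer returns, so on allocation failure it falls straight into `memcpy(groupname,$1->v,$1->l)` with a NULL `groupname` (and presumably stores into the NULL `grouplist` afterwards), unless yyerror is noreturn, which a yacc error hook normally is not. The same pattern appears in the two splitdns hunks (`@@ -1172,10 +1048,8 @@` and `@@ -1183,10 +1057,8 @@`), where `memcpy(icc->splitdns_list, ...)` follows the NULL check. Keeping `return -1;` after each yyerror, as the removed lines did, avoids the NULL write. The rule's action starts above the hunk.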
@@ -1172,10 +1048,8 @@
 			if (!icc->splitdns_len)
 			{
 				icc->splitdns_list = racoon_malloc($1->l);
-				if(icc->splitdns_list == NULL) {
+				if(icc->splitdns_list == NULL)
 					yyerror("error allocating splitdns list buffer");
-					return -1;
-				}
 				memcpy(icc->splitdns_list,$1->v,$1->l);
 				icc->splitdns_len = $1->l;
 			}
@@ -1183,10 +1057,8 @@
 			{
 				int len = icc->splitdns_len + $1->l + 1;
 				icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
-				if(icc->splitdns_list == NULL) {
+				if(icc->splitdns_list == NULL)
 					yyerror("error allocating splitdns list buffer");
-					return -1;
-				}
 				icc->splitdns_list[icc->splitdns_len] = ',';
 				memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
 				icc->splitdns_len = len;
@@ -1282,16 +1154,12 @@
 			check = getsainfo(cur_sainfo->idsrc,
 					  cur_sainfo->iddst,
 					  cur_sainfo->id_i,
-					  NULL,
 					  cur_sainfo->remoteid);
-
-			if (check && ((check->idsrc != SAINFO_ANONYMOUS) &&
-				      (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) {
+			if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
 				yyerror("duplicated sainfo: %s",
 					sainfo2str(cur_sainfo));
 				return -1;
 			}
-
 			inssainfo(cur_sainfo);
 		}
 		EOC
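Review bot: The duplicate-sainfo test `if (check && (!check->idsrc && !cur_sainfo->idsrc))` is the logical inverse of the removed condition: it now rejects a duplicate only when both entries are anonymous and lets two identical named sainfo blocks through, where the previous code rejected exactly the non-anonymous pair. If that is the intended 0.7.1 semantics (getsainfo's matching rules in that version are not visible here), a comment such as `/* only an anonymous sainfo may not be declared twice; named ones are disambiguated by getsainfo */` would stop the next reader from flipping it back. The sainfo_statement action starts above the hunk.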
@@ -1299,28 +1167,18 @@
 sainfo_name
 	:	ANONYMOUS
 		{
-			cur_sainfo->idsrc = SAINFO_ANONYMOUS;
-			cur_sainfo->iddst = SAINFO_ANONYMOUS;
-		}
-	|	ANONYMOUS CLIENTADDR
-		{
-			cur_sainfo->idsrc = SAINFO_ANONYMOUS;
-			cur_sainfo->iddst = SAINFO_CLIENTADDR;
+			cur_sainfo->idsrc = NULL;
+			cur_sainfo->iddst = NULL;
 		}
 	|	ANONYMOUS sainfo_id
 		{
-			cur_sainfo->idsrc = SAINFO_ANONYMOUS;
+			cur_sainfo->idsrc = NULL;
 			cur_sainfo->iddst = $2;
 		}
 	|	sainfo_id ANONYMOUS
 		{
 			cur_sainfo->idsrc = $1;
-			cur_sainfo->iddst = SAINFO_ANONYMOUS;
-		}
-	|	sainfo_id CLIENTADDR
-		{
-			cur_sainfo->idsrc = $1;
-			cur_sainfo->iddst = SAINFO_CLIENTADDR;
+			cur_sainfo->iddst = NULL;
 		}
 	|	sainfo_id sainfo_id
 		{
@@ -2037,8 +1895,6 @@
 #endif
 		}
 		EOS
-	|	REKEY SWITCH { cur_rmconf->rekey = $2; } EOS
-	|	REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS
 	|	PH1ID NUMBER
 		{
 			cur_rmconf->ph1id = $2;
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.16 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.16.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -214,15 +214,6 @@
 <S_LST>strict_address	{ YYD; return(STRICT_ADDRESS); }
 <S_LST>{ecl}		{ BEGIN S_INI; return(EOC); }
 
-	/* radius config */
-<S_INI>radiuscfg	{ BEGIN S_LDAP; YYDB; return(RADCFG); }
-<S_LDAP>{bcl}		{ return(BOC); }
-<S_LDAP>auth		{ YYD; return(RAD_AUTH); }
-<S_LDAP>acct		{ YYD; return(RAD_ACCT); }
-<S_LDAP>timeout		{ YYD; return(RAD_TIMEOUT); }
-<S_LDAP>retries		{ YYD; return(RAD_RETRIES); }
-<S_LDAP>{ecl}		{ BEGIN S_INI; return(EOC); }
-
 	/* ldap config */
 <S_INI>ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl}		{ return(BOC); }
@@ -286,7 +277,6 @@
 	/* sainfo */
 <S_INI>sainfo		{ BEGIN S_SAINF; YYDB; return(SAINFO); }
 <S_SAINF>anonymous	{ YYD; return(ANONYMOUS); }
-<S_SAINF>clientaddr	{ YYD; return(CLIENTADDR); }
 <S_SAINF>{blcl}any{elcl}	{ YYD; return(PORTANY); }
 <S_SAINF>any		{ YYD; return(ANY); }
 <S_SAINF>from		{ YYD; return(FROM); }
@@ -371,7 +361,6 @@
 <S_RMTS>phase1_down	{ YYD; return(PHASE1_DOWN); }
 <S_RMTS>mode_cfg	{ YYD; return(MODE_CFG); }
 <S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
-<S_RMTS>rekey		{ YYD; return(REKEY); }
 	/* remote proposal */
 <S_RMTS>proposal	{ BEGIN S_RMTP; YYDB; return(PROPOSAL); }
 <S_RMTP>{bcl}		{ return(BOC); }
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.15 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.15.4.1 2009/02/08 18:42:15 snj Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/doc/README.privsep	Sat Feb 07 02:35:43 2009 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,152 +0,0 @@
-		Using Racoon with Privilege Separation
-		     Tue Mar 25 16:37:09 MDT 2008
-
-
-Racoon can run in a chroot'd environment.  When so instructed, it runs as two
-processes, one of which handles a small number of simple requests and runs as
-root in the full native filesystem, and another which runs as a less
-privileged user in a chroot'd environment and which handles all the other and
-very complex business of racoon.
-
-Because racoon does many complex things there are many opportunities for
-coding errors to lead to compromises and so this separation is important.  If
-someone breaks into your system using racoon and you have enabled privilege
-separation, they will find themselves in a very limited environment and unable
-to do much damage.  They may be able to alter the host's security associations
-or obtain the private keys stored on that system using file descriptors
-available to the unprivileged instance of racoon, and from there they will be
-able to alter security associations on other hosts in disruptive or dangerous
-ways if you have generate_policy enabled on those hosts.  But that's because
-in its current form generate_policy is itself dangerous and requires that you
-trust anyone with the credentials to use it.
-
-They will also be able to execute any scripts you have placed in the scripts
-directory, although racoon will prevent them from mis-using the traditional
-environment variables PATH, LD_LIBRARY_PATH, and IFS.  But if you have
-introduced vulnerabilities into your scripts you may want to re-visit them.
-The thing to watch for is blindly trusting the environment variables passed
-in by racoon - assume they could be set to anything by a malicious entity and
-check them for suitability before using them.
-
-All these possibilities are present when privilege separation is not enabled,
-and they are greatly reduced when it is enabled because the resources
-available to the attacker are less.
-
-*****
-
-The basic concept with racoon's privilege separation is that a minimal
-environment containing all the files racoon needs to operate - with the
-exception of private keys, scripts, and system-wide authentication services -
-is placed in a stripped-down copy of the original environment.  The private
-keys and scripts are left in the original environment where only the
-privileged instance of racoon will have access to them.
-
-Here are basic instructions for setting up racoon to run with privilege
-separation:
-
-
-First, create a user/group for racoon to run under.  For example, user:group
-ike:ike.  The account should not have a usable password or real home
-directory, so copy the general format of another system-services type account
-such as 'daemon'.
-
-You already have files in, e.g. /usr/local/etc/racoon - perhaps racoon.conf, a
-certs directory containing certificates, a scripts directory, and other
-miscellaneous files such as welcome messages.  Perform the following steps:
-
-cd /usr/local/etc/racoon
-mkdir root
-mv certs root
-mkdir certs
-mv root/certs/*.key certs
-
-If you want to be able to switch back and forth between using and not using
-privsep, do this too:
-
-cd /usr/local/etc/racoon/certs
-for i in ../root/certs/*
-do
-	ln -s $i .
-done
-
-Now root/certs contains certificates and certs contains the keys.  The idea is
-that the public certificates are in the chroot'd area
-(/usr/local/etc/racoon/root) and the keys are available only to the privileged
-instance of racoon.
-
-Move any other racoon configuration data into /usr/local/etc/racoon/root,
-with the exception of the scripts directory and racoon.conf.
-
-All the files in /usr/local/etc/racoon/root should be owned by root and the
-ike:ike user you created should not have write access to any directories or
-files (unless you are using something like 'path backupsa', but you get the
-idea).
-
-Create the device nodes:
-
-mkdir root/dev
-
-Do whatever your OS requires to populate the new dev directory with a
-minimal set of devices, e.g. mknod, MAKEDEV, or mount devfs...  In freebsd
-this is done by adding a line to /etc/fstab:
-
-devfs	/usr/local/etc/racoon/root/dev	devfs	rw		0	0
-
-and then adding a line like this to /etc/rc.conf:
-
-devfs_set_rulesets="/usr/local/etc/racoon/root/dev=devfsrules_basic"
-
-and then adding the following lines to /etc/devfs.rules:
-
-[devfsrules_basic=10]
-add include $devfsrules_hide_all
-add include $devfsrules_unhide_basic
-
-and then either rebooting or entering "mount -a && /etc/rc.d/devfs start".
-
-When done with that:
-
-mkdir -p root/usr/local/etc
-ln -s ../../../ root/usr/local/etc/racoon
-
-This dummy hierarchy keeps the config file consistent between both copies of
-racoon. Of course, you could actually put the certs directory and any other
-configuration data down in the hierarchy but I prefer to leave it at the root
-and link to it as shown.  You may end up with something like this:
-
-root# ls -FC /usr/local/etc/racoon/root
-certs/	dev/	usr/
-
-root# ls -l /usr/local/etc/racoon/root/usr/local/etc
-lrwxr-xr-x  1 root  wheel  9 Mar  7 22:13 racoon -> ../../../
-
-root# ls -FC /usr/local/etc/racoon/root/usr/local/etc/racoon/
-certs/	dev/	usr/
-
-Presumably your racoon.conf already contains something like:
-
-path certificate "/usr/local/etc/racoon/certs";
-path script "/usr/local/etc/racoon/scripts";
-
-If so, great. If not, add them. Then, finally, add the privsep section:
-
-privsep {
-	user "ike";
-	group "ike";
-	chroot "/usr/local/etc/racoon/root";
-}
-
-Apply the patches posted to the list and rebuild racoon (the patches will be
-incorporated into the release subsequent to the date of this memo, so if you
-use that or a later release you can skip this step).
-
-Restart racoon and hopefully things will work.  As of the date of this memo,
-re-loading the configuration file with racoonctl will not work with privsep
-enabled.  However, the problem is not insurmountable and if you figure it out
-let us know.
-
-I have not tested privsep with many of racoon's features such as XAUTH or
-scripts, so if you have trouble with them and work anything out please reply
-to the list so that your discoveries may be incorporated into this document.
-
-Last modified: $Date: 2008/03/28 04:18:52 $
--- a/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/eaytest.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: eaytest.c,v 1.9 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: eaytest.c,v 1.9.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: eaytest.c,v 1.22 2005/06/19 18:02:54 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/evt.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,10 +1,9 @@
-/*	$NetBSD: evt.c,v 1.6 2008/03/06 00:34:11 mgrooms Exp $	*/
+/*	$NetBSD: evt.c,v 1.6.8.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: evt.c,v 1.5 2006/06/22 20:11:35 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
- * Copyright (C) 2008 Timo Teras
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -47,54 +46,14 @@
 #include "plog.h"
 #include "misc.h"
 #include "admin.h"
-#include "handler.h"
 #include "gcmalloc.h"
 #include "evt.h"
 
 #ifdef ENABLE_ADMINPORT
-
-static EVT_LISTENER_LIST(evt_listeners);
-static EVT_LISTENER_LIST(evt_fds);
-
-struct evt_message {
-	struct admin_com adm;
-	struct evt_async evt;
-};
-
-struct evt {
-	struct evtdump *dump;
-	TAILQ_ENTRY(evt) next;
-};
-
-TAILQ_HEAD(evtlist, evt);
-
-#define EVTLIST_MAX	32
-
-static struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist);
-static int evtlist_len = 0;
-static int evtlist_inuse = 0;
+struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist);
+int evtlist_len = 0;
 
-static struct {
-	int newtype, oldtype;
-} evttype_map[] = {
-	{ EVT_RACOON_QUIT,		EVTT_RACOON_QUIT },
-	{ EVT_PHASE1_UP,		EVTT_PHASE1_UP },
-	{ EVT_PHASE1_DOWN,		EVTT_PHASE1_DOWN },
-	{ EVT_PHASE1_NO_RESPONSE,	EVTT_PEER_NO_RESPONSE },
-	{ EVT_PHASE1_NO_PROPOSAL,	EVTT_PEERPH1_NOPROP },
-	{ EVT_PHASE1_AUTH_FAILED,	EVTT_PEERPH1AUTH_FAILED },
-	{ EVT_PHASE1_DPD_TIMEOUT,	EVTT_DPD_TIMEOUT },
-	{ EVT_PHASE1_PEER_DELETED,	EVTT_PEER_DELETE },
-	{ EVT_PHASE1_MODE_CFG,		EVTT_ISAKMP_CFG_DONE },
-	{ EVT_PHASE1_XAUTH_SUCCESS,	EVTT_XAUTH_SUCCESS },
-	{ EVT_PHASE1_XAUTH_FAILED,	EVTT_XAUTH_FAILED },
-	{ EVT_PHASE2_NO_PHASE1,		-1 },
-	{ EVT_PHASE2_UP,		EVTT_PHASE2_UP },
-	{ EVT_PHASE2_DOWN,		EVTT_PHASE2_DOWN },
-	{ EVT_PHASE2_NO_RESPONSE,	EVTT_PEER_NO_RESPONSE },
-};
-
-static void
+void
 evt_push(src, dst, type, optdata)
 	struct sockaddr *src;
 	struct sockaddr *dst;
@@ -104,21 +63,9 @@
 	struct evtdump *evtdump;
 	struct evt *evt;
 	size_t len;
-	int i;
 
 	/* If admin socket is disabled, silently discard anything */
-	if (adminsock_path == NULL || !evtlist_inuse)
-		return;
-
-	/* Map the event type to old */
-	for (i = 0; i < sizeof(evttype_map) / sizeof(evttype_map[0]); i++)
-		if (evttype_map[i].newtype == type)
-			break;
-	if (i >= sizeof(evttype_map) / sizeof(evttype_map[0]))
-		return;
-
-	type = evttype_map[i].oldtype;
-	if (type < 0)
+	if (adminsock_path == NULL)
 		return;
 
 	/* If we are above the limit, don't record anything */
@@ -174,7 +121,7 @@
 	return;
 }
 
-static struct evtdump *
+struct evtdump *
 evt_pop(void) {
 	struct evtdump *evtdump;
 	struct evt *evt;
@@ -195,12 +142,6 @@
 	struct evtdump *evtdump;
 	vchar_t *buf = NULL;
 
-	if (!evtlist_inuse) {
-		evtlist_inuse = 1;
-		plog(LLV_ERROR, LOCATION, NULL,
-		     "evt_dump: deprecated event polling used\n");
-	}
-
 	if ((evtdump = evt_pop()) != NULL) {
 		if ((buf = vmalloc(evtdump->len)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
@@ -214,208 +155,4 @@
 	return buf;
 }
 
-static struct evt_message *
-evtmsg_create(type, optdata)
-	int type;
-	vchar_t *optdata;
-{
-	struct evt_message *e;
-	size_t len;
-
-	len = sizeof(struct evt_message);
-	if (optdata != NULL)
-		len += optdata->l;
-
-	if ((e = racoon_malloc(len)) == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate event: %s\n",
-		     strerror(errno));
-		return NULL;
-	}
-
-	memset(e, 0, sizeof(struct evt_message));
-	e->adm.ac_len = len;
-	e->adm.ac_cmd = ADMIN_SHOW_EVT;
-	e->adm.ac_errno = 0;
-	e->adm.ac_proto = 0;
-	e->evt.ec_type = type;
-	time(&e->evt.ec_timestamp);
-	if (optdata != NULL)
-		memcpy(e + 1, optdata->v, optdata->l);
-
-	return e;
-}
-
-static void
-evt_unsubscribe(l)
-	struct evt_listener *l;
-{
-	plog(LLV_DEBUG, LOCATION, NULL,
-	     "[%d] admin connection released\n", l->fd);
-
-	LIST_REMOVE(l, ll_chain);
-	LIST_REMOVE(l, fd_chain);
-	close(l->fd);
-	racoon_free(l);
-}
-
-static void
-evtmsg_broadcast(ll, e)
-	const struct evt_listener_list *ll;
-	struct evt_message *e;
-{
-	struct evt_listener *l, *nl;
-
-	for (l = LIST_FIRST(ll); l != NULL; l = nl) {
-		nl = LIST_NEXT(l, ll_chain);
-
-		if (send(l->fd, e, e->adm.ac_len,
-			 MSG_NOSIGNAL | MSG_DONTWAIT) < 0) {
-			plog(LLV_DEBUG, LOCATION, NULL, "Cannot send event to fd: %s\n",
-				strerror(errno));
-			evt_unsubscribe(l);
-		}
-	}
-}
-
-void
-evt_generic(type, optdata)
-	int type;
-	vchar_t *optdata;
-{
-	struct evt_message *e;
-
-	if ((e = evtmsg_create(type, optdata)) == NULL)
-		return;
-
-	evtmsg_broadcast(&evt_listeners, e);
-	evt_push(&e->evt.ec_ph1src, &e->evt.ec_ph1dst, type, optdata);
-
-	racoon_free(e);
-}
-
-void
-evt_phase1(ph1, type, optdata)
-	const struct ph1handle *ph1;
-	int type;
-	vchar_t *optdata;
-{
-	struct evt_message *e;
-
-	if ((e = evtmsg_create(type, optdata)) == NULL)
-		return;
-
-	if (ph1->local)
-		memcpy(&e->evt.ec_ph1src, ph1->local, sysdep_sa_len(ph1->local));
-	if (ph1->remote)
-		memcpy(&e->evt.ec_ph1dst, ph1->remote, sysdep_sa_len(ph1->remote));
-
-	evtmsg_broadcast(&ph1->evt_listeners, e);
-	evtmsg_broadcast(&evt_listeners, e);
-	evt_push(&e->evt.ec_ph1src, &e->evt.ec_ph1dst, type, optdata);
-
-	racoon_free(e);
-}
-
-void
-evt_phase2(ph2, type, optdata)
-	const struct ph2handle *ph2;
-	int type;
-	vchar_t *optdata;
-{
-	struct evt_message *e;
-	struct ph1handle *ph1 = ph2->ph1;
-
-	if ((e = evtmsg_create(type, optdata)) == NULL)
-		return;
-
-	if (ph1) {
-		if (ph1->local)
-			memcpy(&e->evt.ec_ph1src, ph1->local, sysdep_sa_len(ph1->local));
-		if (ph1->remote)
-			memcpy(&e->evt.ec_ph1dst, ph1->remote, sysdep_sa_len(ph1->remote));
-	}
-	e->evt.ec_ph2msgid = ph2->msgid;
-
-	evtmsg_broadcast(&ph2->evt_listeners, e);
-	if (ph1)
-		evtmsg_broadcast(&ph1->evt_listeners, e);
-	evtmsg_broadcast(&evt_listeners, e);
-	evt_push(&e->evt.ec_ph1src, &e->evt.ec_ph1dst, type, optdata);
-
-	racoon_free(e);
-}
-
-int
-evt_subscribe(list, fd)
-	struct evt_listener_list *list;
-	int fd;
-{
-	struct evt_listener *l;
-
-	if ((l = racoon_malloc(sizeof(*l))) == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		     "Cannot allocate event listener: %s\n",
-		     strerror(errno));
-		return errno;
-	}
-
-	if (list == NULL)
-		list = &evt_listeners;
-
-	LIST_INSERT_HEAD(list, l, ll_chain);
-	LIST_INSERT_HEAD(&evt_fds, l, fd_chain);
-	l->fd = fd;
-
-	plog(LLV_DEBUG, LOCATION, NULL,
-	     "[%d] admin connection is polling events\n", fd);
-
-	return -2;
-}
-
-void
-evt_list_init(list)
-	struct evt_listener_list *list;
-{
-	LIST_INIT(list);
-}
-
-void
-evt_list_cleanup(list)
-	struct evt_listener_list *list;
-{
-	while (!LIST_EMPTY(list))
-		evt_unsubscribe(LIST_FIRST(list));
-}
-
-int
-evt_get_fdmask(nfds, fdset)
-	int nfds;
-	fd_set *fdset;
-{
-	struct evt_listener *l;
-
-	LIST_FOREACH(l, &evt_fds, fd_chain) {
-		FD_SET(l->fd, fdset);
-		if (l->fd + 1 > nfds)
-			nfds = l->fd + 1;
-	}
-
-	return nfds;
-}
-
-void
-evt_handle_fdmask(fdset)
-	fd_set *fdset;
-{
-	struct evt_listener *l, *nl;
-
-	for (l = LIST_FIRST(&evt_fds); l != NULL; l = nl) {
-		nl = LIST_NEXT(l, ll_chain);
-
-		if (FD_ISSET(l->fd, fdset))
-			evt_unsubscribe(l);
-	}
-}
-
-
 #endif /* ENABLE_ADMINPORT */
--- a/crypto/dist/ipsec-tools/src/racoon/evt.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/evt.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,10 +1,9 @@
-/*	$NetBSD: evt.h,v 1.6 2008/08/29 00:31:00 gmcgarry Exp $	*/
+/*	$NetBSD: evt.h,v 1.6.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: evt.h,v 1.5 2006/01/19 10:24:09 fredsen Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
- * Copyright (C) 2008 Timo Teras
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -35,10 +34,6 @@
 #ifndef _EVT_H
 #define _EVT_H
 
-/*
- * Old style (deprecated) events which are polled.
- */
-
 struct evtdump {
 	size_t len;	
 	struct sockaddr_storage src;
@@ -69,81 +64,25 @@
 #define EVTT_PEERPH1_NOPROP	14	/* NO_PROPOSAL_CHOSEN & friends */
 #define EVTT_NO_ISAKMP_CFG	15	/* no need to wait for mode_cfg */
 
-/*
- * New style, asynchronous events.
- */
-
-struct evt_async {
-	uint32_t ec_type;
-	time_t ec_timestamp;
-
-	struct sockaddr_storage ec_ph1src;
-	struct sockaddr_storage ec_ph1dst;
-	u_int32_t ec_ph2msgid;
-
-	/*
-	 * Optionnal list of struct isakmp_data
-	 * for type EVTT_ISAKMP_CFG_DONE
-	 */
+struct evt {
+	struct evtdump *dump;
+	TAILQ_ENTRY(evt) next;
 };
 
-/* type */
-#define EVT_RACOON_QUIT			0x0001
+TAILQ_HEAD(evtlist, evt);
 
-#define EVT_PHASE1_UP			0x0100
-#define EVT_PHASE1_DOWN			0x0101
-#define EVT_PHASE1_NO_RESPONSE		0x0102
-#define EVT_PHASE1_NO_PROPOSAL		0x0103
-#define EVT_PHASE1_AUTH_FAILED		0x0104
-#define EVT_PHASE1_DPD_TIMEOUT		0x0105
-#define EVT_PHASE1_PEER_DELETED		0x0106
-#define EVT_PHASE1_MODE_CFG		0x0107
-#define EVT_PHASE1_XAUTH_SUCCESS	0x0108
-#define EVT_PHASE1_XAUTH_FAILED		0x0109
-
-#define EVT_PHASE2_NO_PHASE1		0x0200
-#define EVT_PHASE2_UP			0x0201
-#define EVT_PHASE2_DOWN			0x0202
-#define EVT_PHASE2_NO_RESPONSE		0x0203
+#define EVTLIST_MAX	32
 
 #ifdef ENABLE_ADMINPORT
-
-struct ph1handle;
-struct ph2handle;
-
-struct evt_listener {
-	LIST_ENTRY(evt_listener) ll_chain;
-	LIST_ENTRY(evt_listener) fd_chain;
-	int fd;
-};
-LIST_HEAD(evt_listener_list, evt_listener);
-#define EVT_LISTENER_LIST(x) struct evt_listener_list x
-
-void evt_generic __P((int type, vchar_t *optdata));
-void evt_phase1 __P((const struct ph1handle *ph1, int type, vchar_t *optdata));
-void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
-vchar_t *evt_dump __P((void));
+struct evtdump *evt_pop(void);
+vchar_t *evt_dump(void);
+void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *);
+#endif
 
-int  evt_subscribe __P((struct evt_listener_list *list, int fd));
-void evt_list_init __P((struct evt_listener_list *list));
-void evt_list_cleanup __P((struct evt_listener_list *list));
-int  evt_get_fdmask __P((int nfds, fd_set *fdset));
-void evt_handle_fdmask __P((fd_set *fdset));
-
+#ifdef ENABLE_ADMINPORT
+#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata);
 #else
-
-#define EVT_LISTENER_LIST(x)
-
-#define evt_generic(type, optdata) ;
-#define evt_phase1(ph1, type, optdata) ;
-#define evt_phase2(ph2, type, optdata) ;
-
-#define evt_subscribe(eventlist, fd) ;
-#define evt_list_init(eventlist) ;
-#define evt_list_cleanup(eventlist) ;
-#define evt_get_fdmask(nfds, fdset) nfds
-#define evt_handle_fdmask(fdset) ;
-
-#endif /* ENABLE_ADMINPORT */
+#define EVT_PUSH(src, dst, type, optdata) ;
+#endif
 
 #endif /* _EVT_H */
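Review bot: Both `EVT_PUSH` definitions carry a trailing `;` inside the macro body, so a call written as `EVT_PUSH(...);` (the form used in delph1 in handler.c) expands to a double semicolon, and an `if (c) EVT_PUSH(...); else ...` form would not compile. Drop the semicolon from the macro: `#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata)` and, for the non-ADMINPORT stub, `#define EVT_PUSH(src, dst, type, optdata) do { } while (0)`. The two back-to-back `#ifdef ENABLE_ADMINPORT` sections (prototypes, then the macro) could also be folded into one block.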
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.10 2008/10/27 06:24:27 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.10.2.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: grabmyaddr.c,v 1.27 2006/04/06 16:27:05 manubsd Exp */
 
@@ -403,10 +403,10 @@
 #endif
 #endif
 		if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
-				addr1, sizeof(addr1), NULL, 0,
+				addr1, sizeof(addr1),
+				NULL, 0,
 				NI_NUMERICHOST | niflags))
-			strlcpy(addr1, "(invalid)", sizeof(addr1));
-
+		strlcpy(addr1, "(invalid)", sizeof(addr1));
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"my interface: %s (%s)\n",
 			addr1, ifap->ifa_name);
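Review bot: The `strlcpy(addr1, "(invalid)", sizeof(addr1));` line is still the body of the preceding `if (getnameinfo(...))`, but it is now indented at the same level as the `if`, so it reads as an unconditional overwrite of the address string. Brace the body so layout matches control flow: `if (getnameinfo(...)) {` / `\tstrlcpy(addr1, "(invalid)", sizeof(addr1));` / `}`. The same de-indentation appears in the following hunk (the `ifr->ifr_name` loop). The enclosing functions start outside these hunks.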
@@ -519,10 +519,10 @@
 #endif
 #endif
 			if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
-					addr1, sizeof(addr1), NULL, 0,
+					addr1, sizeof(addr1),
+					NULL, 0,
 					NI_NUMERICHOST | niflags))
-				strlcpy(addr1, "(invalid)", sizeof(addr1));
-
+			strlcpy(addr1, "(invalid)", sizeof(addr1));
 			plog(LLV_DEBUG, LOCATION, NULL,
 				"my interface: %s (%s)\n",
 				addr1, ifr->ifr_name);
@@ -667,9 +667,6 @@
 	case RTM_DELADDR:
 	case RTM_DELETE:
 	case RTM_IFINFO:
-#ifdef RTM_IFANNOUNCE
-	case RTM_IFANNOUNCE:
-#endif
 		break;
 	case RTM_MISS:
 		/* ignore this message silently */
@@ -834,7 +831,6 @@
 			strerror(errno));
 		return -1;
 	}
-	close_on_exec(lcconf->rtsock);
 
 #ifdef __linux__
    {
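Review bot: With `close_on_exec(lcconf->rtsock)` gone, the routing socket descriptor is inherited across fork/exec by any child the daemon spawns (script hooks, for instance), which widens what a child process can reach. If this branch no longer provides close_on_exec(), set the flag directly right after the socket is created: `if (fcntl(lcconf->rtsock, F_SETFD, FD_CLOEXEC) == -1) { plog(LLV_ERROR, LOCATION, NULL, "fcntl(F_SETFD): %s\n", strerror(errno)); }`. The enclosing function starts outside the hunk, so I cannot see whether a later call covers this.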
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.21 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.21.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -85,10 +85,10 @@
 static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
 static LIST_HEAD(_ctdtree_, contacted) ctdtree;
 static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
-static struct sched sc_sweep = SCHED_INITIALIZER();
 
 static void del_recvdpkt __P((struct recvdpkt *));
 static void rem_recvdpkt __P((struct recvdpkt *));
+static void sweep_recvdpkt __P((void *));
 
 /*
  * functions about management of the isakmp status table
@@ -107,7 +107,7 @@
 	struct ph1handle *p;
 
 	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p->status >= PHASE1ST_EXPIRED)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 		if (memcmp(&p->index, index, sizeof(*index)) == 0)
 			return p;
@@ -127,7 +127,7 @@
 	struct ph1handle *p;
 
 	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p->status >= PHASE1ST_EXPIRED)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 		if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
 			return p;
@@ -153,12 +153,12 @@
 	plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str(remote));
 
 	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p->status >= PHASE1ST_DYING)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 		plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local));
 		plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote));
 
-		if (established && p->status != PHASE1ST_ESTABLISHED) {
+		if(established && p->status != PHASE1ST_ESTABLISHED){
 			plog(LLV_DEBUG2, LOCATION, NULL, "status %d, skipping\n", p->status);
 			continue;
 		}
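Review bot: The rewritten condition `if(established && p->status != PHASE1ST_ESTABLISHED){` drops the spaces the rest of this file uses around `if` and before `{`; write it `if (established && p->status != PHASE1ST_ESTABLISHED) {`. The same regression appears later in the file at `newrmconf=getrmconf(p->remote);`, `if(!revalidate_ph1(p))`, `if (iph1->status == PHASE1ST_ESTABLISHED){`, and the trailing whitespace after `PHASE1ST_ESTABLISHED)` in the flushph1 loop. The enclosing function starts outside the hunk.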
@@ -181,7 +181,7 @@
 	struct ph1handle *p;
 
 	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p->status >= PHASE1ST_DYING)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 		if (cmpsaddrwop(local, p->local) == 0
 		 && cmpsaddrwop(remote, p->remote) == 0)
@@ -203,7 +203,7 @@
 	struct ph1handle *p;
 
 	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p->status >= PHASE1ST_DYING)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 		if (cmpsaddrwop(remote, p->remote) == 0)
 			return p;
@@ -213,48 +213,6 @@
 }
 
 /*
- * move phase2s from old_iph1 to new_iph1
- */
-void
-migrate_ph12(old_iph1, new_iph1)
-	struct ph1handle *old_iph1, *new_iph1;
-{
-	struct ph2handle *p, *next;
-
-	/* Relocate phase2s to better phase1s or request a new phase1. */
-	for (p = LIST_FIRST(&old_iph1->ph2tree); p; p = next) {
-		next = LIST_NEXT(p, ph1bind);
-
-		if (p->status != PHASE2ST_ESTABLISHED)
-			continue;
-
-		unbindph12(p);
-		bindph12(new_iph1, p);
-	}
-}
-
-/*
- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
- */
-void migrate_dying_ph12(iph1)
-	struct ph1handle *iph1;
-{
-	struct ph1handle *p;
-
-	LIST_FOREACH(p, &ph1tree, chain) {
-		if (p == iph1)
-			continue;
-		if (p->status < PHASE1ST_DYING)
-			continue;
-
-		if (CMPSADDR(iph1->local, p->local) == 0
-		 && CMPSADDR(iph1->remote, p->remote) == 0)
-			migrate_ph12(p, iph1);
-	}
-}
-
-
-/*
  * dump isakmp-sa
  */
 vchar_t *
@@ -313,8 +271,8 @@
 	iph1->dpd_lastack = 0;
 	iph1->dpd_seq = 0;
 	iph1->dpd_fails = 0;
+	iph1->dpd_r_u = NULL;
 #endif
-	evt_list_init(&iph1->evt_listeners);
 
 	return iph1;
 }
@@ -331,7 +289,8 @@
 
 	/* SA down shell script hook */
 	script_hook(iph1, SCRIPT_PHASE1_DOWN);
-	evt_list_cleanup(&iph1->evt_listeners);
+
+	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
 
 #ifdef ENABLE_NATT
 	if (iph1->natt_flags & NAT_KA_QUEUED)
@@ -349,10 +308,8 @@
 #endif
 
 #ifdef ENABLE_DPD
-	sched_cancel(&iph1->dpd_r_u);
+	SCHED_KILL(iph1->dpd_r_u);
 #endif
-	sched_cancel(&iph1->sce);
-	sched_cancel(&iph1->scr);
 
 	if (iph1->remote) {
 		racoon_free(iph1->remote);
@@ -368,7 +325,13 @@
 	}
 
 	VPTRINIT(iph1->authstr);
+
+	sched_scrub_param(iph1);
+	iph1->sce = NULL;
+	iph1->scr = NULL;
+
 	VPTRINIT(iph1->sendbuf);
+
 	VPTRINIT(iph1->dhpriv);
 	VPTRINIT(iph1->dhpub);
 	VPTRINIT(iph1->dhpub_p);
@@ -452,7 +415,7 @@
 		next = LIST_NEXT(p, chain);
 
 		/* send delete information */
-		if (p->status >= PHASE1ST_ESTABLISHED)
+		if (p->status == PHASE1ST_ESTABLISHED) 
 			isakmp_info_send_d1(p);
 
 		remph1(p);
@@ -532,8 +495,8 @@
 
 	LIST_FOREACH(p, &ph2tree, chain) {
 		if (spid == p->spid &&
-		    cmpsaddrwild(src, p->src) == 0 &&
-		    cmpsaddrwild(dst, p->dst) == 0){
+		    CMPSADDR(src, p->src) == 0 &&
+		    CMPSADDR(dst, p->dst) == 0){
 			/* Sanity check to detect zombie handlers
 			 * XXX Sould be done "somewhere" more interesting,
 			 * because we have lots of getph2byxxxx(), but this one
@@ -541,7 +504,7 @@
 			 */
 			if(p->status < PHASE2ST_ESTABLISHED &&
 			   p->retry_counter == 0
-			   && p->sce.func == NULL && p->scr.func == NULL) {
+			   && p->sce == NULL && p->scr == NULL){
 				plog(LLV_DEBUG, LOCATION, NULL,
 					 "Zombie ph2 found, expiring it\n");
 				isakmp_ph2expire(p);
@@ -619,7 +582,6 @@
 		return NULL;
 
 	iph2->status = PHASE1ST_SPAWN;
-	evt_list_init(&iph2->evt_listeners);
 
 	return iph2;
 }
@@ -633,11 +595,9 @@
 initph2(iph2)
 	struct ph2handle *iph2;
 {
-	evt_list_cleanup(&iph2->evt_listeners);
-	unbindph12(iph2);
-
-	sched_cancel(&iph2->sce);
-	sched_cancel(&iph2->scr);
+	sched_scrub_param(iph2);
+	iph2->sce = NULL;
+	iph2->scr = NULL;
 
 	VPTRINIT(iph2->sendbuf);
 	VPTRINIT(iph2->msg1);
@@ -702,23 +662,13 @@
 		iph2->dst = NULL;
 	}
 	if (iph2->src_id) {
-		racoon_free(iph2->src_id);
-		iph2->src_id = NULL;
+	      racoon_free(iph2->src_id);
+	      iph2->src_id = NULL;
 	}
 	if (iph2->dst_id) {
-		racoon_free(iph2->dst_id);
-		iph2->dst_id = NULL;
+	      racoon_free(iph2->dst_id);
+	      iph2->dst_id = NULL;
 	}
-#ifdef ENABLE_NATT
-	if (iph2->natoa_src) {
-		racoon_free(iph2->natoa_src);
-		iph2->natoa_src = NULL;
-	}
-	if (iph2->natoa_dst) {
-		racoon_free(iph2->natoa_dst);
-		iph2->natoa_dst = NULL;
-	}
-#endif
 
 	if (iph2->proposal) {
 		flushsaprop(iph2->proposal);
@@ -744,7 +694,6 @@
 remph2(iph2)
 	struct ph2handle *iph2;
 {
-	unbindph12(iph2);
 	LIST_REMOVE(iph2, chain);
 }
 
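Review bot: `remph2` no longer detaches the handle from its phase-1's `ph2tree`, so every caller is now responsible for calling `unbindph12()` first; the hunks that add that call (flushph2, deleteallph2, remove_ph2 here and isakmp.c's quick_main failure path) cover the callers in this diff, but any `remph2`/`delph2` caller elsewhere that relied on the implicit unbind would free a handle still linked into a ph1's list. Please state the precondition on the function: `/* Caller must unbindph12() first: the ph1bind link is not touched here. */`. The same invariant applies to `bindph12`, which no longer unbinds before `LIST_INSERT_HEAD`; a handle that is already bound would be inserted while still linked elsewhere, so a comment such as `/* Precondition: iph2 is not bound to any ph1. */` (or an assertion on `iph2->ph1 == NULL`) belongs there too.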
@@ -776,6 +725,7 @@
 		}
 
 		delete_spd(p, 0);
+		unbindph12(p);
 		remph2(p);
 		delph2(p);
 	}
@@ -813,6 +763,7 @@
 		}
 		continue;
  zap_it:
+		unbindph12(iph2);
 		remph2(iph2);
 		delph2(iph2);
 	}
@@ -824,10 +775,7 @@
 	struct ph1handle *iph1;
 	struct ph2handle *iph2;
 {
-	unbindph12(iph2);
-
 	iph2->ph1 = iph1;
-	iph1->ph2cnt++;
 	LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind);
 }
 
@@ -836,9 +784,8 @@
 	struct ph2handle *iph2;
 {
 	if (iph2->ph1 != NULL) {
+		iph2->ph1 = NULL;
 		LIST_REMOVE(iph2, ph1bind);
-		iph2->ph1->ph2cnt--;
-		iph2->ph1 = NULL;
 	}
 }
 
@@ -1060,9 +1007,9 @@
 	LIST_REMOVE(r, chain);
 }
 
-static void
+void
 sweep_recvdpkt(dummy)
-	struct sched *dummy;
+	void *dummy;
 {
 	struct recvdpkt *r, *next;
 	time_t t, lt;
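Review bot: The definition drops `static` while the prototype added near the top of this file in this same patch is `static void sweep_recvdpkt __P((void *));`. C keeps internal linkage from the earlier declaration, so this compiles, but the mismatch reads as if the function were meant to be exported; keep `static void` on the definition so declaration and definition agree. The function body continues outside the hunk.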
@@ -1082,7 +1029,7 @@
 		}
 	}
 
-	sched_schedule(&sc_sweep, lt, sweep_recvdpkt);
+	sched_new(lt, sweep_recvdpkt, NULL);
 }
 
 void
@@ -1092,7 +1039,7 @@
 
 	LIST_INIT(&rcptree);
 
-	sched_schedule(&sc_sweep, lt, sweep_recvdpkt);
+	sched_new(lt, sweep_recvdpkt, NULL);
 }
 
 #ifdef ENABLE_HYBRID
@@ -1139,7 +1086,7 @@
 	if (iph2->sainfo != NULL) {
 		iph2->sainfo = getsainfo(iph2->sainfo->idsrc, 
 					  iph2->sainfo->iddst, iph2->sainfo->id_i,
-					  NULL, iph2->sainfo->remoteid);
+					  iph2->sainfo->remoteid);
 	}
 	approval = iph2->approval;
 	sainfo = iph2->sainfo;
@@ -1342,6 +1289,7 @@
 		purge_ipsec_spi(iph2->dst, iph2->approval->head->proto_id,
 						spis, 2);
 	}else{
+		unbindph12(iph2);
 		remph2(iph2);
 		delph2(iph2);
 	}
@@ -1356,8 +1304,7 @@
 	plog(LLV_DEBUG, LOCATION, NULL,
 		 "Removing PH1...\n");
 
-	if (iph1->status == PHASE1ST_ESTABLISHED ||
-	    iph1->status == PHASE1ST_DYING) {
+	if (iph1->status == PHASE1ST_ESTABLISHED){
 		for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
 			iph2_next = LIST_NEXT(iph2, chain);
 			remove_ph2(iph2);
@@ -1365,7 +1312,7 @@
 		isakmp_info_send_d1(iph1);
 	}
 	iph1->status = PHASE1ST_EXPIRED;
-	sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 }
 
 
@@ -1376,10 +1323,10 @@
 	for (p = LIST_FIRST(&ph1tree); p; p = next) {
 		next = LIST_NEXT(p, chain);
 
-		if (p->status >= PHASE1ST_EXPIRED)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 
-		newrmconf = getrmconf(p->remote);
+		newrmconf=getrmconf(p->remote);
 		if(newrmconf == NULL){
 			p->rmconf = NULL;
 			remove_ph1(p);
@@ -1543,10 +1490,10 @@
 	for (p = LIST_FIRST(&ph1tree); p; p = next) {
 		next = LIST_NEXT(p, chain);
 
-		if (p->status >= PHASE1ST_EXPIRED)
+		if (p->status == PHASE1ST_EXPIRED)
 			continue;
 
-		if (!revalidate_ph1(p))
+		if(!revalidate_ph1(p))
 			remove_ph1(p);
 	}
 
@@ -1612,10 +1559,7 @@
 		if (p->mode_cfg == NULL)
 			continue;
 		if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) {
-			if (p->status >= PHASE1ST_EXPIRED)
-				continue;
-
-			if (p->status >= PHASE1ST_ESTABLISHED)
+			if (p->status == PHASE1ST_ESTABLISHED)
 				isakmp_info_send_d1(p);
 			purge_remote(p);
 			found++;
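Review bot: Removing the `continue` for expired handles means a phase-1 handle already in `PHASE1ST_EXPIRED` (which, per the remove_ph1 change in this patch, already has a delete scheduled) is passed to `purge_remote()` again when its login matches. If purge_remote is not idempotent on expired handles (not visible here), that is a double teardown; keeping a skip in the form the rest of this file now uses, `if (p->status == PHASE1ST_EXPIRED) continue;`, before the `PHASE1ST_ESTABLISHED` test would avoid it. The enclosing function starts outside the hunk.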
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.16 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.16.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -41,8 +41,6 @@
 
 #include "isakmp_var.h"
 #include "oakley.h"
-#include "schedule.h"
-#include "evt.h"
 
 /* Phase 1 handler */
 /*
@@ -95,9 +93,8 @@
 #define PHASE1ST_MSG3SENT		7
 #define PHASE1ST_MSG4RECEIVED		8
 #define PHASE1ST_ESTABLISHED		9
-#define PHASE1ST_DYING			10
-#define PHASE1ST_EXPIRED		11
-#define PHASE1ST_MAX			12
+#define PHASE1ST_EXPIRED		10
+#define PHASE1ST_MAX			11
 
 /* About address semantics in each case.
  *			initiator(addr=I)	responder(addr=R)
@@ -143,9 +140,9 @@
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
 
-	struct sched sce;		/* schedule for expire */
+	struct sched *sce;		/* schedule for expire */
 
-	struct sched scr;		/* schedule for resend */
+	struct sched *scr;		/* schedule for resend */
 	int retry_counter;		/* for resend. */
 	vchar_t *sendbuf;		/* buffer for re-sending */
 
@@ -193,7 +190,6 @@
 	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */
 
 	time_t created;			/* timestamp for establish */
-	int initial_contact_received;	/* set if initial contact received */
 #ifdef ENABLE_STATS
 	struct timeval start;
 	struct timeval end;
@@ -204,7 +200,7 @@
 	time_t		dpd_lastack;	/* Last ack received */
 	u_int16_t	dpd_seq;		/* DPD seq number to receive */
 	u_int8_t	dpd_fails;		/* number of failures */
-	struct sched	dpd_r_u;
+	struct sched	*dpd_r_u;
 #endif
 
 	u_int32_t msgid2;		/* msgid counter for Phase 2 */
@@ -215,7 +211,7 @@
 #ifdef ENABLE_HYBRID
 	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
 #endif       
-	EVT_LISTENER_LIST(evt_listeners);
+
 };
 
 /* Phase 2 handler */
@@ -257,18 +253,14 @@
 		 */
 	struct sockaddr *src_id;
 	struct sockaddr *dst_id;
-#ifdef ENABLE_NATT
-	struct sockaddr *natoa_src;	/* peer's view of my address */
-	struct sockaddr *natoa_dst;	/* peer's view of his address */
-#endif
 
 	u_int32_t spid;			/* policy id by kernel */
 
 	int status;			/* ipsec sa status */
 	u_int8_t side;			/* INITIATOR or RESPONDER */
 
-	struct sched sce;		/* schedule for expire */
-	struct sched scr;		/* schedule for resend */
+	struct sched *sce;		/* schedule for expire */
+	struct sched *scr;		/* schedule for resend */
 	int retry_counter;		/* for resend. */
 	vchar_t *sendbuf;		/* buffer for re-sending */
 	vchar_t *msg1;			/* buffer for re-sending */
@@ -296,8 +288,6 @@
 	struct sainfo *sainfo;		/* place holder of sainfo */
 	struct saprop *proposal;	/* SA(s) proposal. */
 	struct saprop *approval;	/* SA(s) approved. */
-	u_int32_t lifetime_secs;	/* responder lifetime (seconds) */
-	u_int32_t lifetime_kb;		/* responder lifetime (kbytes) */
 	caddr_t spidx_gen;		/* policy from peer's proposal */
 
 	struct dhgroup *pfsgrp;		/* DH; prime number */
@@ -330,7 +320,6 @@
 
 	LIST_ENTRY(ph2handle) chain;
 	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle */
-	EVT_LISTENER_LIST(evt_listeners);
 };
 
 /*
@@ -353,6 +342,8 @@
 	time_t time_send;		/* timestamp to send a packet */
 	time_t created;			/* timestamp to create a queue */
 
+	struct sched *scr;		/* schedule for resend, may not used */
+
 	LIST_ENTRY(recvdpkt) chain;
 };
 
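Review bot: The new `recvdpkt` member's comment, `/* schedule for resend, may not used */`, is ungrammatical and does not say who owns the pointer; `/* schedule for resend; may be unused (NULL) */` is clearer. Nothing in this diff initialises or reads the field, so if it is genuinely unused on this branch it may be better left out than documented as "may not used".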
@@ -435,16 +426,14 @@
 extern struct ph1handle *getph1byindex __P((isakmp_index *));
 extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
 extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
-					   struct sockaddr *, int));
+										   struct sockaddr *, int));
 extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
-					      struct sockaddr *));
+	struct sockaddr *));
 extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
 #ifdef ENABLE_HYBRID
 struct ph1handle *getph1bylogin __P((char *));
 int purgeph1bylogin __P((char *));
 #endif
-extern void migrate_ph12 __P((struct ph1handle *old_iph1, struct ph1handle *new_iph1));
-extern void migrate_dying_ph12 __P((struct ph1handle *iph1));
 extern vchar_t *dumpph1 __P((void));
 extern struct ph1handle *newph1 __P((void));
 extern void delph1 __P((struct ph1handle *));
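Review bot: The two reindented prototype continuation lines are inconsistent with each other: `getph1byaddr`'s second line is pushed out with many tabs while `getph1byaddrwop`'s is indented by a single tab. Align both under the opening parenthesis in the style of the surrounding declarations, e.g. `extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,` / `\t\t\t\t\t      struct sockaddr *));`.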
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.37 2008/10/29 18:49:45 spz Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.37.2.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -316,7 +316,7 @@
 	}
 
 	newsa = get_sabyproppair(p, iph1);
-	if (newsa == NULL && iph1->approval != NULL){
+	if (newsa == NULL){
 		delisakmpsa(iph1->approval);
 		iph1->approval = NULL;
 	}
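Review bot: The new condition calls `delisakmpsa(iph1->approval)` whenever `newsa == NULL`, without checking that an approval exists. If delisakmpsa() does not tolerate a NULL argument (its body is not in this diff), this dereferences NULL on the first failed proposal match; guarding the call, `if (newsa == NULL && iph1->approval != NULL) {`, or documenting that delisakmpsa accepts NULL would settle it. The enclosing function starts outside the hunk.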
@@ -1824,96 +1824,6 @@
 	return ld;
 }
 
-/*
- * parse responder-lifetime attributes from payload
- */
-int
-ipsecdoi_parse_responder_lifetime(notify, lifetime_sec, lifetime_kb)
-	struct isakmp_pl_n *notify;
-	u_int32_t *lifetime_sec;
-	u_int32_t *lifetime_kb;
-{
-	struct isakmp_data *d;
-	int flag, type, tlen, ld_type = -1;
-	u_int16_t lorv;
-	u_int32_t value;
-
-	tlen = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
-        d = (struct isakmp_data *)((char *)(notify + 1) +
-		notify->spi_size);
-
-	while (tlen >= sizeof(struct isakmp_data)) {
-		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
-		flag = ntohs(d->type) & ISAKMP_GEN_MASK;
-		lorv = ntohs(d->lorv);
-
-		plog(LLV_DEBUG, LOCATION, NULL,
-			"type=%s, flag=0x%04x, lorv=%s\n",
-			s_ipsecdoi_attr(type), flag,
-			s_ipsecdoi_attr_v(type, lorv));
-
-		switch (type) {
-		case IPSECDOI_ATTR_SA_LD_TYPE:
-			if (! flag) {
-				plog(LLV_ERROR, LOCATION, NULL,
-					"must be TV when LD_TYPE.\n");
-				return -1;
-			}
-			ld_type = lorv;
-			break;
-		case IPSECDOI_ATTR_SA_LD:
-			if (flag)
-				value = lorv;
-			else if (lorv == 2)
-				value = ntohs(*(u_int16_t *)(d + 1));
-			else if (lorv == 4)
-				value = ntohl(*(u_int32_t *)(d + 1));
-			else {
-				plog(LLV_ERROR, LOCATION, NULL,
-					"payload length %d for lifetime "
-					"data length is unsupported.\n", lorv);
-				return -1;
-			}
-
-			switch (ld_type) {
-			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
-				if (lifetime_sec != NULL)
-					*lifetime_sec = value;
-				plog(LLV_INFO, LOCATION, NULL,
-					"received RESPONDER-LIFETIME: %d "
-					"seconds\n", value);
-				break;
-			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
-				if (lifetime_kb != NULL)
-					*lifetime_kb = value;
-				plog(LLV_INFO, LOCATION, NULL,
-					"received RESPONDER-LIFETIME: %d "
-					"kbytes\n", value);
-				break;
-			default:
-				plog(LLV_ERROR, LOCATION, NULL,
-					"lifetime data received without "
-					"lifetime data type.\n");
-				return -1;
-			}
-			break;
-		}
-
-		if (flag) {
-			tlen -= sizeof(*d);
-			d = (struct isakmp_data *)((char *)d
-				+ sizeof(*d));
-		} else {
-			tlen -= (sizeof(*d) + lorv);
-			d = (struct isakmp_data *)((char *)d
-				+ sizeof(*d) + lorv);
-		}
-	}
-
-	return 0;
-}
-
-
 /*%%%*/
 /*
  * check DOI
@@ -3327,9 +3237,7 @@
 
 	for (; pp; pp = pp->next) {
 		for (pr = pp->head; pr; pr = pr->next) {
-			if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS &&
-			    pr->encmode != IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC &&
-			    pr->encmode != IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT)
+			if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS)
 				return 0;
 		}
 	}
@@ -4142,12 +4050,8 @@
 		return -1;
 	}
 
-	if (!ipsecdoi_transportmode(iph2->proposal))
-		iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
-				sp->spidx.prefs, sp->spidx.ul_proto);
-	else
-		iph2->id = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
-				sp->spidx.ul_proto);
+	iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
+					sp->spidx.prefs, sp->spidx.ul_proto);
 	if (iph2->id == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get ID for %s\n",
@@ -4158,12 +4062,8 @@
 		s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
 
 	/* remote side */
-	if (!ipsecdoi_transportmode(iph2->proposal))
-		iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
+	iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
 				sp->spidx.prefd, sp->spidx.ul_proto);
-	else
-		iph2->id_p = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
-			sp->spidx.ul_proto);
 	if (iph2->id_p == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get ID for %s\n",
@@ -4200,7 +4100,7 @@
 	switch (saddr->sa_family) {
 	case AF_INET:
 		len1 = sizeof(struct in_addr);
-		if (prefixlen >= (sizeof(struct in_addr) << 3)) {
+		if (prefixlen == (sizeof(struct in_addr) << 3)) {
 			type = IPSECDOI_ID_IPV4_ADDR;
 			len2 = 0;
 		} else {
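Review bot: With the test changed to `prefixlen == (sizeof(struct in_addr) << 3)`, a prefix length above the address width no longer selects the host-address form but falls into the subnet branch, whose mask construction is outside the hunk. Since `prefixlen` comes from the SPD entry (`sp->spidx.prefs` at the call site earlier in this file), a range check before the switch, `if (prefixlen > (len1 << 3)) { plog(LLV_ERROR, LOCATION, NULL, "invalid prefix length %d\n", prefixlen); return NULL; }` or equivalent, would reject an out-of-range value instead of encoding it. The same applies to the IPv6 case in the next hunk. The enclosing function starts outside the hunk.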
@@ -4213,7 +4113,7 @@
 #ifdef INET6
 	case AF_INET6:
 		len1 = sizeof(struct in6_addr);
-		if (prefixlen >= (sizeof(struct in6_addr) << 3)) {
+		if (prefixlen == (sizeof(struct in6_addr) << 3)) {
 			type = IPSECDOI_ID_IPV6_ADDR;
 			len2 = 0;
 		} else {
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.h,v 1.11 2008/07/14 05:45:15 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.h,v 1.11.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
 
@@ -197,12 +197,6 @@
 #define IPSECDOI_TYPE_PH1	0
 #define IPSECDOI_TYPE_PH2	1
 
-/*
- * Prefix that will make ipsecdoi_sockaddr2id() generate address type
- * identities without knowning the exact length of address.
- */
-#define IPSECDOI_PREFIX_HOST	0xff
-
 struct isakmpsa;
 struct ipsecdoi_pl_sa;
 struct saprop;
@@ -245,8 +239,5 @@
 extern int idtype2doi __P((int));
 extern int doi2idtype __P((int));
 
-extern int ipsecdoi_parse_responder_lifetime __P((struct isakmp_pl_n *notify,
-	u_int32_t *lifetime_sec, u_int32_t *liftime_kb));
-
 
 #endif /* _IPSEC_DOI_H */
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.42 2008/09/25 09:34:13 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.42.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -88,9 +88,6 @@
 #include "pfkey.h"
 #include "crypto_openssl.h"
 #include "policy.h"
-#include "algorithm.h"
-#include "proposal.h"
-#include "sainfo.h"
 #include "isakmp_ident.h"
 #include "isakmp_agg.h"
 #include "isakmp_base.h"
@@ -137,34 +134,34 @@
 static int (*ph1exchange[][2][PHASE1ST_MAX])
 	__P((struct ph1handle *, vchar_t *)) = {
  /* error */
- { { 0 }, { 0 }, },
+ { {}, {}, },
  /* Identity Protection exchange */
  {
   { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
-    ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, nostate1,},
+    ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
   { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
-    ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, nostate1, },
+    ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
  },
  /* Aggressive exchange */
  {
   { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
-    nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
+    nostate1, nostate1, nostate1, nostate1, nostate1, },
   { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
-    nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
+    nostate1, nostate1, nostate1, nostate1, nostate1, },
  },
  /* Base exchange */
  {
   { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
-    base_i3recv, base_i3send, nostate1, nostate1, nostate1, nostate1, },
+    base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
   { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
-    nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
+    nostate1, nostate1, nostate1, nostate1, nostate1, },
  },
 };
 
 static int (*ph2exchange[][2][PHASE2ST_MAX])
 	__P((struct ph2handle *, vchar_t *)) = {
  /* error */
- { { 0 }, { 0 }, },
+ { {}, {}, },
  /* Quick mode for IKE */
  {
   { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
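Review bot: Each `ph1exchange` row now lists ten handlers while the dimension is `PHASE1ST_MAX`, which handler.h in this patch sets to 11, so the slot for `PHASE1ST_EXPIRED` is implicitly NULL in every row. The dispatch later in this file only short-circuits on `PHASE1ST_ESTABLISHED`, so it relies on the lookup functions never returning an expired handle; filling the slot explicitly, `..., ident_i4send, nostate1, nostate1, },` (and likewise for the other rows), turns a NULL call into the regular error handler. Separately, `{ {}, {}, }` is an empty-brace initializer, which is a GNU extension rather than C89/C99; `{ { 0 }, { 0 }, }` is the portable spelling.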
@@ -215,7 +212,7 @@
 	unsigned int local_len = sizeof(local);
 	int len = 0, extralen = 0;
 	vchar_t *buf = NULL, *tmpbuf = NULL;
-	int error = -1, res;
+	int error = -1;
 
 	/* read message by MSG_PEEK */
 	while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
@@ -366,11 +363,11 @@
 	/* XXX: I don't know how to check isakmp half connection attack. */
 
 	/* simply reply if the packet was processed. */
-	res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
-	if (res) {
+	if (check_recvdpkt((struct sockaddr *)&remote,
+			(struct sockaddr *)&local, buf)) {
 		plog(LLV_NOTIFY, LOCATION, NULL,
-			"the packet is retransmitted by %s (%d).\n",
-			 saddr2str((struct sockaddr *)&remote), res);
+			"the packet is retransmitted by %s.\n",
+			saddr2str((struct sockaddr *)&remote));
 		error = 0;
 		goto end;
 	}
@@ -683,8 +680,7 @@
 #endif
 
 		/* check status of phase 1 whether negotiated or not. */
-		if (iph1->status != PHASE1ST_ESTABLISHED &&
-		    iph1->status != PHASE1ST_DYING) {
+		if (iph1->status != PHASE1ST_ESTABLISHED) {
 			plog(LLV_ERROR, LOCATION, remote,
 				"can't start the quick mode, "
 				"there is no valid ISAKMP-SA, %s\n",
@@ -716,6 +712,7 @@
 		if (quick_main(iph2, msg) < 0) {
 			plog(LLV_ERROR, LOCATION, iph1->remote,
 				"phase2 negotiation failed.\n");
+			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 			return -1;
@@ -783,7 +780,7 @@
 #endif
 
 	/* ignore a packet */
-	if (iph1->status >= PHASE1ST_ESTABLISHED)
+	if (iph1->status == PHASE1ST_ESTABLISHED)
 		return 0;
 
 #ifdef ENABLE_STATS
@@ -801,24 +798,20 @@
 			    [iph1->side]
 			    [iph1->status])(iph1, msg);
 	if (error != 0) {
-
+#if 0
 		/* XXX
 		 * When an invalid packet is received on phase1, it should
 		 * be selected to process this packet.  That is to respond
 		 * with a notify and delete phase 1 handler, OR not to respond
-		 * and keep phase 1 handler. However, in PHASE1ST_START when
-		 * acting as RESPONDER we must not keep phase 1 handler or else
-		 * it will stay forever.
+		 * and keep phase 1 handler.
 		 */
-
-		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
-			plog(LLV_ERROR, LOCATION, iph1->remote,
-				"failed to pre-process packet.\n");
-			return -1;
-		} else {
-			/* ignore the error and keep phase 1 handler */
-			return 0;
-		}
+		plog(LLV_ERROR, LOCATION, iph1->remote,
+			"failed to pre-process packet.\n");
+		return -1;
+#else
+		/* ignore the error and keep phase 1 handler */
+		return 0;
+#endif
 	}
 
 #ifndef ENABLE_FRAG
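Review bot: The `#if 0` / `#else` pair in the pre-processing error path leaves a compiled-out branch on the new side and makes every failure return 0 while keeping the phase 1 handler, including a responder-side handler still in PHASE1ST_START; the comment this hunk removes recorded that such a handler is never released, so unsolicited first packets that fail pre-processing each leave a handler behind until something else expires it (no expiry is armed at that state in the hunks visible here, so I cannot confirm one exists). If keeping the handler is the intended behaviour for this branch, drop the dead `#if 0` block and state the intent in the surviving comment, e.g. `/* deliberately keep the phase 1 handler on pre-processing failure; see XXX above */`; otherwise the responder/PHASE1ST_START case deserves the `return -1` path. The enclosing function starts and ends outside this hunk.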
@@ -833,7 +826,7 @@
 	VPTRINIT(iph1->sendbuf);
 
 	/* turn off schedule */
-	sched_cancel(&iph1->scr);
+	SCHED_KILL(iph1->scr);
 
 	/* send */
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
@@ -863,22 +856,9 @@
 		/* save created date. */
 		(void)time(&iph1->created);
 
-		/* migrate ph2s from dying ph1s */
-		migrate_dying_ph12(iph1);
-
 		/* add to the schedule to expire, and seve back pointer. */
-		if ((iph1->rmconf->rekey == REKEY_FORCE) ||
-		    (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
-		     iph1->rmconf->dpd_interval)) {
-			sched_schedule(&iph1->sce,
-				       iph1->approval->lifetime *
-				       PFKEY_SOFT_LIFETIME_RATE / 100,
-				       isakmp_ph1dying_stub);
-		} else {
-			sched_schedule(&iph1->sce, iph1->approval->lifetime,
-				       isakmp_ph1expire_stub);
-		}
-
+		iph1->sce = sched_new(iph1->approval->lifetime,
+		    isakmp_ph1expire_stub, iph1);
 #ifdef ENABLE_HYBRID
 		if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
 			switch(AUTHMETHOD(iph1)) {
@@ -918,8 +898,6 @@
 				/* ignore */
 			}
 		}
-		if (iph1->initial_contact_received)
-			isakmp_info_recv_initialcontact(iph1, NULL);
 
 		log_ph1established(iph1);
 		plog(LLV_DEBUG, LOCATION, NULL, "===\n");
@@ -1009,7 +987,7 @@
 	VPTRINIT(iph2->sendbuf);
 
 	/* turn off schedule */
-	sched_cancel(&iph2->scr);
+	SCHED_KILL(iph2->scr);
 
 	/* send */
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
@@ -1033,7 +1011,7 @@
 }
 
 /* new negotiation of phase 1 for initiator */
-struct ph1handle *
+int
 isakmp_ph1begin_i(rmconf, remote, local)
 	struct remoteconf *rmconf;
 	struct sockaddr *remote, *local;
@@ -1046,7 +1024,7 @@
 	/* get new entry to isakmp status table. */
 	iph1 = newph1();
 	if (iph1 == NULL)
-		return NULL;
+		return -1;
 
 	iph1->status = PHASE1ST_START;
 	iph1->rmconf = rmconf;
@@ -1061,7 +1039,7 @@
 #ifdef ENABLE_HYBRID
 	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
 		delph1(iph1);
-		return NULL;
+		return -1;
 	}
 #endif
 #ifdef ENABLE_FRAG
@@ -1077,7 +1055,7 @@
 	/* XXX copy remote address */
 	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
 		delph1(iph1);
-		return NULL;
+		return -1;
 	}
 
 	(void)insph1(iph1);
@@ -1113,7 +1091,7 @@
 		remph1(iph1);
 		delph1(iph1);
 
-		return NULL;
+		return -1;
 	}
 
 #ifdef ENABLE_STATS
@@ -1124,7 +1102,7 @@
 		timedelta(&start, &end));
 #endif
 
-	return iph1;
+	return 0;
 }
 
 /* new negotiation of phase 1 for responder */
@@ -1299,6 +1277,7 @@
 	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
 			 [iph2->side]
 			 [iph2->status])(iph2, NULL) < 0) {
+		unbindph12(iph2);
 		/* release ipsecsa handler due to internal error. */
 		remph2(iph2);
 		return -1;
@@ -1333,6 +1312,7 @@
 		return -1;
 	}
 
+	iph2->ph1 = iph1;
 	iph2->side = RESPONDER;
 	iph2->status = PHASE2ST_START;
 	iph2->flags = isakmp->flags;
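Review bot: `iph2->ph1 = iph1;` links the phase 2 handler to its phase 1 by direct field assignment, while the failure path for the same handler in @@ -1396 calls `unbindph12(iph2)` before remph2; if unbindph12 also unlinks the handler from `iph1->ph2tree` (the list isakmp_ph1expire walks in @@ -2076) and no `bindph12` call inserts it between these two hunks (not visible here), the unbind would remove a node that was never inserted. The same pair appears in isakmp_cfg.c (@@ -1160 assigns `iph2->ph1 = iph1;`, @@ -1277 calls `unbindph12(iph2)`). Either route the link through the bind helper or add a comment at the assignment, e.g. `/* list insertion into iph1->ph2tree happens later via bindph12 */`, so the pairing is visible. The enclosing function starts and ends outside this hunk.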
@@ -1396,6 +1376,7 @@
 		 * release handler because it's wrong that ph2handle is kept
 		 * after failed to check message for responder's.
 		 */
+		unbindph12(iph2);
 		remph2(iph2);
 		delph2(iph2);
 		return -1;
@@ -1634,13 +1615,11 @@
 		}
 #endif
 
-		if ((p->sock = privsep_socket(p->addr->sa_family,
-					      SOCK_DGRAM, 0)) < 0) {
+		if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"socket (%s)\n", strerror(errno));
 			goto err_and_next;
 		}
-		close_on_exec(p->sock);
 
 		if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
 			plog(LLV_WARNING, LOCATION, NULL,
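Review bot: The new `socket()` call at the top of this hunk no longer marks the descriptor close-on-exec — the removed `close_on_exec(p->sock)` did — so each ISAKMP listening socket is inherited by any child process the daemon later executes. Unless the descriptor is closed in a fork path elsewhere (not visible here), set the flag right after creation, in the same style as the O_NONBLOCK line below: `if (fcntl(p->sock, F_SETFD, FD_CLOEXEC) == -1) plog(LLV_WARNING, LOCATION, NULL, "failed to set close-on-exec on %s (%s).\n", saddr2str(p->addr), strerror(errno));`. The enclosing function starts and ends outside this hunk.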
@@ -1696,24 +1675,10 @@
 		}
 #endif
 
-		if (setsockopt(p->sock, SOL_SOCKET,
-#ifdef __linux__
-					 SO_REUSEADDR,
-#else
-					 SO_REUSEPORT,
-#endif
-					 (void *)&yes, sizeof(yes)) < 0) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to set REUSE flag on %s (%s).\n",
-				saddr2str(p->addr), strerror(errno));
-			close(p->sock);
-			goto err_and_next;
-		}
-
 		if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
 			goto err_and_next;
 
-		if (privsep_bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
+		if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
 			plog(LLV_ERROR, LOCATION, p->addr,
 				"failed to bind to address %s (%s).\n",
 				saddr2str(p->addr), strerror(errno));
@@ -1812,17 +1777,11 @@
 {
 	int len = 0;
 	int s;
-	vchar_t *vbuf = NULL, swap;
+	vchar_t *vbuf = NULL;
 
 #ifdef ENABLE_NATT
 	size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
 
-	/* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
-	 */
-	if(extralen == NON_ESP_MARKER_LEN &&
-	   *(u_int32_t *)sbuf->v == 0)
-		extralen = 0;
-
 #ifdef ENABLE_FRAG
 	/* 
 	 * Do not add the non ESP marker for a packet that will
@@ -1846,19 +1805,15 @@
 		}
 		*(u_int32_t *)vbuf->v = 0;
 		memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
-		/* ensures that the modified buffer will be sent back to the caller, so
-		 * add_recvdpkt() will add the correct buffer
-		 */
-		swap = *sbuf;
-		*sbuf = *vbuf;
-		*vbuf = swap;
-		vfree(vbuf);
+		sbuf = vbuf;
 	}
 #endif
 
 	/* select the socket to be sent */
 	s = getsockmyaddr(iph1->local);
 	if (s == -1){
+		if ( vbuf != NULL )
+			vfree(vbuf);
 		return -1;
 	}
 
@@ -1870,6 +1825,8 @@
 		if (isakmp_sendfrags(iph1, sbuf) == -1) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "isakmp_sendfrags failed\n");
+			if ( vbuf != NULL )
+				vfree(vbuf);
 			return -1;
 		}
 	} else 
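Review bot: The `if ( vbuf != NULL ) vfree(vbuf);` cleanup added here is the second of four copies in isakmp_send (one before the `return -1` in @@ -1846, two more in @@ -1880), each guarding a different early return, so the four paths can drift independently; a single exit label keeps the release in one place. With an `int error = -1;` added to the declarations in @@ -1812, each failing return becomes `goto end` and the tail collapses to the lines below. The spacing inside `if ( vbuf != NULL )` also differs from the file's `if (x)` style. The function starts outside this hunk and ends in @@ -1880.

```c
	/* select the socket to be sent */
	s = getsockmyaddr(iph1->local);
	if (s == -1)
		goto end;
	/* … unchanged: fragmented and plain sendfromto branches, each `goto end` on failure … */
	error = 0;
end:
	if (vbuf != NULL)
		vfree(vbuf);
	return error;
```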
@@ -1880,21 +1837,34 @@
 
 		if (len == -1) {
 			plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
+			if ( vbuf != NULL )
+				vfree(vbuf);
 			return -1;
 		}
 	}
 	
+	if ( vbuf != NULL )
+		vfree(vbuf);
+	
 	return 0;
 }
 
 /* called from scheduler */
 void
 isakmp_ph1resend_stub(p)
-	struct sched *p;
+	void *p;
 {
-	struct ph1handle *iph1 = container_of(p, struct ph1handle, scr);
-
-	if (isakmp_ph1resend(iph1) < 0) {
+	struct ph1handle *iph1;
+
+	iph1=(struct ph1handle *)p;
+	if(isakmp_ph1resend(iph1) < 0){
+		if(iph1->scr != NULL){
+			/* Should not happen...
+			 */
+			sched_kill(iph1->scr);
+			iph1->scr=NULL;
+		}
+
 		remph1(iph1);
 		delph1(iph1);
 	}
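Review bot: The rewritten body of isakmp_ph1resend_stub departs from the file's formatting — `iph1=(struct ph1handle *)p;`, `if(isakmp_ph1resend(iph1) < 0){` and `iph1->scr=NULL;` have no spaces around `=`, after `if` or before `{`, unlike the surrounding code — and the cast from `void *` is unnecessary in C, so the prologue can be `struct ph1handle *iph1 = p;`. The manual `sched_kill(iph1->scr); iph1->scr=NULL;` pair also looks like what `SCHED_KILL(iph1->scr)` does at the other call sites in this commit (if the macro clears the pointer — not visible here); using the macro would keep the cancel idiom uniform. The same formatting applies to isakmp_ph2resend_stub in @@ -1938.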
@@ -1910,7 +1880,8 @@
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase1 negotiation failed due to time up. %s\n",
 			isakmp_pindex(&iph1->index, iph1->msgid));
-		evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEER_NO_RESPONSE, NULL);
 
 		return -1;
 	}
@@ -1919,7 +1890,8 @@
 		plog(LLV_ERROR, LOCATION, NULL,
 			 "phase1 negotiation failed due to send error. %s\n",
 			 isakmp_pindex(&iph1->index, iph1->msgid));
-		evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+				 EVTT_PEER_NO_RESPONSE, NULL);
 		return -1;
 	}
 
@@ -1929,8 +1901,8 @@
 
 	iph1->retry_counter--;
 
-	sched_schedule(&iph1->scr, iph1->rmconf->retry_interval,
-		       isakmp_ph1resend_stub);
+	iph1->scr = sched_new(iph1->rmconf->retry_interval,
+		isakmp_ph1resend_stub, iph1);
 
 	return 0;
 }
@@ -1938,11 +1910,14 @@
 /* called from scheduler */
 void
 isakmp_ph2resend_stub(p)
-	struct sched *p;
+	void *p;
 {
-	struct ph2handle *iph2 = container_of(p, struct ph2handle, scr);
-
-	if (isakmp_ph2resend(iph2) < 0) {
+	struct ph2handle *iph2;
+
+	iph2=(struct ph2handle *)p;
+
+	if(isakmp_ph2resend(iph2) < 0){
+		unbindph12(iph2);
 		remph2(iph2);
 		delph2(iph2);
 	}
@@ -1954,7 +1929,7 @@
 {
 	/* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
 	 */
-	if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
+	if (iph2->ph1->status == PHASE1ST_EXPIRED){
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase2 negotiation failed due to phase1 expired. %s\n",
 				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
@@ -1965,7 +1940,7 @@
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase2 negotiation failed due to time up. %s\n",
 				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
-		evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
+		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
 		unbindph12(iph2);
 		return -1;
 	}
@@ -1974,7 +1949,8 @@
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase2 negotiation failed due to send error. %s\n",
 				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
-		evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
+		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
+
 		return -1;
 	}
 
@@ -1984,75 +1960,19 @@
 
 	iph2->retry_counter--;
 
-	sched_schedule(&iph2->scr, iph2->ph1->rmconf->retry_interval,
-		       isakmp_ph2resend_stub);
+	iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
+		isakmp_ph2resend_stub, iph2);
 
 	return 0;
 }
 
 /* called from scheduler */
 void
-isakmp_ph1dying_stub(p)
-	struct sched *p;
-{
-
-	isakmp_ph1dying(container_of(p, struct ph1handle, sce));
-}
-
-void
-isakmp_ph1dying(iph1)
-	struct ph1handle *iph1;
+isakmp_ph1expire_stub(p)
+	void *p;
 {
-	struct ph1handle *new_iph1;
-	struct ph2handle *p;
-	struct remoteconf *rmconf;
-
-	if (iph1->status >= PHASE1ST_DYING)
-		return;
-
-	/* Going away in after a while... */
-	iph1->status = PHASE1ST_DYING;
-
-	/* Any fresh phase1s? */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-	if (new_iph1 == NULL) {
-		LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
-			if (p->status != PHASE2ST_ESTABLISHED)
-				continue;
-
-			rmconf = getrmconf(iph1->remote);
-			if (rmconf == NULL) {
-				plog(LLV_ERROR, LOCATION, NULL,
-				     "no configuration found "
-				     "for %s\n", saddrwop2str(iph1->remote));
-			} else {
-				plog(LLV_INFO, LOCATION, NULL,
-				     "renegotiating phase1 to %s due to "
-				      "active phase2\n",
-					saddrwop2str(iph1->remote));
-
-				if (iph1->side == INITIATOR)
-					isakmp_ph1begin_i(rmconf, iph1->remote,
-							  iph1->local);
-			}
-			break;
-		}
-	} else {
-		migrate_ph12(iph1, new_iph1);
-	}
-
-	/* Schedule for expiration */
-	sched_schedule(&iph1->sce, iph1->approval->lifetime *
-		       (100 - PFKEY_SOFT_LIFETIME_RATE) / 100,
-		       isakmp_ph1expire_stub);
-}
-
-/* called from scheduler */
-void
-isakmp_ph1expire_stub(p)
-	struct sched *p;
-{
-	isakmp_ph1expire(container_of(p, struct ph1handle, sce));
+
+	isakmp_ph1expire((struct ph1handle *)p);
 }
 
 void
@@ -2061,7 +1981,9 @@
 {
 	char *src, *dst;
 
-	if (iph1->status < PHASE1ST_EXPIRED) {
+	SCHED_KILL(iph1->sce);
+
+	if(iph1->status != PHASE1ST_EXPIRED){
 		src = racoon_strdup(saddr2str(iph1->local));
 		dst = racoon_strdup(saddr2str(iph1->remote));
 		STRDUP_FATAL(src);
@@ -2076,40 +1998,36 @@
 		iph1->status = PHASE1ST_EXPIRED;
 	}
 
-	sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+	/*
+	 * the phase1 deletion is postponed until there is no phase2.
+	 */
+	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
+		iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
+		return;
+	}
+
+	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 }
 
 /* called from scheduler */
 void
 isakmp_ph1delete_stub(p)
-	struct sched *p;
+	void *p;
 {
 
-	isakmp_ph1delete(container_of(p, struct ph1handle, sce));
+	isakmp_ph1delete((struct ph1handle *)p);
 }
 
 void
 isakmp_ph1delete(iph1)
 	struct ph1handle *iph1;
 {
-	struct ph2handle *p, *next;
-	struct ph1handle *new_iph1;
 	char *src, *dst;
 
-	/* Migrate established phase2s. Any fresh phase1s? */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-	if (new_iph1 != NULL)
-		migrate_ph12(iph1, new_iph1);
-
-	/* Discard any left phase2s */
-	for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) {
-		next = LIST_NEXT(p, ph1bind);
-		if (p->status >= PHASE2ST_ESTABLISHED)
-			unbindph12(p);
-	}
+	SCHED_KILL(iph1->sce);
 
 	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
-		sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+		iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 		return;
 	}
 
@@ -2123,12 +2041,14 @@
 	plog(LLV_INFO, LOCATION, NULL,
 		"ISAKMP-SA deleted %s-%s spi:%s\n",
 		src, dst, isakmp_pindex(&iph1->index, 0));
-	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
+	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
 	racoon_free(src);
 	racoon_free(dst);
 
 	remph1(iph1);
 	delph1(iph1);
+
+	return;
 }
 
 /* called from scheduler.
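Review bot: The `return;` added as the last statement of isakmp_ph1delete is redundant in a void function, and the same statement is added at the end of isakmp_ph2expire in @@ -2162; dropping both keeps these functions in line with the scheduler stubs in this file, which end on their call. If the line is meant as a visual end marker, a closing comment such as `/* handler released */` says more than a bare return.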
@@ -2139,10 +2059,10 @@
  */
 void
 isakmp_ph2expire_stub(p)
-	struct sched *p;
+	void *p;
 {
 
-	isakmp_ph2expire(container_of(p, struct ph2handle, sce));
+	isakmp_ph2expire((struct ph2handle *)p);
 }
 
 void
@@ -2151,6 +2071,8 @@
 {
 	char *src, *dst;
 
+	SCHED_KILL(iph2->sce);
+
 	src = racoon_strdup(saddrwop2str(iph2->src));
 	dst = racoon_strdup(saddrwop2str(iph2->dst));
 	STRDUP_FATAL(src);
@@ -2162,16 +2084,19 @@
 	racoon_free(dst);
 
 	iph2->status = PHASE2ST_EXPIRED;
-	sched_schedule(&iph2->sce, 1, isakmp_ph2delete_stub);
+
+	iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
+
+	return;
 }
 
 /* called from scheduler */
 void
 isakmp_ph2delete_stub(p)
-	struct sched *p;
+	void *p;
 {
 
-	isakmp_ph2delete(container_of(p, struct ph2handle, sce));
+	isakmp_ph2delete((struct ph2handle *)p);
 }
 
 void
@@ -2180,6 +2105,8 @@
 {
 	char *src, *dst;
 
+	SCHED_KILL(iph2->sce);
+
 	src = racoon_strdup(saddrwop2str(iph2->src));
 	dst = racoon_strdup(saddrwop2str(iph2->dst));
 	STRDUP_FATAL(src);
@@ -2190,6 +2117,7 @@
 	racoon_free(src);
 	racoon_free(dst);
 
+	unbindph12(iph2);
 	remph2(iph2);
 	delph2(iph2);
 
@@ -2250,16 +2178,18 @@
 
 	/* no ISAKMP-SA found. */
 	if (iph1 == NULL) {
+		struct sched *sc;
+
 		iph2->retry_checkph1 = lcconf->retry_checkph1;
-		sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
+		sc = sched_new(1, isakmp_chkph1there_stub, iph2);
 		plog(LLV_INFO, LOCATION, NULL,
 			"IPsec-SA request for %s queued "
 			"due to no phase1 found.\n",
 			saddrwop2str(iph2->dst));
 
 		/* start phase 1 negotiation as a initiator. */
-		if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) {
-			sched_cancel(&iph2->sce);
+		if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
+			SCHED_KILL(sc);
 			return -1;
 		}
 
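Review bot: The timer created with `sc = sched_new(1, isakmp_chkph1there_stub, iph2)` is only cancelled on the isakmp_ph1begin_i failure path; when phase 1 starts successfully the handle is dropped, and in @@ -2268 and @@ -2473 the `sched_new(1, isakmp_chkph1there_stub, iph2)` result is discarded outright. isakmp_ph2expire and isakmp_ph2delete cancel only `iph2->sce` (@@ -2151, @@ -2180), so nothing visible here cancels these timers if the ph2handle is removed before they fire, and unless the scheduler or delph2 handles that elsewhere the stub would run with a freed handler. Storing the handle the way the phase 1 sites do — `iph2->sce = sched_new(1, isakmp_chkph1there_stub, iph2);` and `SCHED_KILL(iph2->sce)` on the failure path — would let the existing cancel paths cover it. The enclosing function starts and ends outside this hunk.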
@@ -2268,9 +2198,9 @@
 	}
 
 	/* found ISAKMP-SA, but on negotiation. */
-	if (iph1->status < PHASE1ST_ESTABLISHED) {
+	if (iph1->status != PHASE1ST_ESTABLISHED) {
 		iph2->retry_checkph1 = lcconf->retry_checkph1;
-		sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
+		sched_new(1, isakmp_chkph1there_stub, iph2);
 		plog(LLV_INFO, LOCATION, iph2->dst,
 			"request for establishing IPsec-SA was queued "
 			"due to no phase1 found.\n");
@@ -2291,71 +2221,6 @@
 	return 0;
 }
 
-int
-isakmp_get_sainfo(iph2, sp_out, sp_in)
-	struct ph2handle *iph2;
-	struct secpolicy *sp_out, *sp_in;
-{
-	int remoteid=0;
-
-	plog(LLV_DEBUG, LOCATION, NULL,
-		"new acquire %s\n", spidx2str(&sp_out->spidx));
-
-	/* get sainfo */
-	{
-		vchar_t *idsrc, *iddst;
-
-		idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
-			sp_out->spidx.prefs, sp_out->spidx.ul_proto);
-		if (idsrc == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to get ID for %s\n",
-				spidx2str(&sp_out->spidx));
-			return -1;
-		}
-		iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
-			sp_out->spidx.prefd, sp_out->spidx.ul_proto);
-		if (iddst == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to get ID for %s\n",
-				spidx2str(&sp_out->spidx));
-			vfree(idsrc);
-			return -1;
-		}
-		{
-			struct remoteconf *conf;
-			conf = getrmconf(iph2->dst);
-			if (conf != NULL)
-				remoteid=conf->ph1id;
-			else{
-				plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
-				remoteid=0;
-			}
-		}
-		iph2->sainfo = getsainfo(idsrc, iddst, NULL, NULL, remoteid);
-		vfree(idsrc);
-		vfree(iddst);
-		if (iph2->sainfo == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to get sainfo.\n");
-			return -1;
-			/* XXX should use the algorithm list from register message */
-		}
-
-		plog(LLV_DEBUG, LOCATION, NULL,
-			"selected sainfo: %s\n", sainfo2str(iph2->sainfo));
-	}
-
-	if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"failed to create saprop.\n");
-		return -1;
-	}
-
-	return 0;
-}
-
-
 /*
  * receive GETSPI from kernel.
  */
@@ -2368,7 +2233,7 @@
 #endif
 
 	/* don't process it because there is no suitable phase1-sa. */
-	if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
+	if (iph2->ph1->status == PHASE1ST_EXPIRED) {
 		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
 			"the negotiation is stopped, "
 			"because there is no suitable ISAKMP-SA.\n");
@@ -2396,9 +2261,9 @@
 /* called by scheduler */
 void
 isakmp_chkph1there_stub(p)
-	struct sched *p;
+	void *p;
 {
-	isakmp_chkph1there(container_of(p, struct ph2handle, sce));
+	isakmp_chkph1there((struct ph2handle *)p);
 }
 
 void
@@ -2420,6 +2285,7 @@
 		/* send acquire to kernel as error */
 		pk_sendeacquire(iph2);
 
+		unbindph12(iph2);
 		remph2(iph2);
 		delph2(iph2);
 
@@ -2473,7 +2339,7 @@
 	plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
 
 	/* no isakmp-sa found */
-	sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
+	sched_new(1, isakmp_chkph1there_stub, iph2);
 
 	return;
 }
@@ -3058,9 +2924,9 @@
 		src, dst,
 		isakmp_pindex(&iph1->index, 0));
 	
-	evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
 	if(!iph1->rmconf->mode_cfg)
-		evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
 
 	racoon_free(src);
 	racoon_free(dst);
@@ -3428,6 +3294,7 @@
 		/* delete a relative phase 2 handle. */
 		if (iph2 != NULL) {
 			delete_spd(iph2, 0);
+			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 		}
@@ -3447,7 +3314,9 @@
 		 "purged ISAKMP-SA spi=%s.\n",
 		 isakmp_pindex(&(iph1->index), iph1->msgid));
 
-	sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+	SCHED_KILL(iph1->sce);
+
+	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 }
 
 void 
@@ -3651,7 +3520,7 @@
 		spidx.ul_proto = IPSEC_ULPROTO_ANY;
 
 #undef _XIDT
-	
+
 	/* Check if the generated SPD has the same timestamp as the SA.
 	 * If timestamps are different, this means that the SPD entry has been
 	 * refreshed by another SA, and should NOT be deleted with the current SA.
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_agg.c,v 1.12 2008/07/21 06:26:06 tteras Exp $	*/
+/*	$NetBSD: isakmp_agg.c,v 1.12.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
 
@@ -426,12 +426,36 @@
 			break;
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal && 
+			    natt_vendorid(vid_numeric))
+				natt_handle_vendorid(iph1, vid_numeric);
+#endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |= 
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |= 
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif
 			break;
 		case ISAKMP_NPTYPE_N:
-			isakmp_log_notify(iph1,
-				(struct isakmp_pl_n *) pa->ptr,
-				"aggressive exchange");
+			isakmp_check_notify(pa->ptr, iph1);
 			break;
 #ifdef HAVE_GSSAPI
 		case ISAKMP_NPTYPE_GSS:
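Review bot: The vendor-ID handling inlined under `case ISAKMP_NPTYPE_VID` here is repeated almost verbatim in agg_r1recv (@@ -836), isakmp_base.c (@@ -343, @@ -835) and isakmp_ident.c (@@ -301), and the copies already diverge: the agg_r1recv copy `break`s after natt_handle_vendorid where this one falls through to the XAUTH/UNITY and DPD checks, the isakmp_ident.c copy sets `dpd_support` without the "remote supports DPD" log line, and the base/ident copies indent the natt_handle_vendorid call with two spaces instead of a tab. A single static helper taking the handler and `vid_numeric` would keep the five sites identical; if the divergence is deliberate, a one-line comment at each site saying why would help the next reader. The enclosing switch and function start and end outside this hunk.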
@@ -563,7 +587,8 @@
 			/* message printed inner oakley_validate_auth() */
 			goto end;
 		}
-		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEERPH1AUTH_FAILED, NULL);
 		isakmp_info_send_n1(iph1, ptype, NULL);
 		goto end;
 	}
@@ -836,7 +861,36 @@
 			break;
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal &&
+			    natt_vendorid(vid_numeric)) {
+				natt_handle_vendorid(iph1, vid_numeric);
+				break;
+			}
+#endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |= 
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |= 
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif
 #ifdef ENABLE_FRAG
 			if ((vid_numeric == VENDORID_FRAG) &&
 			    (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
@@ -1325,7 +1379,7 @@
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
 	int error = -1;
-	int ptype, vid_numeric;
+	int ptype;
 
 #ifdef ENABLE_NATT
 	int natd_seq = 0;
@@ -1364,8 +1418,7 @@
 			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
 			break;
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 		case ISAKMP_NPTYPE_CERT:
 			if (oakley_savecert(iph1, pa->ptr) < 0)
@@ -1376,9 +1429,7 @@
 				goto end;
 			break;
 		case ISAKMP_NPTYPE_N:
-			isakmp_log_notify(iph1,
-				(struct isakmp_pl_n *) pa->ptr,
-				"aggressive exchange");
+			isakmp_check_notify(pa->ptr, iph1);
 			break;
 
 #ifdef ENABLE_NATT
@@ -1435,7 +1486,8 @@
 			/* message printed inner oakley_validate_auth() */
 			goto end;
 		}
-		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEERPH1AUTH_FAILED, NULL);
 		isakmp_info_send_n1(iph1, ptype, NULL);
 		goto end;
 	}
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_base.c,v 1.9 2008/07/21 06:26:06 tteras Exp $	*/
+/*	$NetBSD: isakmp_base.c,v 1.9.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /*	$KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $	*/
 
@@ -343,7 +343,33 @@
 			break;
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
+			  natt_handle_vendorid(iph1, vid_numeric);
+#endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
@@ -589,7 +615,7 @@
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
 	int error = -1;
-	int ptype, vid_numeric;
+	int ptype;
 #ifdef ENABLE_NATT
 	vchar_t	*natd_received;
 	int natd_seq = 0, natd_verified;
@@ -628,8 +654,7 @@
 				goto end;
 			break;
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 
 #ifdef ENABLE_NATT
@@ -691,7 +716,8 @@
 			/* message printed inner oakley_validate_auth() */
 			goto end;
 		}
-		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEERPH1AUTH_FAILED, NULL);
 		isakmp_info_send_n1(iph1, ptype, NULL);
 		goto end;
 	}
@@ -803,6 +829,9 @@
 	}
 
 	/* validate the type of next payload */
+	/*
+	 * NOTE: XXX even if multiple VID, we'll silently ignore those.
+	 */
 	pbuf = isakmp_parse(msg);
 	if (pbuf == NULL)
 		goto end;
@@ -835,12 +864,38 @@
 			break;
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
+				natt_handle_vendorid(iph1, vid_numeric);
+#endif
 #ifdef ENABLE_FRAG
 			if ((vid_numeric == VENDORID_FRAG) &&
 			    (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
 				iph1->frag = 1;
 #endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+
+			default:
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
+				iph1->dpd_support=1;
+				plog(LLV_DEBUG, LOCATION, NULL,
+					 "remote supports DPD\n");
+			}
+#endif 
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
@@ -1076,7 +1131,7 @@
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
 	int error = -1;
-	int ptype, vid_numeric;
+	int ptype;
 #ifdef ENABLE_NATT
 	int natd_seq = 0;
 #endif
@@ -1116,8 +1171,7 @@
 				goto end;
 			break;
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 
 #ifdef ENABLE_NATT
@@ -1188,7 +1242,8 @@
 			/* message printed inner oakley_validate_auth() */
 			goto end;
 		}
-		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEERPH1AUTH_FAILED, NULL);
 		isakmp_info_send_n1(iph1, ptype, NULL);
 		goto end;
 	}
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.19 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.19.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -473,7 +473,8 @@
 			    "Cannot allocate memory: %s\n", strerror(errno));
 		} else {
 			memcpy(buf->v, attrpl + 1, buf->l);
-			evt_phase1(iph1, EVT_PHASE1_MODE_CFG, buf);
+			EVT_PUSH(iph1->local, iph1->remote, 
+			    EVTT_ISAKMP_CFG_DONE, buf);
 			vfree(buf);
 		}
 	}
@@ -730,8 +731,7 @@
 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
 
 	if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
-		if (iph1->status == PHASE1ST_ESTABLISHED ||
-		    iph1->status == PHASE1ST_DYING)
+		if (iph1->status == PHASE1ST_ESTABLISHED)
 			isakmp_info_send_d1(iph1);
 		remph1(iph1);
 		delph1(iph1);
@@ -1127,7 +1127,7 @@
 	struct isakmp_cfg_state *ics = iph1->mode_cfg;
 
 	/* Check if phase 1 is established */
-	if ((iph1->status < PHASE1ST_ESTABLISHED) ||
+	if ((iph1->status != PHASE1ST_ESTABLISHED) || 
 	    (iph1->local == NULL) ||
 	    (iph1->remote == NULL)) {
 		plog(LLV_ERROR, LOCATION, NULL, 
@@ -1160,6 +1160,7 @@
 		goto end;
 	}
 #endif
+	iph2->ph1 = iph1;
 	iph2->side = INITIATOR;
 	iph2->status = PHASE2ST_START;
 
@@ -1178,7 +1179,7 @@
 		}
 
 		/* generate HASH(1) */
-		hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
+		hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
 		if (hash == NULL) {
 			delph2(iph2);
 			goto end;
@@ -1277,6 +1278,7 @@
 	if (iph2->sendbuf != NULL)
 		vfree(iph2->sendbuf);
 
+	unbindph12(iph2);
 	remph2(iph2);
 	delph2(iph2);
 end:
@@ -1490,6 +1492,24 @@
 	struct ph1handle *iph1;
 	int inout;
 {
+	/* For first time use, initialize Radius */
+	if (radius_acct_state == NULL) {
+		if ((radius_acct_state = rad_acct_open()) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			    "Cannot init librradius\n");
+			return -1;
+		}
+
+		if (rad_config(radius_acct_state, NULL) != 0) {
+			 plog(LLV_ERROR, LOCATION, NULL,
+			     "Cannot open librarius config file: %s\n",
+			     rad_strerror(radius_acct_state));
+			  rad_close(radius_acct_state);
+			  radius_acct_state = NULL;
+			  return -1;
+		}
+	}
+
 	if (rad_create_request(radius_acct_state, 
 	    RAD_ACCOUNTING_REQUEST) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
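Review bot: The two new error messages misspell the library name — `"Cannot init librradius\n"` and `"Cannot open librarius config file: %s\n"` should both say `libradius` so the log lines match the library they refer to — and the `rad_config` failure block is indented with a mix of tab plus one or two spaces, unlike the tab-only surrounding lines. Correct the spelling and re-indent the block to the file's style. The enclosing function's name line is above this hunk.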
@@ -1845,7 +1865,6 @@
 	char addrstr[IP_MAX];
 	char addrlist[IP_MAX * MAXNS + MAXNS];
 	char *splitlist = addrlist;
-	char *splitlist_cidr;
 	char defdom[MAXPATHLEN + 1];
 	int cidr, tmp;
 	char cidrstr[4];
@@ -1986,14 +2005,10 @@
 	}
 
 	/* Split networks */
-	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) {
-		splitlist = 
-		    splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK);
-		splitlist_cidr = 
-		    splitnet_list_2str(iph1->mode_cfg->split_include, CIDR);
-	} else {
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE)
+		splitlist = splitnet_list_2str(iph1->mode_cfg->split_include);
+	else {
 		splitlist = addrlist;
-		splitlist_cidr = addrlist;
 		addrlist[0] = '\0';
 	}
 
@@ -2001,25 +2016,13 @@
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
 		return -1;
 	}
-	if (script_env_append(envp, envc, 
-	    "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		     "Cannot set SPLIT_INCLUDE_CIDR\n");
-		return -1;
-	}
 	if (splitlist != addrlist)
 		racoon_free(splitlist);
-	if (splitlist_cidr != addrlist)
-		racoon_free(splitlist_cidr);
 
-	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) {
-		splitlist =
-		    splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK);
-		splitlist_cidr =
-		    splitnet_list_2str(iph1->mode_cfg->split_local, CIDR);
-	} else {
+	if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL)
+		splitlist = splitnet_list_2str(iph1->mode_cfg->split_local);
+	else {
 		splitlist = addrlist;
-		splitlist_cidr = addrlist;
 		addrlist[0] = '\0';
 	}
 
@@ -2027,16 +2030,8 @@
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
 		return -1;
 	}
-	if (script_env_append(envp, envc,
-	    "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		     "Cannot set SPLIT_LOCAL_CIDR\n");
-		return -1;
-	}
 	if (splitlist != addrlist)
 		racoon_free(splitlist);
-	if (splitlist_cidr != addrlist)
-		racoon_free(splitlist_cidr);
 	
 	return 0;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.9 2008/07/21 06:26:06 tteras Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.9.4.1 2009/02/08 18:42:16 snj Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -92,7 +92,6 @@
 
 static vchar_t *ident_ir2mx __P((struct ph1handle *));
 static vchar_t *ident_ir3mx __P((struct ph1handle *));
-static int ident_recv_n __P((struct ph1handle *, struct isakmp_gen *));
 
 /* %%%
  * begin Identity Protection Mode as initiator.
@@ -301,7 +300,30 @@
 		switch (pa->type) {
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
+			  natt_handle_vendorid(iph1, vid_numeric);
+#endif
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+	
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+	
+			default:
+				break;
+			}
+#endif  
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
+				iph1->dpd_support=1;
+#endif
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
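Review bot: The vendor-ID dispatch added here is repeated verbatim in the hunk at L4438-L4473, and the two copies already disagree in formatting: the natt_handle_vendorid call is indented with two spaces at L4361 but with a tab at L4445, and the `#endif` lines at L4378 and L4451 carry trailing whitespace. A single `static void` helper taking `iph1` and `vid_numeric`, called from both receive paths, would keep the NATT/HYBRID/DPD flag updates in one place and make the two sites impossible to drift apart. The `iph1->mode_cfg->flags |=` lines also assume `mode_cfg` is always allocated under ENABLE_HYBRID; I cannot see where it is set up from this diff, so that is worth confirming. The enclosing receive function starts and ends outside this hunk.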
@@ -428,7 +450,7 @@
 {
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
-	int error = -1, vid_numeric;
+	int error = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstoken = NULL;
 #endif
@@ -463,8 +485,7 @@
 				goto end;
 			break;
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 		case ISAKMP_NPTYPE_CR:
 			if (oakley_savecr(iph1, pa->ptr) < 0)
@@ -675,7 +696,7 @@
 	struct isakmp_parse_t *pa;
 	vchar_t *msg = NULL;
 	int error = -1;
-	int type, vid_numeric;
+	int type;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstoken = NULL;
 #endif
@@ -733,11 +754,10 @@
 			break;
 #endif
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 		case ISAKMP_NPTYPE_N:
-			ident_recv_n(iph1, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph1);
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
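Review bot: `isakmp_check_notify` is substituted for `ident_recv_n` without carrying over the condition the old helper documented at L4531-L4534, that it is only reached for packets already verified to be encrypted; the replacement (defined at L4971-L5006 in this diff) takes no such flag and, in its default case, answers the peer with an INVALID_PAYLOAD_TYPE notification. The same substitution is made at L4510-L4513. If these call sites are meant to stay restricted to decrypted messages, a comment at this line, `/* only reached after the message has been decrypted */`, would keep that invariant visible to readers of isakmp_check_notify's callers. The enclosing function starts and ends outside this hunk.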
@@ -768,7 +788,8 @@
 				/* msg printed inner oakley_validate_auth() */
 				goto end;
 			}
-			evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+			EVT_PUSH(iph1->local, iph1->remote, 
+			    EVTT_PEERPH1AUTH_FAILED, NULL);
 			isakmp_info_send_n1(iph1, type, NULL);
 			goto end;
 		}
@@ -901,11 +922,34 @@
 		switch (pa->type) {
 		case ISAKMP_NPTYPE_VID:
 			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+#ifdef ENABLE_NATT
+			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
+				natt_handle_vendorid(iph1, vid_numeric);
+#endif
 #ifdef ENABLE_FRAG
 			if ((vid_numeric == VENDORID_FRAG) &&
 			    (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
 				iph1->frag = 1;
+#endif   
+#ifdef ENABLE_HYBRID
+			switch (vid_numeric) {
+			case VENDORID_XAUTH:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_XAUTH;
+				break;
+		
+			case VENDORID_UNITY:
+				iph1->mode_cfg->flags |=
+				    ISAKMP_CFG_VENDORID_UNITY;
+				break;
+	
+			default:  
+				break;
+			}
+#endif
+#ifdef ENABLE_DPD
+			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
+				iph1->dpd_support=1;
 #endif
 			break;
 		default:
@@ -1126,7 +1170,7 @@
 {
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
-	int error = -1, vid_numeric;
+	int error = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstoken = NULL;
 #endif
@@ -1159,8 +1203,7 @@
 				goto end;
 			break;
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 		case ISAKMP_NPTYPE_CR:
 			plog(LLV_WARNING, LOCATION, iph1->remote,
@@ -1348,7 +1391,7 @@
 	vchar_t *pbuf = NULL;
 	struct isakmp_parse_t *pa;
 	int error = -1;
-	int type, vid_numeric;
+	int type;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstoken = NULL;
 #endif
@@ -1410,11 +1453,10 @@
 			break;
 #endif
 		case ISAKMP_NPTYPE_VID:
-			vid_numeric = check_vendorid(pa->ptr);
-			handle_vendorid(iph1, vid_numeric);
+			(void)check_vendorid(pa->ptr);
 			break;
 		case ISAKMP_NPTYPE_N:
-			ident_recv_n(iph1, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph1);
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
@@ -1495,7 +1537,8 @@
 				/* msg printed inner oakley_validate_auth() */
 				goto end;
 			}
-			evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
+			EVT_PUSH(iph1->local, iph1->remote, 
+			    EVTT_PEERPH1AUTH_FAILED, NULL);
 			isakmp_info_send_n1(iph1, type, NULL);
 			goto end;
 		}
@@ -1914,28 +1957,3 @@
 
 	return buf;
 }
-
-/*
- * handle a notification payload inside identity exchange.
- * called only when the packet has been verified to be encrypted.
- */
-static int
-ident_recv_n(iph1, gen)
-	struct ph1handle *iph1;
-	struct isakmp_gen *gen;
-{
-	struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
-	u_int type;
-
-	type = ntohs(notify->type);
-	switch (type) {
-	case ISAKMP_NTYPE_INITIAL_CONTACT:
-		iph1->initial_contact_received = TRUE;
-		break;
-	default:
-		isakmp_log_notify(iph1, notify, "identity exchange");
-		break;
-	}
-	return 0;
-}
-
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.34 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.34.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -107,10 +107,11 @@
 	struct isakmp_pl_ru *, u_int32_t));
 static int isakmp_info_recv_r_u_ack __P((struct ph1handle *,
 	struct isakmp_pl_ru *, u_int32_t));
-static void isakmp_info_send_r_u __P((struct sched *));
+static void isakmp_info_send_r_u __P((void *));
 #endif
 
 static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
+static void info_recv_initialcontact __P((struct ph1handle *));
 
 /* %%%
  * Information Exchange
@@ -168,8 +169,7 @@
 	if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
 		plog(LLV_ERROR, LOCATION, NULL, 
 			"ignore information because the "
-			"message is way too short - %zu byte(s).\n",
-			(int)msg->l);
+			"message is way too short - %zu byte(s).\n", msg->l);
 		goto end;
 	}
 
@@ -180,15 +180,14 @@
 	if (encrypted) {
 		if (isakmp->np != ISAKMP_NPTYPE_HASH) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "ignore information because the "
+			    "ignore information because the"
 			    "message has no hash payload.\n");
 			goto end;
 		}
 
-		if (iph1->status != PHASE1ST_ESTABLISHED &&
-		    iph1->status != PHASE1ST_DYING) {
+		if (iph1->status != PHASE1ST_ESTABLISHED) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "ignore information because ISAKMP-SA "
+			    "ignore information because ISAKMP-SA"
 			    "has not been established yet.\n");
 			goto end;
 		}
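Review bot: The string literals changed at L4591 and L4601 drop the trailing space that separated the two halves of each message, so the log now reads "because themessage has no hash payload" and "ISAKMP-SAhas not been established yet". Restore the separator in both: `"ignore information because the "` and `"ignore information because ISAKMP-SA "`. The enclosing function continues outside this hunk.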
@@ -197,8 +196,7 @@
 		if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 				"ignore information because the "
-				"message is too short - %zu byte(s).\n",
-				(int)msg->l);
+				"message is too short - %zu byte(s).\n", msg->l);
 			goto end;
 		}
 
@@ -329,67 +327,6 @@
 	return error;
 }
 
-
-/*
- * log unhandled / unallowed Notification payload
- */
-int
-isakmp_log_notify(iph1, notify, exchange)
-	struct ph1handle *iph1;
-	struct isakmp_pl_n *notify;
-	const char *exchange;
-{
-	u_int type;
-	vchar_t *ndata;
-	char *nraw, *nhex;
-	size_t l;
-
-	type = ntohs(notify->type);
-	if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"invalid spi_size in %s notification in %s.\n",
-			s_isakmp_notify_msg(type), exchange);
-		return -1;
-	}
-
-	plog(LLV_ERROR, LOCATION, iph1->remote,
-		"notification %s received in %s.\n",
-		s_isakmp_notify_msg(type), exchange);
-
-	nraw = ((char*) notify) + sizeof(*notify) + notify->spi_size;
-	l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
-	if (l > 0) {
-		if (type >= ISAKMP_NTYPE_MINERROR &&
-		    type <= ISAKMP_NTYPE_MAXERROR) {
-			ndata = vmalloc(l);
-			if (ndata != NULL) {
-				memcpy(ndata->v, nraw, ndata->l);
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"error message: '%s'.\n",
-					binsanitize(ndata->v, ndata->l));
-				vfree(ndata);
-			} else {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"Cannot allocate memory\n");
-			}
-		} else {
-			nhex = val2str(nraw, l);
-			if (nhex != NULL) {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"notification payload: %s.\n",
-					nhex);
-				racoon_free(nhex);
-			} else {
-				plog(LLV_ERROR, LOCATION, iph1->remote,
-					"Cannot allocate memory\n");
-			}
-		}
-	}
-
-	return 0;
-}
-
-
 /*
  * handling of Notification payload
  */
@@ -401,8 +338,14 @@
 	int encrypted;
 {
 	u_int type;
+	vchar_t *pbuf;
+	vchar_t *ndata;
+	char *nraw;
+	size_t l;
+	char *spi;
 
 	type = ntohs(notify->type);
+
 	switch (type) {
 	case ISAKMP_NTYPE_CONNECTED:
 	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
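Review bot: `vchar_t *pbuf;` is declared at L4687 but none of the visible hunks of isakmp_info_recv_n use it; the other new locals (`ndata`, `nraw`, `l`, `spi`) are all consumed in the branches at L4759-L4795. If the rest of the body does not use `pbuf` either, drop the declaration so the function compiles without an unused-variable warning. The function's body is split across this hunk and the ones at L4698 and L4708.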
@@ -414,7 +357,8 @@
 		break;
 	case ISAKMP_NTYPE_INITIAL_CONTACT:
 		if (encrypted)
-			return isakmp_info_recv_initialcontact(iph1, NULL);
+			info_recv_initialcontact(iph1);
+			return 0;
 		break;
 #ifdef ENABLE_DPD
 	case ISAKMP_NTYPE_R_U_THERE:
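Review bot: The `return 0;` added at L4704 is not inside the `if (encrypted)` body — C attaches only the single statement at L4703 to the `if` — so the function returns 0 for every INITIAL-CONTACT, encrypted or not, and the `break` at L4705 is unreachable. The indentation suggests the intent was `if (encrypted) { info_recv_initialcontact(iph1); return 0; }` followed by the `break`, so that an unencrypted INITIAL-CONTACT still reaches the logging below the switch. Braces around the body make the intent explicit and stop the layout from misleading the next reader.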
@@ -428,23 +372,76 @@
 				(struct isakmp_pl_ru *)notify, msgid);
 		break;
 #endif
+	default:
+	    {
+		/* XXX there is a potential of dos attack. */
+		if(type >= ISAKMP_NTYPE_MINERROR &&
+		   type <= ISAKMP_NTYPE_MAXERROR) {
+			if (msgid == 0) {
+				/* don't think this realy deletes ph1 ? */
+				plog(LLV_ERROR, LOCATION, iph1->remote,
+					"delete phase1 handle.\n");
+				return -1;
+			} else {
+				if (getph2bymsgid(iph1, msgid) == NULL) {
+					plog(LLV_ERROR, LOCATION, iph1->remote,
+						"fatal %s notify messsage, "
+						"phase1 should be deleted.\n",
+						s_isakmp_notify_msg(type));
+				} else {
+					plog(LLV_ERROR, LOCATION, iph1->remote,
+						"fatal %s notify messsage, "
+						"phase2 should be deleted.\n",
+						s_isakmp_notify_msg(type));
+				}
+			}
+		} else {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"unhandled notify message %s, "
+				"no phase2 handle found.\n",
+				s_isakmp_notify_msg(type));
+		}
+	    }
+	    break;
 	}
 
-	/* If we receive a error notification we should delete the related
-	 * phase1 / phase2 handle, and send an event to racoonctl.
-	 * However, since phase1 error notifications are not encrypted and
-	 * can not be authenticated, it would allow a DoS attack possibility
-	 * to handle them.
-	 * Phase2 error notifications should be encrypted, so we could handle
-	 * those, but it needs implementing (the old code didn't implement
-	 * that either).
-	 * So we are good to just log the messages here.
-	 */
-	if (encrypted)
-		isakmp_log_notify(iph1, notify, "informational exchange");
-	else
-		isakmp_log_notify(iph1, notify, "unencrypted informational exchange");
+	/* get spi if specified and allocate */
+	if(notify->spi_size > 0) {
+		if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"invalid spi_size in notification payload.\n");
+			return -1;
+		}
+		spi = val2str((char *)(notify + 1), notify->spi_size);
+
+		plog(LLV_DEBUG, LOCATION, iph1->remote,
+			"notification message %d:%s, "
+			"doi=%d proto_id=%d spi=%s(size=%d).\n",
+			type, s_isakmp_notify_msg(type),
+			ntohl(notify->doi), notify->proto_id, spi, notify->spi_size);
+
+		racoon_free(spi);
+	}
 
+	/* Send the message data to the logs */
+	if(type >= ISAKMP_NTYPE_MINERROR &&
+	   type <= ISAKMP_NTYPE_MAXERROR) {
+		l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
+		if (l > 0) {
+			nraw = (char*)notify;	
+			nraw += sizeof(*notify) + notify->spi_size;
+			if ((ndata = vmalloc(l)) != NULL) {
+				memcpy(ndata->v, nraw, ndata->l);
+				plog(LLV_ERROR, LOCATION, iph1->remote,
+				    "Message: '%s'.\n", 
+				    binsanitize(ndata->v, ndata->l));
+				vfree(ndata);
+			} else {
+				plog(LLV_ERROR, LOCATION, iph1->remote,
+				    "Cannot allocate memory\n");
+			}
+		}
+	}
 	return 0;
 }
 
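Review bot: `spi = val2str(...)` at L4766 is passed straight to `plog` as a `%s` argument and then to `racoon_free` without a NULL check, whereas the removed isakmp_log_notify guarded the equivalent call at L4664. The `h.len` sanity check at L4761 also only runs when `spi_size > 0`, yet `l` at L4780 is derived from `h.len` in both cases; unless the caller already validates the payload length, a notify header shorter than `sizeof(*notify)` makes `l` underflow as a `size_t` before `vmalloc`/`memcpy`. Hoisting the length check out of the `spi_size` branch and checking `spi` keeps both paths bounded, as below. The log strings at L4725 and L4730 also spell "messsage" with three s's.
```c
	/* validate the payload length before deriving any offset from it */
	if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid spi_size in notification payload.\n");
		return -1;
	}

	/* get spi if specified and allocate */
	if (notify->spi_size > 0) {
		spi = val2str((char *)(notify + 1), notify->spi_size);
		if (spi == NULL) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"Cannot allocate memory\n");
			return -1;
		}
		/* … unchanged: debug plog of the notification, racoon_free(spi) … */
	}
	/* … unchanged: error-range message logging … */
```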
@@ -518,8 +515,10 @@
 		del_ph1=getph1byindex((isakmp_index *)(delete + 1));
 		if(del_ph1 != NULL){
 
-			evt_phase1(iph1, EVT_PHASE1_PEER_DELETED, NULL);
-			sched_cancel(&del_ph1->scr);
+			EVT_PUSH(del_ph1->local, del_ph1->remote,
+			EVTT_PEERPH1_NOPROP, NULL);
+			if (del_ph1->scr)
+				SCHED_KILL(del_ph1->scr);
 
 			/*
 			 * Do not delete IPsec SAs when receiving an IKE delete notification.
@@ -538,6 +537,8 @@
 				delete->spi_size, delete->proto_id);
 			return 0;
 		}
+		EVT_PUSH(iph1->local, iph1->remote, 
+		    EVTT_PEER_DELETE, NULL);
 		purge_ipsec_spi(iph1->remote, delete->proto_id,
 		    (u_int32_t *)(delete + 1), num_spi);
 		break;
@@ -640,7 +641,7 @@
 	 * don't send delete information if there is no phase 1 handler.
 	 * It's nonsensical to negotiate phase 1 to send the information.
 	 */
-	iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 
+	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
 	if (iph1 == NULL){
 		plog(LLV_DEBUG2, LOCATION, NULL,
 			 "No ph1 handler found, could not send DELETE_SA\n");
@@ -924,6 +925,7 @@
 		goto end;
 	}
 #endif
+	iph2->ph1 = iph1;
 	iph2->side = INITIATOR;
 	iph2->status = PHASE2ST_START;
 	iph2->msgid = isakmp_newmsgid2(iph1);
@@ -937,7 +939,7 @@
 		}
 
 		/* generate HASH(1) */
-		hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
+		hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
 		if (hash == NULL) {
 			delph2(iph2);
 			goto end;
@@ -1038,6 +1040,7 @@
 	return error;
 
 err:
+	unbindph12(iph2);
 	remph2(iph2);
 	delph2(iph2);
 	goto end;
@@ -1116,8 +1119,9 @@
 			s_ipsecdoi_proto(proto),
 			isakmp_pindex(&spi[i], 0));
 
+		SCHED_KILL(iph1->sce);
 		iph1->status = PHASE1ST_EXPIRED;
-		sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+		iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 	}
 }
 
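Review bot: `SCHED_KILL(iph1->sce)` at L4859 is invoked unconditionally, while the same macro is guarded with `if (del_ph1->scr)` at L4807 in this file and called unguarded again at L5014. I cannot see the macro definition from this diff; if it does not tolerate a NULL handle the unguarded uses need the same check, and if it does, the guard at L4807 is redundant — either way the three call sites should agree. The enclosing function starts outside this hunk.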
@@ -1207,11 +1211,6 @@
 			natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
 			if (extract_port(dst) == 0 && natt_port != NULL)
 				set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
-		}else{
-			/* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
-			 */
-			set_port(src, PORT_ISAKMP);
-			set_port(dst, PORT_ISAKMP);
 		}
 #endif
 		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
@@ -1226,15 +1225,6 @@
 			continue;
 		}
 
-#ifdef ENABLE_NATT
-		if (natt_type == NULL ||
-			! natt_type->sadb_x_nat_t_type_type) {
-			/* Set back port to 0 if it was forced to default UDP port
-			 */
-			set_port(src, 0);
-			set_port(dst, 0);
-		}
-#endif
 		for (i = 0; i < n; i++) {
 			plog(LLV_DEBUG, LOCATION, NULL,
 				"check spi(packet)=%u spi(db)=%u.\n",
@@ -1255,6 +1245,7 @@
 			iph2 = getph2bysaidx(src, dst, proto, spi[i]);
 			if(iph2 != NULL){
 				delete_spd(iph2, created);
+				unbindph12(iph2);
 				remph2(iph2);
 				delph2(iph2);
 			}
@@ -1273,17 +1264,15 @@
 }
 
 /*
- * delete all phase2 sa relatived to the destination address
- * (except the phase2 within which the INITIAL-CONTACT was received).
+ * delete all phase2 sa relatived to the destination address.
  * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore
  * an INITIAL-CONTACT if we have contacted the peer.  This matches the
  * Sun IKE behavior, and makes rekeying work much better when the peer
  * restarts.
  */
-int
-isakmp_info_recv_initialcontact(iph1, protectedph2)
+static void
+info_recv_initialcontact(iph1)
 	struct ph1handle *iph1;
-	struct ph2handle *protectedph2;
 {
 	vchar_t *buf = NULL;
 	struct sadb_msg *msg, *next, *end;
@@ -1296,10 +1285,8 @@
 	char *loc, *rem;
 #endif
 
-	plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n");
-
 	if (f_local)
-		return 0;
+		return;
 
 #if 0
 	loc = racoon_strdup(saddrwop2str(iph1->local));
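Review bot: Removing the `plog(LLV_INFO, ...)` at L4927 leaves info_recv_initialcontact with no operator-visible record that a peer sent INITIAL-CONTACT, even though the routine goes on to delete every phase-2 SA matching the peer (L4955-L4962). A single line before the `f_local` test, `plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n");`, keeps the resulting SA teardown attributable to the peer's restart when reading logs. The function's body continues outside this hunk.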
@@ -1348,7 +1335,7 @@
 
 	racoon_free(loc);
 	racoon_free(rem);
-	return 0;
+	return;
 
  the_hard_way:
 	racoon_free(loc);
@@ -1359,7 +1346,7 @@
 	if (buf == NULL) {
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"pfkey_dump_sadb returned nothing.\n");
-		return 0;
+		return;
 	}
 
 	msg = (struct sadb_msg *)buf->v;
@@ -1467,8 +1454,9 @@
 		 */
 		proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
 		iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-		if (iph2 && iph2 != protectedph2) {
+		if (iph2) {
 			delete_spd(iph2, 0);
+			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 		}
@@ -1477,7 +1465,43 @@
 	}
 
 	vfree(buf);
-	return 0;
+}
+
+void
+isakmp_check_notify(gen, iph1)
+	struct isakmp_gen *gen;		/* points to Notify payload */
+	struct ph1handle *iph1;
+{
+	struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen;
+
+	plog(LLV_DEBUG, LOCATION, iph1->remote,
+		"Notify Message received\n");
+
+	switch (ntohs(notify->type)) {
+	case ISAKMP_NTYPE_CONNECTED:
+	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
+	case ISAKMP_NTYPE_REPLAY_STATUS:
+	case ISAKMP_NTYPE_HEARTBEAT:
+#ifdef ENABLE_HYBRID
+	case ISAKMP_NTYPE_UNITY_HEARTBEAT:
+#endif
+		plog(LLV_WARNING, LOCATION, iph1->remote,
+			"ignore %s notification.\n",
+			s_isakmp_notify_msg(ntohs(notify->type)));
+		break;
+	case ISAKMP_NTYPE_INITIAL_CONTACT:
+		plog(LLV_WARNING, LOCATION, iph1->remote,
+			"ignore INITIAL-CONTACT notification, "
+			"because it is only accepted after phase1.\n");
+		break;
+	default:
+		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
+		plog(LLV_ERROR, LOCATION, iph1->remote,
+			"received unknown notification type %s.\n",
+			s_isakmp_notify_msg(ntohs(notify->type)));
+	}
+
+	return;
 }
 
 
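Review bot: isakmp_check_notify lacks the header comment every other function in this file carries, and its `default` branch replies with INVALID_PAYLOAD_TYPE to any notification type not listed — including the error range that isakmp_info_recv_n recognises at L4715 via ISAKMP_NTYPE_MINERROR..ISAKMP_NTYPE_MAXERROR — so a valid error notification from the peer is answered as if it were malformed. The INITIAL-CONTACT message "only accepted after phase1" is also reached from the quick-mode call sites at L5344, L5518 and L5536, where phase 1 is already complete; "only processed in an encrypted informational exchange" would match what isakmp_info_recv_n actually does at L4700-L4705. I would add a header comment along the lines of `/* Log a Notify payload found inside an identity or quick exchange; nothing here is acted upon. */` and handle the error range by logging it without sending a reply, as below.
```c
	switch (ntohs(notify->type)) {
	/* … unchanged: CONNECTED/RESPONDER_LIFETIME/REPLAY_STATUS/HEARTBEAT and INITIAL_CONTACT cases … */
	default:
		if (ntohs(notify->type) >= ISAKMP_NTYPE_MINERROR &&
		    ntohs(notify->type) <= ISAKMP_NTYPE_MAXERROR) {
			/* peer reports an error: record it, do not answer a notify with a notify */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"received %s error notification.\n",
				s_isakmp_notify_msg(ntohs(notify->type)));
			break;
		}
		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received unknown notification type %s.\n",
			s_isakmp_notify_msg(ntohs(notify->type)));
	}
```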
@@ -1560,7 +1584,8 @@
 	/* Useless ??? */
 	iph1->dpd_lastack = time(NULL);
 
-	sched_cancel(&iph1->dpd_r_u);
+	SCHED_KILL(iph1->dpd_r_u);
+
 	isakmp_sched_r_u(iph1, 0);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
@@ -1575,10 +1600,10 @@
  * send DPD R-U-THERE payload in Informational exchange.
  */
 static void
-isakmp_info_send_r_u(sc)
-	struct sched *sc;
+isakmp_info_send_r_u(arg)
+	void *arg;
 {
-	struct ph1handle *iph1 = container_of(sc, struct ph1handle, dpd_r_u);
+	struct ph1handle *iph1 = arg;
 
 	/* create R-U-THERE payload */
 	struct isakmp_pl_ru *ru;
@@ -1588,13 +1613,15 @@
 
 	plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n");
 
+	iph1->dpd_r_u=NULL;
+
 	if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
 
 		plog(LLV_INFO, LOCATION, iph1->remote,
 			"DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
 			isakmp_pindex(&iph1->index, 0));
 
-		evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
+		EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL);
 		purge_remote(iph1);
 
 		/* Do not reschedule here: phase1 is deleted,
@@ -1667,11 +1694,11 @@
 		return 0;
 
 	if(retry)
-		sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_retry,
-			       isakmp_info_send_r_u);
+		iph1->dpd_r_u = sched_new(iph1->rmconf->dpd_retry,
+								  isakmp_info_send_r_u, iph1);
 	else
-		sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_interval,
-			       isakmp_info_send_r_u);
+		iph1->dpd_r_u = sched_new(iph1->rmconf->dpd_interval,
+								  isakmp_info_send_r_u, iph1);
 
 	return 0;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.h,v 1.5 2008/07/14 05:40:13 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.h,v 1.5.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_inf.h,v 1.6 2005/05/07 14:15:59 manubsd Exp */
 
@@ -48,8 +48,7 @@
 extern vchar_t * isakmp_add_pl_n __P((vchar_t *, u_int8_t **, int,
 	struct saproto *, vchar_t *));
 
-extern int isakmp_log_notify __P((struct ph1handle *, struct isakmp_pl_n *, const char *exchange));
-extern int isakmp_info_recv_initialcontact __P((struct ph1handle *, struct ph2handle *));
+extern void isakmp_check_notify __P((struct isakmp_gen *, struct ph1handle *));
 
 #ifdef ENABLE_DPD
 extern int isakmp_sched_r_u __P((struct ph1handle *, int));
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.c,v 1.22 2008/10/09 15:53:12 tteras Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.22.2.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
 
@@ -53,6 +53,9 @@
 #  include <time.h>
 # endif
 #endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
 
 #include PATH_IPSEC_H
 
@@ -84,47 +87,10 @@
 #include "admin.h"
 #include "strnames.h"
 
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-
 /* quick mode */
 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
 static int get_sainfo_r __P((struct ph2handle *));
 static int get_proposal_r __P((struct ph2handle *));
-static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
-static void quick_timeover_stub __P((struct sched *));
-static void quick_timeover __P((struct ph2handle *));
-
-/* called from scheduler */
-static void
-quick_timeover_stub(p)
-	struct sched *p;
-{
-	quick_timeover(container_of(p, struct ph2handle, sce));
-}
-
-static void
-quick_timeover(iph2)
-	struct ph2handle *iph2;
-{
-	plog(LLV_ERROR, LOCATION, NULL,
-		"%s give up to get IPsec-SA due to time up to wait.\n",
-		saddrwop2str(iph2->dst));
-
-	/* If initiator side, send error to kernel by SADB_ACQUIRE. */
-	if (iph2->side == INITIATOR)
-		pk_sendeacquire(iph2);
-
-	remph2(iph2);
-	delph2(iph2);
-}
 
 /* %%%
  * Quick Mode
@@ -165,8 +131,8 @@
 
 	plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
 
-	sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
-		       quick_timeover_stub);
+	iph2->sce = sched_new(lcconf->wait_ph2complete,
+		pfkey_timeover_stub, iph2);
 
 	error = 0;
 
@@ -176,7 +142,7 @@
 
 /*
  * send to responder
- * 	HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
+ * 	HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
  */
 int
 quick_i1send(iph2, msg)
@@ -189,14 +155,9 @@
 	char *p;
 	int tlen;
 	int error = ISAKMP_INTERNAL_ERROR;
-	int natoa = ISAKMP_NPTYPE_NONE;
 	int pfsgroup, idci, idcr;
 	int np;
 	struct ipsecdoi_id_b *id, *id_p;
-#ifdef ENABLE_NATT
-	vchar_t *nat_oai = NULL;
-	vchar_t *nat_oar = NULL;
-#endif
 
 	/* validity check */
 	if (msg != NULL) {
@@ -267,35 +228,6 @@
 	} else
 		idci = idcr = 1;
 
-#ifdef ENABLE_NATT
-	/*
-	 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
-	 * we should send NAT-OA
-	 */
-	if (ipsecdoi_transportmode(iph2->proposal)
-	 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
-		natoa = iph2->ph1->natt_options->payload_nat_oa;
-
-		nat_oai = ipsecdoi_sockaddr2id(iph2->src,
-			IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
-		nat_oar = ipsecdoi_sockaddr2id(iph2->dst,
-			IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
-
-		if (nat_oai == NULL || nat_oar == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to generate NAT-OA payload.\n");
-			goto end;
-		}
-
-		plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
-		plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
-		plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
-		plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
-	} else {
-		natoa = ISAKMP_NPTYPE_NONE;
-	}
-#endif
-
 	/* create SA;NONCE payload, and KE if need, and IDii, IDir. */
 	tlen = + sizeof(*gen) + iph2->sa->l
 		+ sizeof(*gen) + iph2->nonce->l;
@@ -305,10 +237,6 @@
 		tlen += sizeof(*gen) + iph2->id->l;
 	if (idcr)
 		tlen += sizeof(*gen) + iph2->id_p->l;
-#ifdef ENABLE_NATT
-	if (natoa != ISAKMP_NPTYPE_NONE)
-		tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
-#endif
 
 	body = vmalloc(tlen);
 	if (body == NULL) {
@@ -328,30 +256,22 @@
 	else if (idci || idcr)
 		np = ISAKMP_NPTYPE_ID;
 	else
-		np = natoa;
+		np = ISAKMP_NPTYPE_NONE;
 	p = set_isakmp_payload(p, iph2->nonce, np);
 
 	/* add KE payload if need. */
-	np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa;
+	np = (idci || idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
 	if (pfsgroup)
 		p = set_isakmp_payload(p, iph2->dhpub, np);
 
 	/* IDci */
-	np = (idcr) ? ISAKMP_NPTYPE_ID : natoa;
+	np = (idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
 	if (idci)
 		p = set_isakmp_payload(p, iph2->id, np);
 
 	/* IDcr */
 	if (idcr)
-		p = set_isakmp_payload(p, iph2->id_p, natoa);
-
-#ifdef ENABLE_NATT
-	/* NAT-OA */
-	if (natoa != ISAKMP_NPTYPE_NONE) {
-		p = set_isakmp_payload(p, nat_oai, natoa);
-		p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
-	}
-#endif
+		p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_NONE);
 
 	/* generate HASH(1) */
 	hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
@@ -378,19 +298,13 @@
 		vfree(body);
 	if (hash != NULL)
 		vfree(hash);
-#ifdef ENABLE_NATT
-	if (nat_oai != NULL)
-		vfree(nat_oai);
-	if (nat_oar != NULL)
-		vfree(nat_oar);
-#endif
 
 	return error;
 }
 
 /*
  * receive from responder
- * 	HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
+ * 	HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
  */
 int
 quick_i2recv(iph2, msg0)
@@ -400,11 +314,10 @@
 	vchar_t *msg = NULL;
 	vchar_t *hbuf = NULL;	/* for hash computing. */
 	vchar_t *pbuf = NULL;	/* for payload parsing */
-	vchar_t *idci = NULL;
-	vchar_t *idcr = NULL;
 	struct isakmp_parse_t *pa;
 	struct isakmp *isakmp = (struct isakmp *)msg0->v;
 	struct isakmp_pl_hash *hash = NULL;
+	int f_id;
 	char *p;
 	int tlen;
 	int error = ISAKMP_INTERNAL_ERROR;
@@ -478,6 +391,7 @@
 	 * copy non-HASH payloads into hbuf, so that we can validate HASH.
 	 */
 	iph2->sa_ret = NULL;
+	f_id = 0;	/* flag to use checking ID */
 	tlen = 0;	/* count payload length except of HASH payload. */
 	for (; pa->type; pa++) {
 
@@ -508,56 +422,37 @@
 			break;
 
 		case ISAKMP_NPTYPE_ID:
-			if (idci == NULL) {
-				if (isakmp_p2ph(&idci, pa->ptr) < 0)
-					goto end;
-			} else if (idcr == NULL) {
-				if (isakmp_p2ph(&idcr, pa->ptr) < 0)
-					goto end;
+		    {
+			vchar_t *vp;
+
+			/* check ID value */
+			if (f_id == 0) {
+				/* for IDci */
+				f_id = 1;
+				vp = iph2->id;
 			} else {
+				/* for IDcr */
+				vp = iph2->id_p;
+			}
+
+			if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) {
+
+				plog(LLV_ERROR, LOCATION, NULL,
+					"mismatched ID was returned.\n");
+				error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
 				goto end;
 			}
+		    }
 			break;
 
 		case ISAKMP_NPTYPE_N:
-			ph2_recv_n(iph2, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph2->ph1);
 			break;
 
 #ifdef ENABLE_NATT
 		case ISAKMP_NPTYPE_NATOA_DRAFT:
 		case ISAKMP_NPTYPE_NATOA_RFC:
-		    {
-			struct sockaddr_storage addr;
-			struct sockaddr *daddr;
-			u_int8_t prefix;
-			u_int16_t ul_proto;
-			vchar_t *vp = NULL;
-
-			if (isakmp_p2ph(&vp, pa->ptr) < 0)
-				goto end;
-
-			error = ipsecdoi_id2sockaddr(vp,
-					(struct sockaddr *) &addr,
-					&prefix, &ul_proto);
-
-			vfree(vp);
-
-			if (error)
-				goto end;
-
-			daddr = dupsaddr((struct sockaddr *) &addr);
-			if (daddr == NULL)
-				goto end;
-
-			if (iph2->natoa_src == NULL)
-				iph2->natoa_src = daddr;
-			else if (iph2->natoa_dst == NULL)
-				iph2->natoa_dst = daddr;
-			else {
-				racoon_free(daddr);
-				goto end;
-			}
-		    }
+			/* Ignore original source/destination messages */
 			break;
 #endif
 
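Review bot: The `memcmp` at L5332 reads `vp->l` bytes from the received ID payload without first checking that the payload is that long, so a shorter ID from the peer makes the comparison read past the payload; the removed code went through `isakmp_p2ph`, which copied by the payload's own length. Assuming `pa->len` is the full payload length including the generic header, as its use with `vmalloc(pa->len)` at L5519 suggests, the test should be `if (vp == NULL || pa->len != sizeof(struct isakmp_gen) + vp->l || memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l))`, which also rejects an ID that merely starts with the expected bytes. The `vp == NULL` part covers the case where no ID was proposed (`iph2->id` / `iph2->id_p` unset) but the peer returns one anyway; whether `pa->len` matches that assumption is worth confirming. Note also that a third ID payload is no longer rejected, since `f_id` only distinguishes the first from every subsequent one. The enclosing quick_i2recv starts and ends outside this hunk.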
@@ -583,98 +478,6 @@
 		goto end;
 	}
 
-	/* identity check */
-	if (idci != NULL) {
-		struct sockaddr_storage proposed_addr, got_addr;
-		u_int8_t proposed_prefix, got_prefix;
-		u_int16_t proposed_ulproto, got_ulproto;
-
-		error = ipsecdoi_id2sockaddr(iph2->id,
-					(struct sockaddr *) &proposed_addr,
-					&proposed_prefix, &proposed_ulproto);
-		if (error)
-			goto end;
-
-		error = ipsecdoi_id2sockaddr(idci,
-					(struct sockaddr *) &got_addr,
-					&got_prefix, &got_ulproto);
-		if (error)
-			goto end;
-
-		if (proposed_prefix != got_prefix
-		 || proposed_ulproto != got_ulproto) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDci prefix/ulproto does not match proposal.\n");
-			error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
-			goto end;
-		}
-
-		if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-				   (struct sockaddr *) &got_addr) == 0) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDci matches proposal.\n");
-#ifdef ENABLE_NATT
-		} else if (iph2->natoa_src != NULL
-			&& cmpsaddrwop(iph2->natoa_src,
-				       (struct sockaddr *) &got_addr) == 0
-			&& extract_port((struct sockaddr *) &proposed_addr) ==
-			   extract_port((struct sockaddr *) &got_addr)) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDci matches NAT-OAi.\n");
-#endif
-		} else {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"mismatched IDci was returned.\n");
-			error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
-			goto end;
-		}
-	}
-	if (idcr != NULL) {
-		struct sockaddr_storage proposed_addr, got_addr;
-		u_int8_t proposed_prefix, got_prefix;
-		u_int16_t proposed_ulproto, got_ulproto;
-
-		error = ipsecdoi_id2sockaddr(iph2->id_p,
-					(struct sockaddr *) &proposed_addr,
-					&proposed_prefix, &proposed_ulproto);
-		if (error)
-			goto end;
-
-		error = ipsecdoi_id2sockaddr(idcr,
-					(struct sockaddr *) &got_addr,
-					&got_prefix, &got_ulproto);
-		if (error)
-			goto end;
-
-		if (proposed_prefix != got_prefix
-		 || proposed_ulproto != got_ulproto) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDcr prefix/ulproto does not match proposal.\n");
-			error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
-			goto end;
-		}
-
-		if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-				   (struct sockaddr *) &got_addr) == 0) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDcr matches proposal.\n");
-#ifdef ENABLE_NATT
-		} else if (iph2->natoa_dst != NULL
-			&& cmpsaddrwop(iph2->natoa_dst,
-				       (struct sockaddr *) &got_addr) == 0
-			&& extract_port((struct sockaddr *) &proposed_addr) ==
-			   extract_port((struct sockaddr *) &got_addr)) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"IDcr matches NAT-OAr.\n");
-#endif
-		} else {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"mismatched IDcr was returned.\n");
-			error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
-			goto end;
-		}
-	}
-
 	/* Fixed buffer for calculating HASH */
 	memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
 	plog(LLV_DEBUG, LOCATION, NULL,
@@ -727,10 +530,6 @@
 		vfree(pbuf);
 	if (msg)
 		vfree(msg);
-	if (idci)
-		vfree(idci);
-	if (idcr)
-		vfree(idcr);
 
 	if (error) {
 		VPTRINIT(iph2->sa_ret);
@@ -738,16 +537,6 @@
 		VPTRINIT(iph2->dhpub_p);
 		VPTRINIT(iph2->id);
 		VPTRINIT(iph2->id_p);
-#ifdef ENABLE_NATT
-		if (iph2->natoa_src) {
-			racoon_free(iph2->natoa_src);
-			iph2->natoa_src = NULL;
-		}
-		if (iph2->natoa_dst) {
-			racoon_free(iph2->natoa_dst);
-			iph2->natoa_dst = NULL;
-		}
-#endif
 	}
 
 	return error;
@@ -944,7 +733,7 @@
 				    "Ignoring multiples notifications\n");
 				break;
 			}
-			ph2_recv_n(iph2, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph2->ph1);
 			notify = vmalloc(pa->len);
 			if (notify == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL,
@@ -1037,7 +826,7 @@
 
 /*
  * receive from initiator
- * 	HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
+ * 	HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
  */
 int
 quick_r1recv(iph2, msg0)
@@ -1200,44 +989,13 @@
 			break;
 
 		case ISAKMP_NPTYPE_N:
-			ph2_recv_n(iph2, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph2->ph1);
 			break;
 
 #ifdef ENABLE_NATT
 		case ISAKMP_NPTYPE_NATOA_DRAFT:
 		case ISAKMP_NPTYPE_NATOA_RFC:
-		    {
-			struct sockaddr_storage addr;
-			struct sockaddr *daddr;
-			u_int8_t prefix;
-			u_int16_t ul_proto;
-			vchar_t *vp = NULL;
-
-			if (isakmp_p2ph(&vp, pa->ptr) < 0)
-				goto end;
-
-			error = ipsecdoi_id2sockaddr(vp,
-					(struct sockaddr *) &addr,
-					&prefix, &ul_proto);
-
-			vfree(vp);
-
-			if (error)
-				goto end;
-
-			daddr = dupsaddr((struct sockaddr *) &addr);
-			if (daddr == NULL)
-				goto end;
-
-			if (iph2->natoa_dst == NULL)
-				iph2->natoa_dst = daddr;
-			else if (iph2->natoa_src == NULL)
-				iph2->natoa_src = daddr;
-			else {
-				racoon_free(daddr);
-				goto end;
-			}
-		    }
+			/* Ignore original source/destination messages */
 			break;
 #endif
 
@@ -1320,8 +1078,7 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to generate a proposal template "
 				"from client's proposal.\n");
-			error = ISAKMP_INTERNAL_ERROR;
-			goto end;
+			return ISAKMP_INTERNAL_ERROR;
 		}
 		/*FALLTHROUGH*/
 	case 0:
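Review bot: `return ISAKMP_INTERNAL_ERROR;` leaves the function directly instead of going through its cleanup, whereas the `goto end` it replaces would have reached the `end:` block; if that block frees locals such as `pbuf`/`msg` (as the cleanup at the top of this diff does for the sibling function), this path now leaks them, and it also appears to skip the `VPTRINIT` resets that the following hunk shows under `if (error)`. Keeping the error path uniform avoids that: `error = ISAKMP_INTERNAL_ERROR; goto end;`. quick_r1recv's body, including its `end:` label, lies outside this hunk.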
@@ -1376,16 +1133,6 @@
 		VPTRINIT(iph2->dhpub_p);
 		VPTRINIT(iph2->id);
 		VPTRINIT(iph2->id_p);
-#ifdef ENABLE_NATT
-		if (iph2->natoa_src) {
-			racoon_free(iph2->natoa_src);
-			iph2->natoa_src = NULL;
-		}
-		if (iph2->natoa_dst) {
-			racoon_free(iph2->natoa_dst);
-			iph2->natoa_dst = NULL;
-		}
-#endif
 	}
 
 	return error;
@@ -1416,8 +1163,8 @@
 
 	plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
 
-	sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
-		       quick_timeover_stub);
+	iph2->sce = sched_new(lcconf->wait_ph2complete,
+		pfkey_timeover_stub, iph2);
 
 	error = 0;
 
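Review bot: The return value of `sched_new(lcconf->wait_ph2complete, pfkey_timeover_stub, iph2)` is stored into `iph2->sce` without a NULL check; if the scheduler cannot allocate the entry, the phase-2 handle never gets its time-out and lingers until something else removes it. The same unchecked `sched_new` appears in the xauth throttling hunk (`sched_new(throttle_delay, xauth_reply_stub, xra);`, where `xra` would additionally leak) and in both nattraversal.c keepalive hunks, where a failure silently stops keepalives for good. Suggested guard here, before `error = 0;`: `if (iph2->sce == NULL) goto end;`, assuming the enclosing function's `end:` label — outside this hunk — performs the cleanup.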
@@ -1427,7 +1174,7 @@
 
 /*
  * send to initiator
- * 	HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
+ * 	HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
  */
 int
 quick_r2send(iph2, msg)
@@ -1440,13 +1187,8 @@
 	char *p;
 	int tlen;
 	int error = ISAKMP_INTERNAL_ERROR;
-	int natoa = ISAKMP_NPTYPE_NONE;
 	int pfsgroup;
 	u_int8_t *np_p = NULL;
-#ifdef ENABLE_NATT
-	vchar_t *nat_oai = NULL;
-	vchar_t *nat_oar = NULL;
-#endif
 
 	/* validity check */
 	if (msg != NULL) {
@@ -1487,33 +1229,6 @@
 		}
 	}
 
-#ifdef ENABLE_NATT
-	/*
-	 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
-	 * we should send NAT-OA
-	 */
-	if (ipsecdoi_transportmode(iph2->proposal)
-	 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
-		natoa = iph2->ph1->natt_options->payload_nat_oa;
-
-		nat_oai = ipsecdoi_sockaddr2id(iph2->dst,
-			IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
-		nat_oar = ipsecdoi_sockaddr2id(iph2->src,
-			IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
-
-		if (nat_oai == NULL || nat_oar == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to generate NAT-OA payload.\n");
-			goto end;
-		}
-
-		plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
-		plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
-		plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
-		plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
-	}
-#endif
-
 	/* create SA;NONCE payload, and KE and ID if need */
 	tlen = sizeof(*gen) + iph2->sa_ret->l
 		+ sizeof(*gen) + iph2->nonce->l;
@@ -1522,10 +1237,6 @@
 	if (iph2->id_p != NULL)
 		tlen += (sizeof(*gen) + iph2->id_p->l
 			+ sizeof(*gen) + iph2->id->l);
-#ifdef ENABLE_NATT
-	if (natoa != ISAKMP_NPTYPE_NONE)
-		tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
-#endif
 
 	body = vmalloc(tlen);
 	if (body == NULL) { 
@@ -1545,14 +1256,14 @@
 				? ISAKMP_NPTYPE_KE
 				: (iph2->id_p != NULL
 					? ISAKMP_NPTYPE_ID
-					: natoa));
+					: ISAKMP_NPTYPE_NONE));
 
 	/* add KE payload if need. */
 	if (iph2->dhpub_p != NULL && pfsgroup != 0) {
 		np_p = &((struct isakmp_gen *)p)->np;	/* XXX */
 		p = set_isakmp_payload(p, iph2->dhpub,
 			(iph2->id_p == NULL)
-				? natoa
+				? ISAKMP_NPTYPE_NONE
 				: ISAKMP_NPTYPE_ID);
 	}
 
@@ -1562,17 +1273,9 @@
 		p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
 		/* IDcr */
 		np_p = &((struct isakmp_gen *)p)->np;	/* XXX */
-		p = set_isakmp_payload(p, iph2->id, natoa);
+		p = set_isakmp_payload(p, iph2->id, ISAKMP_NPTYPE_NONE);
 	}
 
-#ifdef ENABLE_NATT
-	/* NAT-OA */
-	if (natoa != ISAKMP_NPTYPE_NONE) {
-		p = set_isakmp_payload(p, nat_oai, natoa);
-		p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
-	}
-#endif
-
 	/* add a RESPONDER-LIFETIME notify payload if needed */
     {
 	vchar_t *data = NULL;
@@ -1666,12 +1369,6 @@
 		vfree(body);
 	if (hash != NULL)
 		vfree(hash);
-#ifdef ENABLE_NATT
-	if (nat_oai != NULL)
-		vfree(nat_oai);
-	if (nat_oar != NULL)
-		vfree(nat_oar);
-#endif
 
 	return error;
 }
@@ -1679,7 +1376,6 @@
 /*
  * receive from initiator
  * 	HDR*, HASH(3)
-
  */
 int
 quick_r3recv(iph2, msg0)
@@ -1723,7 +1419,7 @@
 			hash = (struct isakmp_pl_hash *)pa->ptr;
 			break;
 		case ISAKMP_NPTYPE_N:
-			ph2_recv_n(iph2, pa->ptr);
+			isakmp_check_notify(pa->ptr, iph2->ph1);
 			break;
 		default:
 			/* don't send information, see ident_r1recv() */
@@ -2104,11 +1800,25 @@
 get_sainfo_r(iph2)
 	struct ph2handle *iph2;
 {
-	vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL;
+	vchar_t *idsrc = NULL, *iddst = NULL;
+	int prefixlen;
 	int error = ISAKMP_INTERNAL_ERROR;
+	int remoteid = 0;
 
 	if (iph2->id == NULL) {
-		idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
+		switch (iph2->src->sa_family) {
+		case AF_INET:
+			prefixlen = sizeof(struct in_addr) << 3;
+			break;
+		case AF_INET6:
+			prefixlen = sizeof(struct in6_addr) << 3;
+			break;
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+				"invalid family: %d\n", iph2->src->sa_family);
+			goto end;
+		}
+		idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
 					IPSEC_ULPROTO_ANY);
 	} else {
 		idsrc = vdup(iph2->id);
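Review bot: The family-to-prefix-length switch added here is duplicated verbatim for `iph2->dst` in the next hunk, and the two copies must be kept in sync (they also share the `"invalid family: %d\n"` message). Factoring it into a small static helper removes the duplication and keeps the error handling in one place; the rewritten selection below shows the shape, with a negative result taking the existing `goto end`. get_sainfo_r continues outside this hunk.
```c
/* Host prefix length, in bits, for the address family of sa; -1 if unsupported. */
static int
sa_family_prefixlen(sa)
	struct sockaddr *sa;
{
	switch (sa->sa_family) {
	case AF_INET:
		return sizeof(struct in_addr) << 3;
	case AF_INET6:
		return sizeof(struct in6_addr) << 3;
	default:
		return -1;
	}
}

	/* … unchanged: idsrc/iddst/error/remoteid declarations … */
	if (iph2->id == NULL) {
		prefixlen = sa_family_prefixlen(iph2->src);
		if (prefixlen < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid family: %d\n", iph2->src->sa_family);
			goto end;
		}
		idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
					IPSEC_ULPROTO_ANY);
```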
@@ -2120,7 +1830,19 @@
 	}
 
 	if (iph2->id_p == NULL) {
-		iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
+		switch (iph2->dst->sa_family) {
+		case AF_INET:
+			prefixlen = sizeof(struct in_addr) << 3;
+			break;
+		case AF_INET6:
+			prefixlen = sizeof(struct in6_addr) << 3;
+			break;
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+				"invalid family: %d\n", iph2->dst->sa_family);
+			goto end;
+		}
+		iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
 					IPSEC_ULPROTO_ANY);
 	} else {
 		iddst = vdup(iph2->id_p);
@@ -2131,34 +1853,19 @@
 		goto end;
 	}
 
-#ifdef ENABLE_HYBRID
-
-	/* clientaddr check : obtain modecfg address */
-	if (iph2->ph1->mode_cfg != NULL) {
-		if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
-		    (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
-			struct sockaddr saddr;
-			saddr.sa_family = AF_INET;
-#ifndef __linux__
-			saddr.sa_len = sizeof(struct sockaddr_in);
-#endif
-			((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
-			memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, 
-				&iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
-			client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
+	{
+		struct remoteconf *conf;
+		conf = getrmconf(iph2->dst);
+		if (conf != NULL)
+			remoteid=conf->ph1id;
+		else{
+			plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
+			remoteid=0;
 		}
+		
 	}
 
-	/* clientaddr check, fallback to peer address */
-	if (client == NULL)
-	{
-		client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
-					IPSEC_ULPROTO_ANY);
-	}
-#endif
-
-	/* obtain a matching sainfo section */
-	iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id);
+	iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, remoteid);
 	if (iph2->sainfo == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get sainfo.\n");
@@ -2181,8 +1888,6 @@
 		vfree(idsrc);
 	if (iddst)
 		vfree(iddst);
-	if (client)
-		vfree(client);
 
 	return error;
 }
@@ -2334,13 +2039,8 @@
 				    "buffer allocation failed.\n");
 				return ISAKMP_INTERNAL_ERROR;
 			}
-		} else {
-			plog(LLV_DEBUG, LOCATION, NULL,
-			     "Family (%d - %d) or types (%d - %d) of ID"
-			     "from initiator differ.\n",
-			     spidx.src.ss_family, spidx.dst.ss_family,
-			     _XIDT(iph2->id_p),idi2type);
 		}
+
 	} else {
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"get a source address of SP index "
@@ -2485,71 +2185,3 @@
 	return 0;
 }
 
-/*
- * handle a notification payload inside phase2 exchange.
- * phase2 is always encrypted, so it does not need to be checked
- * for explicitely.
- */
-static int
-ph2_recv_n(iph2, gen)
-	struct ph2handle *iph2;
-	struct isakmp_gen *gen;
-{
-	struct ph1handle *iph1 = iph2->ph1;
-	struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
-	u_int type;
-	int check_level;
-
-	type = ntohs(notify->type);
-	switch (type) {
-	case ISAKMP_NTYPE_CONNECTED:
-		break;
-	case ISAKMP_NTYPE_INITIAL_CONTACT:
-		return isakmp_info_recv_initialcontact(iph1, iph2);
-	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
-		ipsecdoi_parse_responder_lifetime(notify,
-			&iph2->lifetime_secs, &iph2->lifetime_kb);
-
-		if (iph1 != NULL && iph1->rmconf != NULL) {
-			check_level = iph1->rmconf->pcheck_level;
-		} else {
-			if (iph1 != NULL)
-				plog(LLV_DEBUG, LOCATION, NULL,
-					"No phase1 rmconf found !\n");
-			else
-				plog(LLV_DEBUG, LOCATION, NULL,
-					"No phase1 found !\n");
-			check_level = PROP_CHECK_EXACT;
-		}
-
-		switch (check_level) {
-		case PROP_CHECK_OBEY:
-			break;
-		case PROP_CHECK_STRICT:
-		case PROP_CHECK_CLAIM:
-			if (iph2->sainfo == NULL
-			 || iph2->sainfo->lifetime <= iph2->lifetime_secs) {
-				plog(LLV_WARNING, LOCATION, NULL,
-					"RESPONDER-LIFETIME: lifetime mismatch\n");
-				iph2->lifetime_secs = 0;
-			}
-			break;
-		case PROP_CHECK_EXACT:
-			if (iph2->sainfo == NULL
-			 || iph2->sainfo->lifetime != iph2->lifetime_secs) {
-				plog(LLV_WARNING, LOCATION, NULL,
-					"RESPONDER-LIFETIME: lifetime mismatch\n");
-				iph2->lifetime_secs = 0;
-			}
-			break;
-		}
-		break;
-	default:
-		isakmp_log_notify(iph2->ph1, notify, "phase2 exchange");
-		isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE,
-			NULL);
-		break;
-	}
-	return 0;
-}
-
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.9 2007/10/19 03:37:19 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.9.12.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -305,41 +305,32 @@
 	struct unity_network * network;
 	int *count;
 {
-	struct unity_netentry * nentry;
-
-	/*
-	 * search for network in current list
-	 * to avoid adding duplicates
-	 */
-	for (nentry = *list; nentry != NULL; nentry = nentry->next)
-		if (memcmp(&nentry->network, network,
-			   sizeof(struct unity_network)) == 0)
-			return 0;	/* it's a dupe */
+	struct unity_netentry * newentry;
 
 	/*
 	 * allocate new netentry and copy
-	 * new splitnet network data
+         * new splitnet network data
 	 */
-	nentry = (struct unity_netentry *)
+	newentry = (struct unity_netentry *)
 		racoon_malloc(sizeof(struct unity_netentry));
-	if (nentry == NULL)
+	if (newentry == NULL)
 		return -1;
 
-	memcpy(&nentry->network,network,
+	memcpy(&newentry->network,network,
 		sizeof(struct unity_network));
-	nentry->next = NULL;
+	newentry->next = NULL;
 
 	/*
 	 * locate the last netentry in our
 	 * splitnet list and add our entry
 	 */
 	if (*list == NULL)
-		*list = nentry;
+		*list = newentry;
 	else {
 		struct unity_netentry * tmpentry = *list;
 		while (tmpentry->next != NULL)
 			tmpentry = tmpentry->next;
-		tmpentry->next = nentry;
+		tmpentry->next = newentry;
 	}
 
 	(*count)++;
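Review bot: splitnet_list_add no longer checks whether `network` is already in `*list`, so every call appends a fresh entry and bumps `*count` even for a network seen before; if a peer repeats the same split-network entries across replies, the list and count grow with each reply. Either the callers must guarantee uniqueness, or the function should document that duplicates are accepted, e.g. `/* Appends unconditionally; callers are responsible for de-duplicating. */` above the allocation. Also, the comment line `* new splitnet network data` is now indented with spaces while its neighbours use tabs, and the cast on `racoon_malloc` is unnecessary if it returns `void *`. The function's signature starts outside the hunk.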
@@ -363,9 +354,8 @@
 	}
 }
 
-char * splitnet_list_2str(list, splitnet_ipaddr)
+char * splitnet_list_2str(list)
 	struct unity_netentry * list;
-	enum splinet_ipaddr splitnet_ipaddr;
 {
 	struct unity_netentry * netentry;
 	char tmp1[40];
@@ -399,17 +389,8 @@
 
 		inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
 		inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
-		if (splitnet_ipaddr == CIDR) {
-			uint32_t tmp3;
-			int cidrmask;
 
-			tmp3 = ntohl(netentry->network.mask4.s_addr);
-			for (cidrmask = 0; tmp3 != 0; cidrmask++)
-				tmp3 <<= 1;
-			len += sprintf(str+len, "%s/%d ", tmp1, cidrmask);
-		} else {
-			len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
-		}
+		len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
 
 		netentry = netentry->next;
 	}
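Review bot: `len += sprintf(str+len, "%s/%s ", tmp1, tmp2);` writes into `str` without a bound, so the safety of the loop depends entirely on `str` having been sized for every entry at the maximum formatted width — that allocation is outside the hunk. Prefer a bounded write that tracks the remaining space, e.g. `len += snprintf(str + len, size - len, "%s/%s ", tmp1, tmp2);` with `size` the buffer length, and check the two `inet_ntop` results for NULL before formatting. splitnet_list_2str's allocation and return lie outside the hunk.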
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.h,v 1.5 2007/10/19 03:37:19 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.h,v 1.5.12.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /*	$KAME$ */
 
@@ -31,8 +31,6 @@
  * SUCH DAMAGE.
  */
 
-enum splinet_ipaddr { NETMASK, CIDR }; 
-
 /* ISAKMP notifies specific to the Unity vendor Id */
 /* Sent during xauth if the user types his password too slowly */
 #define ISAKMP_NTYPE_UNITY_HEARTBEAT	40500
@@ -68,7 +66,7 @@
 
 int	splitnet_list_add(struct unity_netentry **, struct unity_network *, int *);
 void	splitnet_list_free(struct unity_netentry *, int *);
-char *	splitnet_list_2str(struct unity_netentry *, enum splinet_ipaddr);
+char *	splitnet_list_2str(struct unity_netentry *);
 
 vchar_t *isakmp_unity_req(struct ph1handle *, struct isakmp_data *);
 void isakmp_unity_reply(struct ph1handle *, struct isakmp_data *);
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_var.h,v 1.12 2008/10/27 06:14:04 tteras Exp $	*/
+/*	$NetBSD: isakmp_var.h,v 1.12.2.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
 
@@ -35,7 +35,6 @@
 #define _ISAKMP_VAR_H
 
 #include "vmbuf.h"
-#include "policy.h"
 
 #define PORT_ISAKMP 500
 #define PORT_ISAKMP_NATT 4500
@@ -57,13 +56,14 @@
 struct ph1handle;
 struct ph2handle;
 struct remoteconf;
+struct isakmp_gen;
 struct ipsecdoi_pl_id;	/* XXX */
 struct isakmp_pl_ke;	/* XXX */
 struct isakmp_pl_nonce;	/* XXX */
 
 extern int isakmp_handler __P((int));
-extern struct ph1handle *isakmp_ph1begin_i __P((struct remoteconf *,
-	struct sockaddr *, struct sockaddr *));
+extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *,
+	struct sockaddr *));
 
 extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
 extern vchar_t *isakmp_parse __P((vchar_t *));
@@ -74,25 +74,22 @@
 extern void isakmp_close __P((void));
 extern int isakmp_send __P((struct ph1handle *, vchar_t *));
 
-extern void isakmp_ph1resend_stub __P((struct sched *));
+extern void isakmp_ph1resend_stub __P((void *));
 extern int isakmp_ph1resend __P((struct ph1handle *));
-extern void isakmp_ph2resend_stub __P((struct sched *));
+extern void isakmp_ph2resend_stub __P((void *));
 extern int isakmp_ph2resend __P((struct ph2handle *));
-extern void isakmp_ph1dying_stub __P((struct sched *));
-extern void isakmp_ph1dying __P((struct ph1handle *));
-extern void isakmp_ph1expire_stub __P((struct sched *));
+extern void isakmp_ph1expire_stub __P((void *));
 extern void isakmp_ph1expire __P((struct ph1handle *));
-extern void isakmp_ph1delete_stub __P((struct sched *));
+extern void isakmp_ph1delete_stub __P((void *));
 extern void isakmp_ph1delete __P((struct ph1handle *));
-extern void isakmp_ph2expire_stub __P((struct sched *));
+extern void isakmp_ph2expire_stub __P((void *));
 extern void isakmp_ph2expire __P((struct ph2handle *));
-extern void isakmp_ph2delete_stub __P((struct sched *));
+extern void isakmp_ph2delete_stub __P((void *));
 extern void isakmp_ph2delete __P((struct ph2handle *));
 
-extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
 extern int isakmp_post_acquire __P((struct ph2handle *));
 extern int isakmp_post_getspi __P((struct ph2handle *));
-extern void isakmp_chkph1there_stub __P((struct sched *));
+extern void isakmp_chkph1there_stub __P((void *));
 extern void isakmp_chkph1there __P((struct ph2handle *));
 
 extern caddr_t isakmp_set_attr_v __P((caddr_t, int, caddr_t, int));
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.17 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.17.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -40,7 +40,6 @@
 
 #include <netinet/in.h>
 
-#include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -96,9 +95,9 @@
 
 #ifdef HAVE_LIBRADIUS
 #include <radlib.h>
+
 struct rad_handle *radius_auth_state = NULL;
 struct rad_handle *radius_acct_state = NULL;
-struct xauth_rad_config xauth_rad_config;
 #endif
 
 #ifdef HAVE_LIBPAM
@@ -130,7 +129,7 @@
 	size_t tlen;
 
 	/* Status checks */
-	if (iph1->status < PHASE1ST_ESTABLISHED) {
+	if (iph1->status != PHASE1ST_ESTABLISHED) {
 		plog(LLV_ERROR, LOCATION, NULL, 
 		    "Xauth request while phase 1 is not completed\n");
 		return;
@@ -330,7 +329,7 @@
 		if (throttle_delay != 0) {
 			struct xauth_reply_arg *xra;
 
-			if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
+			if ((xra = racoon_malloc(sizeof(*xra))) == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL, 
 				    "malloc failed, bypass throttling\n");
 				return xauth_reply(iph1, port, id, res);
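Review bot: Switching `xra` from `racoon_calloc` to `racoon_malloc` leaves the `struct xauth_reply_arg` uninitialized until each field is assigned; the following lines set `port`, `id` and `res`, but any member not assigned on this path (the `index` member, or anything else the struct declares) would later be read by `xauth_reply_stub` as indeterminate. Unless every member is provably assigned before `sched_new` is called, zero-initialising the block is the safer choice, e.g. `memset(xra, 0, sizeof(*xra));` right after the allocation succeeds. The enclosing function continues outside the hunk.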
@@ -345,8 +344,7 @@
 			xra->port = port;
 			xra->id = id;
 			xra->res = res;
-			sched_schedule(&xra->sc, throttle_delay,
-				       xauth_reply_stub);
+			sched_new(throttle_delay, xauth_reply_stub, xra);
 		} else {
 			return xauth_reply(iph1, port, id, res);
 		}
@@ -356,10 +354,10 @@
 }
 
 void 
-xauth_reply_stub(sc)
-	struct sched *sc;
+xauth_reply_stub(args)
+	void *args;
 {
-	struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc);
+	struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
 	struct ph1handle *iph1;
 
 	if ((iph1 = getph1byindex(&xra->index)) != NULL)
@@ -369,6 +367,7 @@
 		    "Delayed Xauth reply: phase 1 no longer exists.\n"); 
 
 	racoon_free(xra);
+	return;
 }
 
 int
@@ -391,7 +390,7 @@
 		xst->status = XAUTHST_NOTYET;
 
 		/* Delete Phase 1 SA */
-		if (iph1->status >= PHASE1ST_ESTABLISHED)
+		if (iph1->status == PHASE1ST_ESTABLISHED)
 			isakmp_info_send_d1(iph1);
 		remph1(iph1);
 		delph1(iph1);
@@ -448,31 +447,6 @@
 
 #ifdef HAVE_LIBRADIUS
 int
-xauth_radius_init_conf(int free)
-{
-	/* free radius config resources */
-	if (free) {
-		int i;
-		for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
-			vfree(xauth_rad_config.auth_server_list[i].host);
-			vfree(xauth_rad_config.auth_server_list[i].secret);
-		}
-		for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
-			vfree(xauth_rad_config.acct_server_list[i].host);
-			vfree(xauth_rad_config.acct_server_list[i].secret);
-		}
-		if (radius_auth_state != NULL)
-			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
-			rad_close(radius_acct_state);
-	}
-
-	/* initialize radius config */
-	memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
-	return 0;
-}
-
-int
 xauth_radius_init(void)
 {
 	/* For first time use, initialize Radius */
@@ -484,35 +458,13 @@
 			return -1;
 		}
 
-		int auth_count = xauth_rad_config.auth_server_count;
-		int auth_added = 0;
-		if (auth_count) {
-			int i;
-			for (i = 0; i < auth_count; i++) {
-				if(!rad_add_server(
-					radius_auth_state,
-					xauth_rad_config.auth_server_list[i].host->v,
-					xauth_rad_config.auth_server_list[i].port,
-					xauth_rad_config.auth_server_list[i].secret->v,
-					xauth_rad_config.timeout,
-					xauth_rad_config.retries ))
-					auth_added++;
-				else
-					plog(LLV_WARNING, LOCATION, NULL,
-						"could not add radius auth server %s\n",
-						xauth_rad_config.auth_server_list[i].host->v);
-			}
-		}
-
-		if (!auth_added) {
-			if (rad_config(radius_auth_state, NULL) != 0) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "Cannot open librarius config file: %s\n", 
-				    rad_strerror(radius_auth_state));
-				rad_close(radius_auth_state);
-				radius_auth_state = NULL;
-				return -1;
-			}
+		if (rad_config(radius_auth_state, NULL) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot open librarius config file: %s\n", 
+			    rad_strerror(radius_auth_state));
+			rad_close(radius_auth_state);
+			radius_auth_state = NULL;
+			return -1;
 		}
 	}
 
@@ -524,35 +476,13 @@
 			return -1;
 		}
 
-		int acct_count = xauth_rad_config.acct_server_count;
-		int acct_added = 0;
-		if (acct_count) {
-			int i;
-			for (i = 0; i < acct_count; i++) {
-				if(!rad_add_server(
-					radius_acct_state,
-					xauth_rad_config.acct_server_list[i].host->v,
-					xauth_rad_config.acct_server_list[i].port,
-					xauth_rad_config.acct_server_list[i].secret->v,
-					xauth_rad_config.timeout,
-					xauth_rad_config.retries ))
-					acct_added++;
-				else
-					plog(LLV_WARNING, LOCATION, NULL,
-						"could not add radius account server %s\n",
-						xauth_rad_config.acct_server_list[i].host->v);
-			}
-		}
-
-		if (!acct_added) {
-			if (rad_config(radius_acct_state, NULL) != 0) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "Cannot open librarius config file: %s\n", 
-				    rad_strerror(radius_acct_state));
-				rad_close(radius_acct_state);
-				radius_acct_state = NULL;
-				return -1;
-			}
+		if (rad_config(radius_acct_state, NULL) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot open librarius config file: %s\n", 
+			    rad_strerror(radius_acct_state));
+			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+			return -1;
 		}
 	}
 
@@ -740,7 +670,7 @@
 		    "cannot allocate memory: %s\n", strerror(errno)); 
 		goto out;
 	}
-
+	
 	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL, 
 		    "pam_set_item failed: %s\n", 
@@ -748,13 +678,6 @@
 		goto out;
 	}
 
-	if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "pam_set_item failed: %s\n", 
-		    pam_strerror(pam, error));
-		goto out;
-	}
-
 	PAM_usr = usr;
 	PAM_pwd = pwd;
 	error = pam_authenticate(pam, 0);
@@ -797,7 +720,7 @@
 
 #ifdef HAVE_LIBLDAP
 int 
-xauth_ldap_init_conf(void)
+xauth_ldap_init(void)
 {
 	int tmplen;
 	int error = -1;
@@ -1647,11 +1570,13 @@
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "Xauth authentication failed\n");
 
-			evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);
+			EVT_PUSH(iph1->local, iph1->remote, 
+			    EVTT_XAUTH_FAILED, NULL);
 
 			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
 		} else {
-			evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
+			EVT_PUSH(iph1->local, iph1->remote, 
+			    EVTT_XAUTH_SUCCESS, NULL);
 		}
 
 
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.6 2008/09/19 11:01:08 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.6.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /*	$KAME$ */
 
@@ -34,8 +34,6 @@
 #ifndef _ISAKMP_XAUTH_H
 #define _ISAKMP_XAUTH_H
 
-#include "schedule.h"
-
 /* ISAKMP mode config attribute types specific to the Xauth vendor ID */
 #define	XAUTH_TYPE                16520
 #define	XAUTH_USER_NAME           16521
@@ -92,7 +90,6 @@
 #define XAUTHST_OK	2
 
 struct xauth_reply_arg {
-	struct sched sc;
 	isakmp_index index;
 	int port;
 	int id;
@@ -110,40 +107,18 @@
 vchar_t *isakmp_xauth_req(struct ph1handle *, struct isakmp_data *);
 vchar_t *isakmp_xauth_set(struct ph1handle *, struct isakmp_data *);
 void xauth_rmstate(struct xauth_state *);
-void xauth_reply_stub(struct sched *);
+void xauth_reply_stub(void *);
 int xauth_reply(struct ph1handle *, int, int, int);
 int xauth_rmconf_used(struct xauth_rmconf **);
 void xauth_rmconf_delete(struct xauth_rmconf **);
 
-#ifdef HAVE_LIBPAM
-int xauth_login_pam(int, struct sockaddr *, char *, char *);
+#ifdef HAVE_LIBRADIUS
+int xauth_login_radius(struct ph1handle *, char *, char *);
+int xauth_radius_init(void);
 #endif
 
-#ifdef HAVE_LIBRADIUS
-
-#define RADIUS_MAX_SERVERS 5
-
-struct rad_serv {
-	vchar_t		*host;
-	int		port;
-	vchar_t		*secret;
-};
-
-struct xauth_rad_config {
-	struct rad_serv	auth_server_list[RADIUS_MAX_SERVERS];
-	int		auth_server_count;
-	struct rad_serv	acct_server_list[RADIUS_MAX_SERVERS];
-	int		acct_server_count;
-	int		timeout;
-	int		retries;
-};
-
-extern struct xauth_rad_config xauth_rad_config;
-
-int xauth_radius_init_conf(int free);
-int xauth_radius_init(void);
-int xauth_login_radius(struct ph1handle *, char *, char *);
-
+#ifdef HAVE_LIBPAM
+int xauth_login_pam(int, struct sockaddr *, char *, char *);
 #endif
 
 #ifdef HAVE_LIBLDAP
@@ -173,9 +148,8 @@
 
 extern struct xauth_ldap_config xauth_ldap_config;
 
-int xauth_ldap_init_conf(void);
+int xauth_ldap_init(void);
 int xauth_login_ldap(struct ph1handle *, char *, char *);
-
 #endif
 
 #endif /* _ISAKMP_XAUTH_H */
--- a/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: kmpstat.c,v 1.6 2007/10/02 09:47:45 vanhu Exp $	*/
+/*	$NetBSD: kmpstat.c,v 1.6.12.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /*	$KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/racoon/main.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/main.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.8 2008/07/22 01:30:02 mgrooms Exp $	*/
+/*	$NetBSD: main.c,v 1.8.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -198,15 +198,8 @@
 #endif
 
 #ifdef HAVE_LIBLDAP
-	if (xauth_ldap_init_conf() != 0)
-		errx(1, "could not initialize ldap config");
-#endif
-
-#ifdef HAVE_LIBRADIUS
-	if (xauth_radius_init_conf(0) != 0) {
-		errx(1, "could not initialize radius config");
-		/* NOTREACHED*/
-	}
+	if (xauth_ldap_init() != 0)
+		errx(1, "could not initialize libldap");
 #endif
 
 	/*
--- a/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/misc.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: misc.c,v 1.6 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: misc.c,v 1.6.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /*	$KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $	*/
 
@@ -44,7 +44,6 @@
 #include <errno.h>
 #include <syslog.h>
 #include <ctype.h>
-#include <fcntl.h>
 
 #include "var.h"
 #include "misc.h"
@@ -155,16 +154,6 @@
 }
 
 /*
- * set the close-on-exec flag for file descriptor fd.
- */
-void
-close_on_exec(fd)
-	int fd;
-{
-	fcntl(fd, F_SETFD, FD_CLOEXEC);
-}
-
-/*
  * calculate the difference between two times.
  * t1: start
  * t2: end
--- a/crypto/dist/ipsec-tools/src/racoon/misc.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/misc.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: misc.h,v 1.6 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: misc.h,v 1.6.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: misc.h,v 1.9 2006/04/06 14:00:06 manubsd Exp */
 
@@ -50,7 +50,6 @@
 struct timeval;
 extern double timedelta __P((struct timeval *, struct timeval *));
 char *strdup __P((const char *));
-extern void close_on_exec __P((int fd));
 
 #if defined(__APPLE__) && defined(__MACH__)
 #define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field)	\
--- a/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.c,v 1.7 2008/09/19 11:01:08 tteras Exp $	*/
+/*	$NetBSD: nattraversal.c,v 1.7.4.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -77,7 +77,6 @@
 };
 
 static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree;
-static struct sched sc_natt = SCHED_INITIALIZER();
 
 /*
  * check if the given vid is NAT-T.
@@ -322,7 +321,7 @@
 
 /* NAT keepalive functions */
 static void
-natt_keepalive_send (struct sched *param)
+natt_keepalive_send (void *param)
 {
   struct natt_ka_addrs	*ka, *next = NULL;
   char keepalive_packet[] = { 0xff };
@@ -347,7 +346,7 @@
 	   strerror (errno));
   }
   
-  sched_schedule (&sc_natt, lcconf->natt_ka_interval, natt_keepalive_send);
+  sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
 }
 
 void
@@ -357,7 +356,7 @@
 
   /* To disable sending KAs set natt_ka_interval=0 */
   if (lcconf->natt_ka_interval > 0)
-    sched_schedule (&sc_natt, lcconf->natt_ka_interval, natt_keepalive_send);
+    sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
 }
 
 int
--- a/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.12 2008/03/06 17:00:03 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.12.8.1 2009/02/08 18:42:17 snj Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.35 2008/10/27 06:27:05 tteras Exp $	*/
-
-/* $Id: pfkey.c,v 1.35 2008/10/27 06:27:05 tteras Exp $ */
+/*	$NetBSD: pfkey.c,v 1.35.2.1 2009/02/08 18:42:18 snj Exp $	*/
+
+/* $Id: pfkey.c,v 1.35.2.1 2009/02/08 18:42:18 snj Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -92,7 +92,6 @@
 #include "algorithm.h"
 #include "sainfo.h"
 #include "admin.h"
-#include "evt.h"
 #include "privsep.h"
 #include "strnames.h"
 #include "backupsa.h"
@@ -270,7 +269,7 @@
 	if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
 		goto end;
 
-	error = 1;
+	error = 0;
 end:
 	if (msg)
 		racoon_free(msg);
@@ -449,24 +448,6 @@
 	return 0;
 }
 
-int
-pfkey_reload()
-{
-	flushsp();
-
-	if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"libipsec sending spddump failed: %s\n",
-			ipsec_strerror());
-		return -1;
-	}
-
-	while (pfkey_handler() > 0)
-		continue;
-
-	return 0;
-}
-
 /* %%% for conversion */
 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
 static u_int
@@ -815,6 +796,35 @@
 	return -1;
 }
 
+/* called from scheduler */
+void
+pfkey_timeover_stub(p)
+	void *p;
+{
+
+	pfkey_timeover((struct ph2handle *)p);
+}
+
+void
+pfkey_timeover(iph2)
+	struct ph2handle *iph2;
+{
+	plog(LLV_ERROR, LOCATION, NULL,
+		"%s give up to get IPsec-SA due to time up to wait.\n",
+		saddrwop2str(iph2->dst));
+	SCHED_KILL(iph2->sce);
+
+	/* If initiator side, send error to kernel by SADB_ACQUIRE. */
+	if (iph2->side == INITIATOR)
+		pk_sendeacquire(iph2);
+
+	unbindph12(iph2);
+	remph2(iph2);
+	delph2(iph2);
+
+	return;
+}
+
 /*%%%*/
 /* send getspi message per ipsec protocol per remote address */
 /*
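Review bot: pfkey_timeover is added without a header comment although it removes and frees the handle it receives, which its callers need to know; suggested: `/* Phase 2 wait timer expired: log, report failure to the kernel on the initiator side, then unbind, remove and free iph2 — the pointer is invalid on return. */`. It also calls `SCHED_KILL(iph2->sce)` on the very scheduler entry whose callback (`pfkey_timeover_stub`) is running; whether the scheduler tolerates killing the entry that is currently firing depends on sched_new/SCHED_KILL semantics outside this diff and deserves a one-line comment either way. The return value of `pk_sendeacquire(iph2)` is ignored; if it can fail, a debug log there would help diagnosis.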
@@ -845,19 +855,13 @@
 	/* for mobile IPv6 */
 	if (proxy && iph2->src_id && iph2->dst_id &&
 	    ipsecdoi_transportmode(pp)) {
-		src = dupsaddr(iph2->src_id);
-		dst = dupsaddr(iph2->dst_id);
+		src = iph2->src_id;
+		dst = iph2->dst_id;
 	} else {
-		src = dupsaddr(iph2->src);
-		dst = dupsaddr(iph2->dst);
+		src = iph2->src;
+		dst = iph2->dst;
 	}
-	
-	if (src == NULL || dst == NULL) {
-		racoon_free(src);
-		racoon_free(dst);
-		return -1;
-	}
-	
+
 	for (pr = pp->head; pr != NULL; pr = pr->next) {
 
 		/* validity check */
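Review bot: `src`/`dst` now alias the handle's own `iph2->src`/`iph2->dst` (or `src_id`/`dst_id`) instead of private copies, while the later hunk in this function calls `set_port(src, 0)` and `set_port(dst, 0)` under ENABLE_NATT for non-UDP-encapsulated proposals; that now clears the port on the addresses stored in the handle, a change that persists after this call, which the `XXX` comment added there acknowledges but does not resolve. If clearing the port on the handle is not intended, the NAT-T branch should operate on local copies (for example `struct sockaddr_storage` copies of `*src`/`*dst` made before the loop) and pass those to `pfkey_send_getspi`. pk_sendgetspi begins and ends outside this hunk.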
@@ -865,8 +869,6 @@
 		if (satype == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid proto_id %d\n", pr->proto_id);
-			racoon_free(src);
-			racoon_free(dst);
 			return -1;
 		}
 		/* this works around a bug in Linux kernel where it allocates 4 byte
@@ -883,16 +885,16 @@
 		if (mode == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid encmode %d\n", pr->encmode);
-			racoon_free(src);
-			racoon_free(dst);
 			return -1;
 		}
 
 #ifdef ENABLE_NATT
+		/* XXX should we do a copy of src/dst for each pr ?
+		 */
 		if (! pr->udp_encap) {
 			/* Remove port information, that SA doesn't use it */
-			set_port(iph2->src, 0);
-			set_port(iph2->dst, 0);
+			set_port(src, 0);
+			set_port(dst, 0);
 		}
 #endif
 		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
@@ -907,8 +909,6 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"ipseclib failed send getspi (%s)\n",
 				ipsec_strerror());
-			racoon_free(src);
-			racoon_free(dst);
 			return -1;
 		}
 		plog(LLV_DEBUG, LOCATION, NULL,
@@ -916,8 +916,6 @@
 			sadbsecas2str(dst, src, satype, 0, mode));
 	}
 
-	racoon_free(src);
-	racoon_free(dst);
 	return 0;
 }
 
@@ -1008,6 +1006,7 @@
 		if (isakmp_post_getspi(iph2) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to start post getspi.\n");
+			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 			iph2 = NULL;
@@ -1033,7 +1032,6 @@
 	if (iph2->approval == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"no approvaled SAs found.\n");
-		return -1;
 	}
 
 	if (iph2->side == INITIATOR)
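Review bot: Dropping the `return -1;` after the "no approvaled SAs found." error leaves iph2->approval NULL on that path, and the very next hunk dereferences it in `sa_args.l_addtime = iph2->approval->lifetime;` and again in `for (pr = iph2->approval->head; ...)`, so a handle without an approved proposal now crashes the daemon instead of failing the update. The error branch has to stay fatal: keep `return -1;` inside the `if (iph2->approval == NULL)` block. The enclosing function (the pfkey update sender, by the surrounding code) starts outside the hunk, and the parallel sender at -1345 should be checked for the same pattern since its approval check is not in the visible hunks.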
@@ -1044,27 +1042,18 @@
 	/* fill in some needed for pfkey_send_update2 */
 	memset (&sa_args, 0, sizeof (sa_args));
 	sa_args.so = lcconf->sock_pfkey;
-	if (iph2->lifetime_secs)
-		sa_args.l_addtime = iph2->lifetime_secs;
-	else
-		sa_args.l_addtime = iph2->approval->lifetime;
+	sa_args.l_addtime = iph2->approval->lifetime;
 	sa_args.seq = iph2->seq; 
 	sa_args.wsize = 4;
 
 	/* for mobile IPv6 */
 	if (proxy && iph2->src_id && iph2->dst_id &&
 	    ipsecdoi_transportmode(iph2->approval)) {
-		sa_args.dst = dupsaddr(iph2->src_id);
-		sa_args.src = dupsaddr(iph2->dst_id);
+		sa_args.dst = iph2->src_id;
+		sa_args.src = iph2->dst_id;
 	} else {
-		sa_args.dst = dupsaddr(iph2->src);
-		sa_args.src = dupsaddr(iph2->dst);
-	}
-
-	if (sa_args.src == NULL || sa_args.dst == NULL) {
-		racoon_free(sa_args.src);
-		racoon_free(sa_args.dst);
-		return -1;
+		sa_args.dst = iph2->src;
+		sa_args.src = iph2->dst;
 	}
 
 	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
@@ -1073,8 +1062,6 @@
 		if (sa_args.satype == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid proto_id %d\n", pr->proto_id);
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 		else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1088,8 +1075,6 @@
 		if (sa_args.mode == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid encmode %d\n", pr->encmode);
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 #endif
@@ -1101,11 +1086,8 @@
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
 				&sa_args.a_type, &sa_args.a_keylen, 
-				&sa_args.flags) < 0){
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
+				&sa_args.flags) < 0)
 			return -1;
-		}
 
 #if 0
 		sa_args.l_bytes = iph2->approval->lifebyte * 1024,
@@ -1127,7 +1109,7 @@
 			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
 			sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
 			sa_args.l_natt_dport = extract_port (iph2->ph1->local);
-			sa_args.l_natt_oa = iph2->natoa_src;
+			sa_args.l_natt_oa = NULL;  // FIXME: Here comes OA!!!
 #ifdef SADB_X_EXT_NAT_T_FRAG
 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
 #endif
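Review bot: `sa_args.l_natt_oa = NULL;  // FIXME: Here comes OA!!!` uses a C++-style line comment in a file that otherwise uses `/* */`, and the FIXME does not say what is lost by not passing NAT-OA; the same line appears in the hunk at -1432. Suggest `sa_args.l_natt_oa = NULL; /* XXX NAT-OA (natoa_src) not tracked in this version; kernel gets no OA */` (and natoa_dst in the other hunk) so the limitation is documented rather than left as an exclamation. The enclosing function starts and ends outside this hunk.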
@@ -1148,8 +1130,6 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"libipsec failed send update (%s)\n",
 				ipsec_strerror());
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 
@@ -1179,8 +1159,6 @@
 			sa_args.satype, sa_args.spi, sa_args.mode));
 	}
 
-	racoon_free(sa_args.src);
-	racoon_free(sa_args.dst);
 	return 0;
 }
 
@@ -1284,11 +1262,10 @@
 		return 0;
 
 	/* turn off the timer for calling pfkey_timeover() */
-	sched_cancel(&iph2->sce);
-
+	SCHED_KILL(iph2->sce);
+	
 	/* update status */
 	iph2->status = PHASE2ST_ESTABLISHED;
-	evt_phase2(iph2, EVT_PHASE2_UP, NULL);
 
 #ifdef ENABLE_STATS
 	gettimeofday(&iph2->end, NULL);
@@ -1296,8 +1273,11 @@
 		"phase2", "quick", timedelta(&iph2->start, &iph2->end));
 #endif
 
+	/* count up */
+	iph2->ph1->ph2cnt++;
+
 	/* turn off schedule */
-	sched_cancel(&iph2->scr);
+	SCHED_KILL(iph2->scr);
 
 	/* Force the update of ph2's ports, as there is at least one
 	 * situation where they'll mismatch with ph1's values
@@ -1312,8 +1292,10 @@
 	 * since we are going to reuse the phase2 handler, we need to
 	 * remain it and refresh all the references between ph1 and ph2 to use.
 	 */
-	sched_schedule(&iph2->sce, iph2->approval->lifetime,
-		       isakmp_ph2expire_stub);
+	unbindph12(iph2);
+
+	iph2->sce = sched_new(iph2->approval->lifetime,
+	    isakmp_ph2expire_stub, iph2);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
 	return 0;
@@ -1345,37 +1327,26 @@
 	/* fill in some needed for pfkey_send_update2 */
 	memset (&sa_args, 0, sizeof (sa_args));
 	sa_args.so = lcconf->sock_pfkey;
-	if (iph2->lifetime_secs)
-		sa_args.l_addtime = iph2->lifetime_secs;
-	else
-		sa_args.l_addtime = iph2->approval->lifetime;
+	sa_args.l_addtime = iph2->approval->lifetime;
 	sa_args.seq = iph2->seq;
 	sa_args.wsize = 4;
 
 	/* for mobile IPv6 */
 	if (proxy && iph2->src_id && iph2->dst_id &&
 	    ipsecdoi_transportmode(iph2->approval)) {
-		sa_args.src = dupsaddr(iph2->src_id);
-		sa_args.dst = dupsaddr(iph2->dst_id);
+		sa_args.src = iph2->src_id;
+		sa_args.dst = iph2->dst_id;
 	} else {
-		sa_args.src = dupsaddr(iph2->src);
-		sa_args.dst = dupsaddr(iph2->dst);
+		sa_args.src = iph2->src;
+		sa_args.dst = iph2->dst;
 	}
 
-	if (sa_args.src == NULL || sa_args.dst == NULL) {
-		racoon_free(sa_args.src);
-		racoon_free(sa_args.dst);
-		return -1;
- 	}
-
 	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
 		/* validity check */
 		sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
 		if (sa_args.satype == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid proto_id %d\n", pr->proto_id);
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 		else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1389,8 +1360,6 @@
 		if (sa_args.mode == ~0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid encmode %d\n", pr->encmode);
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 #endif
@@ -1403,11 +1372,8 @@
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
 				&sa_args.a_type, &sa_args.a_keylen, 
-				&sa_args.flags) < 0){
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
+				&sa_args.flags) < 0)
 			return -1;
-		}
 
 #if 0
 		sa_args.l_bytes = iph2->approval->lifebyte * 1024,
@@ -1432,7 +1398,7 @@
 			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
 			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
 			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
-			sa_args.l_natt_oa = iph2->natoa_dst;
+			sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!!
 #ifdef SADB_X_EXT_NAT_T_FRAG
 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
 #endif
@@ -1458,8 +1424,6 @@
 			plog(LLV_ERROR, LOCATION, NULL,
 				"libipsec failed send add (%s)\n",
 				ipsec_strerror());
-			racoon_free(sa_args.src);
-			racoon_free(sa_args.dst);
 			return -1;
 		}
 
@@ -1483,8 +1447,6 @@
 			sadbsecas2str(sa_args.src, sa_args.dst,
 			sa_args.satype, sa_args.spi, sa_args.mode));
 	}
-	racoon_free(sa_args.src);
-	racoon_free(sa_args.dst);
 	return 0;
 }
 
@@ -1625,7 +1587,7 @@
 	}
 
 	/* turn off the timer for calling isakmp_ph2expire() */ 
-	sched_cancel(&iph2->sce);
+	SCHED_KILL(iph2->sce);
 
 	iph2->status = PHASE2ST_EXPIRED;
 
@@ -1643,6 +1605,7 @@
 			plog(LLV_ERROR, LOCATION, iph2->dst,
 				"failed to begin ipsec sa "
 				"re-negotication.\n");
+			unbindph12(iph2);
 			remph2(iph2);
 			delph2(iph2);
 			return -1;
@@ -1655,6 +1618,7 @@
 	/* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
 	/* RESPONDER always delete ph2handle, keep silent.  RESPONDER doesn't
 	 * manage IPsec SA, so delete the list */
+	unbindph12(iph2);
 	remph2(iph2);
 	delph2(iph2);
 
@@ -1672,6 +1636,7 @@
 	struct ph2handle *iph2[MAXNESTEDSA];
 	struct sockaddr *src, *dst;
 	int n;	/* # of phase 2 handler */
+	int remoteid=0;
 #ifdef HAVE_SECCTX
 	struct sadb_x_sec_ctx *m_sec_ctx;
 #endif /* HAVE_SECCTX */
@@ -1860,12 +1825,63 @@
 		return -1;
 	}
 
-	if (isakmp_get_sainfo(iph2[n], sp_out, sp_in) < 0) {
+	plog(LLV_DEBUG, LOCATION, NULL,
+		"new acquire %s\n", spidx2str(&sp_out->spidx));
+
+	/* get sainfo */
+    {
+	vchar_t *idsrc, *iddst;
+
+	idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
+				sp_out->spidx.prefs, sp_out->spidx.ul_proto);
+	if (idsrc == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to get ID for %s\n",
+			spidx2str(&sp_out->spidx));
+		delph2(iph2[n]);
+		return -1;
+	}
+	iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
+				sp_out->spidx.prefd, sp_out->spidx.ul_proto);
+	if (iddst == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to get ID for %s\n",
+			spidx2str(&sp_out->spidx));
+		vfree(idsrc);
 		delph2(iph2[n]);
 		return -1;
 	}
-
-
+	{
+		struct remoteconf *conf;
+		conf = getrmconf(iph2[n]->dst);
+		if (conf != NULL)
+			remoteid=conf->ph1id;
+		else{
+			plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
+			remoteid=0;
+		}
+	}
+	iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, remoteid);
+	vfree(idsrc);
+	vfree(iddst);
+	if (iph2[n]->sainfo == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to get sainfo.\n");
+		delph2(iph2[n]);
+		return -1;
+		/* XXX should use the algorithm list from register message */
+	}
+
+	plog(LLV_DEBUG, LOCATION, NULL,
+		"selected sainfo: %s\n", sainfo2str(iph2[n]->sainfo));
+    }
+
+	if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to create saprop.\n");
+		delph2(iph2[n]);
+		return -1;
+	}
 #ifdef HAVE_SECCTX
 	if (m_sec_ctx) {
 		set_secctx_in_proposal(iph2[n], spidx);
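Review bot: The `/* XXX should use the algorithm list from register message */` comment sits after `return -1;` inside the sainfo-failure branch, where it reads as dead text; move it above the `return` or next to the `getsainfo()` call it refers to. The inserted block also departs from the file's tab indentation (`    {` / `    }` at four spaces, `remoteid=conf->ph1id;` and `int remoteid=0;` in the hunk at -1672 without spaces around `=`), which clang-format or the project's indent rules would flag. The "Warning: no valid rmconf !" message is logged at LLV_DEBUG although it changes which sainfo is selected; consider LLV_WARNING if the file's plog levels include it. The enclosing function starts and ends outside this hunk.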
@@ -1886,6 +1902,7 @@
 
 err:
 	while (n >= 0) {
+		unbindph12(iph2[n]);
 		remph2(iph2[n]);
 		delph2(iph2[n]);
 		iph2[n] = NULL;
@@ -1957,6 +1974,7 @@
 	if (iph2->status == PHASE2ST_ESTABLISHED)
 		isakmp_info_send_d2(iph2);
 
+	unbindph12(iph2);
 	remph2(iph2);
 	delph2(iph2);
 
@@ -2813,11 +2831,6 @@
 		return NULL;
 
 	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
-	if (reallen < sizeof(buf)) {
-		*lenp = -1;
-		errno = EIO;
-		return NULL;    /*fatal*/
-	}
 	if ((newmsg = racoon_calloc(1, reallen)) == NULL)
 		return NULL;
 
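Review bot: The new side no longer validates `reallen` (derived from the peeked `sadb_msg_len`) against `sizeof(buf)` before `racoon_calloc(1, reallen)`; if the remainder of the function, which is outside this hunk, copies the peeked header or reads the full message into newmsg, an undersized length field becomes an out-of-bounds write on a heap buffer smaller than the header. The guard is a single block and should be kept: `if (reallen < sizeof(buf)) { *lenp = -1; errno = EIO; return NULL; /* fatal */ }`. The enclosing function starts and ends outside the hunk.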
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.h,v 1.6 2008/09/19 11:01:08 tteras Exp $	*/
+/*	$NetBSD: pfkey.h,v 1.6.4.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: pfkey.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
@@ -46,7 +46,6 @@
 extern vchar_t *pfkey_dump_sadb __P((int));
 extern void pfkey_flush_sadb __P((u_int));
 extern int pfkey_init __P((void));
-extern int pfkey_reload __P((void));
 
 extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
 
@@ -61,6 +60,9 @@
 extern int pk_sendspdadd2 __P((struct ph2handle *));
 extern int pk_sendspddelete __P((struct ph2handle *));
 
+extern void pfkey_timeover_stub __P((void *));
+extern void pfkey_timeover __P((struct ph2handle *));
+
 extern u_int pfkey2ipsecdoi_proto __P((u_int));
 extern u_int ipsecdoi2pfkey_proto __P((u_int));
 extern u_int pfkey2ipsecdoi_mode __P((u_int));
--- a/crypto/dist/ipsec-tools/src/racoon/plog.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plog.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.c,v 1.5 2007/10/02 09:47:40 vanhu Exp $	*/
+/*	$NetBSD: plog.c,v 1.5.12.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: plog.c,v 1.11 2006/06/20 09:57:31 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/plog.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/plog.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.h,v 1.5 2007/10/02 09:47:40 vanhu Exp $	*/
+/*	$NetBSD: plog.h,v 1.5.12.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: plog.h,v 1.7 2006/06/20 09:57:31 vanhu Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/policy.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/policy.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy.c,v 1.9 2007/12/31 01:42:07 mgrooms Exp $	*/
+/*	$NetBSD: policy.c,v 1.9.10.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /*	$KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $	*/
 
@@ -91,17 +91,13 @@
 	struct policyindex *spidx;
 {
 	struct secpolicy *p;
-	struct secpolicy *found = NULL;
 
 	for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
-		if (!cmpspidxstrict(spidx, &p->spidx))
+		if (!cmpspidxwild(spidx, &p->spidx))
 			return p;
-
-		if (!found && !cmpspidxwild(spidx, &p->spidx))
-			found = p;
 	}
 
-	return found;
+	return NULL;
 }
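Review bot: The lookup now returns the first policy for which `cmpspidxwild()` succeeds, so an exact-match entry placed after a wildcard entry in sptree is no longer preferred and the selected SP depends on insertion order. If that ordering dependence is intended for this branch, a one-line comment at the loop would save the next reader from re-introducing the preference: `/* first wildcard match wins; no exact-match preference in this version */`. The function header is outside the hunk.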
 #else
 struct secpolicy *
@@ -232,7 +228,8 @@
 	if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
 		return 1;
 
-	if (!(b->ul_proto == IPSEC_ULPROTO_ANY ||
+	if (!(a->ul_proto == IPSEC_ULPROTO_ANY ||
+	      b->ul_proto == IPSEC_ULPROTO_ANY ||
 	      a->ul_proto == b->ul_proto))
 		return 1;
 
--- a/crypto/dist/ipsec-tools/src/racoon/policy.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/policy.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy.h,v 1.7 2007/05/31 19:54:55 manu Exp $	*/
+/*	$NetBSD: policy.h,v 1.7.18.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.15 2008/10/23 10:56:10 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.15.2.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -42,12 +42,9 @@
 #include <signal.h>
 #include <pwd.h>
 
-#include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/param.h>
 
-#include <netinet/in.h>
-
 #include "gcmalloc.h"
 #include "vmbuf.h"
 #include "misc.h"
@@ -78,28 +75,6 @@
 static int unsafe_env(char *const *);
 static int unknown_name(int);
 static int unsafe_path(char *, int);
-static int rec_fd(int);
-static int send_fd(int, int);
-
-struct socket_args {
-	int domain;
-	int type;
-	int protocol;
-};
-
-struct sockopt_args {
-	int s;
-	int level;
-	int optname;
-	const void *optval;
-	socklen_t optlen;
-};
-
-struct bind_args {
-	int s;
-	const struct sockaddr *addr;
-	socklen_t addrlen;
-};
 
 static int
 privsep_send(sock, buf, len)
@@ -141,19 +116,13 @@
 	    sizeof(com), MSG_PEEK, NULL, NULL)) == -1) {
 		if (errno == EINTR)
 			continue;
-		if (errno == ECONNRESET)
-		    return -1;
 
 		plog(LLV_ERROR, LOCATION, NULL,
 		    "privsep_recv failed: %s\n",
 		    strerror(errno));
 		return -1;
 	}
-
-	/* EOF, other side has closed. */
-	if (len == 0)
-	    return -1;
-
+	
 	/* Check for short packets */
 	if (len < sizeof(com)) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -173,8 +142,6 @@
 	    com.ac_len, 0, NULL, NULL)) == -1) {
 		if (errno == EINTR)
 			continue;
-		if (errno == ECONNRESET)
-		    return -1;
 		plog(LLV_ERROR, LOCATION, NULL,
 		    "failed to recv privsep command: %s\n", 
 		    strerror(errno));
@@ -207,7 +174,7 @@
 	/* 
 	 * When running privsep, certificate and script paths 
 	 * are mandatory, as they enable us to check path safety
-	 * in the privileged instance
+	 * in the privilegied instance
 	 */
 	if ((lcconf->pathinfo[LC_PATHTYPE_CERT] == NULL) ||
 	    (lcconf->pathinfo[LC_PATHTYPE_SCRIPT] == NULL)) {
@@ -216,7 +183,7 @@
 		return -1;
 	}
 
-	if (socketpair(PF_LOCAL, SOCK_STREAM, 0, privsep_sock) != 0) {
+	if (socketpair(PF_LOCAL, SOCK_DGRAM, 0, privsep_sock) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL, 
 		    "Cannot allocate privsep_sock: %s\n", strerror(errno));
 		return -1;
@@ -230,8 +197,6 @@
 		break;
 
 	case 0: /* Child: drop privileges */
-		(void)close(privsep_sock[0]);
-
 		if (lcconf->chroot != NULL) {
 			if (chdir(lcconf->chroot) != 0) {
 				plog(LLV_ERROR, LOCATION, NULL, 
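Review bot: The child no longer closes `privsep_sock[0]`, and the hunk at -289 makes the parent skip `privsep_sock[1]` in its close loop, so each process keeps the end of the socketpair that belongs to the other side. Each side should close the end it does not use (`(void)close(privsep_sock[0]);` in the child, and no exemption for `privsep_sock[1]` in the parent); besides descriptor hygiene, holding both ends means neither process can ever observe the peer's exit on that socket. The enclosing function starts and ends outside this hunk.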
@@ -278,7 +243,7 @@
 		return 0;
 		break;
 
-	default: /* Parent: privileged process */
+	default: /* Parent: privilegied process */
 		break;
 	}
 
@@ -289,6 +254,8 @@
 	for (i = sysconf(_SC_OPEN_MAX); i > 0; i--) {
 		if (i == privsep_sock[0])
 			continue;
+		if (i == privsep_sock[1])
+			continue;
 		if ((f_foreground) && (i == 1))
 			continue;
 		(void)close(i);
@@ -298,17 +265,14 @@
 	ploginit();
 
 	plog(LLV_INFO, LOCATION, NULL, 
-	    "racoon privileged process running with PID %d\n", getpid());
+	    "racoon privilegied process running with PID %d\n", getpid());
 
-	plog(LLV_INFO, LOCATION, NULL,
-	    "racoon unprivileged process running with PID %d\n", child_pid);
-
-#if defined(__NetBSD__) || defined(__FreeBSD__)
+#ifdef __NetBSD__
 	setproctitle("[priv]");
 #endif
 	
-	/*
-	 * Don't catch any signal
+	/* 
+	 * Don't catch any signal 
 	 * This duplicate session:signals[], which is static...
 	 */
 	signal(SIGHUP, SIG_DFL);
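Review bot: `"racoon privilegied process running with PID %d\n"` misspells "privileged" in a user-visible log message, and the same spelling is reintroduced in the comments at -207, -278 and -367 and in racoon.conf.5; a log-grepping operator now has to match both spellings across versions. Also the `#ifdef __NetBSD__` narrowing drops the setproctitle("[priv]") call on FreeBSD that the previous `defined(__NetBSD__) || defined(__FreeBSD__)` condition covered; if that is intended it deserves a word in the commit description. The enclosing function starts outside this hunk.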
@@ -367,7 +331,7 @@
 		/* 
 		 * XXX Improvement: instead of returning the key, 
 		 * stuff eay_get_pkcs1privkey and eay_get_x509sign
-		 * together and sign the hash in the privileged 
+		 * together and sign the hash in the privilegied 
 		 * instance? 
 		 * pro: the key remains inaccessible to unpriv
 		 * con: a compromised unpriv racoon can still sign anything
@@ -539,154 +503,6 @@
 			break;
 		}
 
-		case PRIVSEP_SOCKET: {
-			struct socket_args socket_args;
-			int s;
-
-			/* Make sure the string is NULL terminated */
-			if (safety_check(combuf, 0) != 0)
-				break;
-
-			if (combuf->bufs.buflen[0] !=
-			    sizeof(struct socket_args)) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_socket: corrupted message\n");
-				goto out;
-			}
-			memcpy(&socket_args, bufs[0],
-			       sizeof(struct socket_args));
-
-			if (socket_args.domain != PF_INET &&
-			    socket_args.domain != PF_INET6) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_socket: "
-				     "unauthorized domain (%d)\n",
-				     socket_args.domain);
-				goto out;
-			}
-
-			if ((s = socket(socket_args.domain, socket_args.type,
-					socket_args.protocol)) == -1) {
-				reply->hdr.ac_errno = errno;
-				break;
-			}
-
-			if (send_fd(privsep_sock[0], s) < 0) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				     "privsep_socket: send_fd failed\n");
-				close(s);
-				goto out;
-			}
-
-			close(s);
-			break;
-		}
-
-		case PRIVSEP_BIND: {
-			struct bind_args bind_args;
-			int err, port = 0;
-
-			/* Make sure the string is NULL terminated */
-			if (safety_check(combuf, 0) != 0)
-				break;
-
-			if (combuf->bufs.buflen[0] !=
-			    sizeof(struct bind_args)) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_bind: corrupted message\n");
-				goto out;
-			}
-			memcpy(&bind_args, bufs[0], sizeof(struct bind_args));
-
-			if (combuf->bufs.buflen[1] != bind_args.addrlen) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_bind: corrupted message\n");
-				goto out;
-			}
-			bind_args.addr = (const struct sockaddr *)bufs[1];
-
-			if ((bind_args.s = rec_fd(privsep_sock[0])) < 0) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				     "privsep_bind: rec_fd failed\n");
-				goto out;
-			}
-
-			port = extract_port(bind_args.addr);
-			if (port != PORT_ISAKMP && port != PORT_ISAKMP_NATT &&
-			    port != lcconf->port_isakmp &&
-			    port != lcconf->port_isakmp_natt) {
-				plog(LLV_ERROR, LOCATION, NULL,
-				     "privsep_bind: "
-				     "unauthorized port (%d)\n",
-				     port);
-				close(bind_args.s);
-				goto out;
-			}
-
-			err = bind(bind_args.s, bind_args.addr,
-				   bind_args.addrlen);
-
-			if (err)
-				reply->hdr.ac_errno = errno;
-
-			close(bind_args.s);
-			break;
-		}
-
-		case PRIVSEP_SETSOCKOPTS: {
-			struct sockopt_args sockopt_args;
-			int err;
-
-			/* Make sure the string is NULL terminated */
-			if (safety_check(combuf, 0) != 0)
-				break;
-
-			if (combuf->bufs.buflen[0] !=
-			    sizeof(struct sockopt_args)) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_setsockopt: "
-				     "corrupted message\n");
-				goto out;
-			}
-			memcpy(&sockopt_args, bufs[0],
-			       sizeof(struct sockopt_args));
-
-			if (combuf->bufs.buflen[1] != sockopt_args.optlen) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_setsockopt: corrupted message\n");
-				goto out;
-			}
-			sockopt_args.optval = bufs[1];
-
-			if (sockopt_args.optname != 
-			    (sockopt_args.level == 
-			     IPPROTO_IP ? IP_IPSEC_POLICY :
-			     IPV6_IPSEC_POLICY)) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				    "privsep_setsockopt: "
-				     "unauthorized option (%d)\n",
-				     sockopt_args.optname);
-				goto out;
-			}
-
-			if ((sockopt_args.s = rec_fd(privsep_sock[0])) < 0) {
-				plog(LLV_ERROR, LOCATION, NULL, 
-				     "privsep_setsockopt: rec_fd failed\n");
-				goto out;
-			}
-
-			err = setsockopt(sockopt_args.s,
-					 sockopt_args.level,
-					 sockopt_args.optname,
-					 sockopt_args.optval,
-					 sockopt_args.optlen);
-			if (err)
-				reply->hdr.ac_errno = errno;
-
-			close(sockopt_args.s);
-			break;
-		}
-
 #ifdef ENABLE_HYBRID
 		case PRIVSEP_ACCOUNTING_SYSTEM: {
 			int pool_size;
@@ -871,17 +687,14 @@
 
 		/* This frees reply */
 		if (privsep_send(privsep_sock[0], 
-		    reply, reply->hdr.ac_len) != 0) {
-			racoon_free(reply);
+		    reply, reply->hdr.ac_len) != 0)
 			goto out;
-		}
 
 		racoon_free(combuf);
 	}
 
 out:
-	plog(LLV_INFO, LOCATION, NULL, 
-	    "racoon privileged process %d terminated\n", getpid());
+	plog(LLV_INFO, LOCATION, NULL, "privsep exit\n");
 	_exit(0);
 }
 
@@ -1128,225 +941,6 @@
 	return NULL;
 }
 
-/*
- * Create a privileged socket.  On BSD systems a socket obtains special
- * capabilities if it is created by root; setsockopt(IP_IPSEC_POLICY) will
- * succeed but will be ineffective if performed on an unprivileged socket.
- */
-int
-privsep_socket(domain, type, protocol)
-	int domain;
-	int type;
-	int protocol;
-{
-	struct privsep_com_msg *msg;
-	size_t len;
-	char *data;
-	struct socket_args socket_args;
-	int s, saved_errno = 0;
-
-	if (geteuid() == 0)
-		return socket(domain, type, protocol);
-
-	len = sizeof(*msg) + sizeof(socket_args);
-
-	if ((msg = racoon_malloc(len)) == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "Cannot allocate memory: %s\n", strerror(errno));
-		return -1;
-	}
-	bzero(msg, len);
-	msg->hdr.ac_cmd = PRIVSEP_SOCKET;
-	msg->hdr.ac_len = len;
-
-	socket_args.domain = domain;
-	socket_args.type = type;
-	socket_args.protocol = protocol;
-
-	data = (char *)(msg + 1);
-	msg->bufs.buflen[0] = sizeof(socket_args);
-	memcpy(data, &socket_args, msg->bufs.buflen[0]);
-
-	/* frees msg */
-	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		goto out;
-
-	/* Get the privileged socket descriptor from the privileged process. */
-	if ((s = rec_fd(privsep_sock[1])) == -1)
-		return -1;
-
-	if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
-		goto out;
-
-	if (msg->hdr.ac_errno != 0) {
-		errno = msg->hdr.ac_errno;
-		goto out;
-	}
-
-	racoon_free(msg);
-	return s;
-
-out:
-	racoon_free(msg);
-	return -1;
-}
-
-/*
- * Bind() a socket to a port.  This works just like regular bind(), except that
- * if you want to bind to the designated isakmp ports and you don't have the
- * privilege to do so, it will ask a privileged process to do it.
- */
-int
-privsep_bind(s, addr, addrlen)
-	int s;
-	const struct sockaddr *addr;
-	socklen_t addrlen;
-{
-	struct privsep_com_msg *msg;
-	size_t len;
-	char *data;
-	struct bind_args bind_args;
-	int err, saved_errno = 0;
-
-	if ((err = bind(s, addr, addrlen) == 0) || 
-	    (saved_errno = errno) != EACCES ||
-	    geteuid() == 0) {
-		if (saved_errno)
-			plog(LLV_ERROR, LOCATION, NULL,
-			     "privsep_bind (%s)\n", strerror(saved_errno));
-		errno = saved_errno;
-		return err;
-	}
-
-	len = sizeof(*msg) + sizeof(bind_args) + addrlen;
-
-	if ((msg = racoon_malloc(len)) == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "Cannot allocate memory: %s\n", strerror(errno));
-		return -1;
-	}
-	bzero(msg, len);
-	msg->hdr.ac_cmd = PRIVSEP_BIND;
-	msg->hdr.ac_len = len;
-
-	bind_args.s = -1;
-	bind_args.addr = NULL;
-	bind_args.addrlen = addrlen;
-
-	data = (char *)(msg + 1);
-	msg->bufs.buflen[0] = sizeof(bind_args);
-	memcpy(data, &bind_args, msg->bufs.buflen[0]);
-
-	data += msg->bufs.buflen[0];
-	msg->bufs.buflen[1] = addrlen;
-	memcpy(data, addr, addrlen);
-
-	/* frees msg */
-	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		goto out;
-
-	/* Send the socket descriptor to the privileged process. */
-	if (send_fd(privsep_sock[1], s) < 0)
-		return -1;
-
-	if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
-		goto out;
-
-	if (msg->hdr.ac_errno != 0) {
-		errno = msg->hdr.ac_errno;
-		goto out;
-	}
-
-	racoon_free(msg);
-	return 0;
-
-out:
-	racoon_free(msg);
-	return -1;
-}
-
-/*
- * Set socket options.  This works just like regular setsockopt(), except that
- * if you want to change IP_IPSEC_POLICY or IPV6_IPSEC_POLICY and you don't
- * have the privilege to do so, it will ask a privileged process to do it.
- */
-int
-privsep_setsockopt(s, level, optname, optval, optlen)
-	int s;
-	int level;
-	int optname;
-	const void *optval;
-	socklen_t optlen;
-{
-	struct privsep_com_msg *msg;
-	size_t len;
-	char *data;
-	struct sockopt_args sockopt_args;
-	int err, saved_errno = 0;
-
-	if ((err = setsockopt(s, level, optname, optval, optlen) == 0) || 
-	    (saved_errno = errno) != EACCES ||
-	    geteuid() == 0) {
-		if (saved_errno)
-			plog(LLV_ERROR, LOCATION, NULL,
-			     "privsep_setsockopt (%s)\n",
-			     strerror(saved_errno));
-
-		errno = saved_errno;
-		return err;
-	}
-
-	len = sizeof(*msg) + sizeof(sockopt_args) + optlen;
-
-	if ((msg = racoon_malloc(len)) == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "Cannot allocate memory: %s\n", strerror(errno));
-		return -1;
-	}
-	bzero(msg, len);
-	msg->hdr.ac_cmd = PRIVSEP_SETSOCKOPTS;
-	msg->hdr.ac_len = len;
-
-	sockopt_args.s = -1;
-	sockopt_args.level = level;
-	sockopt_args.optname = optname;
-	sockopt_args.optval = NULL;
-	sockopt_args.optlen = optlen;
-
-	data = (char *)(msg + 1);
-	msg->bufs.buflen[0] = sizeof(sockopt_args);
-	memcpy(data, &sockopt_args, msg->bufs.buflen[0]);
-
-	data += msg->bufs.buflen[0];
-	msg->bufs.buflen[1] = optlen;
-	memcpy(data, optval, optlen);
-
-	/* frees msg */
-	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		goto out;
-
-	if (send_fd(privsep_sock[1], s) < 0)
-		return -1;
-
-	if (privsep_recv(privsep_sock[1], &msg, &len) != 0) {
-	    plog(LLV_ERROR, LOCATION, NULL,
-		 "privsep_recv failed\n");
-		goto out;
-	}
-
-	if (msg->hdr.ac_errno != 0) {
-		errno = msg->hdr.ac_errno;
-		goto out;
-	}
-
-	racoon_free(msg);
-	return 0;
-
-out:
-	racoon_free(msg);
-	return -1;
-}
-
 #ifdef ENABLE_HYBRID
 int
 privsep_xauth_login_system(usr, pwd)
@@ -1378,7 +972,6 @@
 	msg->bufs.buflen[1] = strlen(pwd) + 1;
 	memcpy(data, pwd, msg->bufs.buflen[1]);
 	
-	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
 		return -1;
 
@@ -1441,7 +1034,6 @@
 	data += msg->bufs.buflen[2];
 	memcpy(data, &inout, msg->bufs.buflen[3]);
 
-	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
 		return -1;
 
@@ -1569,82 +1161,6 @@
 	return 0;
 }
 
-/* Receive a file descriptor through the argument socket */
-static int
-rec_fd(s)
-	int s;
-{
-	struct msghdr msg;
-	struct cmsghdr *cmsg;
-	int fd;
-	char cmsbuf[1024];
-	struct iovec iov;
-	char iobuf[1];
-
-	iov.iov_base = iobuf;
-	iov.iov_len = 1;
-
-	if (sizeof(cmsbuf) < CMSG_SPACE(sizeof(fd))) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "send_fd: buffer size too small\n");
-		return -1;
-	}
-	bzero(&msg, sizeof(msg));
-	msg.msg_name = NULL;
-	msg.msg_namelen = 0;
-	msg.msg_iov = &iov;
-	msg.msg_iovlen = 1;
-	msg.msg_control = cmsbuf;
-	msg.msg_controllen = CMSG_SPACE(sizeof(fd));
-
-	if (recvmsg(s, &msg, MSG_WAITALL) == -1)
-		return -1;
-
-	cmsg = CMSG_FIRSTHDR(&msg);
-	return *(int *)CMSG_DATA(cmsg);
-}
-
-/* Send the file descriptor fd through the argument socket s */
-static int
-send_fd(s, fd)
-	int s;
-	int fd;
-{
-	struct msghdr msg;
-	struct cmsghdr *cmsg;
-	char cmsbuf[1024];
-	struct iovec iov;
-
-	iov.iov_base = " ";
-	iov.iov_len = 1;
-
-	if (sizeof(cmsbuf) < CMSG_SPACE(sizeof(fd))) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "send_fd: buffer size too small\n");
-		return -1;
-	}
-	bzero(&msg, sizeof(msg));
-	msg.msg_name = NULL;
-	msg.msg_namelen = 0;
-	msg.msg_iov = &iov;
-	msg.msg_iovlen = 1;
-	msg.msg_control = cmsbuf;
-	msg.msg_controllen = CMSG_SPACE(sizeof(fd));
-	msg.msg_flags = 0;
-
-	cmsg = CMSG_FIRSTHDR(&msg);
-	cmsg->cmsg_level = SOL_SOCKET;
-	cmsg->cmsg_type = SCM_RIGHTS;
-	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
-	*(int *)CMSG_DATA(cmsg) = fd;
-	msg.msg_controllen = cmsg->cmsg_len;
-
-	if (sendmsg(s, &msg, 0) == -1)
-		return -1;
-
-	return 0;
-}
-
 #ifdef HAVE_LIBPAM
 int 
 privsep_accounting_pam(port, inout)
@@ -1686,7 +1202,6 @@
 	*inout_data = inout;
 	*pool_size_data = isakmp_cfg_config.pool_size;
 
-	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
 		return -1;
 
@@ -1757,7 +1272,6 @@
 	data += msg->bufs.buflen[3];
 	memcpy(data, pwd, msg->bufs.buflen[4]);
 
-	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
 		return -1;
 
@@ -1810,7 +1324,6 @@
 	data += msg->bufs.buflen[0];
 	memcpy(data, &isakmp_cfg_config.pool_size, msg->bufs.buflen[1]);
 
-	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
 		return;
 
--- a/crypto/dist/ipsec-tools/src/racoon/privsep.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/privsep.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.h,v 1.5 2008/03/28 04:18:52 manu Exp $	*/
+/*	$NetBSD: privsep.h,v 1.5.8.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /* Id: privsep.h,v 1.5 2005/06/07 12:22:11 fredsen Exp */
 
@@ -42,9 +42,6 @@
 #define PRIVSEP_XAUTH_LOGIN_PAM		0x0807	/* admin_com_bufs follows */
 #define PRIVSEP_CLEANUP_PAM		0x0808	/* admin_com_bufs follows */
 #define PRIVSEP_ACCOUNTING_SYSTEM	0x0809	/* admin_com_bufs follows */
-#define PRIVSEP_SETSOCKOPTS		0x080A	/* admin_com_bufs follows */
-#define PRIVSEP_BIND			0x080B	/* admin_com_bufs follows */
-#define PRIVSEP_SOCKET			0x080C	/* admin_com_bufs follows */
 
 #define PRIVSEP_NBUF_MAX 24
 #define PRIVSEP_BUFLEN_MAX 4096
@@ -64,9 +61,6 @@
 int privsep_pfkey_open __P((void));
 void privsep_pfkey_close __P((int));
 int privsep_script_exec __P((char *, int, char * const *));
-int privsep_setsockopt __P((int, int, int, const void *, socklen_t));
-int privsep_socket __P((int, int, int));
-int privsep_bind __P((int, const struct sockaddr *, socklen_t));
 vchar_t *privsep_getpsk __P((const char *, const int));
 int privsep_xauth_login_system __P((char *, char *));
 #ifdef HAVE_LIBPAM
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,6 +1,6 @@
-/*	$NetBSD: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: proposal.c,v 1.17.4.1 2009/02/08 18:42:18 snj Exp $	*/
 
-/* $Id: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $ */
+/* $Id: proposal.c,v 1.17.4.1 2009/02/08 18:42:18 snj Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1186,10 +1186,10 @@
 	 * make my proposal according as the client proposal.
 	 * XXX assumed there is only one proposal even if it's the SA bundle.
 	 */
-	for (i = 0; i < MAXPROPPAIRLEN; i++) {
-		if (pair[i] == NULL)
-			continue;
-		
+        for (i = 0; i < MAXPROPPAIRLEN; i++) {
+                if (pair[i] == NULL)
+                        continue;
+
 		if (pp_peer != NULL)
 			flushsaprop(pp_peer);
 
@@ -1226,6 +1226,8 @@
 
 		for (pr = pp_peer->head; pr; pr = pr->next)
 		{
+			struct remoteconf *conf;
+
 			newpr = newsaproto();
 			if (newpr == NULL)
 			{
@@ -1242,7 +1244,9 @@
 			newpr->reqid_in = 0;
 			newpr->reqid_out = 0;
 
-			if (iph2->ph1->rmconf->gen_policy == GENERATE_POLICY_UNIQUE){
+			conf = getrmconf(iph2->dst);
+			if (conf != NULL &&
+				conf->gen_policy == GENERATE_POLICY_UNIQUE){
 				newpr->reqid_in = g_nextreqid ;
 				newpr->reqid_out = g_nextreqid ++;
 				/* 
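Review bot: `conf = getrmconf(iph2->dst);` is evaluated inside the `for (pr = pp_peer->head; ...)` loop although its argument does not change per iteration; hoist the lookup (and the `struct remoteconf *conf;` declaration added in the hunk at -1226) above the loop so the remote-config search runs once per proposal rather than once per protocol. The hunk at -1186 also re-indents the outer `for (i = 0; ...)` lines with spaces while the surrounding block uses tabs, which will show up as a spurious diff on the next reformat. The enclosing function starts and ends outside these hunks.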
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.46 2008/09/19 17:33:24 wiz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.46.4.1 2009/02/08 18:42:18 snj Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 9, 2006
+.Dd September 19, 2006
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -152,7 +152,7 @@
 should switch.
 This can be a quoted user name or a numeric UID.
 .It Ic group Ar group ;
-The group the unprivileged instance of
+The group the unprivilegied instance of
 .Xr racoon 8 ,
 should switch.
 This can be a quoted group name or a numeric GID.
@@ -184,8 +184,7 @@
 .Ic certificate
 and
 .Ic script
-paths are mandatory.
-A
+paths are mandatory. A
 .Xr racoon 8
 restart is required if you want path changes to be taken into account.
 .Bl -tag -width Ds -compact
@@ -224,8 +223,7 @@
 Specifies file where to store PID of process.
 If path starts with
 .Pa /
-it is treated as an absolute path.
-Otherwise, it is treated as a relative
+it is treated as an absolute path. Otherwise, it is treated as a relative 
 path to the VARRUN directory specified at compilation time.
 Default is
 .Pa racoon.pid .
@@ -321,14 +319,12 @@
 .Ar owner ,
 and
 .Ar group
-values specify the socket path, owner, and group.
-They must be quoted.
+values specify the socket path, owner, and group. They must be quoted.
 The defaults are
 .Pa /var/racoon/racoon.sock ,
 UID 0, and GID 0.
 .Ar mode
-is the access mode in octal.
-The default is 0600.
+is the access mode in octal. The default is 0600.
 .It Ic adminsock disabled ;
 This directive tells racoon to not listen on the admin socket.
 .El
@@ -413,8 +409,7 @@
 You can omit this statement.
 .\"
 .It Ic identifier Ar idtype ;
-This statement is obsolete.
-Instead, use
+This statment is obsolete. Instead, use
 .Ic my_identifier .
 .\"
 .It Xo
@@ -514,9 +509,7 @@
 .Bl -tag -width Ds -compact
 .It Ic plain_rsa Ar privkeyfile ;
 .Ar privkeyfile
-means a file name of a private key generated by
-.Xr plainrsa-gen 8 .
-Required
+means a file name of a private key generated by plainrsa-gen(8).  Required
 for RSA authentication.
 .El
 .It Ic ca_type Ar cacertspec ;
@@ -560,8 +553,8 @@
 .Xr racoon 8
 will expect
 .Ar pubkeyfile
-to be the peer's public key that was generated by
-.Xr plainrsa-gen 8 .
+to be the peer's public key that was generated
+by plainrsa-gen(8).
 .\"
 .It Ic script Ar script Ic phase1_up
 .It Ic script Ar script Ic phase1_down
@@ -611,10 +604,6 @@
 The space separated list of IPv4 addresses and masks (address slash mask)
 that define the networks to be considered local, and thus excluded from the
 tunnels ; obtained by ISAKMP mode config.
-.It SPLIT_INCLUDE_CIDR
-Same as SPLIT_INCLUDE, with netmasks in CIDR notation.
-.It SPLIT_LOCAL_CIDR
-Same as SPLIT_LOCAL, with netmasks in CIDR notation.
 .It DEFAULT_DOMAIN
 The DNS default domain name obtained by ISAKMP mode config.
 .El
@@ -703,7 +692,7 @@
 It is useful for a server.
 .\"
 .It Ic proposal_check Ar level ;
-Specifies the action of lifetime length, key length, and PFS of the phase 2
+Specifies the action of lifetime length, key length and PFS of the phase 2
 selection on the responder side, and the action of lifetime check in
 phase 1.
 The default level is
@@ -823,22 +812,6 @@
 The default value is
 .Ic 5 .
 .\"
-.It Ic rekey (on | off | force) ;
-Enable automatic renegotiation of expired phase1 when there are non-dying
-phase2 SAs.
-Possible values are:
-.Bl -tag -width Ds -compact
-.It Ic force
-Rekeying is done unconditionally.
-.It Ic on
-Rekeying is done only if DPD monitoring is active.
-This is the default.
-.It Ic off
-No automatic rekeying.
-Do note that turning off automatic rekeying will
-result in inaccurate DPD monitoring.
-.El
-.\"
 .It Ic nonce_size Ar number ;
 define the byte size of nonce value.
 Racoon can send any value although
@@ -846,7 +819,7 @@
 The default size is 16 bytes.
 .\"
 .It Ic ph1id Ar number ;
-An optional number to identify the remote proposal and to link it
+An optionnal number to identify the remote proposal and to link it
 only with sainfos who have the same number.
 Defaults to 0.
 .\"
@@ -931,16 +904,14 @@
 .Ss Sainfo Specifications
 .Bl -tag -width Ds -compact
 .It Xo
-.Ic sainfo ( Ar local_id | Ic anonymous ) ( Ar remote_id | Ic clientaddr | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
+.Ic sainfo ( Ar source_id destination_id | Ar source_id Ic anonymous | Ic anonymous Ar destination_id | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
 .Ic { Ar statements Ic }
 .Xc
-Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
-.Pp
-The
-.Ar local_id
+defines the parameters of the IKE phase 2 (IPsec-SA establishment).
+.Ar source_id
 and
-.Ar remote_id
-strings are constructed like:
+.Ar destination_id
+are constructed like:
 .Pp
 .Ic address Ar address
 .Bq Ic / Ar prefix
@@ -954,11 +925,17 @@
 .Bq Ic [ Ar port ]
 .Ar ul_proto
 .Pp
-An id string should be expressed to match the exact value of an ID payload.
+or
+.Pp
+.Ar idtype Ar string
+.Pp
+An id string should be expressed to match the exact value of an ID payload
+(source is the local end, destination is the remote end).
 This is not like a filter rule.
 For example, if you define 3ffe:501:4819::/48 as
-.Ar local_id .
+.Ar source_id .
 3ffe:501:4819:1000:/64 will not match.
+.Pp
 In the case of a longest prefix (selecting a single host),
 .Ar address
 instructs to send ID type of ADDRESS while
@@ -966,24 +943,7 @@
 instructs to send ID type of SUBNET.
 Otherwise, these instructions are identical.
 .Pp
-The
-.Ic anonymous
-keyword can be used to match any id.
-The
-.Ic clientaddr
-keyword can be used to match a remote id that is equal to either the peer
-ip address or the mode_cfg ip address ( if assigned ).
-This can be useful
-to restrict policy generation when racoon is acting as a client gateway
-for peers with dynamic ip addresses.
-.Pp
-The
-.Ic from
-keyword allows an sainfo to only match for peers that use a specific phase1
-id value during authentication.
-The
-.Ic group
-keyword allows an XAuth group membership check to be performed
+The group keyword allows an XAuth group membership check to be performed
 for this sainfo section.
 When the mode_cfg auth source is set to
 .Ic system
@@ -1131,10 +1091,8 @@
 means to use a RADIUS server.
 It works only if
 .Xr racoon 8
-was built with libradius support.
-Radius configuration is handled by statements in the
-.Ic radiuscfg
-section.
+was built with libradius support. Radius configuration is hanlded by
+.Xr radius.conf 5 .
 .Ar pam
 means to use PAM.
 It works only if
@@ -1144,8 +1102,8 @@
 means to use LDAP.
 It works only if
 .Xr racoon 8
-was built with libldap support.
-LDAP configuration is handled by statements in the
+was built with libldap support. LDAP configuration is handled by
+statements in the
 .Ic ldapcfg
 section.
 .It Ic auth_groups Ar "group1", ... ;
@@ -1153,7 +1111,7 @@
 When defined, the authenticating user must be a member of at least one
 group for Xauth to succeed.
 .It Ic group_source (system | ldap) ;
-Specifies the source for group validation of users through Xauth.
+Specifies the source for group validataion of users through Xauth.
 .Ar system
 means to use the Unix user database.
 This is the default.
@@ -1179,10 +1137,9 @@
 means to use a RADIUS server.
 It works only if
 .Xr racoon 8
-was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by statements in the
-.Ic radiuscfg
-section.
+was built with libradius support and requires RADIUS authentiation.
+RADIUS configuration is handled by
+.Xr radius.conf 5 .
 .Ar ldap
 means to use an LDAP server.
 It works only if
@@ -1207,9 +1164,8 @@
 It works only if
 .Xr racoon 8
 was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by statements in the
-.Ic radiuscfg
-section.
+RADIUS configuration is handled by
+.Xr radius.conf 5 .
 Specifying
 .Ar pam
 enables PAM accounting.
@@ -1242,13 +1198,12 @@
 .Ic dns4
 lines.
 .It Ic wins4 Ar addresses ;
-A list of IPv4 address for WINS servers.
-The keyword
+A list of IPv4 address for WINS servers. The keyword
 .It nbns4
 can also be used as an alias for
 .It wins4 .
 .It Ic split_network (include | local_lan) Ar network/mask, ...
-The network configuration to send, in CIDR notation (e.g. 192.168.1.0/24).
+The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
 If
 .Ic include
 is specified, the tunnel should be only used to encrypt the indicated
@@ -1312,8 +1267,8 @@
 Otherwise, use the one level search scope.
 The default is
 .Ic off .
-.It Ic bind_dn Ar distinguished name;
-The user dn used to optionally bind as before performing ldap search operations.
+.It Ic bind_dn Ar distinguised name;
+The user dn used to optionaly bind as before performing ldap search operations.
 If this option is not specified, anonymous binds are used.
 .It Ic bind_pw Ar string;
 The password used when binding as
@@ -1346,42 +1301,6 @@
 .Ic member .
 .El
 .El
-.Ss Radius configuration settings
-.Bl -tag -width Ds -compact
-.It Ic radiuscfg { Ar statements Ic }
-Defines the parameters that will be used to communicate with radius
-servers for
-.Ic xauth
-authentication.
-If radius is selected as the xauth authentication or accounting
-source and no servers are defined in this section, settings from
-the system
-.Xr radius.conf 5
-configuration file will be used instead.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic auth Ar (hostname | address) [port] sharedsecret;
-The host name or ip address, optional port value and shared secret value
-of a radius authentication server.
-Up to 5 radius authentication servers
-may be specified using multiple lines.
-.It Ic acct Ar (hostname | address) [port] sharedsecret;
-The host name or ip address, optional port value and shared secret value
-of a radius accounting server.
-Up to 5 radius accounting servers may be
-specified using multiple lines.
-.It Ic timeout Ar seconds ;
-The timeout for receiving replies from radius servers.
-The default is
-.Ic 3 .
-.It Ic retries Ar count ;
-The maximum number of repeated requests to make before giving up
-on a radius server.
-The default is
-.Ic 3 .
-.El
-.El
 .Ss Special directives
 .Bl -tag -width Ds -compact
 .It Ic complex_bundle (on | off) ;
--- a/crypto/dist/ipsec-tools/src/racoon/racoonctl.8	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoonctl.8	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoonctl.8,v 1.18 2008/06/18 07:40:16 wiz Exp $
+.\"	$NetBSD: racoonctl.8,v 1.18.4.1 2009/02/08 18:42:18 snj Exp $
 .\"
 .\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 18, 2008
+.Dd November 16, 2004
 .Dt RACOONCTL 8
 .Os
 .\"
@@ -47,10 +47,6 @@
 show-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
-get-sa-cert
-.Op inet|inet6
-.Ar src dst
-.Nm
 flush-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
@@ -59,17 +55,17 @@
 .Nm
 establish-sa
 .Op Fl u Ar identity
-.Op Fl w
 .Ar saopts
 .Nm
 vpn-connect
-.Op Fl u Ar identity
+.Op Fl u identity
 .Ar vpn_gateway
 .Nm
 vpn-disconnect
 .Ar vpn_gateway
 .Nm
 show-event
+.Op Fl l
 .Nm
 logout-user
 .Ar login
@@ -103,22 +99,11 @@
 Use
 .Fl l
 to increase verbosity.
-.It Xo get-sa-cert
-.Oo inet|inet6
-.Oc Ar src dst
-.Xc
-Output the raw certificate that was used to authenticate the phase 1
-matching
-.Ar src
-and
-.Ar dst .
 .It flush-sa Op isakmp|esp|ah|ipsec
 is used to flush all SAs if no SA class is provided, or a class of SAs,
 either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
 .It Xo establish-sa
 .Oo Fl u Ar username
-.Oc
-.Oo Fl w
 .Oc Ar saopts
 .Xc
 Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
@@ -130,17 +115,12 @@
 .Ar username
 and these credentials will be used in the Xauth exchange.
 .Pp
-Specifying
-.Fl w
-will make racoonctl wait until the SA is actually established or
-an error occurs.
-.Pp
 .Ar saopts
 has the following format:
 .Bl -tag -width Bl
 .It isakmp {inet|inet6} Ar src Ar dst
 .It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
-{icmp|tcp|udp|gre|any}
+{icmp|tcp|udp|any}
 .El
 .It Xo vpn-connect
 .Oo Fl u Ar username
@@ -155,9 +135,16 @@
 This is a particular case of the previous command.
 It will kill all SAs associated with
 .Ar vpn_gateway .
-.It show-event
-Listen for all events reported by
-.Xr racoon 8 .
+.It show-event Op Fl l
+Dump all events reported by
+.Xr racoon 8 ,
+then quit.
+The
+.Fl l
+flag causes
+.Nm
+to not stop once all the events have been read, but rather to loop
+awaiting and reporting new events.
 .It logout-user Ar login
 Delete all SA established on behalf of the Xauth user
 .Ar login .
--- a/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,10 +1,9 @@
-/*	$NetBSD: racoonctl.c,v 1.13 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: racoonctl.c,v 1.13.4.1 2009/02/08 18:42:18 snj Exp $	*/
 
 /*	Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * Copyright (C) 2008 Timo Teras.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -93,7 +92,6 @@
 static vchar_t *f_reload __P((int, char **));
 static vchar_t *f_getsched __P((int, char **));
 static vchar_t *f_getsa __P((int, char **));
-static vchar_t *f_getsacert __P((int, char **));
 static vchar_t *f_flushsa __P((int, char **));
 static vchar_t *f_deletesa __P((int, char **));
 static vchar_t *f_exchangesa __P((int, char **));
@@ -106,59 +104,59 @@
 
 struct cmd_tag {
 	vchar_t *(*func) __P((int, char **));
+	int cmd;
 	char *str;
 } cmdtab[] = {
-	{ f_reload,	"reload-config" },
-	{ f_reload,	"rc" },
-	{ f_getsched,	"show-schedule" },
-	{ f_getsched,	"sc" },
-	{ f_getsa,	"show-sa" },
-	{ f_getsa,	"ss" },
-	{ f_getsacert,	"get-cert" },
-	{ f_getsacert,	"gc" },
-	{ f_flushsa,	"flush-sa" },
-	{ f_flushsa,	"fs" },
-	{ f_deletesa,	"delete-sa" },
-	{ f_deletesa,	"ds" },
-	{ f_exchangesa,	"establish-sa" },
-	{ f_exchangesa,	"es" },
-	{ f_vpnc,	"vpn-connect" },
-	{ f_vpnc,	"vc" },
-	{ f_vpnd,	"vpn-disconnect" },
-	{ f_vpnd,	"vd" },
-	{ f_getevt,	"show-event" },
-	{ f_getevt,	"se" },
+	{ f_reload,	ADMIN_RELOAD_CONF,	"reload-config" },
+	{ f_reload,	ADMIN_RELOAD_CONF,	"rc" },
+	{ f_getsched,	ADMIN_SHOW_SCHED,	"show-schedule" },
+	{ f_getsched,	ADMIN_SHOW_SCHED,	"sc" },
+	{ f_getsa,	ADMIN_SHOW_SA,		"show-sa" },
+	{ f_getsa,	ADMIN_SHOW_SA,		"ss" },
+	{ f_flushsa,	ADMIN_FLUSH_SA,		"flush-sa" },
+	{ f_flushsa,	ADMIN_FLUSH_SA,		"fs" },
+	{ f_deletesa,	ADMIN_DELETE_SA,	"delete-sa" },
+	{ f_deletesa,	ADMIN_DELETE_SA,	"ds" },
+	{ f_exchangesa,	ADMIN_ESTABLISH_SA,	"establish-sa" },
+	{ f_exchangesa,	ADMIN_ESTABLISH_SA,	"es" },
+	{ f_vpnc,	ADMIN_ESTABLISH_SA,	"vpn-connect" },
+	{ f_vpnc,	ADMIN_ESTABLISH_SA,	"vc" },
+	{ f_vpnd,	ADMIN_DELETE_ALL_SA_DST,"vpn-disconnect" },
+	{ f_vpnd,	ADMIN_DELETE_ALL_SA_DST,"vd" },
+	{ f_getevt,	ADMIN_SHOW_EVT,		"show-event" },
+	{ f_getevt,	ADMIN_SHOW_EVT,		"se" },
 #ifdef ENABLE_HYBRID
-	{ f_logoutusr,	"logout-user" },
-	{ f_logoutusr,	"lu" },
+	{ f_logoutusr,	ADMIN_LOGOUT_USER,	"logout-user" },
+	{ f_logoutusr,	ADMIN_LOGOUT_USER,	"lu" },
 #endif
-	{ NULL, NULL },
+	{ NULL, 0, NULL },
 };
 
 struct evtmsg {
 	int type;
 	char *msg;
+	enum { UNSPEC, ERROR, INFO } level;
 } evtmsg[] = {
-	{ EVT_RACOON_QUIT,		"Racoon terminated" },
-
-	{ EVT_PHASE1_UP,		"Phase 1 established" },
-	{ EVT_PHASE1_DOWN,		"Phase 1 deleted" },
-	{ EVT_PHASE1_NO_RESPONSE,	"Phase 1 error: peer not responding" },
-	{ EVT_PHASE1_NO_PROPOSAL,	"Phase 1 error: no proposal chosen" },
-	{ EVT_PHASE1_AUTH_FAILED,
-	  "Phase 1 error: authentication failed (bad certificate?)" },
-	{ EVT_PHASE1_DPD_TIMEOUT,	"Phase 1 error: dead peer detected" },
-	{ EVT_PHASE1_MODE_CFG,		"Phase 1 mode configuration done" },
-	{ EVT_PHASE1_XAUTH_SUCCESS,	"Phase 1 Xauth succeeded" },
-	{ EVT_PHASE1_XAUTH_FAILED,	"Phase 1 Xauth failed" },
-
-	{ EVT_PHASE2_NO_PHASE1,		"Phase 2 error: no suitable phase 1" },
-	{ EVT_PHASE2_UP,		"Phase 2 established" },
-	{ EVT_PHASE2_DOWN,		"Phase 2 deleted" },
-	{ EVT_PHASE2_NO_RESPONSE,	"Phase 2 error: no response" },
+	{ EVTT_PHASE1_UP, "Phase 1 established", INFO },
+	{ EVTT_PHASE1_DOWN, "Phase 1 deleted", INFO },
+	{ EVTT_XAUTH_SUCCESS, "Xauth exchange passed", INFO },
+	{ EVTT_ISAKMP_CFG_DONE, "ISAKMP mode config done", INFO },
+	{ EVTT_PHASE2_UP, "Phase 2 established", INFO },
+	{ EVTT_PHASE2_DOWN, "Phase 2 deleted", INFO },
+	{ EVTT_DPD_TIMEOUT, "Peer not reachable anymore", ERROR },
+	{ EVTT_PEER_NO_RESPONSE, "Peer not responding", ERROR },
+	{ EVTT_PEER_DELETE, "Peer terminated security association", ERROR },
+	{ EVTT_RACOON_QUIT, "Raccon terminated", ERROR },
+	{ EVTT_OVERFLOW, "Event queue overflow", ERROR },
+	{ EVTT_XAUTH_FAILED, "Xauth exchange failed", ERROR },
+	{ EVTT_PEERPH1AUTH_FAILED, "Peer failed phase 1 authentication "
+	    "(certificate problem?)", ERROR },
+	{ EVTT_PEERPH1_NOPROP, "Peer failed phase 1 initiation "
+	    "(proposal problem?)", ERROR },
+	{ 0, NULL, UNSPEC },
+	{ EVTT_NO_ISAKMP_CFG, "No need for ISAKMP mode config ", INFO },
 };
 
-static vchar_t *get_proto_and_index __P((int, char **, u_int16_t *));
 static int get_proto __P((char *));
 static vchar_t *get_index __P((int, char **));
 static int get_family __P((char *));
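Review bot: The `{ 0, NULL, UNSPEC }` sentinel sits before the `EVTT_NO_ISAKMP_CFG` entry, and the lookup loops added later in this commit (`for (i = 0; evtmsg[i].msg; i++)` in print_evt and print_err) stop at the first NULL message, so that last entry can never be matched: print_evt will fall back to `Event %d:` for it and print_err will see level UNSPEC rather than INFO. Moving the sentinel to the end of the array, after the `EVTT_NO_ISAKMP_CFG` line, fixes this. Separately, the `EVTT_RACOON_QUIT` message reads `"Raccon terminated"`; `"Racoon terminated"` is presumably intended. The `cmd` field added to `struct cmd_tag` is not read anywhere visible in this chunk; if it is informational only, a short comment on the field would say so.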
@@ -186,7 +184,6 @@
 	{ IPPROTO_ICMP,	"icmp" },
 	{ IPPROTO_TCP,	"tcp" },
 	{ IPPROTO_UDP,	"udp" },
-	{ IPPROTO_GRE,	"gre" },
 	{ 0, NULL },
 };
 
@@ -196,13 +193,31 @@
 
 char *pname;
 int long_format = 0;
-int evt_quit_event = 0;
+
+#define EVTF_NONE		0x0000	/* Ignore any events */
+#define EVTF_LOOP		0x0001	/* Loop awaiting for new events */
+#define EVTF_CFG_STOP		0x0002	/* Stop after ISAKMP mode config */
+#define EVTF_CFG		0x0004	/* Print ISAKMP mode config info */
+#define EVTF_ALL		0x0008	/* Print any events */
+#define EVTF_PURGE		0x0010	/* Print all available events */
+#define EVTF_PH1DOWN_STOP	0x0020	/* Stop when phase 1 SA gets down */
+#define EVTF_PH1DOWN		0x0040	/* Print that phase 1 SA got down */
+#define EVTF_ERR		0x0080	/* Print any error */
+#define EVTF_ERR_STOP		0x0100	/* Stop on any error */
+
+int evt_filter = EVTF_NONE;
+time_t evt_start;
 
 void dump_isakmp_sa __P((char *, int));
 void dump_internal __P((char *, int));
 char *pindex_isakmp __P((isakmp_index *));
 void print_schedule __P((caddr_t, int));
-void print_evt __P((struct evt_async *));
+void print_evt __P((caddr_t, int));
+void print_cfg __P((caddr_t, int));
+void print_err __P((caddr_t, int));
+void print_ph1down __P((caddr_t, int));
+void print_ph1up __P((caddr_t, int));
+int evt_poll __P((void));
 char * fixed_addr __P((char *, char *, int));
 
 static void
@@ -211,15 +226,12 @@
 	printf(
 "Usage:\n"
 "  %s reload-config\n"
-"  %s show-schedule\n"
 "  %s [-l [-l]] show-sa [protocol]\n"
 "  %s flush-sa [protocol]\n"
 "  %s delete-sa <saopts>\n"
-"  %s establish-sa [-u identity] [-w] <saopts>\n"
+"  %s establish-sa [-u identity] <saopts>\n"
 "  %s vpn-connect [-u identity] vpn_gateway\n"
 "  %s vpn-disconnect vpn_gateway\n"
-"  %s show-event\n"
-"  %s logout-user login\n"
 "\n"
 "    <protocol>: \"isakmp\", \"esp\" or \"ah\".\n"
 "        In the case of \"show-sa\" or \"flush-sa\", you can use \"ipsec\".\n"
@@ -228,8 +240,8 @@
 "            : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
 "                              <ul_proto>\n"
 "    <family>: \"inet\" or \"inet6\"\n"
-"    <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n",
-	pname, pname, pname, pname, pname, pname, pname, pname, pname, pname);
+"    <ul_proto>: \"icmp\", \"tcp\", \"udp\" or \"any\"\n",
+	pname, pname, pname, pname, pname, pname, pname);
 }
 
 /*
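Review bot: The usage text in the preceding hunk no longer lists `show-schedule`, `show-event` or `logout-user`, yet all three remain in `cmdtab` earlier in this file (and `show-event` now accepts `-l`), so the help output under-documents the command set. Re-adding `"  %s show-schedule\n"`, `"  %s show-event [-l]\n"` and `"  %s logout-user login\n"` together with three more `pname` arguments in this hunk keeps the format string and argument list in step; the current seven `%s`/seven `pname` pairing is correct as written, so both sides must change together. `logout-user` is only compiled under ENABLE_HYBRID in cmdtab, so its usage line may warrant the same conditional if the two are to match exactly.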
@@ -300,24 +312,54 @@
 
 	vfree(combuf);
 
-	do {
-		if (com_recv(&combuf) != 0)
-			goto bad;
-		if (handle_recv(combuf) != 0)
-			goto bad;
-		vfree(combuf);
-	} while (evt_quit_event != 0);
+	if (com_recv(&combuf) != 0)
+		goto bad;
+	if (handle_recv(combuf) != 0)
+		goto bad;
 
-	close(so);
+	vfree(combuf);
+
+	if (evt_filter != EVTF_NONE)
+		if (evt_poll() != 0)
+			goto bad;	
+	
 	exit(0);
 
-bad:
-	close(so);
-	if (errno == EEXIST)
-		exit(0);
+    bad:
 	exit(1);
 }
 
+int
+evt_poll(void) {
+	struct timeval tv;
+	vchar_t *recvbuf;
+	vchar_t *sendbuf;
+
+	if ((sendbuf = f_getevt(0, NULL)) == NULL)
+		errx(1, "Cannot make combuf");
+
+
+	while (evt_filter & (EVTF_LOOP|EVTF_PURGE)) {
+		/* handle_recv closes the socket time, so open it each time */
+		com_init();
+
+		if (com_send(sendbuf) != 0)
+			errx(1, "Cannot send combuf");
+
+		if (com_recv(&recvbuf) == 0) {
+			handle_recv(recvbuf);
+			vfree(recvbuf);
+		}
+
+		tv.tv_sec = 0;
+		tv.tv_usec = 10;
+		(void)select(0, NULL, NULL, NULL, &tv);
+	}
+
+	vfree(sendbuf);
+	return 0;
+}
+
 /* %%% */
 /*
  * return command buffer.
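Review bot: In `evt_poll` a failed `com_recv()` is silently skipped and the loop simply continues, the result of `handle_recv()` is discarded, and the function always returns 0, so the caller's `if (evt_poll() != 0) goto bad;` is dead code and a broken admin socket becomes an endless reconnect loop rather than an error; `if (com_recv(&recvbuf) != 0) { vfree(sendbuf); return -1; }` plus the equivalent check on `handle_recv` would make that path reachable. The pause between iterations is `tv.tv_usec = 10`, i.e. ten microseconds, and every iteration re-opens the socket via `com_init()` and sends a fresh ADMIN_SHOW_EVT, which amounts to hammering racoon's admin socket for the whole time phase 1 or mode-config takes; an interval on the order of 100 ms would cost nothing in responsiveness. The comment `/* handle_recv closes the socket time, so open it each time */` reads as a typo for `closes the socket each time`. In the first part of the hunk the `bad:` label is now indented with spaces while the rest of the file uses tabs.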
@@ -352,42 +394,61 @@
 }
 
 static vchar_t *
-make_request(u_int16_t cmd, u_int16_t proto, size_t len)
+f_reload(ac, av)
+	int ac;
+	char **av;
 {
 	vchar_t *buf;
 	struct admin_com *head;
 
-	buf = vmalloc(sizeof(struct admin_com) + len);
+	buf = vmalloc(sizeof(*head));
 	if (buf == NULL)
 		errx(1, "not enough core");
 
-	head = (struct admin_com *) buf->v;
+	head = (struct admin_com *)buf->v;
 	head->ac_len = buf->l;
-	head->ac_cmd = ADMIN_FLAG_VERSION | cmd;
-	head->ac_version = 1;
-	head->ac_proto = proto;
+	head->ac_cmd = ADMIN_RELOAD_CONF;
+	head->ac_errno = 0;
+	head->ac_proto = 0;
 
 	return buf;
 }
 
 static vchar_t *
-f_reload(ac, av)
-	int ac;
-	char **av;
-{
-	return make_request(ADMIN_RELOAD_CONF, 0, 0);
-}
-
-static vchar_t *
 f_getevt(ac, av)
 	int ac;
 	char **av;
 {
-	evt_quit_event = -1;
-	if (ac >= 1)
+	vchar_t *buf;
+	struct admin_com *head;
+
+	/*
+	 * There are 3 ways of getting here
+	 * 1) racoonctl vc => evt_filter = (EVTF_LOOP|EVTF_CFG| ... )
+	 * 2) racoonctl es => evt_filter = EVTF_NONE
+	 * 3) racoonctl es -l => evt_filter = EVTF_LOOP
+	 * Catch the second case: show-event is here to purge all
+	 */
+	if (evt_filter == EVTF_NONE)
+		evt_filter = (EVTF_ALL|EVTF_PURGE);
+
+	if ((ac >= 1) && (strcmp(av[0], "-l") == 0))
+		evt_filter |= EVTF_LOOP;
+
+	if (ac >= 2)
 		errx(1, "too many arguments");
 
-	return make_request(ADMIN_SHOW_EVT, 0, 0);
+	buf = vmalloc(sizeof(*head));
+	if (buf == NULL)
+		errx(1, "not enough core");
+
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = ADMIN_SHOW_EVT;
+	head->ac_errno = 0;
+	head->ac_proto = 0;
+
+	return buf;
 }
 
 static vchar_t *
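Review bot: `f_getevt` accepts any single argument other than `-l` without complaint: the only rejection is `ac >= 2`, so `show-event foo` runs with `foo` silently ignored. Replacing the `-l` test with `if (ac >= 1 && strcmp(av[0], "-l") != 0) errx(1, "unknown option %s", av[0]);` (and then `evt_filter |= EVTF_LOOP;` when `ac >= 1`) closes that gap. As a point of style, the request-header sequence (`vmalloc`, `ac_len`, `ac_cmd`, `ac_errno`, `ac_proto`) is written out verbatim in `f_reload` and `f_getevt` here and again in the hunks that build the ADMIN_SHOW_SCHED, ADMIN_SHOW_SA, ADMIN_FLUSH_SA, ADMIN_DELETE_SA, ADMIN_DELETE_ALL_SA_DST, ADMIN_ESTABLISH_SA and ADMIN_LOGOUT_USER requests; a small static helper taking the command, protocol and payload length would leave one place to get the header right, and would have avoided the `ac_len` inconsistency those hunks show.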
@@ -395,7 +456,20 @@
 	int ac;
 	char **av;
 {
-	return make_request(ADMIN_SHOW_SCHED, 0, 0);
+	vchar_t *buf;
+	struct admin_com *head;
+
+	buf = vmalloc(sizeof(*head));
+	if (buf == NULL)
+		errx(1, "not enough core");
+
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = ADMIN_SHOW_SCHED;
+	head->ac_errno = 0;
+	head->ac_proto = 0;
+
+	return buf;
 }
 
 static vchar_t *
@@ -403,6 +477,8 @@
 	int ac;
 	char **av;
 {
+	vchar_t *buf;
+	struct admin_com *head;
 	int proto;
 
 	/* need protocol */
@@ -412,29 +488,15 @@
 	if (proto == -1)
 		errx(1, "unknown protocol %s", *av);
 
-	return make_request(ADMIN_SHOW_SA, proto, 0);
-}
-
-static vchar_t *
-f_getsacert(ac, av)
-	int ac;
-	char **av;
-{
-	vchar_t *buf, *index;
-	struct admin_com_indexes *com;
+	buf = vmalloc(sizeof(*head));
+	if (buf == NULL)
+		errx(1, "not enough core");
 
-	index = get_index(ac, av);
-	if (index == NULL)
-		return NULL;
-
-	com = (struct admin_com_indexes *) index->v;
-	buf = make_request(ADMIN_GET_SA_CERT, ADMIN_PROTO_ISAKMP, index->l);
-	if (buf == NULL)
-		errx(1, "Cannot allocate buffer");
-
-	memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
-
-	vfree(index);
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = ADMIN_SHOW_SA;
+	head->ac_errno = 0;
+	head->ac_proto = proto;
 
 	return buf;
 }
@@ -455,7 +517,17 @@
 	if (proto == -1)
 		errx(1, "unknown protocol %s", *av);
 
-	return make_request(ADMIN_FLUSH_SA, proto, 0);
+	buf = vmalloc(sizeof(*head));
+	if (buf == NULL)
+		errx(1, "not enough core");
+
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = ADMIN_FLUSH_SA;
+	head->ac_errno = 0;
+	head->ac_proto = proto;
+
+	return buf;
 }
 
 static vchar_t *
@@ -464,6 +536,7 @@
 	char **av;
 {
 	vchar_t *buf, *index;
+	struct admin_com *head;
 	int proto;
 
 	/* need protocol */
@@ -493,11 +566,17 @@
 		return NULL;
 	}
 
-	buf = make_request(ADMIN_DELETE_SA, proto, index->l);
+	buf = vmalloc(sizeof(*head) + index->l);
 	if (buf == NULL)
 		goto out;
 
-	memcpy(buf->v + sizeof(struct admin_com), index->v, index->l);
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l + index->l;
+	head->ac_cmd = ADMIN_DELETE_SA;
+	head->ac_errno = 0;
+	head->ac_proto = proto;
+
+	memcpy(buf->v+sizeof(*head), index->v, index->l);
 
 out:
 	if (index != NULL)
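Review bot: `head->ac_len = buf->l + index->l;` double-counts the index: `buf` was allocated as `sizeof(*head) + index->l`, so `buf->l` already covers the index bytes (the ADMIN_ESTABLISH_SA builder later in this commit sets `head->ac_len = buf->l;` for the same layout). `head->ac_len = buf->l;` is the consistent value, and the same over-count appears in the ADMIN_DELETE_ALL_SA_DST hunk that follows this one. Whether the daemon sizes its read from `ac_len` is outside this chunk, but if it does, an over-stated length means it either waits for bytes that never arrive or rejects the request. This assumes `vmalloc` sets `buf->l` to the requested size, which every other builder in this file relies on.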
@@ -512,17 +591,47 @@
 	char **av;
 {
 	vchar_t *buf, *index;
-	u_int16_t proto;
+	struct admin_com *head;
+	int proto;
+
+	/* need protocol */
+	if (ac < 1)
+		errx(1, "insufficient arguments");
+	proto = get_proto(*av);
+	if (proto == -1)
+		errx(1, "unknown protocol %s", *av);
 
-	index = get_proto_and_index(ac, av, &proto);
-	if (index == NULL)
+	/* get index(es) */
+	av++;
+	ac--;
+	switch (proto) {
+	case ADMIN_PROTO_ISAKMP:
+		index = get_index(ac, av);
+		if (index == NULL)
+			return NULL;
+		break;
+	case ADMIN_PROTO_AH:
+	case ADMIN_PROTO_ESP:
+		index = get_index(ac, av);
+		if (index == NULL)
+			return NULL;
+		break;
+	default:
+		errno = EPROTONOSUPPORT;
 		return NULL;
+	}
 
-	buf = make_request(ADMIN_DELETE_ALL_SA_DST, proto, index->l);
+	buf = vmalloc(sizeof(*head) + index->l);
 	if (buf == NULL)
 		goto out;
 
-	memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l + index->l;
+	head->ac_cmd = ADMIN_DELETE_ALL_SA_DST;
+	head->ac_errno = 0;
+	head->ac_proto = proto;
+
+	memcpy(buf->v+sizeof(*head), index->v, index->l);
 
 out:
 	if (index != NULL)
@@ -537,13 +646,13 @@
 	char **av;
 {
 	vchar_t *buf, *index;
-	u_int16_t proto;
+	struct admin_com *head;
+	int proto;
 	int cmd = ADMIN_ESTABLISH_SA;
 	size_t com_len = 0;
 	char *id = NULL;
 	char *key = NULL;
 	struct admin_com_psk *acp;
-	int wait = 0;
 
 	if (ac < 1)
 		errx(1, "insufficient arguments");
@@ -564,42 +673,48 @@
 		ac -= 2;
 	}
 
-	if (ac >= 1 && strcmp(av[0], "-w") == 0) {
-		wait = 1;
-		av++;
-		ac--;
+	/* need protocol */
+	if (ac < 1)
+		errx(1, "insufficient arguments");
+	if ((proto = get_proto(*av)) == -1)
+		errx(1, "unknown protocol %s", *av);
+
+	/* get index(es) */
+	av++;
+	ac--;
+	switch (proto) {
+	case ADMIN_PROTO_ISAKMP:
+		index = get_index(ac, av);
+		if (index == NULL)
+			return NULL;
+		break;
+	case ADMIN_PROTO_AH:
+	case ADMIN_PROTO_ESP:
+		index = get_index(ac, av);
+		if (index == NULL)
+			return NULL;
+		break;
+	default:
+		errno = EPROTONOSUPPORT;
+		return NULL;
 	}
 
-	index = get_proto_and_index(ac, av, &proto);
-	if (index == NULL)
-		return NULL;
-
-	if (wait) {
-		switch (proto) {
-		case ADMIN_PROTO_ISAKMP:
-			evt_quit_event = EVT_PHASE1_MODE_CFG;
-			break;
-		case ADMIN_PROTO_AH:
-		case ADMIN_PROTO_ESP:
-			evt_quit_event = EVT_PHASE2_UP;
-			break;
-		default:
-			errno = EPROTONOSUPPORT;
-			return NULL;
-		}
-	}
-
-	com_len += index->l;
-	buf = make_request(cmd, proto, com_len);
-	if (buf == NULL)
+	com_len += sizeof(*head) + index->l;
+	if ((buf = vmalloc(com_len)) == NULL)
 		errx(1, "Cannot allocate buffer");
 
-	memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = cmd;
+	head->ac_errno = 0;
+	head->ac_proto = proto;
+
+	memcpy(buf->v+sizeof(*head), index->v, index->l);
 
 	if (id && key) {
 		char *data;
 		acp = (struct admin_com_psk *)
-		    (buf->v + sizeof(struct admin_com) + index->l);
+		    (buf->v + sizeof(*head) + index->l);
 
 		acp->id_type = IDTYPE_USERFQDN;
 		acp->id_len = strlen(id) + 1;
@@ -634,7 +749,8 @@
 	if (ac < 1)
 		errx(1, "insufficient arguments");
 
-	evt_quit_event = EVT_PHASE1_MODE_CFG;
+	evt_filter = (EVTF_LOOP|EVTF_CFG|EVTF_CFG_STOP|EVTF_ERR|EVTF_ERR_STOP);
+	time(&evt_start);
 	
 	/* Optional -u identity */
 	if (strcmp(av[0], "-u") == 0) {
@@ -649,7 +765,7 @@
 	}
 
 	if (ac < 1)
-		errx(1, "VPN gateway required");
+		errx(1, "VPN gateway required");	
 	if (ac > 1)
 		warnx("Extra arguments");
 
@@ -694,11 +810,12 @@
 	char *idx;
 
 	if (ac < 1)
-		errx(1, "VPN gateway required");
+		errx(1, "VPN gateway required");	
 	if (ac > 1)
 		warnx("Extra arguments");
 
-	evt_quit_event = EVT_PHASE1_DOWN;
+	evt_filter = 
+	    (EVTF_PH1DOWN|EVTF_PH1DOWN_STOP|EVTF_LOOP|EVTF_ERR|EVTF_ERR_STOP);
 
 	nav[nac++] = isakmp;
 	nav[nac++] = inet;
@@ -715,6 +832,7 @@
 	char **av;
 {
 	vchar_t *buf;
+	struct admin_com *head;
 	char *user;
 
 	/* need username */
@@ -724,46 +842,22 @@
 	if ((user == NULL) || (strlen(user) > LOGINLEN))
 		errx(1, "bad login (too long?)");
 
-	buf = make_request(ADMIN_LOGOUT_USER, 0, 0);
+	buf = vmalloc(sizeof(*head) + strlen(user) + 1);
 	if (buf == NULL)
 		return NULL;
 
-	strncpy(buf->v + sizeof(struct admin_com), user, LOGINLEN);
+	head = (struct admin_com *)buf->v;
+	head->ac_len = buf->l;
+	head->ac_cmd = ADMIN_LOGOUT_USER;
+	head->ac_errno = 0;
+	head->ac_proto = 0;
+
+	strncpy((char *)(head + 1), user, LOGINLEN);
 
 	return buf;
 }
 #endif /* ENABLE_HYBRID */
 
-static vchar_t *
-get_proto_and_index(ac, av, proto)
-	int ac;
-	char **av;
-	u_int16_t *proto;
-{
-	vchar_t *index = NULL;
-
-	/* need protocol */
-	if (ac < 1)
-		errx(1, "insufficient arguments");
-	*proto = get_proto(*av);
-	if (*proto == (u_int16_t) -1)
-		errx(1, "unknown protocol %s", *av);
-
-	/* get index(es) */
-	av++;
-	ac--;
-	switch (*proto) {
-	case ADMIN_PROTO_ISAKMP:
-	case ADMIN_PROTO_AH:
-	case ADMIN_PROTO_ESP:
-		index = get_index(ac, av);
-		break;
-	default:
-		errno = EPROTONOSUPPORT;
-		break;
-	}
-	return index;
-}
 
 static int
 get_proto(str)
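Review bot: `strncpy((char *)(head + 1), user, LOGINLEN);` writes exactly `LOGINLEN` bytes (the copy plus zero padding), but the space after the header is only `strlen(user) + 1` bytes, so any login shorter than `LOGINLEN - 1` characters overruns the heap buffer `vmalloc` returned, and a login of exactly `LOGINLEN` characters is stored without a terminator. `memcpy((char *)(head + 1), user, strlen(user) + 1);` copies precisely the bytes that were allocated and keeps `ac_len = buf->l` accurate; the earlier `strlen(user) > LOGINLEN` check still bounds the input. The enclosing `f_logoutusr` starts outside this hunk.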
@@ -1241,32 +1335,84 @@
 
 
 void
-print_evt(evtdump)
-	struct evt_async *evtdump;
+print_evt(buf, len)
+	caddr_t buf;
+	int len;
 {
+	struct evtdump *evtdump = (struct evtdump *)buf;
 	int i;
 	char *srcstr;
 	char *dststr;
 	
-	for (i = 0; i < sizeof(evtmsg) / sizeof(evtmsg[0]); i++)
-		if (evtmsg[i].type == evtdump->ec_type)
-			break;
-
-	if (evtmsg[i].msg == NULL)
-		printf("Event %d: ", evtdump->ec_type);
+	for (i = 0; evtmsg[i].msg; i++)
+		if (evtmsg[i].type == evtdump->type)
+			break;				
+	
+	if (evtmsg[i].msg == NULL) 
+		printf("Event %d: ", evtdump->type);
 	else
 		printf("%s : ", evtmsg[i].msg);
 
-	if ((srcstr = saddr2str((struct sockaddr *)&evtdump->ec_ph1src)) == NULL)
+	if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL)
 		printf("unknown");
-	else
+	else 
 		printf("%s", srcstr);
 	printf(" -> ");
-	if ((dststr = saddr2str((struct sockaddr *)&evtdump->ec_ph1dst)) == NULL)
+	if ((dststr = saddr2str((struct sockaddr *)&evtdump->dst)) == NULL)
 		printf("unknown");
-	else
+	else 
 		printf("%s", dststr);
 	printf("\n");
+
+	return;
+}
+
+void
+print_err(buf, len)
+	caddr_t buf;
+	int len;
+{
+	struct evtdump *evtdump = (struct evtdump *)buf;
+	int i;
+	
+	
+	for (i = 0; evtmsg[i].msg; i++)
+		if (evtmsg[i].type == evtdump->type)
+			break;				
+
+	if (evtmsg[i].level != ERROR)
+		return;
+	
+	if (evtmsg[i].msg == NULL) 
+		printf("Error: Event %d\n", evtdump->type);
+	else
+		printf("Error: %s\n", evtmsg[i].msg);
+
+	if (evt_filter & EVTF_ERR_STOP)
+		evt_filter &= ~EVTF_LOOP;
+
+	return;
+}
+
+/*
+ * Print a message when phase 1 SA goes down
+ */
+void
+print_ph1down(buf, len)
+	caddr_t buf;
+	int len;
+{
+	struct evtdump *evtdump = (struct evtdump *)buf;
+	
+	if (evtdump->type != EVTT_PHASE1_DOWN)
+		return;
+
+	printf("VPN connexion terminated\n");
+
+	if (evt_filter & EVTF_PH1DOWN_STOP)
+		evt_filter &= ~EVTF_LOOP;
+	
+	return;
 }
 
 /*
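Review bot: `print_evt`, `print_err` and `print_ph1down` each take `len` but none of them checks it before casting `buf` to `struct evtdump *`; they rely on the caller having validated the buffer size, and since they have external linkage that contract is easy to break from elsewhere. A guard at the top of each, `if (len < sizeof(*evtdump)) return;`, makes them safe on their own, independent of the `Short buffer` check the caller does in the final hunk. Two smaller points: the bare `return;` closing each void function is redundant, and the user-facing `"VPN connexion terminated\n"` uses the French spelling, so `"VPN connection terminated\n"` would match the rest of the output. `print_evt` lies entirely within the hunk; the function that follows it starts outside.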
@@ -1277,14 +1423,15 @@
 	caddr_t buf;
 	int len;
 {
-	struct evt_async *evtdump = (struct evt_async *)buf;
+	struct evtdump *evtdump = (struct evtdump *)buf;
 	struct isakmp_data *attr;
 	char *banner = NULL;
 	struct in_addr addr4;
 	
 	memset(&addr4, 0, sizeof(addr4));
 
-	if (evtdump->ec_type != EVT_PHASE1_MODE_CFG)
+	if (evtdump->type != EVTT_ISAKMP_CFG_DONE && 
+	    evtdump->type != EVTT_NO_ISAKMP_CFG)
 		return;
 
 	len -= sizeof(*evtdump);
@@ -1337,12 +1484,12 @@
 			    (n + sizeof(*attr) + ntohs(attr->lorv));
 		}
 	}
-
-	if (len > 0)
+	
+	if (evtdump->type == EVTT_ISAKMP_CFG_DONE)
 		printf("Bound to address %s\n", inet_ntoa(addr4));
 	else
 		printf("VPN connexion established\n");
-
+	
 	if (banner) {
 		struct winsize win;
 		int col = 0;
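Review bot: With `if (len > 0)` replaced by the type test, an EVTT_ISAKMP_CFG_DONE event prints "Bound to address 0.0.0.0" whenever addr4 was never assigned, since addr4 is memset to zero at the top of print_cfg and nothing visible here records whether the attribute loop above (outside this hunk) actually set it. Either keep a flag set inside that loop and test `if (evtdump->type == EVTT_ISAKMP_CFG_DONE && have_addr4)`, or fall back to the generic message when addr4 is still all-zero. The lines added here and in the next print_cfg hunk that consist of a lone tab should be empty. print_cfg's body starts before this hunk.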
@@ -1359,8 +1506,13 @@
 		printf("\n");
 		racoon_free(banner);
 	}
+	
+	if (evt_filter & EVTF_CFG_STOP)
+		evt_filter &= ~EVTF_LOOP;
+	
+	return;
 }
-
+	
 
 char *
 fixed_addr(addr, port, len)
@@ -1395,7 +1547,7 @@
 handle_recv(combuf)
 	vchar_t *combuf;
 {
-        struct admin_com *com;
+        struct admin_com h, *com;
         caddr_t buf;
         int len;
 
@@ -1409,36 +1561,35 @@
 		break;
 
 	case ADMIN_SHOW_EVT: {
-		struct evt_async *ec;
+		struct evtdump *evtdump;
 
-		/* We got no event? */
-		if (len == 0)
+		/* We got no event */
+		if (len == 0) {
+			/* If we were purging the queue, it is now done */
+			if (evt_filter & EVTF_PURGE)
+				evt_filter &= ~EVTF_PURGE;
+			break;
+		}
+
+		if (len < sizeof(struct evtdump))
+			errx(1, "Short buffer\n");		
+
+		/* Toss outdated events */
+		evtdump = (struct evtdump *)buf;
+		if (evtdump->timestamp < evt_start)
 			break;
 
-		if (len < sizeof(struct evt_async))
-			errx(1, "Short buffer\n");
-
-		ec = (struct evt_async *) buf;
-		if (evt_quit_event <= 0)
-			print_evt(ec);
-		else if (evt_quit_event == ec->ec_type) {
-			switch (ec->ec_type) {
-			case EVT_PHASE1_MODE_CFG:
-				print_cfg(ec, len);
-				break;
-			default:
-				print_evt(ec);
-				break;
-			}
-			evt_quit_event = 0;
-		}
+		if (evt_filter & EVTF_ALL)
+			print_evt(buf, len);
+		if (evt_filter & EVTF_ERR)
+			print_err(buf, len);
+		if (evt_filter & EVTF_CFG)
+			print_cfg(buf, len);
+		if (evt_filter & EVTF_PH1DOWN)
+			print_ph1down(buf, len);
 		break;
 	}
 
-	case ADMIN_GET_SA_CERT:
-		fwrite(buf, len, 1, stdout);
-		break;
-
 	case ADMIN_SHOW_SA:
 	   {
 		switch (com->ac_proto) {
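Review bot: `errx(1, "Short buffer\n")` prints a blank line after the message, because errx(3) already appends a newline; drop the `\n`. In the same check len is an int compared against a size_t, so a negative len would convert to a huge unsigned value and pass the test; if len can be negative here (it is computed above the hunk), write `if (len < 0 || (size_t)len < sizeof(struct evtdump)) errx(1, "Short buffer");`. The dispatch that follows calls print_cfg and print_ph1down for every event that passes the filter and relies on each of them to test evtdump->type itself, which deserves a one-line comment at the `if (evt_filter & EVTF_ALL)` line so nobody adds a printer that forgets that check.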
@@ -1492,8 +1643,10 @@
 		break;
 	}
 
+	close(so);
 	return 0;
 
-bad:
+    bad:
+	close(so);
 	return -1;
 }
--- a/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.12 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.12.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -215,8 +215,6 @@
 	new->dpd_retry = 5;
 	new->dpd_maxfails = 5;
 
-	new->rekey = REKEY_ON;
-
 	new->weak_phase1_check = 0;
 
 #ifdef ENABLE_HYBRID
--- a/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.h,v 1.8 2008/09/19 11:14:49 tteras Exp $	*/
+/*	$NetBSD: remoteconf.h,v 1.8.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
 
@@ -108,12 +108,7 @@
 	int dpd;				/* Negociate DPD support ? */
 	int dpd_retry;			/* in seconds */
 	int dpd_interval;		/* in seconds */
-	int dpd_maxfails;
-
-	int rekey;			/* rekey ph1 when active ph2s? */
-#define REKEY_OFF		FALSE
-#define REKEY_ON		TRUE
-#define REKEY_FORCE		2
+	int dpd_maxfails; 
 
 	int ph1id; /* ph1id to be matched with sainfo sections */
 
--- a/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.c,v 1.10 2007/09/12 23:39:51 mgrooms Exp $	*/
+/*	$NetBSD: sainfo.c,v 1.10.12.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $	*/
 
@@ -76,111 +76,88 @@
  * First pass is for sainfo from a specified peer, second for others.
  */
 struct sainfo *
-getsainfo(loc, rmt, peer, client, remoteid)
-	const vchar_t *loc, *rmt, *peer, *client;
+getsainfo(loc, rmt, peer, remoteid)
+	const vchar_t *loc, *rmt, *peer;
 	int remoteid;
 {
 	struct sainfo *s = NULL;
+	struct sainfo *anonymous = NULL;
+	int pass = 1;
+
+	if (peer == NULL)
+		pass = 2;
 
 	/* debug level output */
 	if(loglevel >= LLV_DEBUG) {
 		char *dloc, *drmt, *dpeer, *dclient;
-
+ 
 		if (loc == NULL)
 			dloc = strdup("ANONYMOUS");
 		else
 			dloc = ipsecdoi_id2str(loc);
-
-		if (rmt == SAINFO_ANONYMOUS)
+ 
+		if (rmt == NULL)
 			drmt = strdup("ANONYMOUS");
-		else if (rmt == SAINFO_CLIENTADDR)
-			drmt = strdup("CLIENTADDR");
 		else
 			drmt = ipsecdoi_id2str(rmt);
-
+ 
 		if (peer == NULL)
 			dpeer = strdup("NULL");
 		else
 			dpeer = ipsecdoi_id2str(peer);
-
-		if (client == NULL)
-			dclient = strdup("NULL");
-		else
-			dclient = ipsecdoi_id2str(client);
-
+ 
 		plog(LLV_DEBUG, LOCATION, NULL,
-			"getsainfo params: loc=\'%s\' rmt=\'%s\' peer=\'%s\' client=\'%s\' id=%i\n",
-			dloc, drmt, dpeer, dclient, remoteid );
+			"getsainfo params: loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%i\n",
+			dloc, drmt, dpeer, remoteid );
  
                 racoon_free(dloc);
                 racoon_free(drmt);
                 racoon_free(dpeer);
 	}
 
+    again:
+	plog(LLV_DEBUG, LOCATION, NULL,
+		"getsainfo pass #%i\n", pass);
+ 
 	LIST_FOREACH(s, &sitree, chain) {
 		const char *sainfostr = sainfo2str(s);
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"evaluating sainfo: %s\n", sainfostr);
 
-		if(s->remoteid != remoteid) {
-			plog(LLV_DEBUG, LOCATION, NULL,
-				"remoteid mismatch: %i != %i\n",
-				s->remoteid, remoteid);
+		if(s->remoteid != remoteid)
+			continue;
+
+		if (s->id_i != NULL) {
+			if (pass == 2)
 				continue;
-		}
-
-		/* compare 'from' id value */
-		if (s->id_i != NULL)
 			if (ipsecdoi_chkcmpids(peer, s->id_i, 0))
 				continue;
-
-		/* compare ids - client */
-		if( s->iddst == SAINFO_CLIENTADDR ) {
-			/*
-			 * This sainfo section enforces client address
-			 * checking. Prevent match if the client value
-			 * ( modecfg or tunnel address ) is NULL.
-			 */
-
-			if (client == NULL)
-				continue;
-
-			if( rmt == SAINFO_CLIENTADDR ) {
-				/*
-				 * In the case where a supplied rmt value is
-				 * also SAINFO_CLIENTADDR, we are comparing
-				 * with another sainfo to check for duplicate.
-				 * Only compare the local values to determine
-				 * a match.
-				 */
-
-				 if (!ipsecdoi_chkcmpids(loc, s->idsrc, 0))
-					return s;
-			}
-			else {
-				/*
-				 * In the case where a supplied rmt value is
-				 * not SAINFO_CLIENTADDR, do a standard match
-				 * for local values and enforce that the rmt
-				 * id matches the client address value.
-				 */
-
-				if (!ipsecdoi_chkcmpids(loc, s->idsrc, 0) &&
-				    !ipsecdoi_chkcmpids(rmt, client, 0))
-					return s;
-			}
-
+		} else if (pass == 1)
+			continue;
+		if (s->idsrc == NULL && s->iddst == NULL) {
+			anonymous = s;
 			continue;
 		}
 
+		/* anonymous ? */
+		if (loc == NULL) {
+			if (anonymous != NULL)
+				break;
+			continue;
+		}
 
-		/* compare ids - standard */
+		/* compare the ids */
 		if (!ipsecdoi_chkcmpids(loc, s->idsrc, 0) &&
 		    !ipsecdoi_chkcmpids(rmt, s->iddst, 0))
 			return s;
 	}
 
-	return NULL;
+	if ((anonymous == NULL) && (pass == 1)) {
+		pass++;
+		goto again;
+	}
+
+	return anonymous;
 }
 
 struct sainfo *
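Review bot: In the loop, `anonymous = s;` runs before the `if (loc == NULL)` test that breaks on a previously found anonymous block, so two consecutive fully anonymous sainfo blocks leave `anonymous` pointing at the second one visited; if first-found is intended, guard it with `if (anonymous == NULL) anonymous = s;`. dclient is still declared in the debug block (`char *dloc, *drmt, *dpeer, *dclient;`) but on the new side it is never assigned or freed, since the lines that set it were removed; shrink the declaration to `char *dloc, *drmt, *dpeer;`. Selection order is now a property of the list: the inssainfo hunk below replaces the priority-sorted insert with LIST_INSERT_HEAD, so this LIST_FOREACH visits sainfo blocks in reverse configuration order and the first exact match wins, which decides what SA parameters a peer is offered and should be stated in the header comment above getsainfo, e.g. `/* blocks are searched most-recently-defined first; the first exact match wins */`. A block with only one of idsrc/iddst NULL reaches ipsecdoi_chkcmpids with a NULL id; how that helper treats NULL is outside this hunk.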
@@ -220,75 +197,11 @@
 	racoon_free(si);
 }
 
-int prisainfo(s)
-	struct sainfo *s;
-{
-	/*
-	 * determine the matching priority
-	 * of an sainfo section
-	 */
-
-	int pri = 0;
-
-	if(s->remoteid)
-		pri += 3;
-
-	if(s->id_i)
-		pri += 3;
-
-	if(s->idsrc)
-		pri++;
-
-	if(s->iddst)
-		pri++;
-
-	return pri;
-}
-
 void
 inssainfo(new)
 	struct sainfo *new;
 {
-	if(LIST_EMPTY(&sitree)) {
-
-		/* first in list */
-		LIST_INSERT_HEAD(&sitree, new, chain);
-	}
-	else {
-		int npri, spri;
-		struct sainfo *s, *n;
-
-		/*
-		 * insert our new sainfo section
-		 * into our list which is sorted
-		 * based on the match priority
-		 */
-
-		npri = prisainfo(new);
-
-		s = LIST_FIRST(&sitree);
-		while (1) {
-
-			spri = prisainfo(s);
-			n = LIST_NEXT(s, chain);
-
-			if(npri > spri)
-			{
-				/* higher priority */
-				LIST_INSERT_BEFORE(s, new, chain);
-				return;
-			}
-
-			if(n == NULL)
-			{
-				/* last in list */
-				LIST_INSERT_AFTER(s, new, chain);
-				return;
-			}
-
-			s = n;
-		}
-	}
+	LIST_INSERT_HEAD(&sitree, new, chain);
 }
 
 void
@@ -363,15 +276,13 @@
 
         char *idloc = NULL, *idrmt = NULL, *id_i;
  
-        if (si->idsrc == SAINFO_ANONYMOUS)
+        if (si->idsrc == NULL)
                 idloc = strdup("ANONYMOUS");
         else
                 idloc = ipsecdoi_id2str(si->idsrc);
  
-        if (si->iddst == SAINFO_ANONYMOUS)
+        if (si->iddst == NULL)
                 idrmt = strdup("ANONYMOUS");
-	else if (si->iddst == SAINFO_CLIENTADDR)
-                idrmt = strdup("CLIENTADDR");
         else
                 idrmt = ipsecdoi_id2str(si->iddst);
  
--- a/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.h,v 1.6 2007/09/12 23:39:51 mgrooms Exp $	*/
+/*	$NetBSD: sainfo.h,v 1.6.12.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: sainfo.h,v 1.5 2006/07/09 17:19:38 manubsd Exp */
 
@@ -36,9 +36,6 @@
 
 #include <sys/queue.h>
 
-#define SAINFO_ANONYMOUS	((void *)NULL)
-#define	SAINFO_CLIENTADDR	((void *)~0)
-
 /* SA info */
 struct sainfo {
 	vchar_t *idsrc;
@@ -47,7 +44,6 @@
 		 * idsrc and iddst are constructed body of ID payload.
 		 * that is (struct ipsecdoi_id_b) + ID value.
 		 * If idsrc == NULL, that is anonymous entry.
-		 * If idsrc == ~0, that is client address entry.
 		 */
 
 #ifdef ENABLE_HYBRID
@@ -73,7 +69,7 @@
 };
 
 extern struct sainfo *getsainfo __P((const vchar_t *,
-	const vchar_t *, const vchar_t *, const vchar_t *, int));
+	const vchar_t *, const vchar_t *, int));
 extern struct sainfo *newsainfo __P((void));
 extern void delsainfo __P((struct sainfo *));
 extern void inssainfo __P((struct sainfo *));
--- a/crypto/dist/ipsec-tools/src/racoon/schedule.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/schedule.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,10 +1,9 @@
-/*	$NetBSD: schedule.c,v 1.5 2008/09/19 11:01:08 tteras Exp $	*/
+/*	$NetBSD: schedule.c,v 1.5.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: schedule.c,v 1.19 2001/11/05 10:53:19 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * Copyright (C) 2008 Timo Teras.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -69,6 +68,7 @@
 
 static TAILQ_HEAD(_schedtree, sched) sctree;
 
+static void sched_add __P((struct sched *));
 static time_t current_time __P((void));
 
 /*
@@ -81,16 +81,30 @@
 schedular()
 {
 	time_t now, delta;
-	struct sched *p;
+	struct sched *p, *next = NULL;
 
 	now = current_time();
-	while (!TAILQ_EMPTY(&sctree) && TAILQ_FIRST(&sctree)->xtime <= now) {
-		void (*func)(struct sched *);
+
+        for (p = TAILQ_FIRST(&sctree); p; p = next) {
+		/* if the entry has been daed, remove it */
+		if (p->dead)
+			goto next_schedule;
 
-		p = TAILQ_FIRST(&sctree);
-		func = p->func;
-		sched_cancel(p);
-		func(p);
+		/* if the time hasn't come, proceed to the next entry */
+		if (now < p->xtime) {
+			next = TAILQ_NEXT(p, chain);
+			continue;
+		}
+
+		/* mark it with dead. and call the function. */
+		p->dead = 1;
+		if (p->func != NULL)
+			(p->func)(p->param);
+
+	   next_schedule:
+		next = TAILQ_NEXT(p, chain);
+		TAILQ_REMOVE(&sctree, p, chain);
+		racoon_free(p);
 	}
 
 	p = TAILQ_FIRST(&sctree);
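Review bot: Entries are freed right after their callback returns (the `p->dead = 1` path falls through to TAILQ_REMOVE and racoon_free), so any `struct sched *` the callback's owner still holds is dangling from then on; the header's SCHED_INIT macro exists for that, and the comment at `mark it with dead. and call the function.` should say it, e.g. `/* run it, then free it below: the owner must drop its pointer (SCHED_INIT) */`. The comment `if the entry has been daed` has a typo for `dead`. `next` is recomputed after the callback, which is what keeps schedules added or killed from inside a callback safe; a short comment at the `next_schedule:` label would stop that from being "simplified" away. Because sched_add keeps the list sorted by xtime, nothing after the first `now < p->xtime` entry is due, yet the loop keeps walking to reap dead entries; that trade-off is worth one line too.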
@@ -98,6 +112,7 @@
 		return NULL;
 
 	now = current_time();
+
 	delta = p->xtime - now;
 	timeout.tv_sec = delta < 0 ? 0 : delta;
 	timeout.tv_usec = 0;
@@ -108,47 +123,55 @@
 /*
  * add new schedule to schedule table.
  */
-void
-sched_schedule(sc, tick, func)
-	struct sched *sc;
+struct sched *
+sched_new(tick, func, param)
 	time_t tick;
-	void (*func) __P((struct sched *));
+	void (*func) __P((void *));
+	void *param;
 {
 	static long id = 1;
+	struct sched *new;
+
+	new = (struct sched *)racoon_malloc(sizeof(*new));
+	if (new == NULL)
+		return NULL;
+
+	memset(new, 0, sizeof(*new));
+	new->func = func;
+	new->param = param;
+
+	new->id = id++;
+	time(&new->created);
+	new->tick = tick;
+
+	new->xtime = current_time() + tick;
+	new->dead = 0;
+
+	/* add to schedule table */
+	sched_add(new);
+
+	return(new);
+}
+
+/* add new schedule to schedule table */
+static void
+sched_add(sc)
+	struct sched *sc;
+{
 	struct sched *p;
 
-	sched_cancel(sc);
-	sc->func = func;
-	sc->id = id++;
-	time(&sc->created);
-	sc->tick = tick;
-	sc->xtime = current_time() + tick;
-
-	/* add to schedule table */
 	TAILQ_FOREACH(p, &sctree, chain) {
-		if (sc->xtime < p->xtime)
-			break;
+		if (sc->xtime < p->xtime) {
+			TAILQ_INSERT_BEFORE(p, sc, chain);
+			return;
+		}
 	}
 	if (p == NULL)
 		TAILQ_INSERT_TAIL(&sctree, sc, chain);
-	else
-		TAILQ_INSERT_BEFORE(p, sc, chain);
+
+	return;
 }
 
-/*
- * cancel scheduled callback
- */
-void
-sched_cancel(sc)
-	struct sched *sc;
-{
-	if (sc->func != NULL) {
-		TAILQ_REMOVE(&sctree, sc, chain);
-		sc->func = NULL;
-	}
-}
-
-
 /* get current time.
  * if defined FIXY2038PROBLEM, base time is the time when called sched_init().
  * Otherwise, conform to time(3).
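Review bot: In sched_add the trailing `if (p == NULL)` is always true, because the TAILQ_FOREACH body returns as soon as it inserts, so the tail insert can be unconditional: `TAILQ_INSERT_TAIL(&sctree, sc, chain);`. In sched_new, `new->dead = 0;` repeats what the memset just did, and the cast on racoon_malloc is unnecessary in C. sched_new returning NULL on allocation failure is the only way a caller learns the timer was not armed, so the header comment `add new schedule to schedule table.` should say `returns NULL if the entry could not be allocated`, especially since the call sites in session.c ignore the result. `created` is taken from time() while xtime comes from current_time(), and the two bases differ when FIXY2038PROBLEM is defined; fine for a debug field, but worth a comment so nobody compares them.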
@@ -171,6 +194,33 @@
 #endif
 }
 
+void
+sched_kill(sc)
+	struct sched *sc;
+{
+	sc->dead = 1;
+
+	return;
+}
+
+/* XXX this function is probably unnecessary. */
+void
+sched_scrub_param(param)
+	void *param;
+{
+	struct sched *sc;
+
+	TAILQ_FOREACH(sc, &sctree, chain) {
+		if (sc->param == param) {
+			if (!sc->dead) {
+				plog(LLV_DEBUG, LOCATION, NULL,
+				    "an undead schedule has been deleted.\n");
+			}
+			sched_kill(sc);
+		}
+	}
+}
+
 /*
  * for debug
  */
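Review bot: sched_scrub_param(NULL) kills every entry whose param is NULL, which includes timers armed as `sched_new(1, check_flushsa_stub, NULL)` in session.c; unless no caller can pass NULL (the callers are outside this hunk), add `if (param == NULL) return;` at the top. The debug message `an undead schedule has been deleted` is logged when `!sc->dead`, i.e. for a live entry, so the wording inverts the condition; `a live schedule was killed through its param` reads correctly. The `XXX this function is probably unnecessary` comment should either name what is expected to replace it or be dropped.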
@@ -231,6 +281,8 @@
 #endif
 
 	TAILQ_INIT(&sctree);
+
+	return;
 }
 
 #ifdef STEST
--- a/crypto/dist/ipsec-tools/src/racoon/schedule.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/schedule.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,10 +1,9 @@
-/*	$NetBSD: schedule.h,v 1.6 2008/09/19 11:01:08 tteras Exp $	*/
+/*	$NetBSD: schedule.h,v 1.6.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: schedule.h,v 1.5 2006/05/03 21:53:42 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * Copyright (C) 2008 Timo Teras.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -38,21 +37,6 @@
 #include <sys/queue.h>
 #include "gnuc.h"
 
-#ifndef offsetof
-#ifdef __compiler_offsetof
-#define offsetof(TYPE,MEMBER) __compiler_offsetof(TYPE,MEMBER)
-#else
-#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
-#endif
-#endif
-
-#ifndef container_of
-#define container_of(ptr, type, member) ({                      \
-        const typeof( ((type *)0)->member ) *__mptr = (ptr);    \
-        (type *)( (char *)__mptr - offsetof(type,member) );})
-#endif
-
-
 /* scheduling table */
 /* the head is the nearest event. */
 struct sched {
@@ -61,8 +45,10 @@
 				 * if defined FIXY2038PROBLEM, this time
 				 * is from the time when called sched_init().
 				 */
-	void (*func) __P((struct sched *)); /* call this function when timeout. */
+	void (*func) __P((void *)); /* call this function when timeout. */
+	void *param;		/* pointer to parameter */
 
+	int dead;		/* dead or alive */
 	long id;		/* for debug */
 	time_t created;		/* for debug */
 	time_t tick;		/* for debug */
@@ -70,7 +56,17 @@
 	TAILQ_ENTRY(sched) chain;
 };
 
-#define SCHED_INITIALIZER() { 0, NULL, }
+/* cancel schedule */
+#define SCHED_KILL(s)                                                          \
+do {                                                                           \
+	if(s != NULL){	   														\
+		sched_kill(s);                                                         \
+		s = NULL;                                                              \
+	}\
+} while(0)
+
+/* must be called after it's called from scheduler. */
+#define SCHED_INIT(s)	(s) = NULL
 
 struct scheddump {
 	time_t xtime;
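Review bot: SCHED_KILL uses its argument unparenthesized in `if(s != NULL)` and `s = NULL`, and evaluates it three times, so a compound expression or one with side effects misbehaves; write `if ((s) != NULL) { sched_kill(s); (s) = NULL; }`. The macro assigns to its argument, so it requires an lvalue, and the comment `cancel schedule` should say so, e.g. `/* cancel schedule; s must be an lvalue and is reset to NULL */`. The continuation line of the `if` mixes tabs and spaces before the backslash, unlike the other lines of the macro.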
@@ -80,11 +76,10 @@
 };
 
 struct timeval *schedular __P((void));
-void sched_schedule __P((struct sched *, time_t,
-			 void (*func) __P((struct sched *))));
-void sched_cancel __P((struct sched *));
-
+struct sched *sched_new __P((time_t, void (*func) __P((void *)), void *));
+void sched_kill __P((struct sched *));
 int sched_dump __P((caddr_t *, int *));
 void sched_init __P((void));
+void sched_scrub_param __P((void *));
 
 #endif /* _SCHEDULE_H */
--- a/crypto/dist/ipsec-tools/src/racoon/session.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/session.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.18 2008/10/27 06:18:09 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.18.2.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -78,7 +78,6 @@
 #include "cfparse_proto.h"
 #include "isakmp_var.h"
 #include "isakmp_xauth.h"
-#include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #include "admin_var.h"
 #include "admin.h"
@@ -104,7 +103,7 @@
 static void init_signal __P((void));
 static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int))));
 static void check_sigreq __P((void));
-static void check_flushsa_stub __P((struct sched *));
+static void check_flushsa_stub __P((void *));
 static void check_flushsa __P((void));
 static int close_sockets __P((void));
 
@@ -113,7 +112,6 @@
 static int nfds = 0;
 static volatile sig_atomic_t sigreq[NSIG + 1];
 static int dying = 0;
-static struct sched scflushsa = SCHED_INITIALIZER();
 
 int
 session(void)
@@ -148,7 +146,14 @@
 	natt_keepalive_init ();
 #endif
 
+	if (privsep_init() != 0)
+		exit(1);
+
+	for (i = 0; i <= NSIG; i++)
+		sigreq[i] = 0;
+
 	/* write .pid file */
+	racoon_pid = getpid();
 	if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL) 
 		strlcpy(pid_file, _PATH_VARRUN "racoon.pid", MAXPATHLEN);
 	else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/') 
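Review bot: The order privsep_init() → `racoon_pid = getpid()` → pid-file write is now load-bearing but undocumented: the comment explaining that privsep_init() forks and that the pid must therefore be read afterwards is deleted in the next hunk, so it should be carried over here, e.g. `/* privsep_init() forks; record the pid of the process that returns here */`. In that next hunk the fprintf/fclose results on the pid file remain unchecked, so a write failure leaves an empty or truncated pid file with only the earlier `cannot open` branch reporting anything; `if (fclose(fp) != 0) plog(LLV_ERROR, LOCATION, NULL, "cannot write %s", pid_file);` would surface it. session() continues beyond both hunks.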
@@ -165,25 +170,13 @@
 			fclose(fp);
 			exit(1);
 		}
+		fprintf(fp, "%ld\n", (long)racoon_pid);
+		fclose(fp);
 	} else {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"cannot open %s", pid_file);
 	}
 
-	if (privsep_init() != 0)
-		exit(1);
-
-	/*
-	 * The fork()'ed privileged side will close its copy of fp.  We wait
-	 * until here to get the correct child pid.
-	 */
-	racoon_pid = getpid();
-	fprintf(fp, "%ld\n", (long)racoon_pid);
-	fclose(fp);
-
-	for (i = 0; i <= NSIG; i++)
-		sigreq[i] = 0;
-
 	while (1) {
 		if (dying)
 			rfds = maskdying;
@@ -199,7 +192,6 @@
 		/* scheduling */
 		timeout = schedular();
 
-		nfds = evt_get_fdmask(nfds, &rfds);
 		error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout);
 		if (error < 0) {
 			switch (errno) {
@@ -219,7 +211,6 @@
 		    (FD_ISSET(lcconf->sock_admin, &rfds)))
 			admin_handler();
 #endif
-		evt_handle_fdmask(&rfds);
 
 		for (p = lcconf->myaddrs; p; p = p->next) {
 			if (!p->addr)
@@ -234,6 +225,8 @@
 		if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) {
 			if (update_myaddrs() && lcconf->autograbaddr)
 				check_rtsock(NULL);
+			else
+				initfds();
 		}
 	}
 }
@@ -249,8 +242,7 @@
 	close_sockets();
 	backupsa_clean();
 
-	plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
-
+	plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n");
 	exit(0);
 }
 
@@ -369,13 +361,10 @@
 	save_rmconf();
 	initrmconf();
 
-#ifdef HAVE_LIBRADIUS
-	/* free and init radius configuration */
-	xauth_radius_init_conf(1);
-#endif
-
-	pfkey_reload();
-
+	/* Do a part of pfkey_init() ?
+	 * SPD reload ?
+	 */
+	
 	save_params();
 	error = cfparse();
 	if (error != 0){
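Review bot: The added comment `Do a part of pfkey_init() ? SPD reload ?` is an open question sitting where pfkey_reload() used to be called, so after this change a SIGHUP reload appears not to refresh the SPD at all. If that is the intended behaviour of this version, say so for operators, e.g. `/* NOTE: the SPD is not reloaded here; restart racoon to apply policy changes */`, otherwise mark it `TODO` with the missing step named. The line after the comment contains only a tab. The enclosing reload function starts and ends outside this hunk.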
@@ -390,11 +379,6 @@
 		dumprmconf ();
 #endif
 
-#ifdef HAVE_LIBRADIUS
-	/* re-initialize radius state */
-	xauth_radius_init();
-#endif
-
 	/* 
 	 * init_myaddr() ?
 	 * If running in privilege separation, do not reinitialize
@@ -467,13 +451,13 @@
 		case SIGTERM:			
 			plog(LLV_INFO, LOCATION, NULL, 
 			    "caught signal %d\n", sig);
-			evt_generic(EVT_RACOON_QUIT, NULL);
+			EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
 			pfkey_send_flush(lcconf->sock_pfkey, 
 			    SADB_SATYPE_UNSPEC);
 #ifdef ENABLE_FASTQUIT
 			close_session();
 #else
-			sched_schedule(&scflushsa, 1, check_flushsa_stub);
+			sched_new(1, check_flushsa_stub, NULL);
 #endif
 			dying = 1;
 			break;
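Review bot: The return value of `sched_new(1, check_flushsa_stub, NULL)` is ignored, but sched_new returns NULL when racoon_malloc fails, in which case check_flushsa_stub is never invoked and a racoon that has set `dying = 1` presumably never reaches close_session(); the check_flushsa hunk below has the same pattern. At least log it, `if (sched_new(1, check_flushsa_stub, NULL) == NULL) plog(LLV_ERROR, LOCATION, NULL, "cannot schedule SA flush check\n");`, or fall back to close_session() as the ENABLE_FASTQUIT branch does. The enclosing signal-handling switch continues outside the hunk.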
@@ -492,7 +476,7 @@
  */
 static void
 check_flushsa_stub(p)
-	struct sched *p;
+	void *p;
 {
 
 	check_flushsa();
@@ -554,7 +538,7 @@
 		vfree(buf);
 
 	if (n) {
-		sched_schedule(&scflushsa, 1, check_flushsa_stub);
+		sched_new(1, check_flushsa_stub, NULL);
 		return;
 	}
 
--- a/crypto/dist/ipsec-tools/src/racoon/session.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/session.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.h,v 1.6 2008/10/23 10:56:10 tteras Exp $	*/
+/*	$NetBSD: session.h,v 1.6.2.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: session.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/sockmisc.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sockmisc.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sockmisc.c,v 1.12 2008/09/03 09:57:28 tteras Exp $	*/
+/*	$NetBSD: sockmisc.c,v 1.12.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
 
@@ -56,7 +56,6 @@
 
 #include "var.h"
 #include "misc.h"
-#include "vmbuf.h"
 #include "plog.h"
 #include "sockmisc.h"
 #include "debug.h"
@@ -64,16 +63,13 @@
 #include "debugrm.h"
 #include "libpfkey.h"
 
-#ifdef NOUSE_PRIVSEP
-#define BIND bind
-#define SOCKET socket
-#define SETSOCKOPT setsockopt
-#else
-#include "admin.h"
-#include "privsep.h"
-#define BIND privsep_bind
-#define SOCKET privsep_socket
-#define SETSOCKOPT privsep_setsockopt
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16	/* XXX: from linux/in.h */
+#endif
+
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34	/* XXX: from linux/???.h per
+				   "Tom Lendacky" <toml@us.ibm.com> */
 #endif
 
 const int niflags = 0;
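Review bot: Replacing the privsep_socket/privsep_bind/privsep_setsockopt wrappers with direct socket(), bind() and setsockopt() calls means the later hunks in this file perform those operations in whichever process runs them; if that is the unprivileged side of privilege separation, binding a source port below 1024 or installing IP_IPSEC_POLICY can fail with EACCES/EPERM, and the code then only logs and returns -1 (this version's privsep model is not visible in the diff). A comment at each of those call sites, e.g. `/* runs in the calling process: needs privilege for low ports and per-socket policy */`, would make the requirement explicit. The relocated fallbacks `IP_IPSEC_POLICY 16` and `IPV6_IPSEC_POLICY 34` are Linux values, as their XXX comments say, and are applied on any platform whose headers lack the symbols; since they select the option that installs per-socket IPsec policy, a `#warning` under each `#ifndef` would flag a port where the number may be wrong.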
@@ -274,7 +270,7 @@
 	}
 	
 	/* get real interface received packet */
-	if ((s = SOCKET(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
+	if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"socket (%s)\n", strerror(errno));
 		goto err;
@@ -640,7 +636,7 @@
 			 * Better approach is to prepare bind'ed udp sockets for
 			 * each of the interface addresses.
 			 */
-			sendsock = SOCKET(src->sa_family, SOCK_DGRAM, 0);
+			sendsock = socket(src->sa_family, SOCK_DGRAM, 0);
 			if (sendsock < 0) {
 				plog(LLV_ERROR, LOCATION, NULL,
 					"socket (%s)\n", strerror(errno));
@@ -675,8 +671,7 @@
 				return -1;
 			}
 
-			if (BIND(sendsock, (struct sockaddr *)src,
-				 sysdep_sa_len(src)) < 0) {
+			if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len(src)) < 0) {
 				plog(LLV_ERROR, LOCATION, NULL,
 					"bind 1 (%s)\n", strerror(errno));
 				close(sendsock);
@@ -740,7 +735,7 @@
 			ipsec_strerror());
 		return -1;
 	}
-	if (SETSOCKOPT(so, level,
+	if (setsockopt(so, level,
 	               (level == IPPROTO_IP ?
 	                         IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
 	               buf, ipsec_get_policylen(buf)) < 0) {
@@ -759,7 +754,7 @@
 			ipsec_strerror());
 		return -1;
 	}
-	if (SETSOCKOPT(so, level,
+	if (setsockopt(so, level,
 	               (level == IPPROTO_IP ?
 	                         IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
 	               buf, ipsec_get_policylen(buf)) < 0) {
@@ -1068,8 +1063,6 @@
     return port;
 
   switch (addr->sa_family) {
-    case AF_UNSPEC:
-      break;
     case AF_INET:
       port = ((struct sockaddr_in *)addr)->sin_port;
       break;
--- a/crypto/dist/ipsec-tools/src/racoon/sockmisc.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/sockmisc.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: sockmisc.h,v 1.8 2008/04/02 19:02:50 manu Exp $	*/
+/*	$NetBSD: sockmisc.h,v 1.8.8.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: sockmisc.h,v 1.9 2005/10/05 16:55:41 manubsd Exp */
 
@@ -34,15 +34,6 @@
 #ifndef _SOCKMISC_H
 #define _SOCKMISC_H
 
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16	/* XXX: from linux/in.h */
-#endif
-
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34	/* XXX: from linux/???.h per
-				   "Tom Lendacky" <toml@us.ibm.com> */
-#endif
-
 struct netaddr {
 	union {
 		struct sockaddr sa;
--- a/crypto/dist/ipsec-tools/src/racoon/strnames.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/strnames.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: strnames.c,v 1.9 2008/07/14 05:40:13 tteras Exp $	*/
+/*	$NetBSD: strnames.c,v 1.9.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $	*/
 
@@ -276,8 +276,6 @@
 { ISAKMP_NTYPE_RESPONDER_LIFETIME,	"RESPONDER-LIFETIME",		NULL },
 { ISAKMP_NTYPE_REPLAY_STATUS,		"REPLAY-STATUS",		NULL },
 { ISAKMP_NTYPE_INITIAL_CONTACT,		"INITIAL-CONTACT",		NULL },
-{ ISAKMP_NTYPE_R_U_THERE,		"R-U-THERE",			NULL },
-{ ISAKMP_NTYPE_R_U_THERE_ACK,		"R-U-THERE-ACK",		NULL },
 #ifdef ENABLE_HYBRID
 { ISAKMP_NTYPE_UNITY_HEARTBEAT,		"HEARTBEAT (Unity)",		NULL },
 #endif
--- a/crypto/dist/ipsec-tools/src/racoon/var.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/var.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: var.h,v 1.5 2007/06/06 15:37:15 vanhu Exp $	*/
+/*	$NetBSD: var.h,v 1.5.18.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: var.h,v 1.6 2004/11/20 16:16:59 monas Exp */
 
--- a/crypto/dist/ipsec-tools/src/racoon/vendorid.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vendorid.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vendorid.c,v 1.5 2008/07/21 06:26:06 tteras Exp $	*/
+/*	$NetBSD: vendorid.c,v 1.5.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: vendorid.c,v 1.10 2006/02/22 16:10:21 vanhu Exp */
 
@@ -53,16 +53,6 @@
 #include "isakmp.h"
 #include "vendorid.h"
 #include "crypto_openssl.h"
-#include "handler.h"
-#include "remoteconf.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
 
 static struct vendor_id all_vendor_ids[] = {
 { VENDORID_IPSEC_TOOLS, "IPSec-Tools" },
@@ -248,33 +238,6 @@
 	return (VENDORID_UNKNOWN);
 }
 
-void
-handle_vendorid(struct ph1handle *iph1, int vid_numeric)
-{
-#ifdef ENABLE_NATT
-	if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
-		natt_handle_vendorid(iph1, vid_numeric);
-#endif
-#ifdef ENABLE_HYBRID
-	switch (vid_numeric) {
-	case VENDORID_XAUTH:
-		iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_XAUTH;
-		break;
-	case VENDORID_UNITY:
-		iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_UNITY;
-		break;
-	default:
-		break;
-	}
-#endif
-#ifdef ENABLE_DPD
-	if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
-		iph1->dpd_support = 1;
-		plog(LLV_DEBUG, LOCATION, NULL, "remote supports DPD\n");
-	}
-#endif
-}
-
 static vchar_t * 
 vendorid_fixup(vendorid, vidhash)
 	int vendorid;		 
--- a/crypto/dist/ipsec-tools/src/racoon/vendorid.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vendorid.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: vendorid.h,v 1.5 2008/07/21 06:26:06 tteras Exp $	*/
+/*	$NetBSD: vendorid.h,v 1.5.4.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /* Id: vendorid.h,v 1.11 2006/02/17 14:09:10 vanhu Exp */
 
@@ -99,7 +99,6 @@
 
 vchar_t *set_vendorid __P((int));
 int check_vendorid __P((struct isakmp_gen *));
-void handle_vendorid __P((struct ph1handle *, int vid_numeric));
 
 void compute_vendorids __P((void));
 const char *vid_string_by_id __P((int id));
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.10.18.1 2009/01/06 23:16:11 snj Exp $	*/
+/*	$NetBSD: parse.y,v 1.10.18.2 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -565,11 +565,10 @@
 			last_msg_type = SADB_X_SPDADD;
 #endif
 
-			/* fixed port fields if ulp is icmp */
+			/* fixed port fields if ulp is icmpv6 */
 			if ($10.buf != NULL) {
-				if (($9 != IPPROTO_ICMPV6) &&
-					($9 != IPPROTO_ICMP) &&
-					($9 != IPPROTO_MH))
+				if ( ($9 != IPPROTO_ICMPV6) &&
+					 ($9 != IPPROTO_MH))
 					return -1;
 				free($5.buf);
 				free($8.buf);
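Review bot: The `return -1` that now rejects IPPROTO_ICMP alongside every other non-ICMPv6/MH protocol when port fields are present leaves the action before the `free($5.buf); free($8.buf);` just below, so those buffers (and, presumably, $10.buf) are not released on this error path; the next hunk has the same shape. Unless setkey always exits after a parse failure, release them first: `free($5.buf); free($8.buf); free($10.buf); return -1;`. Dropping IPPROTO_ICMP also means an ICMPv4 selector with type/code now fails with a bare -1 and apparently no yyerror(), so the user gets no hint which line was rejected; a `yyerror("port fields are only valid with icmp6 or mh")` before the return would help.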
@@ -614,10 +613,9 @@
 			int status;
 			struct addrinfo *src, *dst;
 
-			/* fixed port fields if ulp is icmp */
+			/* fixed port fields if ulp is icmpv6 */
 			if ($10.buf != NULL) {
 				if (($9 != IPPROTO_ICMPV6) &&
-					($9 != IPPROTO_ICMP) &&
 					($9 != IPPROTO_MH))
 					return -1;
 				free($5.buf);
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.c	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.c	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.12 2007/07/18 12:07:52 vanhu Exp $	*/
+/*	$NetBSD: setkey.c,v 1.12.18.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
--- a/crypto/dist/ipsec-tools/src/setkey/token.l	Sat Feb 07 02:35:43 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/token.l	Sun Feb 08 18:42:14 2009 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.12 2007/07/18 12:07:53 vanhu Exp $	*/
+/*	$NetBSD: token.l,v 1.12.18.1 2009/02/08 18:42:19 snj Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
--- a/lib/libipsec/package_version.h	Sat Feb 07 02:35:43 2009 +0000
+++ b/lib/libipsec/package_version.h	Sun Feb 08 18:42:14 2009 +0000
@@ -1,5 +1,5 @@
 #define TOP_PACKAGE "ipsec-tools"
 #define TOP_PACKAGE_NAME "ipsec-tools"
-#define TOP_PACKAGE_VERSION  "cvs"
-#define TOP_PACKAGE_STRING  "ipsec-tools cvs"
+#define TOP_PACKAGE_VERSION  "0.7.1nb1"
+#define TOP_PACKAGE_STRING  "ipsec-tools 0.7.1nb1"
 #define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"