main/ipsec-tools: update to 0.8.0 RC, and include additional patches

 * improve handling of setups where single node participates to
   multiple dmvpn networks. enable using of grekey in setkey,
   SPD and sainfo; also match remoteconfs using sainfo ph1id

4 files changed, 1067 insertions, 44 deletions

diff --git a/main/ipsec-tools/10-cmpsaddr-fix.patch b/main/ipsec-tools/10-cmpsaddr-fix.patch
new file mode 100644
index 000000000..af73c2e5e
--- /dev/null
+++ b/main/ipsec-tools/10-cmpsaddr-fix.patch
@@ -0,0 +1,421 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c	2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c	2011-03-03 18:45:24.000000000 +0200
+@@ -100,7 +100,7 @@
+ 		return TRUE;
+ 
+ 	LIST_FOREACH(cfg, &configured, chain) {
+-		if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
++		if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
+ 			return TRUE;
+ 	}
+ 
+@@ -116,7 +116,7 @@
+ 
+ 	/* Already open? */
+ 	LIST_FOREACH(my, &opened, chain) {
+-		if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
++		if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
+ 			return TRUE;
+ 	}
+ 
+@@ -156,7 +156,7 @@
+ 
+ 	LIST_FOREACH(cfg, &configured, chain) {
+ 		if (addr != NULL &&
+-		    cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
++		    cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
+ 			continue;
+ 		if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
+ 			return FALSE;
+@@ -262,7 +262,7 @@
+ 	struct myaddr *my;
+ 
+ 	LIST_FOREACH(my, &opened, chain) {
+-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ 			return my->fd;
+ 	}
+ 
+@@ -276,7 +276,7 @@
+ 	struct myaddr *my;
+ 
+ 	LIST_FOREACH(my, &opened, chain) {
+-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ 			return extract_port((struct sockaddr *) &my->addr);
+ 	}
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c	2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c	2011-03-03 18:48:10.000000000 +0200
+@@ -120,11 +120,11 @@
+ 	LIST_FOREACH(p, &ph1tree, chain) {
+ 		if (sel != NULL) {
+ 			if (sel->local != NULL &&
+-			    cmpsaddr(sel->local, p->local) != 0)
++			    cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
+ 				continue;
+ 
+ 			if (sel->remote != NULL &&
+-			    cmpsaddr(sel->remote, p->remote) != 0)
++			    cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
+ 				continue;
+ 		}
+ 
+@@ -300,8 +300,8 @@
+ 		if (p->status < PHASE1ST_DYING)
+ 			continue;
+ 
+-		if (cmpsaddr(iph1->local, p->local) == 0
+-		 && cmpsaddr(iph1->remote, p->remote) == 0)
++		if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
++		 && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ 			migrate_ph12(p, iph1);
+ 	}
+ }
+@@ -547,11 +547,11 @@
+ 				continue;
+ 
+ 			if (sel->src != NULL &&
+-			    cmpsaddr(sel->src, p->src) != 0)
++			    cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
+ 				continue;
+ 
+ 			if (sel->dst != NULL &&
+-			    cmpsaddr(sel->dst, p->dst) != 0)
++			    cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
+ 				continue;
+ 		}
+ 
+@@ -615,8 +615,8 @@
+ 
+ 	LIST_FOREACH(p, &ph2tree, chain) {
+ 		if (spid == p->spid &&
+-		    cmpsaddr(src, p->src) == 0 &&
+-		    cmpsaddr(dst, p->dst) == 0){
++		    cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++		    cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
+ 			/* Sanity check to detect zombie handlers
+ 			 * XXX Sould be done "somewhere" more interesting,
+ 			 * because we have lots of getph2byxxxx(), but this one
+@@ -643,8 +643,8 @@
+ 	struct ph2handle *p;
+ 
+ 	LIST_FOREACH(p, &ph2tree, chain) {
+-		if (cmpsaddr(src, p->src) == 0 &&
+-		    cmpsaddr(dst, p->dst) == 0)
++		if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++		    cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
+ 			return p;
+ 	}
+ 
+@@ -947,7 +947,7 @@
+ 	struct contacted *p;
+ 
+ 	LIST_FOREACH(p, &ctdtree, chain) {
+-		if (cmpsaddr(remote, p->remote) == 0)
++		if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
+ 			return p;
+ 	}
+ 
+@@ -988,7 +988,7 @@
+ 	struct contacted *p;
+ 
+ 	LIST_FOREACH(p, &ctdtree, chain) {
+-		if (cmpsaddr(remote, p->remote) == 0) {
++		if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
+ 			LIST_REMOVE(p, chain);
+ 			racoon_free(p->remote);
+ 			racoon_free(p);
+@@ -1042,7 +1042,7 @@
+ 	/*
+ 	 * the packet was processed before, but the remote address mismatches.
+ 	 */
+-	if (cmpsaddr(remote, r->remote) != 0)
++	if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
+ 		return 2;
+ 
+ 	/*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c	2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c	2011-03-03 18:50:22.000000000 +0200
+@@ -468,8 +468,8 @@
+ 		/* Floating ports for NAT-T */
+ 		if (NATT_AVAILABLE(iph1) &&
+ 		    ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
+-		    ((cmpsaddr(iph1->remote, remote) != 0) ||
+-		     (cmpsaddr(iph1->local, local) != 0)))
++		    ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
++		     (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
+ 		{
+ 			/* prevent memory leak */
+ 			racoon_free(iph1->remote);
+@@ -510,7 +510,7 @@
+ #endif
+ 
+ 		/* must be same addresses in one stream of a phase at least. */
+-		if (cmpsaddr(iph1->remote, remote) != 0) {
++		if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ 			char *saddr_db, *saddr_act;
+ 
+ 			saddr_db = racoon_strdup(saddr2str(iph1->remote));
+@@ -636,7 +636,7 @@
+ 					"exchange received.\n");
+ 				return -1;
+ 			}
+-			if (cmpsaddr(iph1->remote, remote) != 0) {
++			if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ 				plog(LLV_WARNING, LOCATION, remote,
+ 					"remote address mismatched. "
+ 					"db=%s\n",
+@@ -3322,10 +3322,10 @@
+ 		 * Select only SAs where src == local and dst == remote (outgoing)
+ 		 * or src == remote and dst == local (incoming).
+ 		 */
+-		if ((cmpsaddr(iph1->local, src) ||
+-		     cmpsaddr(iph1->remote, dst)) &&
+-		    (cmpsaddr(iph1->local, dst) ||
+-		     cmpsaddr(iph1->remote, src))) {
++		if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++		     cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++		    (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++		     cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
+ 			msg = next;
+ 			continue;
+ 		}
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c	2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c	2011-03-03 18:51:05.000000000 +0200
+@@ -1177,7 +1177,7 @@
+ 
+ 		/* don't delete inbound SAs at the moment */
+ 		/* XXX should we remove SAs with opposite direction as well? */
+-		if (cmpsaddr(dst0, dst)) {
++		if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ 			msg = next;
+ 			continue;
+ 		}
+@@ -1355,10 +1355,10 @@
+ 		 * ports. Correct thing to do is delete all entries with
+                  * same identity. -TT
+                  */
+-		if ((cmpsaddr(iph1->local, src) != 0 ||
+-		     cmpsaddr(iph1->remote, dst) != 0) &&
+-		    (cmpsaddr(iph1->local, dst) != 0 ||
+-		     cmpsaddr(iph1->remote, src) != 0))
++		if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++		     cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++		    (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++		     cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ 			continue;
+ 
+ 		/*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c	2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c	2011-03-03 18:51:48.000000000 +0200
+@@ -629,7 +629,7 @@
+ #endif
+ 
+ 		if (cmpsaddr((struct sockaddr *) &proposed_addr,
+-			     (struct sockaddr *) &got_addr) == 0) {
++			     (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ 			plog(LLV_DEBUG, LOCATION, NULL,
+ 				"IDci matches proposal.\n");
+ #ifdef ENABLE_NATT
+@@ -677,13 +677,13 @@
+ #endif
+ 
+ 		if (cmpsaddr((struct sockaddr *) &proposed_addr,
+-			     (struct sockaddr *) &got_addr) == 0) {
++			     (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ 			plog(LLV_DEBUG, LOCATION, NULL,
+ 				"IDcr matches proposal.\n");
+ #ifdef ENABLE_NATT
+ 		} else if (iph2->natoa_dst != NULL
+ 			&& cmpsaddr(iph2->natoa_dst,
+-				    (struct sockaddr *) &got_addr) == 0) {
++				    (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ 			plog(LLV_DEBUG, LOCATION, NULL,
+ 				"IDcr matches NAT-OAr.\n");
+ #endif
+Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c	2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c	2011-03-03 18:52:20.000000000 +0200
+@@ -398,8 +398,8 @@
+   struct natt_ka_addrs *ka = NULL, *new_addr;
+   
+   TAILQ_FOREACH (ka, &ka_tree, chain) {
+-    if (cmpsaddr(ka->src, src) == 0 &&
+-	cmpsaddr(ka->dst, dst) == 0) {
++    if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++	cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
+       ka->in_use++;
+       plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
+ 	    saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+@@ -462,8 +462,8 @@
+     plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
+ 	  saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+ 
+-    if (cmpsaddr(ka->src, src) == 0 &&
+-	cmpsaddr(ka->dst, dst) == 0 &&
++    if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++	cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
+ 	-- ka->in_use <= 0) {
+ 
+       plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c	2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c	2011-03-03 18:52:50.000000000 +0200
+@@ -2882,8 +2882,8 @@
+ 	u_int16_t port;
+ 
+ 	/* Already up-to-date? */
+-	if (cmpsaddr(iph1->local, ma->local) == 0 &&
+-	    cmpsaddr(iph1->remote, ma->remote) == 0)
++	if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
++	    cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
+ 		return 0;
+ 
+ 	if (iph1->status < PHASE1ST_ESTABLISHED) {
+@@ -2983,8 +2983,8 @@
+ 		migrate_ph1_ike_addresses(iph2->ph1, arg);
+ 
+ 	/* Already up-to-date? */
+-	if (cmpsaddr(iph2->src, ma->local) == 0 &&
+-	    cmpsaddr(iph2->dst, ma->remote) == 0)
++	if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
++	    cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
+ 		return 0;
+ 
+ 	/* save src/dst as sa_src/sa_dst before rewriting */
+@@ -3207,8 +3207,8 @@
+ 		     "changing address families (%d to %d) for endpoints.\n",
+ 		     osaddr->sa_family, nsaddr->sa_family);
+ 
+-	if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+-	    cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
++	if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
++	    cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
+ 		plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
+ 		     "mismatch of addresses in saidx and xisr.\n");
+ 		return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c	2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c	2011-03-03 19:09:42.000000000 +0200
+@@ -142,7 +142,7 @@
+ 	plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
+ 		saddr2str((struct sockaddr *)&spidx->src));
+ 
+-	if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
++	if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
+ 	    spidx->prefs != prefixlen)
+ 		return NULL;
+ 
+@@ -151,7 +151,7 @@
+ 	plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
+ 		saddr2str((struct sockaddr *)&spidx->dst));
+ 
+-	if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
++	if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
+ 	    spidx->prefd != prefixlen)
+ 		return NULL;
+ 
+@@ -201,10 +201,10 @@
+ 		return 1;
+ 
+ 	if (cmpsaddr((struct sockaddr *) &a->src,
+-		     (struct sockaddr *) &b->src))
++		     (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
+ 		return 1;
+ 	if (cmpsaddr((struct sockaddr *) &a->dst,
+-		     (struct sockaddr *) &b->dst))
++		     (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
+ 		return 1;
+ 
+ #ifdef HAVE_SECCTX
+@@ -261,7 +261,7 @@
+ 		a, b->prefs, saddr2str((struct sockaddr *)&sa1));
+ 	plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ 		b, b->prefs, saddr2str((struct sockaddr *)&sa2));
+-	if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++	if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ 		return 1;
+ 
+ #ifndef __linux__
+@@ -279,7 +279,7 @@
+ 		a, b->prefd, saddr2str((struct sockaddr *)&sa1));
+ 	plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ 		b, b->prefd, saddr2str((struct sockaddr *)&sa2));
+-	if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++	if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ 		return 1;
+ 
+ #ifdef HAVE_SECCTX
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c	2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c	2011-03-03 18:55:01.000000000 +0200
+@@ -132,11 +132,13 @@
+ 		return CMPSADDR_MISMATCH;
+ 	}
+ 
+-	if (port1 == port2 ||
+-	    port1 == IPSEC_PORT_ANY ||
+-	    port2 == IPSEC_PORT_ANY)
++	if (port1 == port2)
+ 		return CMPSADDR_MATCH;
+ 
++	if (port1 == IPSEC_PORT_ANY ||
++	    port2 == IPSEC_PORT_ANY)
++		return CMPSADDR_WILDPORT_MATCH;
++
+ 	return CMPSADDR_WOP_MATCH;
+ }
+ 
+@@ -934,7 +936,7 @@
+ 		free(a2);
+ 		free(a3);
+ 	}
+-	if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
++	if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
+ 		return naddr->prefix + port_score;
+ 
+ 	return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h	2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h	2011-03-03 18:40:30.000000000 +0200
+@@ -57,8 +57,9 @@
+ extern const int niflags;
+ 
+ #define CMPSADDR_MATCH		0
+-#define CMPSADDR_WOP_MATCH	1
+-#define CMPSADDR_MISMATCH	2
++#define CMPSADDR_WILDPORT_MATCH	1
++#define CMPSADDR_WOP_MATCH	2
++#define CMPSADDR_MISMATCH	3
+ 
+ extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c	2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c	2011-03-03 18:55:31.000000000 +0200
+@@ -104,7 +104,7 @@
+ 			goto restart;
+ 		}
+ 
+-		if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
++		if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
+ 			found = 1;
+ 			break;
+ 		}
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
new file mode 100644
index 000000000..9ad2bca74
--- /dev/null
+++ b/main/ipsec-tools/20-grekey-support.patch
@@ -0,0 +1,608 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c	2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c	2011-03-03 19:29:42.000000000 +0200
+@@ -232,7 +232,7 @@
+ "\n"
+ "    <saopts>: \"isakmp\" <family> <src> <dst>\n"
+ "            : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
+-"                              <ul_proto>\n"
++"                              <ul_proto> [grekey <grekey>]\n"
+ "    <family>: \"inet\" or \"inet6\"\n"
+ "    <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
+ "\n",
+@@ -819,7 +819,7 @@
+ {
+ 	int family;
+ 
+-	if (ac != 3 && ac != 4) {
++	if (ac < 3) {
+ 		errno = EINVAL;
+ 		return NULL;
+ 	}
+@@ -861,10 +861,8 @@
+ 	struct sockaddr *src = NULL, *dst = NULL;
+ 	int ulproto;
+ 
+-	if (ac != 2 && ac != 3) {
+-		errno = EINVAL;
+-		return NULL;
+-	}
++	if (ac < 2)
++		goto bad_args;
+ 
+ 	if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
+ 		goto bad;
+@@ -901,13 +899,34 @@
+ 
+ 	av++;
+ 	ac--;
+-	if(ac){
++	if (ac) {
+ 		ulproto = get_ulproto(*av);
+ 		if (ulproto == -1)
+ 			goto bad;
+-	}else
++		av++;
++		ac--;
++	} else
+ 		ulproto=0;
+ 
++	if (ac == 2 && strcmp(av[0], "grekey") == 0) {
++		int a, b, c, d;
++		unsigned long u;
++
++		if (sscanf(av[1], "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++			set_port(src, (a << 8) + b);
++			set_port(dst, (c << 8) + d);
++		} else if (sscanf(av[1], "%lu", &u) == 1) {
++			set_port(src, u >> 16);
++			set_port(dst, u & 0xffff);
++		} else
++			goto bad_args;
++		av += 2;
++		ac -= 2;
++	}
++
++	if (ac != 0)
++		goto bad_args;
++
+ 	ci = (struct admin_com_indexes *)buf->v;
+ 	if(p_prefs)
+ 		ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
+@@ -926,7 +945,9 @@
+ 
+ 	return buf;
+ 
+-   bad:
++bad_args:
++	errno = EINVAL;
++bad:
+ 	if (p_name)
+ 		racoon_free(p_name);
+ 	if (p_port)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c	2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c	2011-03-03 21:16:47.000000000 +0200
+@@ -444,7 +444,7 @@
+ 
+ 			/* search appropreate configuration */
+ 			if (name == NULL)
+-				rmconf = getrmconf(dst, 0);
++				rmconf = getrmconf(dst, 0, 0);
+ 			else
+ 				rmconf = getrmconf_by_name(name);
+ 			if (rmconf == NULL) {
+@@ -536,6 +536,16 @@
+ 			spidx.prefs = ndx->prefd;
+ 			spidx.prefd = ndx->prefs;
+ 			spidx.ul_proto = ndx->ul_proto;
++			switch (ndx->ul_proto) {
++			case IPPROTO_ICMP:
++			case IPPROTO_ICMPV6:
++			case IPPROTO_GRE:
++				/* Ports are UL specific data, and should
++				 * not get swapped */
++				set_port((struct sockaddr *) &spidx.src, extract_port(src));
++				set_port((struct sockaddr *) &spidx.dst, extract_port(dst));
++				break;
++			}
+ 
+ 			sp_in = getsp_r(&spidx);
+ 			if (sp_in) {
+Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l	2011-03-03 19:57:26.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l	2011-03-04 13:07:03.000000000 +0200
+@@ -288,6 +288,7 @@
+ <S_SAINF>any		{ YYD; return(ANY); }
+ <S_SAINF>from		{ YYD; return(FROM); }
+ <S_SAINF>group		{ YYD; return(GROUP); }
++<S_SAINF>grekey		{ YYD; return(GREKEY); }
+ 	/* sainfo spec */
+ <S_SAINF>{bcl}		{ BEGIN S_SAINFS; return(BOC); }
+ <S_SAINF>{semi}		{ BEGIN S_INI; return(EOS); }
+Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y	2011-03-03 19:57:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y	2011-03-04 13:09:01.000000000 +0200
+@@ -213,7 +213,7 @@
+ 	/* algorithm */
+ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ 	/* sainfo */
+-%token SAINFO FROM
++%token SAINFO FROM GREKEY
+ 	/* remote */
+ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+ %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+@@ -1301,6 +1301,35 @@
+ 			cur_sainfo->idsrc = $1;
+ 			cur_sainfo->iddst = $2;
+ 		}
++	|	sainfo_id sainfo_id GREKEY ADDRSTRING
++		{
++			int a, b, c, d;
++
++			if (sscanf($4->v, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++				a = ipsecdoi_fixup_id_uldata(
++					$1, $2, IPPROTO_GRE,
++					(a << 8) + b, (c << 8) + d);
++			} else {
++				yyerror("grekey format unrecognized.");
++				return -1;
++			}
++			if (a != 0) {
++				yyerror("ul_proto needs to be 'gre' to use grekey.");
++				return -1;
++			}
++			cur_sainfo->idsrc = $1;
++			cur_sainfo->iddst = $2;
++		}
++	|	sainfo_id sainfo_id GREKEY NUMBER
++		{
++			if (ipsecdoi_fixup_id_uldata($1, $2, IPPROTO_GRE,
++						     ($4) >> 16, ($4) & 0xffff) != 0) {
++				yyerror("ul_proto needs to be 'gre' to use grekey.");
++				return -1;
++			}
++			cur_sainfo->idsrc = $1;
++			cur_sainfo->iddst = $2;
++		}
+ 	;
+ sainfo_id
+ 	:	IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
+@@ -1667,7 +1696,7 @@
+ 		{
+ 			struct remoteconf *from, *new;
+ 
+-			from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
++			from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS, 0);
+ 			if (from == NULL) {
+ 				yyerror("failed to get remoteconf for %s.",
+ 					saddr2str($4));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h	2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h	2011-03-03 20:42:35.000000000 +0200
+@@ -227,6 +227,9 @@
+ extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
+ extern int ipsecdoi_setid2 __P((struct ph2handle *));
+ extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
++extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
++extern int ipsecdoi_id_has_port __P((vchar_t *));
++
+ extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
+ 	u_int8_t *, u_int16_t *));
+ extern char *ipsecdoi_id2str __P((const vchar_t *));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c	2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c	2011-03-03 21:01:16.000000000 +0200
+@@ -3371,6 +3371,7 @@
+ 	vchar_t ident_t;
+ 	vchar_t ident_s;
+ 	int result;
++	int check_ports = 0;
+ 
+ 	/* handle wildcard IDs */
+ 
+@@ -3460,6 +3461,7 @@
+ 
+ 		case IPSECDOI_ID_IPV4_ADDR:
+ 			/* validate lengths */
++			check_ports = 1;
+ 			if ((ident_t.l != sizeof(struct in_addr))||
+ 			    (ident_s.l != sizeof(struct in_addr)))
+ 				goto cmpid_invalid;
+@@ -3468,6 +3470,7 @@
+ 		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+ 		case IPSECDOI_ID_IPV4_ADDR_RANGE:
+ 			/* validate lengths */
++			check_ports = 1;
+ 			if ((ident_t.l != (sizeof(struct in_addr)*2))||
+ 			    (ident_s.l != (sizeof(struct in_addr)*2)))
+ 				goto cmpid_invalid;
+@@ -3476,6 +3479,7 @@
+ #ifdef INET6
+ 		case IPSECDOI_ID_IPV6_ADDR:
+ 			/* validate lengths */
++			check_ports = 1;
+ 			if ((ident_t.l != sizeof(struct in6_addr))||
+ 			    (ident_s.l != sizeof(struct in6_addr)))
+ 				goto cmpid_invalid;
+@@ -3484,6 +3488,7 @@
+ 		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+ 		case IPSECDOI_ID_IPV6_ADDR_RANGE:
+ 			/* validate lengths */
++			check_ports = 1;
+ 			if ((ident_t.l != (sizeof(struct in6_addr)*2))||
+ 			    (ident_s.l != (sizeof(struct in6_addr)*2)))
+ 				goto cmpid_invalid;
+@@ -3502,10 +3507,15 @@
+ 	}
+ 
+ 	/* validate matching data and length */
+-	if (ident_t.l == ident_s.l)
+-		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+-	else
++	if (check_ports &&
++	    (id_bt->port != id_bs->port && id_bs->port != 0))
++		/* if target is wildcard, source should be too, otherwise
++		 * specific rule matches wildcard request */
+ 		result = 1;
++	else if (ident_t.l != ident_s.l)
++		result = 1;
++	else
++		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+ 
+ cmpid_result:
+ 
+@@ -4089,6 +4099,44 @@
+ 	return new;
+ }
+ 
++int ipsecdoi_fixup_id_uldata(srcid, dstid, ul_proto, ul_data1, ul_data2)
++	vchar_t *srcid, *dstid;
++	u_int16_t ul_proto;
++	u_int16_t ul_data1, ul_data2;
++{
++	struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
++	struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
++
++	if (src->proto_id != ul_proto ||
++	    dst->proto_id != ul_proto)
++		return -1;
++
++	src->port = htons(ul_data1);
++	dst->port = htons(ul_data2);
++
++	return 0;
++}
++
++int ipsecdoi_id_has_port(id)
++	vchar_t *id;
++{
++	struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id->v;
++
++	switch (id_b->type) {
++	case IPSECDOI_ID_IPV4_ADDR:
++	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
++	case IPSECDOI_ID_IPV4_ADDR_RANGE:
++	case IPSECDOI_ID_IPV6_ADDR:
++	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
++	case IPSECDOI_ID_IPV6_ADDR_RANGE:
++		if (ntohs(id_b->port) != 0)
++			return 1;
++		break;
++	}
++	return 0;
++}
++
++
+ vchar_t *
+ ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
+ 	struct sockaddr *laddr, *haddr;
+@@ -4318,7 +4366,7 @@
+ 		saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ 		saddr.sa.sa_family = AF_INET;
+-		saddr.sin.sin_port = IPSEC_PORT_ANY;
++		saddr.sin.sin_port = id_b->port;
+ 		memcpy(&saddr.sin.sin_addr,
+ 			id->v + sizeof(*id_b), sizeof(struct in_addr));
+ 		break;
+@@ -4331,7 +4379,7 @@
+ 		saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ 		saddr.sa.sa_family = AF_INET6;
+-		saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++		saddr.sin6.sin6_port = id_b->port;
+ 		memcpy(&saddr.sin6.sin6_addr,
+ 			id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ 		saddr.sin6.sin6_scope_id =
+@@ -4347,7 +4395,7 @@
+ #ifdef INET6
+ 	case IPSECDOI_ID_IPV6_ADDR:
+ #endif
+-		len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr.sa));
++		len = snprintf( buf, BUFLEN, "%s", saddr2str(&saddr.sa));
+ 		break;
+ 
+ 	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+@@ -4403,7 +4451,9 @@
+ 			plen += l;
+ 		}
+ 
+-		len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr.sa), plen);
++		len = snprintf(buf, BUFLEN, "%s/%i[%d]",
++			       saddrwop2str(&saddr.sa), plen,
++			       ntohs(id_b->port));
+ 	    }
+ 		break;
+ 
+@@ -4415,12 +4465,12 @@
+ 		saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ 		saddr.sa.sa_family = AF_INET;
+-		saddr.sin.sin_port = IPSEC_PORT_ANY;
++		saddr.sin.sin_port = id_b->port;
+ 		memcpy(&saddr.sin.sin_addr,
+ 			id->v + sizeof(*id_b) + sizeof(struct in_addr),
+ 			sizeof(struct in_addr));
+ 
+-		len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++		len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ 		break;
+ 
+ #ifdef INET6
+@@ -4431,7 +4481,7 @@
+ 		saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ 		saddr.sa.sa_family = AF_INET6;
+-		saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++		saddr.sin6.sin6_port = id_b->port;
+ 		memcpy(&saddr.sin6.sin6_addr,
+ 			id->v + sizeof(*id_b) + sizeof(struct in6_addr),
+ 			sizeof(struct in6_addr));
+@@ -4440,7 +4490,7 @@
+ 				? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ 				: 0);
+ 
+-		len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++		len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ 		break;
+ #endif
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c	2011-03-03 20:07:44.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c	2011-03-03 20:55:02.000000000 +0200
+@@ -124,7 +124,7 @@
+ 		plog(LLV_DEBUG, LOCATION, NULL,
+ 			"evaluating sainfo: %s\n", sainfostr);
+ 
+-		if(s->remoteid != remoteid) {
++		if (remoteid != -1 && s->remoteid != remoteid) {
+ 			plog(LLV_DEBUG, LOCATION, NULL,
+ 				"remoteid mismatch: %u != %u\n",
+ 				s->remoteid, remoteid);
+@@ -234,16 +234,22 @@
+ 	int pri = 0;
+ 
+ 	if(s->remoteid)
+-		pri += 3;
++		pri += 7;
+ 
+ 	if(s->id_i)
+-		pri += 3;
++		pri += 7;
+ 
+-	if(s->idsrc)
++	if(s->idsrc) {
+ 		pri++;
++		if (ipsecdoi_id_has_port(s->idsrc))
++			pri += 2;
++	}
+ 
+-	if(s->iddst)
++	if(s->iddst) {
+ 		pri++;
++		if (ipsecdoi_id_has_port(s->iddst))
++			pri += 2;
++	}
+ 
+ 	return pri;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c	2011-03-03 20:55:57.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c	2011-03-03 21:14:13.000000000 +0200
+@@ -2170,7 +2170,15 @@
+ 	 * so no need to bother yet. --arno */
+ 
+ 	if (iph1hint == NULL || iph1hint->rmconf == NULL) {
+-		rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
++		int flags = 0;
++		uint32_t remoteid;
++		if (nopassive)
++			flags |= GETRMCONF_F_NO_PASSIVE;
++		if (iph2->sainfo != NULL) {
++			flags |= GETRMCONF_F_HAS_REMOTEID;
++			remoteid = iph2->sainfo->remoteid;
++		}
++		rmconf = getrmconf(iph2->dst, flags, remoteid);
+ 		if (rmconf == NULL) {
+ 			plog(LLV_ERROR, LOCATION, NULL,
+ 				"no configuration found for %s.\n",
+@@ -2246,7 +2254,7 @@
+ 	struct secpolicy *sp_out, *sp_in;
+ {
+ 	struct remoteconf *conf;
+-	uint32_t remoteid = 0;
++	uint32_t remoteid = -1;
+ 
+ 	plog(LLV_DEBUG, LOCATION, NULL,
+ 		"new acquire %s\n", spidx2str(&sp_out->spidx));
+@@ -2273,7 +2281,7 @@
+ 			return -1;
+ 		}
+ 
+-		conf = getrmconf(iph2->dst, 0);
++		conf = getrmconf(iph2->dst, 0, 0);
+ 		if (conf != NULL)
+ 			remoteid = conf->ph1id;
+ 		else
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c	2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c	2011-03-03 21:17:09.000000000 +0200
+@@ -217,6 +217,13 @@
+ 		return MATCH_NONE;
+ 	}
+ 
++	if ((rmsel->flags & GETRMCONF_F_HAS_REMOTEID) &&
++	    rmsel->remoteid != rmconf->ph1id){
++		plog(LLV_DEBUG2, LOCATION, rmsel->remote,
++		     "Not matched: remote_id did not match.\n");
++		return MATCH_NONE;
++	}
++
+ 	ret |= MATCH_BASIC;
+ 
+ 	/* Check address */
+@@ -387,9 +394,10 @@
+  */
+ 
+ struct remoteconf *
+-getrmconf(remote, flags)
++getrmconf(remote, flags, remoteid)
+ 	struct sockaddr *remote;
+ 	int flags;
++	uint32_t remoteid;
+ {
+ 	struct rmconf_find_context ctx;
+ 	int n = 0;
+@@ -397,6 +405,7 @@
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	ctx.sel.flags = flags;
+ 	ctx.sel.remote = remote;
++	ctx.sel.remoteid = remoteid;
+ 
+ 	if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
+ 		plog(LLV_ERROR, LOCATION, remote,
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h	2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h	2011-03-03 21:10:53.000000000 +0200
+@@ -178,6 +178,7 @@
+ 	int flags;
+ 	struct sockaddr *remote;
+ 	int etype;
++	uint32_t remoteid;
+ 	struct isakmpsa *approval;
+ 	vchar_t *identity;
+ 	vchar_t *certificate_request;
+@@ -191,12 +192,13 @@
+ 
+ #define GETRMCONF_F_NO_ANONYMOUS	0x0001
+ #define GETRMCONF_F_NO_PASSIVE		0x0002
++#define GETRMCONF_F_HAS_REMOTEID	0x0004
+ 
+ #define RMCONF_ERR_MULTIPLE		((struct remoteconf *) -1)
+ 
+ extern int rmconf_match_identity __P((struct remoteconf *rmconf,
+ 				      vchar_t *id_p));
+-extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
++extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags, uint32_t remoteid));
+ extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
+ extern struct remoteconf *getrmconf_by_name __P((const char *name));
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c	2011-03-03 21:14:45.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c	2011-03-03 21:16:17.000000000 +0200
+@@ -2898,7 +2898,7 @@
+ 
+ 		/* If we are not acting as initiator, let's just leave and
+ 		 * let the remote peer handle the restart */
+-		rmconf = getrmconf(ma->remote, 0);
++		rmconf = getrmconf(ma->remote, 0, 0);
+ 		if (rmconf == NULL || !rmconf->passive) {
+ 			iph1->status = PHASE1ST_EXPIRED;
+ 			sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+@@ -3068,8 +3068,10 @@
+ 
+ 		if (iph2->ph1 && iph2->ph1->rmconf)
+ 			rmconf = iph2->ph1->rmconf;
++		else if (iph2->sainfo != NULL)
++			rmconf = getrmconf(iph2->dst, GETRMCONF_F_HAS_REMOTEID, iph2->sainfo->remoteid);
+ 		else
+-			rmconf = getrmconf(iph2->dst, 0);
++			rmconf = getrmconf(iph2->dst, 0, 0);
+ 
+ 		if (rmconf && !rmconf->passive) {
+ 			struct ph1handle *iph1hint;
+Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8	2011-03-04 11:48:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8	2011-03-04 11:48:56.000000000 +0200
+@@ -453,7 +453,7 @@
+ .Pp
+ A second example of requiring transport mode encryption of specific
+ GRE tunnel:
+-.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
++.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P in ipsec esp/transport//require ;
+ .Pp
+ .Em Note :
+ .Ar upperspec
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5	2011-03-04 11:57:36.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5	2011-03-04 12:01:13.000000000 +0200
+@@ -981,6 +981,7 @@
+ .Bl -tag -width Ds -compact
+ .It Ic sainfo Po Ar local_id | Ic anonymous Pc \
+ Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
++Bo Ic grekey Ar key Bc \
+ Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
+ Ic { Ar statements Ic }
+ Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
+@@ -1026,6 +1027,15 @@
+ to restrict policy generation when racoon is acting as a client gateway
+ for peers with dynamic ip addresses.
+ .Pp
++If both
++.Ar local_id
++and
++.Ar remote_id
++are specified with GRE as upper layer protocol, the upper layer GRE
++key match can be specified with
++.Ic grekey
++.Ar key .
++.Pp
+ The
+ .Ic from
+ keyword allows an sainfo to only match for peers that use a specific phase1
+Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y	2011-03-04 13:04:05.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/parse.y	2011-03-04 13:04:09.000000000 +0200
+@@ -856,6 +856,17 @@
+ 			}
+ 			$$.len = strlen($$.buf);
+ 		}
++	|	DECSTRING
++		{
++			char tmp[16];
++			sprintf(tmp, "%lu", $1);
++			$$.buf = strdup(tmp);
++			if (!$$.buf) {
++				yyerror("insufficient memory");
++				return -1;
++			}
++			$$.len = strlen(tmp);
++		}
+ 	;
+ 
+ context_spec
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index f29c3d509..54e77a397 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -13,11 +13,11 @@ over pending phase1:s. Useful when the other party is firewalled or NATted.
  5 files changed, 83 insertions(+), 12 deletions(-)
 
 
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index b67e545..710c9bf 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c	2011-03-03 21:16:47.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c	2011-03-04 13:50:30.000000000 +0200
+@@ -414,11 +414,23 @@
  		struct sockaddr *dst;
  		struct sockaddr *src;
  		char *name = NULL;
@@ -41,11 +41,11 @@ index b67e545..710c9bf 100644
  		if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
  		    com->ac_len > sizeof(*com) + sizeof(*ndx))
  			name = (char *) ((caddr_t) ndx + sizeof(*ndx));
-diff --git a/src/racoon/evt.c b/src/racoon/evt.c
-index 4ce1334..000c1f8 100644
---- a/src/racoon/evt.c
-+++ b/src/racoon/evt.c
-@@ -396,4 +396,17 @@ evt_list_cleanup(list)
+Index: ipsec-tools-cvs-HEAD/src/racoon/evt.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.c	2011-03-03 19:25:50.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/evt.c	2011-03-04 13:50:30.000000000 +0200
+@@ -396,4 +396,17 @@
  		evt_unsubscribe(LIST_FIRST(list));
  }
  
@@ -63,11 +63,11 @@ index 4ce1334..000c1f8 100644
 +}
 +
  #endif /* ENABLE_ADMINPORT */
-diff --git a/src/racoon/evt.h b/src/racoon/evt.h
-index 0ce65bd..ba7fb57 100644
---- a/src/racoon/evt.h
-+++ b/src/racoon/evt.h
-@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
+Index: ipsec-tools-cvs-HEAD/src/racoon/evt.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.h	2011-03-03 19:25:50.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/evt.h	2011-03-04 13:50:30.000000000 +0200
+@@ -124,6 +124,8 @@
  vchar_t *evt_dump __P((void));
  
  int  evt_subscribe __P((struct evt_listener_list *list, int fd));
@@ -76,7 +76,7 @@ index 0ce65bd..ba7fb57 100644
  void evt_list_init __P((struct evt_listener_list *list));
  void evt_list_cleanup __P((struct evt_listener_list *list));
  
-@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
+@@ -136,6 +138,7 @@
  #define evt_phase2(ph2, type, optdata) ;
  
  #define evt_subscribe(eventlist, fd) ;
@@ -84,17 +84,11 @@ index 0ce65bd..ba7fb57 100644
  #define evt_list_init(eventlist) ;
  #define evt_list_cleanup(eventlist) ;
  #define evt_get_fdmask(nfds, fdset) nfds
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index b33986f..9fd3817 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
- }
- 
- /*
-- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
-+ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
-  */
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c	2011-03-03 19:29:31.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c	2011-03-04 13:53:01.000000000 +0200
+@@ -292,17 +292,32 @@
  void migrate_dying_ph12(iph1)
  	struct ph1handle *iph1;
  {
@@ -114,8 +108,8 @@ index b33986f..9fd3817 100644
 +		    iph1->rmconf != p->rmconf)
  			continue;
  
--		if (cmpsaddr(iph1->local, p->local) == 0
--		 && cmpsaddr(iph1->remote, p->remote) == 0)
+-		if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+-		 && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
 +		/* migrate phase2:s from expiring entries */
 +		if (p->status >= PHASE1ST_DYING)
  			migrate_ph12(p, iph1);
@@ -132,15 +126,11 @@ index b33986f..9fd3817 100644
  	}
  }
  
--
- /*
-  * dump isakmp-sa
-  */
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index 0de16d1..2dfda2f 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c	2011-03-03 21:14:13.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c	2011-03-04 13:50:30.000000000 +0200
+@@ -2138,13 +2138,33 @@
  
  	remph2(iph2);
  	delph2(iph2);
@@ -176,7 +166,7 @@ index 0de16d1..2dfda2f 100644
  /*
   * receive ACQUIRE from kernel, and begin either phase1 or phase2.
   * if phase1 has been finished, begin phase2.
-@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
+@@ -2235,8 +2255,14 @@
  		/*NOTREACHED*/
  	}
  
@@ -193,7 +183,7 @@ index 0de16d1..2dfda2f 100644
  
  	/* found ISAKMP-SA. */
  	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
+@@ -2403,7 +2429,10 @@
  		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
  
  		/* begin quick mode */
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 6e4a009fd..3e9609bb7 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ipsec-tools
-pkgver=0.8_alpha20101208
-_myver=0.8-alpha20101208
+pkgver=0.8.0_rc1
+_myver=0.8.0.RC
 pkgrel=0
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
@@ -13,6 +13,8 @@ subpackages="$pkgname-doc $pkgname-dev"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
 	racoon.initd
 	racoon.confd
+	10-cmpsaddr-fix.patch
+	20-grekey-support.patch
 	50-reverse-connect.patch
 	70-defer-isakmp-ident-handling.patch
 	75-racoonctl-rcvbuf.patch
@@ -55,9 +57,11 @@ package() {
 	install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
 }
 
-md5sums="9da0417ea19629777d7d7a555667f6d8  ipsec-tools-0.8-alpha20101208.tar.gz
+md5sums="9473d0ce8746f16281fce1b75a9fffa3  ipsec-tools-0.8.0.RC.tar.gz
 74f12ed04ed273a738229c0bfbf829cc  racoon.initd
 2d00250cf72da7f2f559c91b65a48747  racoon.confd
-13bda94a598aabf593280e04ea16065d  50-reverse-connect.patch
+e4c9ae678bf80518107690bde97dc14b  10-cmpsaddr-fix.patch
+64a859d51f57206a11e52f6ad4830ec5  20-grekey-support.patch
+f97205eea3dc68d2437a2ad8720f4520  50-reverse-connect.patch
 94773c94233e14cdce0fa02ff780a43e  70-defer-isakmp-ident-handling.patch
 2d5d24c4a3684a38584f88720f71c7d6  75-racoonctl-rcvbuf.patch"