From 3d5ebe16a617e1184e92094a58c07f80e3bc597e Mon Sep 17 00:00:00 2001
From: mpi <mpi@openbsd.org>
Date: Thu, 7 Dec 2017 11:44:02 +0000
Subject: [PATCH] Set the correct ENCAPSULATION_MODE when doing NAT-T.

Fix at least interoperability with Cisco when isakmpd(8) is initiating
the connections, originally reported by sebastia@ in 2014.

Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
---
 sbin/isakmpd/ike_quick_mode.c | 40 +++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index f48f5e89e38..dd437bdf884 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.111 2017/11/08 13:33:49 patrick Exp $	 */
+/* $OpenBSD: ike_quick_mode.c,v 1.112 2017/12/07 11:44:02 mpi Exp $	 */
 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $	 */
 
 /*
@@ -406,6 +406,7 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
 	struct constant_map *id_map;
 	char           *protocol_id, *transform_id;
 	char           *local_id, *remote_id;
+	char           *name;
 	int             group_desc = -1, new_group_desc;
 	struct ipsec_sa *isa = msg->isakmp_sa->data;
 	struct hash    *hash = hash_get(isa->hash);
@@ -621,9 +622,40 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
 					}
 					conf_free_list(life_conf);
 				}
-				attribute_set_constant(xf->field,
-				    "ENCAPSULATION_MODE", ipsec_encap_cst,
-				    IPSEC_ATTR_ENCAPSULATION_MODE, &attr);
+
+				if (proto_id == IPSEC_PROTO_IPSEC_ESP &&
+				    (exchange->flags &
+				    EXCHANGE_FLAG_NAT_T_ENABLE)) {
+					name = conf_get_str(xf->field,
+					    "ENCAPSULATION_MODE");
+					if (name) {
+						value = constant_value(
+						    ipsec_encap_cst,
+						    name);
+						switch (value) {
+						case IPSEC_ENCAP_TUNNEL:
+							value = exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT ?
+							    IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT :
+							    IPSEC_ENCAP_UDP_ENCAP_TUNNEL;
+							break;
+						case IPSEC_ENCAP_TRANSPORT:
+							value = exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT ?
+							    IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT :
+							    IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
+							break;
+						}
+						attr = attribute_set_basic(
+						    attr,
+						    IPSEC_ATTR_ENCAPSULATION_MODE,
+						    value);
+					}
+				} else {
+					attribute_set_constant(xf->field,
+					    "ENCAPSULATION_MODE",
+					    ipsec_encap_cst,
+					    IPSEC_ATTR_ENCAPSULATION_MODE,
+					    &attr);
+				}
 
 				if (proto_id != IPSEC_PROTO_IPCOMP) {
 					attribute_set_constant(xf->field,
-- 
2.20.1