Index: head/security/vpnc/Makefile
===================================================================
--- head/security/vpnc/Makefile (revision 454172)
+++ head/security/vpnc/Makefile (revision 454173)
@@ -1,90 +1,90 @@ # Created by: Christian Lackas # $FreeBSD$ PORTNAME= vpnc PORTVERSION= 0.5.3 -PORTREVISION= 12 +PORTREVISION= 13 CATEGORIES= security MASTER_SITES= http://www.unix-ag.uni-kl.de/~massar/vpnc/ \ LOCAL/ehaupt MAINTAINER= ehaupt@FreeBSD.org COMMENT= Client for Cisco 3000 VPN Concentrator LICENSE= GPLv2 BSD2CLAUSE LICENSE_COMB= multi LICENSE_FILE= ${WRKSRC}/COPYING LIB_DEPENDS= libgcrypt.so:security/libgcrypt \ libgpg-error.so:security/libgpg-error RUN_DEPENDS= vpnc-script:sysutils/vpnc-scripts USES= shebangfix gmake perl5 USE_PERL5= build USE_RC_SUBR= vpnc LEGAL_TEXT= Redistribution is not allowed if linked against OpenSSL ALL_TARGET= all SHEBANG_FILES= makeman.pl PORTDOCS= README TODO MANPAGE8= vpnc.8 MAKE_ENV+= BINS="${EXTRABUILDS}" OPTIONS_DEFINE= DECRYPT SSL CISCOVERSION DOCS DECRYPT_DESC= cisco-decypt password decrypt utility CISCOVERSION_DESC= Mask linux presentation string OPTIONS_DEFAULT=DECRYPT .include .if ${PORT_OPTIONS:MDECRYPT} MANPAGE1= cisco-decrypt.1 EXTRABUILDS+= cisco-decrypt PLIST_SUB+= DECRYPT="" .else PLIST_SUB+= DECRYPT="@comment " .endif .if ${PORT_OPTIONS:MSSL} NO_PACKAGE= binary linked against OpenSSL must not be redistributed CFLAGS+= -DOPENSSL_GPL_VIOLATION LDFLAGS+= -lcrypto .endif .if ${PORT_OPTIONS:MCISCOVERSION} CFLAGS+= -DCISCO_PATCH_VERSION .endif post-patch: .if ${OSVERSION} >= 1100042 @${REINPLACE_CMD} \ -e 's|.*%%FREEBSD_IPLEN_FIX%%.*|#define NEED_IPLEN_FIX 1|' \ ${WRKSRC}/sysdep.h .endif @${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|' ${WRKSRC}/config.c @${REINPLACE_CMD} -e 's|\(/etc/vpnc\)|${PREFIX}\1|' \ ${WRKSRC}/${MANPAGE8}.template do-install: ${INSTALL_PROGRAM} -m 751 ${WRKSRC}/vpnc ${STAGEDIR}${PREFIX}/sbin/vpnc .if ${PORT_OPTIONS:MDECRYPT} ${INSTALL_PROGRAM} ${WRKSRC}/cisco-decrypt ${STAGEDIR}${PREFIX}/bin ${INSTALL_MAN} ${WRKSRC}/${MANPAGE1} ${STAGEDIR}${MANPREFIX}/man/man1 .endif ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/vpnc-disconnect \ ${STAGEDIR}${PREFIX}/sbin/vpnc-disconnect ${INSTALL_DATA} -m 600 
${WRKSRC}/vpnc.conf \ ${STAGEDIR}${PREFIX}/etc/vpnc.conf.sample .if !exists(${STAGEDIR}${PREFIX}/etc/vpnc.conf) ${INSTALL_DATA} -m 600 ${WRKSRC}/vpnc.conf ${STAGEDIR}${PREFIX}/etc .endif ${INSTALL_MAN} ${WRKSRC}/${MANPAGE8} ${STAGEDIR}${MANPREFIX}/man/man8 @${MKDIR} ${STAGEDIR}${DOCSDIR} @cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} .include
Index: head/security/vpnc/files/patch-vpnc.c
===================================================================
--- head/security/vpnc/files/patch-vpnc.c (revision 454172)
+++ head/security/vpnc/files/patch-vpnc.c (revision 454173)
@@ -1,72 +1,106 @@ ---- ./vpnc.c.orig 2011-02-25 20:17:00.000000000 +0100 -+++ ./vpnc.c 2011-02-25 20:18:49.000000000 +0100 -@@ -2861,28 +2861,34 @@ +--- vpnc.c.orig 2008-11-19 21:55:51.000000000 +0100 ++++ vpnc.c 2017-11-10 13:09:32.996639000 +0100 +@@ -1160,8 +1160,11 @@ + value = a->next->u.attr_16; + else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4) + value = ntohl(*((uint32_t *) a->next->u.lots.data)); +- else +- assert(0); ++ else { ++ DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n", ++ a->next->af, a->next->u.lots.length)); ++ return; ++ } + + DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value, + (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte")); +@@ -1578,6 +1581,19 @@ + seen_natd_them = 1; + } + break; ++ case ISAKMP_PAYLOAD_N: ++ if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) { ++ if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP) ++ lifetime_ike_process(s, rp->u.n.attributes); ++ else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) ++ lifetime_ipsec_process(s, rp->u.n.attributes); ++ else ++ DEBUG(2, printf("got unknown lifetime notice, ignoring..\n")); ++ } else { ++ DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n")); ++ reject = ISAKMP_N_INVALID_PAYLOAD_TYPE; ++ } ++ break; + default: + DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type)); + reject = ISAKMP_N_INVALID_PAYLOAD_TYPE; +@@ -2861,28 +2877,34 @@ free(dh_shared_secret); free_isakmp_packet(r); - if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { - s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port); - s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; - s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; - } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { - s->esp_fd = s->ike_fd; - } else { + if (s->esp_fd == 0) { + if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { + s->esp_fd = make_socket(s, opt_udpencapport, 
s->ipsec.peer_udpencap_port); + s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; + s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; + } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { + s->esp_fd = s->ike_fd; + } else { #ifdef IP_HDRINCL - int hincl = 1; + int hincl = 1; #endif - s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); - if (s->esp_fd == -1) { - close_tunnel(s); - error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); - } + s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); + if (s->esp_fd == -1) { + close_tunnel(s); + error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); + } +#ifdef FD_CLOEXEC + /* do not pass socket to vpnc-script, etc. */ + fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC); +#endif #ifdef IP_HDRINCL - if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { - close_tunnel(s); - error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); - } + if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { + close_tunnel(s); + error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); + } #endif + } } s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1; -@@ -3224,9 +3230,14 @@ +@@ -3224,9 +3246,14 @@ */ /* FIXME: any cleanup needed??? */ - free_isakmp_packet(r); - do_phase2_qm(s); - return; + if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) { + free_isakmp_packet(r); + do_phase2_qm(s); + return; + } else { + DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n")); + continue; + } } /* skip ipsec-esp delete */ if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
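Review bot: The new guard `if (s->esp_fd == 0) {` around the ESP socket setup uses descriptor 0 as the "not yet opened" sentinel, but `socket()` can legitimately return 0 when stdin has been closed (only -1 is treated as failure on the next line), so on a rekey that socket would be opened a second time and the first one leaked; unless the session struct is initialised with esp_fd = -1 elsewhere (outside this patch), the cleaner sentinel is -1 with the check `if (s->esp_fd < 0) {`, and the enclosing function starts and ends outside the hunk. `FD_CLOEXEC` is set only on the raw `IPPROTO_ESP` socket, not on the `make_socket()` or `s->ike_fd` paths of the same branch, so whether the UDP-encapsulated descriptor also stays out of vpnc-script's inherited fds depends on make_socket(), which is not visible here. In the ISAKMP delete change, `memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4)` assumes each received SPI is four bytes; if the payload parser does not already enforce that length for ESP deletes, a shorter SPI from the peer would be read past its buffer, so the condition should also verify the payload's declared SPI length before the compare. Lastly, the new lifetime DEBUG line prints `a->next->u.lots.length` for every unknown `af`, which reads a union member that is only meaningful for `isakmp_attr_lots` — harmless for a debug message, but the printed length is meaningless for the other attribute forms.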