I'm resending my patches again. As Emmanuel commented there should be no problem with including the NAT-OA, I'm now hoping someone could review these and comment on them. I'm still planning to implement more stuff, so getting some feedback now on needed changes could help me avoid extra work on merging the changes later to multiple patches.
The first three patches are unchanged from previous send (consider committing):
The following patches are new/changed and still a bit experimental (for review):
- removed one extra hunk adding empty line within a comment
- modified checking of IDcr/IDci: when checking ID against NAT-OA check only the address portion against NAT-OA as port is never used in NAT-OA
- implement establish-sa [esp|ah] in admin.c
- make a new helper function isakmp_get_sainfo(); is the correct place in isakmp.c?
- send phase2 up events
- establish-sa -w option to wait until sa is established or an error happens
- add GRE protocol number to racoonctl and related manpage
I'm still planning to improve the event reporting to racoonctl. Current event dispatching is based on polling. So each event is seen only by one racoonctl process. And e.g. running multiple establish-sa requests with -w simultaneously (or vpn-connect) is broken. Also I'm planning addition of "do not replace SA" type parameter for establish-sa. These would make integration of ipsec-tools with OpenNHRP [http://sourceforge.net/projects/opennhrp] very straightforward.