On 2012/09/24 13:24, Christoph Leser wrote:
> It seems that the patch from Stuart Henderson, proposed on Aug.4 2012
> on tech@ has not made it into -current yet.

I only forwarded it, the patch is from hshoexer. Also it is only a partial diff, not suitable to be committed, the encap mode value needs to be controllable per-peer so it needs a config option, changes to ipsecctl, etc.

This problem certainly would have affected older OpenBSD versions though, if they negotiated NAT-T they would have used the value from the RFC not the one from the internet-draft that Cisco use.

Have you tried just disabling NAT-T completely, see the options list in isakmpd(8), to see what happens?