From ca4cf5538b04224642f8c3fc756ba68b8a4bcddd Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 4 Nov 2015 09:54:29 +0000
Subject: [PATCH] (legacy) ipsec, obey force nat travesal

---
 src/etc/inc/vpn.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 75536e2e0..40c64655e 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -621,6 +621,11 @@ EOD;
                 $rekey = "rekey = yes";
             }
 
+            $forceencaps = 'forceencaps = no' ;
+            if (!empty($ph1ent['nat_traversal']) && $ph1ent['nat_traversal'] == 'force') {
+                $forceencaps = 'forceencaps = yes';
+            }
+
             $ipseclifetime = 0;
             $rightsubnet_spec = array();
             $leftsubnet_spec = array();
@@ -773,6 +778,7 @@ conn con<<connectionId>>
   keyexchange = {$keyexchange}
   {$reauth}
   {$rekey}
+  {$forceencaps}
   reqid = {$ikeid}
   installpolicy = yes
   {$tunneltype}