diff --git a/crypto/dist/ipsec-tools/ChangeLog b/crypto/dist/ipsec-tools/ChangeLog
index 0c3e5ba6d404..9e9fc09df91b 100644
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@@ -1,3 +1,10 @@
+2005-08-26 Emmanuel Dreyfus
+
+ * src/racoon/cfparse.y: handle xauth_login correctly
+ * src/racoon/isakmp.c: catch internal error
+ * src/raccon/isakmp_agg.c: fix racoon as Xauth client
+ * src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
+
 2005-08-23 Emmanuel Dreyfus
 * src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
diff --git a/crypto/dist/ipsec-tools/src/racoon/cfparse.y b/crypto/dist/ipsec-tools/src/racoon/cfparse.y
index c8ab2df7859f..383f7d53f607 100644
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.7 2005/09/24 22:45:51 christos Exp $ */
+/* $NetBSD: cfparse.y,v 1.8 2005/09/26 16:24:57 manu Exp $ */
 /* Id: cfparse.y,v 1.37.2.4 2005/05/10 09:45:45 manubsd Exp */
@@ -1263,6 +1263,7 @@ remote_spec
 {
 #ifdef ENABLE_HYBRID
 /* formerly identifier type login */
+ cur_rmconf->idvtype = IDTYPE_LOGIN;
 if (set_identifier(&cur_rmconf->idv, IDTYPE_LOGIN, $2) != 0) {
 yyerror("failed to set identifer.\n");
 return -1;
diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp.c b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
index 9dcccce0ddf6..f5f0d5cdf4b5 100644
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.9 2005/08/20 00:57:06 manu Exp $ */
+/* $NetBSD: isakmp.c,v 1.10 2005/09/26 16:24:57 manu Exp $ */
 /* Id: isakmp.c,v 1.34.2.19 2005/08/11 14:58:51 vanhu Exp */
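Review bot: In the cfparse.y `remote_spec` hunk, `cur_rmconf->idvtype = IDTYPE_LOGIN;` is assigned before `set_identifier()` has been checked, and nothing explains why the type has to be stored by hand when the same constant is already passed to that call. Placing the assignment after the checked call would keep `idvtype` and `idv` in step on the error path. A comment such as `/* set_identifier() fills idv only; record the ID type separately */` would document the pairing; that description of `set_identifier()` is inferred from this fix and should be confirmed against the function. The action body continues past the end of the hunk.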
@@ -2853,13 +2853,21 @@ isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_t
 vchar_t *
 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
 {
- struct payload_list *ptr = *plist, *first;
+ struct payload_list *ptr, *first;
 size_t tlen = sizeof (struct isakmp), n = 0;
 vchar_t *buf;
 char *p;
+ if (plist == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "in isakmp_plist_set_all: plist == NULL\n");
+ return NULL;
+ }
+
 /* Seek to the first item. */
- while (ptr->prev) ptr = ptr->prev;
+ ptr = *plist;
+ while (ptr->prev)
+ ptr = ptr->prev;
 first = ptr;
 /* Compute the whole length. */
diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
index 53f8a1169c46..87804ab57773 100644
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_agg.c,v 1.5 2005/09/23 14:22:27 manu Exp $ */
+/* $NetBSD: isakmp_agg.c,v 1.6 2005/09/26 16:24:57 manu Exp $ */
 /* Id: isakmp_agg.c,v 1.20.2.1 2005/04/09 22:32:06 manubsd Exp */
@@ -650,6 +650,10 @@ agg_i2send(iph1, msg)
 switch (iph1->approval->authmethod) {
 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+#ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+ case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
+#endif
 /* set HASH payload */
 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
 break;
@@ -695,6 +699,11 @@ agg_i2send(iph1, msg)
 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
 break;
 #endif
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
+ iph1->approval->authmethod);
+ goto end;
+ break;
 }
 #ifdef ENABLE_NATT
@@ -1205,6 +1214,11 @@ agg_r1send(iph1, msg)
 break;
 #endif
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "Invalid authmethod %d\n",
+ iph1->approval->authmethod);
+ goto end;
+ break;
 }
 #ifdef ENABLE_NATT
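Review bot: In `isakmp_plist_set_all()` the new guard tests only `plist == NULL`, but the next statements, `ptr = *plist;` and `while (ptr->prev)`, still dereference `*plist` unchecked, so a caller that passes the address of an empty list reaches a NULL dereference. The guard should cover both levels, `if (plist == NULL || *plist == NULL) {`, with the log text adjusted to match. In an IKE daemon the payload list is built from negotiation state, so a code path that appends nothing should fail the exchange rather than crash the process. The function body continues outside the hunk, so whether callers handle the NULL return is not visible here.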
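Review bot: In the first `agg_i2send()` hunk the two hybrid labels are stacked onto the pre-shared-key case without a comment, so a reader cannot tell that `OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R` and `OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R` share the HASH payload on purpose. The existing `/* set HASH payload */` could become `/* PSK and hybrid (initiator side): authenticate with HASH, no SIG payload */`. The "initiator side" wording is taken from the ChangeLog line about the Xauth client and should be confirmed. It is also worth checking that `iph1->hash` is populated for the hybrid methods before this switch, which the hunk does not show.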
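Review bot: The `break;` after `goto end;` in the new `default:` arm of `agg_i2send()` is unreachable and can be dropped. The same arm is repeated in `agg_r1send()`, and in `base_i2send()` and `base_r2send()` in isakmp_base.c. The `agg_r1send()` copy logs "Invalid authmethod" with a capital I, unlike the other three, so one spelling such as `"invalid authmethod %d\n"` in all four places would keep the log searchable. Because `goto end` now leaves the function after earlier code may have appended to `plist`, confirm that the `end:` label, which is outside the hunk, releases any list entries already allocated.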
diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
index a2c54d10099b..3107c4138ae9 100644
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_base.c,v 1.3 2005/09/23 14:22:27 manu Exp $ */
+/* $NetBSD: isakmp_base.c,v 1.4 2005/09/26 16:24:57 manu Exp $ */
 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
@@ -427,6 +427,11 @@ base_i2send(iph1, msg)
 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
 break;
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
+ iph1->approval->authmethod);
+ goto end;
+ break;
 }
 #ifdef ENABLE_NATT
@@ -1126,6 +1131,11 @@ base_r2send(iph1, msg)
 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
 break;
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
+ iph1->approval->authmethod);
+ goto end;
+ break;
 }
 #ifdef ENABLE_NATT
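Review bot: The new `default:` in `base_i2send()` and `base_r2send()` fails the exchange for every auth method the switch does not list, but the earlier case labels are outside both hunks. It is therefore not visible whether the hybrid methods this commit adds to `agg_i2send()` are listed here too. If they are not, a configuration using one of them in base mode would now stop with "invalid authmethod" instead of falling through silently. That is probably the intended fail-closed behaviour, and a comment such as `/* base mode: any method not listed above is unsupported */` would make it explicit.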