Include a patchset that solves a problem with phase2 re-keying. That is, when

phase2 lifetime (either in seconds or bytes) expires, then vpnc either silently
stops passing traffic or that plus consuming CPU time by running a tight loop.

This issue have experienced this issue on various platforms.

Example of a bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496718

Bump PORTREVISION and while we're here remove MD5 sums.

Submitted by:   avg
Obtained from:  http://www.gossamer-threads.com/lists/vpnc/devel/3442, with
                slight adjustments to apply to our patchlevel by avg

security/vpnc/Makefile

@@ -7,7 +7,7 @@
 
 PORTNAME=	vpnc
 PORTVERSION=	0.5.3
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security
 MASTER_SITES=	http://www.unix-ag.uni-kl.de/~massar/vpnc/ \
 		CRITICAL

security/vpnc/distinfo

@@ -1,3 +1,2 @@
-MD5 (vpnc-0.5.3.tar.gz) = 4378f9551d5b077e1770bbe09995afb3
 SHA256 (vpnc-0.5.3.tar.gz) = 46cea3bd02f207c62c7c6f2f22133382602baeda1dc320747809e94881414884
 SIZE (vpnc-0.5.3.tar.gz) = 98740

security/vpnc/files/patch-vpnc.c

@@ -0,0 +1,72 @@
+--- ./vpnc.c.orig	2011-02-25 20:17:00.000000000 +0100
++++ ./vpnc.c	2011-02-25 20:18:49.000000000 +0100
+@@ -2861,28 +2861,34 @@
+ 		free(dh_shared_secret);
+ 		free_isakmp_packet(r);
+ 		
+-		if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
+-			s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
+-			s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
+-			s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
+-		} else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
+-			s->esp_fd = s->ike_fd;
+-		} else {
++		if (s->esp_fd == 0) {
++			if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
++				s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
++				s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
++				s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
++			} else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
++				s->esp_fd = s->ike_fd;
++			} else {
+ #ifdef IP_HDRINCL
+-			int hincl = 1;
++				int hincl = 1;
+ #endif
+ 		
+-			s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
+-			if (s->esp_fd == -1) {
+-				close_tunnel(s);
+-				error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
+-			}
++				s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
++				if (s->esp_fd == -1) {
++					close_tunnel(s);
++					error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
++				}
++#ifdef FD_CLOEXEC
++				/* do not pass socket to vpnc-script, etc. */
++				fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
++#endif
+ #ifdef IP_HDRINCL
+-			if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
+-				close_tunnel(s);
+-				error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
+-			}
++				if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
++					close_tunnel(s);
++					error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
++				}
+ #endif
++			}
+ 		}
+ 		
+ 		s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
+@@ -3224,9 +3230,14 @@
+ 			 */
+ 			/* FIXME: any cleanup needed??? */
+ 
+-			free_isakmp_packet(r);
+-			do_phase2_qm(s);
+-			return;
++			if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
++				free_isakmp_packet(r);
++				do_phase2_qm(s);
++				return;
++			} else {
++				DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n"));
++				continue;
++			}
+ 		}
+ 		/* skip ipsec-esp delete */
+ 		if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {