diff --git a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 index 1da0c43ac580..4f7062c918fb 100644 --- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 +++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 @@ -1,4 +1,4 @@ -.\" $NetBSD: racoon.conf.5,v 1.54 2009/03/12 10:57:26 tteras Exp $ +.\" $NetBSD: racoon.conf.5,v 1.55 2009/03/12 15:18:57 wiz Exp $ .\" .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp .\" @@ -383,14 +383,16 @@ This problem is known to be fixed in Linux 2.6.25 and later. Specifies the IKE phase 1 parameters for each remote node. .Pp If connection is initiated using racoonctl, a unique match using the -remote IP must be found or the remote block name has to be given. For -received acquires (kernel notices traffic requiring a new SA) the +remote IP must be found or the remote block name has to be given. +For received acquires (kernel notices traffic requiring a new SA) the remote IP and remoteid from matching sainfo block are used to decide -the remoteblock. If no uniquely matching remoteblock is found using +the remoteblock. +If no uniquely matching remoteblock is found using these criteria, no connection attempt is done. .Pp When acting as responder, racoon picks the first proposal that has one -or more acceptable remote configurations. When determining if a remote +or more acceptable remote configurations. +When determining if a remote specification is matching the following information is checked: .Bl -bullet -tag -width Ds -compact .It @@ -411,7 +413,8 @@ if is on. .It If a certificate request was received, it must match the issuer of -.Ic "certificate_type x509" certificate. +.Ic "certificate_type x509" +certificate. If certificate request without issuer name was sent, the .Ic match_empty_cr parameter specifies whether or not remote block matches. 
@@ -680,10 +683,10 @@ By default, the identifier sent by the remote host (as specified in its statement) is compared with the credentials in the certificate used to authenticate the remote host as follows: .Bl -tag -width Ds -compact -.It Type Ic asn1dn: +.It Type Ic asn1dn : The entire certificate subject name is compared with the identifier, e.g. "C=XX, O=YY, ...". -.It Type Ic address, fqdn, or user_fqdn: +.It Type Ic address, fqdn, or user_fqdn : The certificate's subjectAltName is compared with the identifier. .El If the two do not match the negotiation will fail. @@ -968,10 +971,11 @@ command. .Bq Ic inherit Ar parent .Ic { Ar statements Ic } .Xc -Deprecated format of specifying a remote block. This will be removed -in future. It is a remnant from time when remote block was decided +Deprecated format of specifying a remote block. +This will be removed in future. +It is a remnant from time when remote block was decided solely based on the peers IP address. - +.Pp This is equivalent to: .Bd -literal -offset remote "address" [inherit "parent-address"] { @@ -1348,11 +1352,11 @@ The default is The host name or ip address of the ldap server. The default is .Ic localhost . -.It Ic port Ar number; +.It Ic port Ar number ; The port that the ldap server is configured to listen on. The default is .Ic 389 . -.It Ic base Ar distinguished name; +.It Ic base Ar distinguished name ; The ldap search base. This option has no default value. .It Ic subtree (on | off) ; 
@@ -1360,20 +1364,20 @@ Use the subtree ldap search scope. Otherwise, use the one level search scope. The default is .Ic off . -.It Ic bind_dn Ar distinguished name; +.It Ic bind_dn Ar distinguished name ; The user dn used to optionally bind as before performing ldap search operations. If this option is not specified, anonymous binds are used. -.It Ic bind_pw Ar string; +.It Ic bind_pw Ar string ; The password used when binding as .Ic bind_dn . -.It Ic attr_user Ar attribute name; +.It Ic attr_user Ar attribute name ; The attribute used to specify a users name in an ldap directory. For example, if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn". The default value is .Ic cn . -.It Ic attr_addr Ar attribute name; -.It Ic attr_mask Ar attribute name; +.It Ic attr_addr Ar attribute name ; +.It Ic attr_mask Ar attribute name ; The attributes used to specify a users network address and subnet mask in an ldap directory. These values are forwarded during mode_cfg negotiation when @@ -1382,13 +1386,13 @@ The default values are .Ic racoon-address and .Ic racoon-netmask . -.It Ic attr_group Ar attribute name; +.It Ic attr_group Ar attribute name ; The attribute used to specify a group name in an ldap directory. For example, if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn". The default value is .Ic cn . -.It Ic attr_member Ar attribute name; +.It Ic attr_member Ar attribute name ; The attribute used to specify group membership in an ldap directory. The default value is .Ic member . 
@@ -1409,12 +1413,12 @@ configuration file will be used instead. .Pp The following are valid statements: .Bl -tag -width Ds -compact -.It Ic auth Ar (hostname | address) [port] sharedsecret; +.It Ic auth Ar (hostname | address) [port] sharedsecret ; The host name or ip address, optional port value and shared secret value of a radius authentication server. Up to 5 radius authentication servers may be specified using multiple lines. -.It Ic acct Ar (hostname | address) [port] sharedsecret; +.It Ic acct Ar (hostname | address) [port] sharedsecret ; The host name or ip address, optional port value and shared secret value of a radius accounting server. Up to 5 radius accounting servers may be
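Review bot: In the @@ -383,14 +383,16 @@ hunk, the rewrapped sentence "When determining if a remote / specification is matching the following information is checked:" is still ungrammatical and has no comma before the main clause; since the first line is already being touched, suggest "When determining whether a remote / specification matches, the following information is checked:". The same hunk keeps "remoteblock" in two places while the surrounding text uses "remote block"; picking one spelling here would avoid a follow-up cleanup commit.

Review bot: In the @@ -968,10 +971,11 @@ hunk, the re-split line "It is a remnant from time when remote block was decided" is missing its articles and the following context line has "peers IP address" without the possessive; suggest "It is a remnant from the time when the remote block was chosen / solely based on the peer's IP address." while the line is being edited. Replacing the bare blank line with .Pp is the right fix for mdoc.

Review bot: In the @@ -1360,20 +1364,20 @@ hunk, the bind_pw entry only gains the delimiter space, but as written it documents a credential that sits in cleartext in racoon.conf ("The password used when binding as bind_dn") without saying so; since the line is being touched, suggest adding one sentence noting that this is a cleartext secret and that the configuration file must be protected from other users accordingly.

Review bot: In the @@ -1409,12 +1413,12 @@ hunk, the two .It lines put "(hostname | address) [port] sharedsecret" under a single .Ar; in mdoc the standalone "|" and ";" tokens are treated as delimiters rather than argument text, so the rendered output will show "|" in the body font while the parenthesised alternatives stay in argument font, which is acceptable but worth checking with mandoc -Tlint before committing. The "sharedsecret" argument is, like the ldap bind_pw above, a cleartext secret in the config file, and the description could say so in the same sentence that states the five-server limit.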