diff --git a/crypto/dist/ipsec-tools/ChangeLog b/crypto/dist/ipsec-tools/ChangeLog index 67123998cd84..94defdc17b86 100644 --- a/crypto/dist/ipsec-tools/ChangeLog +++ b/crypto/dist/ipsec-tools/ChangeLog @@ -1,5 +1,10 @@ 2005-05-20 Emmanuel Dreyfus + * src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp + + From hgates + * src/racoon/proposal.c: fix SPI size test for IPcomp + From Larry Baird * src/racoon/{handler.c|ipsec_doi.c|remoteconf.h|remoteconf.c}: When altering lifetime, duplicate the proposal instead of modifying diff --git a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c index 1842e35e6e1c..b398622fea8e 100644 --- a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c +++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c @@ -1,4 +1,4 @@ -/* $NetBSD: pfkey.c,v 1.2 2005/04/10 21:20:55 manu Exp $ */ +/* $NetBSD: pfkey.c,v 1.3 2005/05/20 01:28:13 manu Exp $ */ /* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */ @@ -1305,9 +1305,14 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, #ifdef SADB_X_EXT_NAT_T_TYPE /* add nat-t packets */ if (l_natt_type) { - if (satype != SADB_SATYPE_ESP) { + switch(satype) { + case SADB_SATYPE_ESP: + case SADB_X_SATYPE_IPCOMP: + break; + default: __ipsec_errcode = EIPSEC_NO_ALGS; return -1; + break; } len += sizeof(struct sadb_x_nat_t_type); diff --git a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c index 07087ebccf81..d44cda5497ea 100644 --- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c +++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_doi.c,v 1.5 2005/05/20 00:54:55 manu Exp $ */ +/* $NetBSD: ipsec_doi.c,v 1.6 2005/05/20 01:28:13 manu Exp $ */ /* Id: ipsec_doi.c,v 1.26.2.1 2005/02/17 13:19:18 vanhu Exp */ 
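Review bot: In the pfkey_send_x1 hunk of pfkey.c, the `break;` that follows `return -1;` in the new `default:` arm is unreachable and can be dropped. The switch is now an allow-list of SA types that may carry the NAT-T extensions, but nothing says so; a comment above it such as `/* NAT-T extensions are only accepted on ESP and IPcomp SAs; refuse everything else */` would make a later widening of the list a deliberate decision. The refusal still reports `EIPSEC_NO_ALGS`, which reads oddly for an SA-type rejection; if no caller depends on that value, `EIPSEC_INVAL_SATYPE` would describe the failure better. The function body starts and ends outside the hunk.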
@@ -2434,6 +2434,15 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_ENC_MODE_TUNNEL: case IPSECDOI_ATTR_ENC_MODE_TRNS: break; +#ifdef ENABLE_NATT + case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC: + case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC: + case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT: + case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT: + plog(LLV_DEBUG, LOCATION, NULL, + "UDP encapsulation requested\n"); + break; +#endif default: plog(LLV_ERROR, LOCATION, NULL, "invalid encryption mode=%u.\n", diff --git a/crypto/dist/ipsec-tools/src/racoon/proposal.c b/crypto/dist/ipsec-tools/src/racoon/proposal.c index 90849a31e4fd..981c5f1df4d2 100644 --- a/crypto/dist/ipsec-tools/src/racoon/proposal.c +++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c @@ -1,4 +1,4 @@ -/* $NetBSD: proposal.c,v 1.2 2005/05/10 09:23:36 manu Exp $ */ +/* $NetBSD: proposal.c,v 1.3 2005/05/20 01:28:13 manu Exp $ */ /* Id: proposal.c,v 1.13 2004/09/13 14:09:19 ludvigm Exp */ @@ -372,8 +372,8 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) if (pr1->spisize == sizeof(u_int16_t) && pr2->spisize == sizeof(u_int32_t)) { spisizematch = 1; - } else if (pr1->spisize == sizeof(u_int16_t) && - pr2->spisize == sizeof(u_int32_t)) { + } else if (pr2->spisize == sizeof(u_int16_t) && + pr1->spisize == sizeof(u_int32_t)) { spisizematch = 1; } if (spisizematch) {
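Review bot: In check_attr_ipcomp (ipsec_doi.c), the four new UDP-encapsulation cases are accepted whenever ENABLE_NATT is compiled in, and nothing visible here checks that NAT-T was actually negotiated with this peer or that the RFC or draft variant matches what was negotiated. Only `trns` is passed in, so that validation would have to happen in a caller outside the hunk; it is worth confirming it exists, because otherwise the peer's proposal alone decides the encapsulation mode. The acceptance is logged at `LLV_DEBUG` without the mode value, so adding the mode to the message, as the `default:` arm does with `mode=%u`, would make the decision traceable when auditing a negotiation. The function starts and ends outside the hunk.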
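Review bot: In the cmpsaprop_alloc hunk of proposal.c, the two branches that set `spisizematch = 1` are mirror images written out by hand, which is the shape that produced the duplicated condition this commit corrects. Folding them into one symmetric test, `if ((pr1->spisize == sizeof(u_int16_t) && pr2->spisize == sizeof(u_int32_t)) || (pr1->spisize == sizeof(u_int32_t) && pr2->spisize == sizeof(u_int16_t)))`, removes the second copy. A short comment stating that the 16-bit versus 32-bit tolerance exists for the IPcomp CPI would help too. The condition that limits this relaxation to IPcomp is presumably just above the hunk; confirm it is there, since for ESP or AH a mismatched SPI size should still be rejected. The enclosing block starts and ends outside the hunk.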