diff --git a/crypto/dist/ipsec-tools/ChangeLog b/crypto/dist/ipsec-tools/ChangeLog
index 4a6636fdb7a3..5f594f8df7fb 100644
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@@ -1,3 +1,8 @@
+2005-07-12 Emmanuel Dreyfus
+
+ * src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
+ used.
+
 2005-07-04 Emmanuel Dreyfus
 * src/racoon/isakmp_inf.c: safety checks on informational messages
diff --git a/crypto/dist/ipsec-tools/src/racoon/pfkey.c b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
index 9dc1626feb39..6f7457b6aeef 100644
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey.c,v 1.4 2005/05/03 21:08:47 manu Exp $ */
+/* $NetBSD: pfkey.c,v 1.5 2005/07/12 14:14:46 manu Exp $ */
 /* Id: pfkey.c,v 1.31.2.1 2005/02/18 10:01:40 vanhu Exp */
@@ -1059,10 +1059,14 @@ pk_sendupdate(iph2)
 natt.dport = extract_port (iph2->ph1->local);
 natt.oa = NULL; // FIXME: Here comes OA!!!
 natt.frag = iph2->ph1->rmconf->esp_frag;
- }
- else
+ } else {
 memset (&natt, 0, sizeof (natt));
+ /* Remove port information, that SA doesn't use it */
+ set_port(src, 0);
+ set_port(dst, 0);
+ }
+
 if (pfkey_send_update_nat(
 lcconf->sock_pfkey,
 satype,
@@ -1084,6 +1088,10 @@ pk_sendupdate(iph2)
 return -1;
 }
 #else
+ /* Remove port information, it is not used without NAT-T */
+ set_port(src, 0);
+ set_port(dst, 0);
+
 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
 if (pfkey_send_update(
 lcconf->sock_pfkey,
@@ -1352,10 +1360,14 @@ pk_sendadd(iph2)
 natt.dport = extract_port (iph2->ph1->remote);
 natt.oa = NULL; // FIXME: Here comes OA!!!
 natt.frag = iph2->ph1->rmconf->esp_frag;
- }
- else
+ } else {
 memset (&natt, 0, sizeof (natt));
+ /* Remove port information, that SA doesn't use it */
+ set_port(src, 0);
+ set_port(dst, 0);
+ }
+
 if (pfkey_send_add_nat(
 lcconf->sock_pfkey,
 satype,
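Review bot: The `set_port(src, 0)` and `set_port(dst, 0)` calls added to the non-NAT-T `else` branch in the hunk at -1059 write through the `src` and `dst` pointers, so the ports are cleared in whatever objects those pointers refer to and not only in the message handed to `pfkey_send_update_nat()`. Where `src` and `dst` are assigned is outside the hunk; if they point at addresses stored in the phase 2 handle `iph2` (presumably, since nothing visible here copies them), the IKE ports are gone for every later reader of that handle, including any code that matches or logs the negotiation by address and port. The same applies to the hunks at -1084 in `pk_sendupdate` and at -1352 and -1379 in `pk_sendadd`. Clearing the ports on a local copy of each sockaddr and passing the copies to the `pfkey_send_*` call would keep the kernel-facing change without touching shared state; if the in-place write is intended, a comment such as `/* note: this also clears the port in the address the caller's handle keeps */` would make that explicit. `pk_sendupdate` starts and ends outside this hunk.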
@@ -1379,6 +1391,10 @@ pk_sendadd(iph2)
 #else
 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
+ /* Remove port information, it is not used without NAT-T */
+ set_port(src, 0);
+ set_port(dst, 0);
+
 if (pfkey_send_add(
 lcconf->sock_pfkey,
 satype,
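Review bot: The comments added by this commit describe the same action in two wordings, `that SA doesn't use it` in the `natt` branches at -1059 and -1352 and `it is not used without NAT-T` here and at -1084, and the first form is hard to parse. One wording in all four places, for example `/* NAT-T is not in use: set the IKE ports to 0 in the SA */`, would match the ChangeLog entry and make the four sites easy to find together. The placement also differs between the two functions: in this `#else` branch the `set_port()` calls come after the `plog()` line, while in the `#else` branch of `pk_sendupdate` they come before it, and keeping one order would keep the functions parallel. `pk_sendadd` starts and ends outside this hunk.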