diff -ruN freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/README.NAT-Traversal freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/README.NAT-Traversal
--- freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/README.NAT-Traversal Thu Jan 2 18:38:17 2003
+++ freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/README.NAT-Traversal Mon Jan 6 10:11:15 2003
@@ -1,6 +1,6 @@
-NAT-Traversal Patch -- Version 0.5 [ Contributed by Arkoon Network Security ]
-================================== [ http://www.arkoon.net ]
+NAT-Traversal Patch -- Version 0.5a [ Contributed by Arkoon Network Security ]
+=================================== [ http://www.arkoon.net ]
 [ http://open-source.arkoon.net ]
 NAT-Traversal patch allows FreeS/WAN to be used behind any NAT device
@@ -188,4 +188,8 @@
 - Warning if IPSec-Passthrough NAT device is suspected and old drafts used
 - accept most recent NAT-T VID instead of first one
 - new ISAKMP VID (SSH Sentinel, esp-in-udp, Timestep)
+
+ o Version 0.5a
+ - fix bug that can block udp/4500 packets and create %hold state
+ - cosmetics
diff -ruN freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/klips/net/ipsec/ipsec_tunnel.c freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/klips/net/ipsec/ipsec_tunnel.c
--- freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/klips/net/ipsec/ipsec_tunnel.c Thu Jan 2 17:34:44 2003
+++ freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/klips/net/ipsec/ipsec_tunnel.c Mon Jan 6 10:11:15 2003
@@ -710,7 +710,12 @@
 && (!er
 || iph->daddr == er->er_said.dst.s_addr
 || INADDR_ANY == er->er_said.dst.s_addr)
- && (sport == 500)) {
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+ && ((sport == 500) || (sport == 4500))
+#else
+ && (sport == 500)
+#endif
+ ) {
 /* Whatever the eroute, this is an IKE message
 * from us (i.e. not being forwarded).
 * Furthermore, if there is a tunnel eroute,
diff -ruN freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/pluto/demux.c freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/pluto/demux.c
--- freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/pluto/demux.c Thu Jan 2 17:40:50 2003
+++ freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/pluto/demux.c Mon Jan 6 10:11:15 2003
@@ -715,6 +715,18 @@
 /* note dirty trick to suppress ~ at start of format
 * if we know what state to blame.
 */
+#ifdef NAT_TRAVERSAL
+ if ((packet_len == 1) && (buffer[0] = 0xff)
+#ifdef DEBUG
+ && ((cur_debugging & DBG_NATT) == 0)
+#endif
+ ) {
+ /* don't log NAT-T keepalive related errors unless NATT debug is
+ * enabled
+ */
+ }
+ else
+#endif
 log((sender != NULL) + "~"
 "ERROR: asynchronous network error report on %s"
 "%s"
diff -ruN freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/pluto/nat_traversal.c freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/pluto/nat_traversal.c
--- freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5/pluto/nat_traversal.c Thu Jan 2 16:46:15 2003
+++ freeswan-1.99-x509-0.9.15-alg-nd-natt-0.5a/pluto/nat_traversal.c Mon Jan 6 10:11:15 2003
@@ -73,7 +73,7 @@
 static unsigned int _ka_evt = 0;
 static bool _force_ka = 0;
-static const char *natt_version = "0.5";
+static const char *natt_version = "0.5a";
 static const char *natt_methods[] = {
 "draft-ietf-ipsec-nat-t-ike-00",
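Review bot: The comment right after the new `#ifdef CONFIG_IPSEC_NAT_TRAVERSAL` condition still says "this is an IKE message from us", but the bypass now also matches locally generated UDP from port 4500, which under NAT-T carries UDP-encapsulated ESP as well as IKE; the comment should say so, e.g. `/* Whatever the eroute, this is an IKE or NAT-T (udp/4500) message from us ... */`. Two magic numbers now decide whether a packet skips the eroute, so naming them (a macro for the IKE port and one for the NAT-T port) would make the intent visible at the call site. One caveat worth recording in that comment: unlike 500, port 4500 is not a privileged port, so the bypass is no longer limited to sockets that only root can bind — acceptable if this path only sees packets the host itself originates, as the existing comment claims, but that should be stated rather than implied. The enclosing function begins and ends outside the hunk, so whether other checks constrain this path cannot be confirmed from here.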
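Review bot: `(buffer[0] = 0xff)` on the new `if` line in demux.c is an assignment, not a comparison: it overwrites the first byte and always evaluates true, so with `packet_len == 1` every one-byte packet's asynchronous error report is swallowed regardless of its content (unless DBG_NATT is on), not just NAT-T keepalives. It should read `if ((packet_len == 1) && (buffer[0] == 0xff)`; `-Wall`/`-Wparentheses` would have flagged the original form. The dangling `else` that spans `#endif` into the `log(...)` call is brittle as well — wrapping the log in an explicit `else { ... }` block, or inverting the test to `if (!(keepalive condition)) log(...)`, would survive later edits to the error report. The enclosing function starts and ends outside the hunk.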