diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile
index 8ba6e0d49df7..4f33c3990565 100644
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@@ -1,104 +1,109 @@
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
 PORTREVISION=	13
 CATEGORIES=	security
 MASTER_SITES=	SF
 
 MAINTAINER=	eugen@FreeBSD.org
 COMMENT=	KAME racoon IKE daemon, ipsec-tools version
 WWW=		http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/
 
 LICENSE=	BSD3CLAUSE
 
-USES=		cpe libtool tar:bzip2 ssl
+USES=		compiler cpe libtool tar:bzip2 ssl
 
 CONFLICTS=	racoon
 INSTALL_TARGET=	install-strip
 USE_RC_SUBR=	racoon
 GNU_CONFIGURE=	yes
 GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
 USE_LDCONFIG=	yes
 CONFIGURE_ARGS=	--enable-shared --sysconfdir=${PREFIX}/etc/racoon \
 		--localstatedir=${STATEDIR:S/\/racoon//}
 
 STATEDIR=	/var/db/racoon
 SUB_LIST+=	STATEDIR=${STATEDIR} REQUIREMOD=${REQUIREMOD}
 PLIST_SUB+=	STATEDIR=${STATEDIR}
 
 OPTIONS_DEFINE=	IPV6 ADMINPORT STATS DPD NATT FRAG HYBRID PAM \
 		RADIUS LDAP GSSAPI SAUNSPEC RC5 IDEA DOCS EXAMPLES WCPSKEY
 OPTIONS_DEFAULT=	ADMINPORT DPD NATT FRAG HYBRID WCPSKEY
 
 ADMINPORT_DESC=	Enable Admin port
 STATS_DESC=	Statistics logging function
 DPD_DESC=	Dead Peer Detection
 NATT_DESC=	NAT-Traversal
 FRAG_DESC=	IKE fragmentation payload support
 HYBRID_DESC=	Hybrid, Xauth and Mode-cfg support
 SAUNSPEC_DESC=	Unspecified SA mode
 RC5_DESC=	RC5 encryption (patented)
 IDEA_DESC=	IDEA encryption (patented)
 PAM_DESC=	PAM authentication (Xauth server)
 RADIUS_DESC=	Radius authentication (Xauth server)
 LDAP_DESC=	LDAP authentication (Xauth server)
 WCPSKEY_DESC=	Allow wildcard matching for pre-shared keys
 
 PORTDOCS=	*
 PORTEXAMPLES=	*
 
 IPV6_CONFIGURE_ENABLE=	ipv6
 ADMINPORT_CONFIGURE_ENABLE=adminport
 STATS_CONFIGURE_ENABLE=	stats
 DPD_CONFIGURE_ENABLE=	dpd
 NATT_CONFIGURE_ON=	--enable-natt=yes --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF=	--disable-natt
 FRAG_CONFIGURE_ENABLE=	frag
 HYBRID_CONFIGURE_ENABLE=hybrid
 PAM_CONFIGURE_WITH=	libpam
 GSSAPI_USES=		iconv
 GSSAPI_CFLAGS=		-I${LOCALBASE}/include
 GSSAPI_LDFLAGS=		-L${LOCALBASE}/lib
 GSSAPI_CONFIGURE_ENABLE=gssapi
 RADIUS_CONFIGURE_WITH=	libradius
 LDAP_USES=		ldap
 LDAP_CONFIGURE_ON=	--with-libldap=${LOCALBASE}
 LDAP_CONFIGURE_OFF=	--without-libldap
 SAUNSPEC_CONFIGURE_ENABLE=	samode-unspec
 RC5_CONFIGURE_ENABLE=		rc5
 IDEA_CONFIGURE_ENABLE=		idea
 NATT_EXTRA_PATCHES=		${FILESDIR}/natt.diff
 WCPSKEY_EXTRA_PATCHES=	${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff
 
 .include <bsd.port.pre.mk>
 
+.if ${COMPILER_TYPE} == clang && ${COMPILER_VERSION} >= 190
+CFLAGS+=	-Wno-deprecated-declarations -Wno-deprecated-non-prototype \
+		-Wno-incompatible-pointer-types-discards-qualifiers
+.endif
+
 .if ${OPSYS} == FreeBSD
 REQUIREMOD?=	ipsec
 .endif
 
 post-patch:
 	@${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
 
 post-install:
 	@${MKDIR} ${STAGEDIR}/${PREFIX}/etc/racoon
 	@if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \
 	    ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
 	    ${ECHO_MSG} "         You must build the kernel if you want to run racoon on the host"; \
 	fi ;
 
 post-install-EXAMPLES-on:
 	@${MKDIR} ${STAGEDIR}/${EXAMPLESDIR}
 	@${RM} ${WRKSRC}/src/racoon/samples/*.in
 	@${CP} -r ${WRKSRC}/src/racoon/samples/* ${STAGEDIR}/${EXAMPLESDIR}
 
 post-install-DOCS-on:
 	@${MKDIR} ${STAGEDIR}/${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR}
 
 .if ${OPSYS} == FreeBSD
 .  if ${SSL_DEFAULT} != openssl111
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-ipsec-tools
 PLIST_FILES+=	include/racoon/openssl_compat.h
 .  endif
 .endif
 
 .include <bsd.port.post.mk>
diff --git a/security/ipsec-tools/files/patch-ipsec_dump_policy.c b/security/ipsec-tools/files/patch-ipsec_dump_policy.c
new file mode 100644
index 000000000000..1f3ba06741d2
--- /dev/null
+++ b/security/ipsec-tools/files/patch-ipsec_dump_policy.c
@@ -0,0 +1,13 @@
+--- src/libipsec/ipsec_dump_policy.c.orig	2010-12-03 21:01:11.000000000 +0600
++++ src/libipsec/ipsec_dump_policy.c	2025-02-09 15:01:50.443167000 +0700
+@@ -77,8 +77,8 @@ ipsec_dump_policy(policy, delimiter)
+  */
+ char *
+ ipsec_dump_policy(policy, delimiter)
+-	ipsec_policy_t policy;
+-	__ipsec_const char *delimiter;
++	c_ipsec_policy_t policy;
++	__ipsec_nconst char *delimiter;
+ {
+ 	return ipsec_dump_policy1(policy, delimiter, 0);
+ }
diff --git a/security/ipsec-tools/files/patch-ipsec_get_policylen.c b/security/ipsec-tools/files/patch-ipsec_get_policylen.c
new file mode 100644
index 000000000000..206a6f6e625d
--- /dev/null
+++ b/security/ipsec-tools/files/patch-ipsec_get_policylen.c
@@ -0,0 +1,11 @@
+--- src/libipsec/ipsec_get_policylen.c.orig	2007-07-18 12:07:50.000000000 +0000
++++ src/libipsec/ipsec_get_policylen.c	2025-02-09 07:40:22.545915000 +0000
+@@ -48,7 +48,7 @@
+ 
+ int
+ ipsec_get_policylen(policy)
+-	ipsec_policy_t policy;
++	c_ipsec_policy_t policy;
+ {
+ 	return policy ? PFKEY_EXTLEN(policy) : -1;
+ }
diff --git a/security/ipsec-tools/files/patch-libpfkey.h b/security/ipsec-tools/files/patch-libpfkey.h
new file mode 100644
index 000000000000..52835c1b2cdd
--- /dev/null
+++ b/security/ipsec-tools/files/patch-libpfkey.h
@@ -0,0 +1,39 @@
+--- src/libipsec/libpfkey.h.orig	2012-08-23 18:10:45.000000000 +0700
++++ src/libipsec/libpfkey.h	2025-02-09 14:39:31.913248000 +0700
+@@ -34,6 +34,8 @@
+ #ifndef _LIBPFKEY_H
+ #define _LIBPFKEY_H
+ 
++#include <sys/param.h>
++
+ #ifndef KAME_LIBPFKEY_H
+ #define KAME_LIBPFKEY_H
+ 
+@@ -64,6 +66,14 @@
+ #define __ipsec_const const
+ #endif
+ 
++#if __FreeBSD_version >= 1500019
++typedef c_caddr_t c_ipsec_policy_t;
++#define __ipsec_nconst const
++#else
++typedef caddr_t c_ipsec_policy_t;
++#define __ipsec_nconst
++#endif
++
+ struct pfkey_send_sa_args {
+ 	int 		so;			/* socket */
+ 	u_int		type;			
+@@ -107,9 +117,9 @@
+ void ipsec_hexdump __P((const void *, int));
+ const char *ipsec_strerror __P((void));
+ void kdebug_sadb __P((struct sadb_msg *));
+-ipsec_policy_t ipsec_set_policy __P((__ipsec_const char *, int));
+-int  ipsec_get_policylen __P((ipsec_policy_t));
+-char *ipsec_dump_policy __P((ipsec_policy_t, __ipsec_const char *));
++ipsec_policy_t ipsec_set_policy __P((__ipsec_nconst char *, int));
++int  ipsec_get_policylen __P((c_ipsec_policy_t));
++char *ipsec_dump_policy __P((c_ipsec_policy_t, __ipsec_nconst char *));
+ 
+ /* PFKey Routines */
+ 
diff --git a/security/ipsec-tools/files/patch-policy_parse.c b/security/ipsec-tools/files/patch-policy_parse.c
new file mode 100644
index 000000000000..9382e7048f37
--- /dev/null
+++ b/security/ipsec-tools/files/patch-policy_parse.c
@@ -0,0 +1,11 @@
+--- src/libipsec/policy_parse.c.orig	2012-08-23 11:12:33.000000000 +0000
++++ src/libipsec/policy_parse.c	2025-02-09 07:02:38.738230000 +0000
+@@ -2262,7 +2262,7 @@ ipsec_set_policy(msg, msglen)
+ 
+ ipsec_policy_t
+ ipsec_set_policy(msg, msglen)
+-	__ipsec_const char *msg;
++	__ipsec_nconst char *msg;
+ 	int msglen;
+ {
+ 	caddr_t policy;