diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -669,7 +669,7 @@
 * Bypass packet filtering for packets previously handled
 * by IPsec.
 */
- if (!V_ip4_filtertunnel &&
+ if (!V_ip4_filtertunnel ||
 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return (1);
 return (0);
@@ -843,7 +843,7 @@
 * Bypass packet filtering for packets previously handled
 * by IPsec.
 */
- if (!V_ip6_filtertunnel &&
+ if (!V_ip6_filtertunnel ||
 m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return (1);
 return (0);
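Review bot: With `||` in place of `&&` at the IPv4 check, the bypass condition becomes true for any packet whenever `V_ip4_filtertunnel` is 0, tagged or not, and for every packet carrying `PACKET_TAG_IPSEC_IN_DONE` even when the sysctl is set to 1, so the knob can no longer force decapsulated traffic through the packet filter. That contradicts the comment directly above it, which limits the bypass to packets previously handled by IPsec; assuming a return of 1 means "skip the filter hooks", as that comment implies, the condition should stay `if (!V_ip4_filtertunnel &&`. The second hunk at line 843 makes the same change for `V_ip6_filtertunnel` and needs the same correction. The enclosing functions start outside both hunks, so the caller's handling of the return value should be confirmed before merging.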