Index: sys/netipsec/xform_ah.c
===================================================================
--- sys/netipsec/xform_ah.c
+++ sys/netipsec/xform_ah.c
@@ -108,6 +108,8 @@
 #endif
 
 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
+static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
+static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
 
 static int ah_input_cb(struct cryptop*);
 static int ah_output_cb(struct cryptop*);
@@ -184,6 +186,26 @@
 			__func__, sav->alg_auth));
 		return EINVAL;
 	}
+
+	switch (sav->alg_auth) {
+	case SADB_AALG_MD5HMAC:
+		if (ratecheck(&md5warn, &warninterval))
+			gone_in(13, "MD5-HMAC authenticator for IPsec");
+		break;
+	case SADB_X_AALG_RIPEMD160HMAC:
+		if (ratecheck(&ripewarn, &warninterval))
+			gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
+		break;
+	case SADB_X_AALG_MD5:
+		if (ratecheck(&kpdkmd5warn, &warninterval))
+			gone_in(13, "Keyed-MD5 authenticator for IPsec");
+		break;
+	case SADB_X_AALG_SHA:
+		if (ratecheck(&kpdksha1warn, &warninterval))
+			gone_in(13, "Keyed-SHA1 authenticator for IPsec");
+		break;
+	}
+
 	/*
 	 * Verify the replay state block allocation is consistent with
 	 * the protocol type.  We check here so we can make assumptions
Index: sys/netipsec/xform_esp.c
===================================================================
--- sys/netipsec/xform_esp.c
+++ sys/netipsec/xform_esp.c
@@ -94,6 +94,9 @@
     struct espstat, espstat,
     "ESP statistics (struct espstat, netipsec/esp_var.h");
 
+static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
+static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
+
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
 
@@ -156,6 +159,26 @@
 			__func__));
 		return EINVAL;
 	}
+
+	switch (sav->alg_enc) {
+	case SADB_EALG_DESCBC:
+		if (ratecheck(&deswarn, &warninterval))
+			gone_in(13, "DES cipher for IPsec");
+		break;
+	case SADB_X_EALG_BLOWFISHCBC:
+		if (ratecheck(&blfwarn, &warninterval))
+			gone_in(13, "Blowfish cipher for IPsec");
+		break;
+	case SADB_X_EALG_CAST128CBC:
+		if (ratecheck(&castwarn, &warninterval))
+			gone_in(13, "CAST cipher for IPsec");
+		break;
+	case SADB_X_EALG_CAMELLIACBC:
+		if (ratecheck(&camelliawarn, &warninterval))
+			gone_in(13, "Camellia cipher for IPsec");
+		break;
+	}
+
 	/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
 	keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
 	if (txform->minkey > keylen || keylen > txform->maxkey) {