Index: sys/netipsec/xform_esp.c
===================================================================
--- sys/netipsec/xform_esp.c
+++ sys/netipsec/xform_esp.c
@@ -620,20 +620,29 @@
 	/* Restore the Next Protocol field */
 	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
 
-	switch (saidx->dst.sa.sa_family) {
+	/* Silently drop packet if next_header is IPPROTO_NONE (RFC 4303) */
+	if (lastthree[2] != IPPROTO_NONE)
+	{
+		switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
-	case AF_INET6:
-		error = ipsec6_common_input_cb(m, sav, skip, protoff);
-		break;
+		case AF_INET6:
+			error = ipsec6_common_input_cb(m, sav, skip, protoff);
+			break;
 #endif
 #ifdef INET
-	case AF_INET:
-		error = ipsec4_common_input_cb(m, sav, skip, protoff);
-		break;
+		case AF_INET:
+			error = ipsec4_common_input_cb(m, sav, skip, protoff);
+			break;
 #endif
-	default:
-		panic("%s: Unexpected address family: %d saidx=%p", __func__,
-		    saidx->dst.sa.sa_family, saidx);
+		default:
+			panic("%s: Unexpected address family: %d saidx=%p", __func__,
+			    saidx->dst.sa.sa_family, saidx);
+		}
+	}
+	else
+	{
+		error = 0;
+		goto bad;
 	}
 	CURVNET_RESTORE();
 	return error;
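Review bot: The new drop path (`error = 0; goto bad;`) leaves through the function's `bad:` label, which is outside this hunk, so the change silently depends on that label freeing the mbuf, dropping any SA reference, and calling CURVNET_RESTORE() on an `error == 0` exit; if `bad:` assumes a failure (for example by bumping an input-error counter) or skips the vnet restore, this path either miscounts or leaks, and that should be confirmed against the label before commit. The drop is also completely invisible to operators: RFC 4303 §2.6 does say dummy packets (Next Header 59) are discarded, but a peer emitting them would be easier to diagnose if the drop incremented whatever ESP statistics counter this file uses for discarded input, rather than being counted as nothing at all. On style, wrapping the entire switch in `if (lastthree[2] != IPPROTO_NONE) { ... } else { ... }` re-indents every dispatch line and puts `{` and `else` on their own lines, which is not style(9); a guard clause in front of the unchanged switch expresses the same decision in four lines with a comment that names the RFC section and why the drop is not an error. The enclosing function both starts before and ends after this hunk.
```c
	/* Restore the Next Protocol field */
	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);

	/*
	 * RFC 4303 §2.6: a Next Header of IPPROTO_NONE (59) marks a dummy
	 * packet inserted for traffic-flow confidentiality.  It has been
	 * authenticated and decrypted like any other ESP packet and is now
	 * discarded without being treated as an error.
	 */
	if (lastthree[2] == IPPROTO_NONE) {
		error = 0;
		goto bad;
	}
	switch (saidx->dst.sa.sa_family) {
	/* … unchanged: AF_INET6 / AF_INET dispatch and default panic … */
	}
	CURVNET_RESTORE();
	return error;
```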