Index: sys/netipsec/xform_esp.c
===================================================================
--- sys/netipsec/xform_esp.c
+++ sys/netipsec/xform_esp.c
@@ -620,6 +620,10 @@
 /* Restore the Next Protocol field */
 m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
 
+ /* Silently drop packet if next_header is IPPROTO_NONE (RFC 4303) */
+ if (lastthree[2] == IPPROTO_NONE)
+ goto bad;
+
 switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
 case AF_INET6:
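Review bot: The new `goto bad` drop reuses the function's generic failure exit, and that label lies outside the hunk, so it is not visible whether the path logs, bumps an error counter or returns a failure status. RFC 4303 section 2.6 requires a receiver to discard dummy packets (next header 59) without indicating an error. Because they are ordinary traffic-flow-confidentiality padding, counting them as failures would add noise to the drop statistics operators watch for real ESP errors. If `bad` does report an error, give the dummy-packet case its own exit or clear the status before the jump, and consider wording the comment as `/* Dummy packet (RFC 4303, section 2.6): discard without indicating an error */`. The test could also sit before the `m_copyback()` call, since the restored header byte is thrown away with the packet.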