The only thing is used from this code is ipip_output() function, that does IPIP encapsulation. Other parts of XF_IP4 code were removed in r275133.
Also it isn't possible to configure the use of XF_IP4, nor from userland via setkey(8), nor from the kernel.
Simplify the ipip_output() function and rename it to ipsec_encap().

• move IP_DF handling from ipsec4_process_packet() into ipsec_encap();
• since ipsec_encap() called from ipsec[64]_process_packet(), it is safe to assume that mbuf is contiguous at least to IP header for used IP version. Remove all unneeded m_pullup(), m_copydata and related checks;
• use V_ip_defttl and V_ip6_defhlim for outer headers;
• move all diagnostic messages to the ipsec_encap() callers;
• simplify handling of ipsec_encap() return result: if it returns non zero value, print diagnostic message and free mbuf.