Index: sys/netinet/ip_input.c
===================================================================
--- sys/netinet/ip_input.c
+++ sys/netinet/ip_input.c
@@ -926,6 +926,23 @@
 }
 #endif
+#ifdef IPSEC
+ switch(ip_ipsec_output(&m, NULL, &error)) {
+ case 1:
+ m_freem(m);
+ /* FALLTHROUGH */
+ case -1:
+ return;
+ /* NOTREACHED */
+ case 0:
+ default:
+ break; /* Continue with packet processing. */
+ }
+ /* Update variables that are affected by ipsec output. */
+ ip = mtod(m, struct ip *);
+
+#endif /* IPSEC */
+
 bzero(&ro, sizeof(ro));
 sin = (struct sockaddr_in *)&ro.ro_dst;
 sin->sin_family = AF_INET;
@@ -943,7 +960,7 @@
 ifa_ref(&ia->ia_ifa);
 } else
 ia = NULL;
-#ifndef IPSEC
+
 /*
 * 'ia' may be NULL if there is no route for this destination.
 * In case of IPsec, Don't discard it just yet, but pass it to
@@ -954,7 +971,6 @@
 RO_RTFREE(&ro);
 return;
 }
-#endif
 /*
 * Save the IP header and at most 8 bytes of the payload,
@@ -1030,7 +1046,7 @@
 }
 }
- error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL);
+ error = ip_output(m, NULL, &ro, IP_FORWARDING | IP_IPSECSKIP, NULL, NULL);
 if (error == EMSGSIZE && ro.ro_rt)
 mtu = ro.ro_rt->rt_mtu;
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c
+++ sys/netinet/ip_output.c
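Review bot: The IPsec transform in the new `#ifdef IPSEC` block runs before the forwarding path saves its header copy (the "Save the IP header and at most 8 bytes of the payload" step that follows in this file's third hunk), so for a tunnel-mode SA that saved copy describes the encapsulated outer packet rather than what the original sender transmitted. If, as that comment suggests, the copy is what feeds the ICMP error sent when ip_output() later fails (for instance the EMSGSIZE/mtu path in the last hunk), the error would be addressed from the outer header and the original sender would never see it; the icmp_error() call itself is outside this diff, so this needs confirming against the rest of the function. The `case 1:` arm also frees the packet and returns without counting the drop, so a policy-driven discard leaves no trace in the ipstat counters; consider bumping the appropriate `IPSTAT_INC()` counter there. Either way, add `/* NOTE: runs before the header copy is taken; ICMP errors see the post-IPsec header. */` above the switch so the ordering is documented. The enclosing function begins and ends outside this hunk.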
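Review bot: The retained comment starting `'ia' may be NULL if there is no route for this destination. In case of IPsec, Don't discard it just yet, but pass it to` is now stale: with `#ifndef IPSEC` dropped in this hunk and the matching `#endif` dropped in the next one, the no-route packet is discarded unconditionally whether or not IPsec is compiled in, because the SPD has already been consulted earlier in the function. Suggest rewording it to `'ia' is NULL if there is no route for this destination. IPsec processing has already been applied above, so the destination is final; drop the packet and signal unreachable.`, and trimming the trailing sentence about passing it to ip_output(). The remainder of the comment and the discard itself sit between this hunk and the next, outside the visible lines.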
@@ -449,26 +449,28 @@
 sendit:
 #ifdef IPSEC
- switch(ip_ipsec_output(&m, inp, &error)) {
- case 1:
- goto bad;
- case -1:
- goto done;
- case 0:
- default:
- break; /* Continue with packet processing. */
+ if (!(flags & IP_IPSECSKIP)) {
+ switch(ip_ipsec_output(&m, inp, &error)) {
+ case 1:
+ goto bad;
+ case -1:
+ goto done;
+ case 0:
+ default:
+ break; /* Continue with packet processing. */
+ }
+ /*
+ * Check if there was a route for this packet; return error if not.
+ */
+ if (no_route_but_check_spd) {
+ IPSTAT_INC(ips_noroute);
+ error = EHOSTUNREACH;
+ goto bad;
+ }
+ /* Update variables that are affected by ipsec4_output(). */
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
 }
- /*
- * Check if there was a route for this packet; return error if not.
- */
- if (no_route_but_check_spd) {
- IPSTAT_INC(ips_noroute);
- error = EHOSTUNREACH;
- goto bad;
- }
- /* Update variables that are affected by ipsec4_output(). */
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
 #endif /* IPSEC */
 /* Jump over all PFIL processing if hooks are not active. */
Index: sys/netinet/ip_var.h
===================================================================
--- sys/netinet/ip_var.h
+++ sys/netinet/ip_var.h
@@ -162,6 +162,7 @@
 #define IP_ROUTETOIF SO_DONTROUTE /* 0x10 bypass routing tables */
 #define IP_ALLOWBROADCAST SO_BROADCAST /* 0x20 can send broadcast packets */
 #define IP_NODEFAULTFLOWID 0x40 /* Don't set the flowid from inp */
+#define IP_IPSECSKIP 0x80 /* Skip IPSEC processing */
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP_HDR_ALIGNED_P(ip) 1
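Review bot: The `no_route_but_check_spd` check has been pulled inside `if (!(flags & IP_IPSECSKIP))`, so a caller that passes IP_IPSECSKIP for a destination with no route now skips both the SPD lookup and the EHOSTUNREACH bail-out and continues toward PFIL and transmission with whatever route state the earlier lookup left behind (that lookup, where the flag is set and the jump to `sendit` happens, is outside this hunk, so whether the output interface can be NULL there needs confirming). The only IP_IPSECSKIP caller in this diff resolves its route before calling ip_output(), but the flag is an exported ip_var.h constant and the check costs nothing, so the route check should stay unconditional and only the SPD lookup and the `ip`/`hlen` refresh should be skipped. The rewrite below moves the check out of the new block; ip_output() begins and ends outside this hunk.
```c
	if (!(flags & IP_IPSECSKIP)) {
		switch(ip_ipsec_output(&m, inp, &error)) {
		/* … unchanged: case 1 / -1 / 0 / default arms … */
		}
		/* Update variables that are affected by ipsec4_output(). */
		ip = mtod(m, struct ip *);
		hlen = ip->ip_hl << 2;
	}
	/*
	 * Check if there was a route for this packet; return error if not.
	 * This must run even when the caller asked to skip IPsec processing.
	 */
	if (no_route_but_check_spd) {
		IPSTAT_INC(ips_noroute);
		error = EHOSTUNREACH;
		goto bad;
	}
```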
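Review bot: The comment on the new flag, `/* Skip IPSEC processing */`, omits the precondition that makes it safe: the flag makes ip_output() bypass the SPD lookup entirely, so it must only be set by a caller that has already run ip_ipsec_output() on the same mbuf, otherwise it is a security-policy bypass. Suggest `/* 0x80 caller already applied IPsec; skip SPD lookup in ip_output() */`, which also records the bit value like the neighbouring entries do. Note too that IP_ROUTETOIF and IP_ALLOWBROADCAST share their numbering with the SO_* socket options, and 0x80 is, if I recall the SO_* values correctly, SO_LINGER; any caller that copies so_options into the ip_output() flags without masking to SO_DONTROUTE|SO_BROADCAST would set this bit by accident, which is worth a grep before landing (those callers are outside this diff).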