Index: sys/netinet/ip_ipsec.c
===================================================================
--- sys/netinet/ip_ipsec.c
+++ sys/netinet/ip_ipsec.c
@@ -156,8 +156,13 @@
  */
 int
 ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error)
+
 {
 	struct secpolicy *sp;
+
+	if (!key_havesp(IPSEC_DIR_INBOUND))
+		return 0;
+
 	/*
 	 * Check the security policy (SP) for the packet and, if
 	 * required, do IPsec-related processing.  There are two
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c
+++ sys/netinet/tcp_subr.c
@@ -1955,7 +1955,8 @@
 #endif
 	struct tcphdr *th;
 
-	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
+	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) ||
+	    (!key_havesp(IPSEC_DIR_OUTBOUND)))
 		return (0);
 	m = m_gethdr(M_NOWAIT, MT_DATA);
 	if (!m)
Index: sys/netipsec/ipsec.c
===================================================================
--- sys/netipsec/ipsec.c
+++ sys/netipsec/ipsec.c
@@ -1276,6 +1276,9 @@
 	int error;
 	int result;
 
+	if (!key_havesp(IPSEC_DIR_INBOUND))
+		return 0;
+
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 	/* Get SP for this packet. */
@@ -1403,6 +1406,9 @@
 	int error;
 	size_t size;
 
+	if (!key_havesp(dir))
+		return 0;
+
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 	/* Get SP for this packet. */