Index: head/sys/netinet/in_proto.c
===================================================================
--- head/sys/netinet/in_proto.c
+++ head/sys/netinet/in_proto.c
@@ -148,7 +148,7 @@
 	.pr_type =		SOCK_SEQPACKET,
 	.pr_domain =		&inetdomain,
 	.pr_protocol =		IPPROTO_SCTP,
-	.pr_flags =		PR_WANTRCVD,
+	.pr_flags =		PR_WANTRCVD|PR_LASTHDR,
 	.pr_input =		sctp_input,
 	.pr_ctlinput =		sctp_ctlinput,
 	.pr_ctloutput =		sctp_ctloutput,
@@ -160,7 +160,7 @@
 	.pr_type =		SOCK_STREAM,
 	.pr_domain =		&inetdomain,
 	.pr_protocol =		IPPROTO_SCTP,
-	.pr_flags =		PR_CONNREQUIRED|PR_WANTRCVD,
+	.pr_flags =		PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR,
 	.pr_input =		sctp_input,
 	.pr_ctlinput =		sctp_ctlinput,
 	.pr_ctloutput =		sctp_ctloutput,
Index: head/sys/netinet/sctp_input.c
===================================================================
--- head/sys/netinet/sctp_input.c
+++ head/sys/netinet/sctp_input.c
@@ -5790,40 +5790,6 @@
 	} else if (stcb == NULL) {
 		inp_decr = inp;
 	}
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-	/*-
-	 * I very much doubt any of the IPSEC stuff will work but I have no
-	 * idea, so I will leave it in place.
-	 */
-	if (inp != NULL) {
-		switch (dst->sa_family) {
-#ifdef INET
-		case AF_INET:
-			if (IPSEC_ENABLED(ipv4)) {
-				if (IPSEC_CHECK_POLICY(ipv4, m,
-				    &inp->ip_inp.inp) != 0) {
-					SCTP_STAT_INCR(sctps_hdrops);
-					goto out;
-				}
-			}
-			break;
-#endif
-#ifdef INET6
-		case AF_INET6:
-			if (IPSEC_ENABLED(ipv6)) {
-				if (IPSEC_CHECK_POLICY(ipv6, m,
-				    &inp->ip_inp.inp) != 0) {
-					SCTP_STAT_INCR(sctps_hdrops);
-					goto out;
-				}
-			}
-			break;
-#endif
-		default:
-			break;
-		}
-	}
-#endif /* IPSEC */
 	SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
 	    (void *)m, iphlen, offset, length, (void *)stcb);
 	if (stcb) {
Index: head/sys/netinet/sctp_os_bsd.h
===================================================================
--- head/sys/netinet/sctp_os_bsd.h
+++ head/sys/netinet/sctp_os_bsd.h
@@ -38,7 +38,6 @@
 /*
  * includes
  */
-#include "opt_ipsec.h"
 #include "opt_compat.h"
 #include "opt_inet6.h"
 #include "opt_inet.h"
@@ -82,8 +81,6 @@
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp_var.h>
 
-#include <netipsec/ipsec_support.h>
-
 #ifdef INET6
 #include <sys/domain.h>
 #include <netinet/ip6.h>
@@ -94,7 +91,6 @@
 #include <netinet6/scope6_var.h>
 #endif				/* INET6 */
 
-
 #include <netinet/ip_options.h>
 
 #include <crypto/sha1.h>
Index: head/sys/netinet/sctp_pcb.c
===================================================================
--- head/sys/netinet/sctp_pcb.c
+++ head/sys/netinet/sctp_pcb.c
@@ -2469,15 +2469,6 @@
 		SCTP_INP_INFO_WUNLOCK();
 		return (ENOBUFS);
 	}
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-	error = ipsec_init_pcbpolicy(&inp->ip_inp.inp);
-	if (error != 0) {
-		crfree(inp->ip_inp.inp.inp_cred);
-		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
-		SCTP_INP_INFO_WUNLOCK();
-		return error;
-	}
-#endif				/* IPSEC */
 	SCTP_INCR_EP_COUNT();
 	inp->ip_inp.inp.inp_ip_ttl = MODULE_GLOBAL(ip_defttl);
 	SCTP_INP_INFO_WUNLOCK();
@@ -2504,9 +2495,6 @@
 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EOPNOTSUPP);
 		so->so_pcb = NULL;
 		crfree(inp->ip_inp.inp.inp_cred);
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-		ipsec_delete_pcbpolicy(&inp->ip_inp.inp);
-#endif
 		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
 		return (EOPNOTSUPP);
 	}
@@ -2527,9 +2515,6 @@
 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
 		so->so_pcb = NULL;
 		crfree(inp->ip_inp.inp.inp_cred);
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-		ipsec_delete_pcbpolicy(&inp->ip_inp.inp);
-#endif
 		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
 		return (ENOBUFS);
 	}
@@ -3641,9 +3626,6 @@
 	 * macro here since le_next will get freed as part of the
 	 * sctp_free_assoc() call.
 	 */
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-	ipsec_delete_pcbpolicy(ip_pcb);
-#endif
 	if (ip_pcb->inp_options) {
 		(void)sctp_m_free(ip_pcb->inp_options);
 		ip_pcb->inp_options = 0;
Index: head/sys/netinet6/in6_proto.c
===================================================================
--- head/sys/netinet6/in6_proto.c
+++ head/sys/netinet6/in6_proto.c
@@ -185,7 +185,7 @@
 	.pr_type =		SOCK_SEQPACKET,
 	.pr_domain =		&inet6domain,
 	.pr_protocol =		IPPROTO_SCTP,
-	.pr_flags =		PR_WANTRCVD,
+	.pr_flags =		PR_WANTRCVD|PR_LASTHDR,
 	.pr_input =		sctp6_input,
 	.pr_ctlinput =		sctp6_ctlinput,
 	.pr_ctloutput =	sctp_ctloutput,
@@ -199,7 +199,7 @@
 	.pr_type =		SOCK_STREAM,
 	.pr_domain =		&inet6domain,
 	.pr_protocol =		IPPROTO_SCTP,
-	.pr_flags =		PR_CONNREQUIRED|PR_WANTRCVD,
+	.pr_flags =		PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR,
 	.pr_input =		sctp6_input,
 	.pr_ctlinput =		sctp6_ctlinput,
 	.pr_ctloutput =		sctp_ctloutput,
Index: head/sys/netinet6/sctp6_usrreq.c
===================================================================
--- head/sys/netinet6/sctp6_usrreq.c
+++ head/sys/netinet6/sctp6_usrreq.c
@@ -551,10 +551,6 @@
 	 */
 	inp6->inp_ip_ttl = MODULE_GLOBAL(ip_defttl);
 #endif
-	/*
-	 * Hmm what about the IPSEC stuff that is missing here but in
-	 * sctp_attach()?
-	 */
 	SCTP_INP_WUNLOCK(inp);
 	return (0);
 }