2 files changed, 11 insertions, 3 deletions

diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 62b12dbbdf6..a0eeed464da 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -269,9 +269,13 @@ esp_decrypt_node_fn (vlib_main_t * vm,
 		{
 		  tunnel_mode = 0;
 
-		  ih4 =
-		    (ip4_header_t *) ((u8 *) i_b0->data +
-				      vnet_buffer (i_b0)->l3_hdr_offset);
+		  if (i_b0->flags & VNET_BUFFER_F_IS_IP4)
+		    ih4 =
+		      (ip4_header_t *) ((u8 *) esp0 - sizeof (ip4_header_t));
+		  else
+		    ih4 =
+		      (ip4_header_t *) ((u8 *) esp0 - sizeof (ip6_header_t));
+
 		  if (PREDICT_TRUE
 		      ((ih4->ip_version_and_header_length & 0xF0) != 0x40))
 		    {
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 08269d0244e..d61755597ba 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -207,6 +207,8 @@ ipsec_input_ip4_node_fn (vlib_main_t * vm,
 	  n_left_to_next -= 1;
 
 	  b0 = vlib_get_buffer (vm, bi0);
+	  b0->flags |= VNET_BUFFER_F_IS_IP4;
+	  b0->flags &= ~VNET_BUFFER_F_IS_IP6;
 	  c0 =
 	    vnet_feature_next_with_data (vnet_buffer (b0)->sw_if_index
 					 [VLIB_RX], &next0, b0,
@@ -389,6 +391,8 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
 	  n_left_to_next -= 1;
 
 	  b0 = vlib_get_buffer (vm, bi0);
+	  b0->flags |= VNET_BUFFER_F_IS_IP6;
+	  b0->flags &= ~VNET_BUFFER_F_IS_IP4;
 	  c0 =
 	    vnet_feature_next_with_data (vnet_buffer (b0)->sw_if_index
 					 [VLIB_RX], &next0, b0,