Index: sys/netinet/ip_input.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/netinet/ip_input.c,v
diff -u -p -u -p -r1.395 ip_input.c
--- sys/netinet/ip_input.c 7 Jun 2024 18:24:16 -0000 1.395
+++ sys/netinet/ip_input.c 24 Jun 2024 07:28:39 -0000
@@ -465,8 +465,14 @@ ip_input_if(struct mbuf **mp, int *offp,
 SET(flags, IP_REDIRECT);
 #endif
- if (ip_forwarding != 0)
+ switch (ip_forwarding) {
+ case 2:
+ SET(flags, IP_FORWARDING_IPSEC);
+ /* FALLTHROUGH */
+ case 1:
 SET(flags, IP_FORWARDING);
+ break;
+ }
 if (ip_directedbcast)
 SET(flags, IP_ALLOWBROADCAST);
@@ -883,7 +889,8 @@ in_ouraddr(struct mbuf *m, struct ifnet
 break;
 }
 }
- } else if (!ISSET(flags, IP_FORWARDING) &&
+ } else if ((!ISSET(flags, IP_FORWARDING) ||
+ ISSET(flags, IP_FORWARDING_IPSEC)) &&
 rt->rt_ifidx != ifp->if_index &&
 !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
 (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
Index: sys/netinet/ip_output.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/netinet/ip_output.c,v
diff -u -p -u -p -r1.400 ip_output.c
--- sys/netinet/ip_output.c 7 Jun 2024 18:24:16 -0000 1.400
+++ sys/netinet/ip_output.c 24 Jun 2024 07:28:39 -0000
@@ -428,9 +428,8 @@ sendit:
 #endif
 #ifdef IPSEC
- if ((flags & IP_FORWARDING) && ip_forwarding == 2 &&
- (!ipsec_in_use ||
- m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
+ if (ISSET(flags, IP_FORWARDING_IPSEC) &&
+ !ISSET(m->m_pkthdr.ph_tagsset, PACKET_TAG_IPSEC_IN_DONE)) {
 error = EHOSTUNREACH;
 goto bad;
 }
Index: sys/netinet/ip_var.h
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/netinet/ip_var.h,v
diff -u -p -u -p -r1.118 ip_var.h
--- sys/netinet/ip_var.h 7 Jun 2024 18:24:16 -0000 1.118
+++ sys/netinet/ip_var.h 24 Jun 2024 07:28:39 -0000 
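Review bot: The new `switch (ip_forwarding)` in ip_input_if has no `default:`, so any value other than 1 or 2 now silently disables forwarding where the removed `!= 0` test enabled it. If the sysctl handler bounds net.inet.ip.forwarding to 0..2 this is harmless, but that handler is not visible here, so make the intent explicit with `default: /* 0 or out of range: no forwarding */ break;` rather than leaving it to the reader. The function ip_input_if begins and ends outside the hunk.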
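Review bot: The new condition `(!ISSET(flags, IP_FORWARDING) || ISSET(flags, IP_FORWARDING_IPSEC))` in in_ouraddr reads as a double negative, and nothing in the hunk says why a kernel forwarding only IPsec-processed traffic must still take this branch, which appears to be the wrong-interface check for the host's own addresses. A one-line comment above the `else if`, e.g. `/* IPsec-only forwarding counts as not forwarding for the wrong-interface check */`, would spare the next reader re-deriving it. The comment should also note that the test relies on IP_FORWARDING_IPSEC only ever being set together with IP_FORWARDING, which is established in ip_input_if rather than here. The body of in_ouraddr starts and ends outside the hunk.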
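Review bot: Replacing `m_tag_find(...) == NULL` with `!ISSET(m->m_pkthdr.ph_tagsset, PACKET_TAG_IPSEC_IN_DONE)` makes a security decision depend on the ph_tagsset bitmask staying in sync with the tag list, which holds only if every path that removes or copies tags also updates the mask; that bookkeeping is outside this hunk. A comment on the check, e.g. `/* ph_tagsset mirrors the tag list: a forwarded packet that IPsec did not decrypt is dropped */`, would mark it so a later change to tag handling is recognised as affecting this drop. Dropping the `!ipsec_in_use ||` term looks equivalent, since without IPsec no packet carries the tag. The check stays under `#ifdef IPSEC`, so as far as this hunk shows a kernel built without it forwards with ip_forwarding=2 as if it were 1; that is pre-existing, but worth a sentence wherever the sysctl is documented.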
@@ -207,6 +207,7 @@ struct ipoffnxt {
 #define IP_FORWARDING 0x0001 /* most of ip header exists */
 #define IP_RAWOUTPUT 0x0002 /* raw ip header exists */
 #define IP_REDIRECT 0x0004 /* redirected by pf or source route */
+#define IP_FORWARDING_IPSEC 0x0008 /* only packets processed by IPsec */
 #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */
 #define IP_MTUDISC 0x0800 /* pmtu discovery, set DF */
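Review bot: The comment on the new `IP_FORWARDING_IPSEC` flag, `/* only packets processed by IPsec */`, does not state the contract its consumers rely on, and since the flag decides whether ip_output drops a packet the header is where that belongs. Suggest `/* forward only if IPsec input already ran (PACKET_TAG_IPSEC_IN_DONE); set together with IP_FORWARDING */`. The value 0x0008 sits next to IP_ALLOWBROADCAST, whose value is SO_BROADCAST and is not visible in this hunk, so confirm the bit does not overlap it.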