From ab94ca3cec4301c7f9bf8aee7ab2a8850ed63179 Mon Sep 17 00:00:00 2001
From: Sam Leffler <sam@FreeBSD.org>
Date: Fri, 8 Nov 2002 23:11:02 +0000
Subject: [PATCH] correct fast ipsec logic: compare destination ip address
 against the contents of the SA, not the SP

Submitted by:	"Doug Ambrisko" <ambrisko@verniernetworks.com>
---
 sys/netinet/ip_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index acc745502bd..44212ca01d9 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -637,7 +637,7 @@ skip_ipsec:
 			tdbi = (struct tdb_ident *)(mtag + 1);
 			if (tdbi->spi == sp->req->sav->spi &&
 			    tdbi->proto == sp->req->sav->sah->saidx.proto &&
-			    bcmp(&tdbi->dst, &sp->spidx.dst,
+			    bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst,
 				 sizeof (union sockaddr_union)) == 0) {
 				/*
 				 * No IPsec processing is needed, free