diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index f97e53d26a21..778cb558ad6d 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.101 2017/07/07 01:37:34 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.102 2017/07/12 07:00:40 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.101 2017/07/07 01:37:34 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.102 2017/07/12 07:00:40 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -832,7 +832,7 @@ ipsec4_forward(struct mbuf *m, int *destmtu)
 	/*
 	 * Find the correct route for outer IPv4 header, compute tunnel MTU.
 	 */
-	if (sp->req && sp->req->sav && sp->req->sav->sah) {
+	if (sp->req && sp->req->sav) {
 		struct route *ro;
 		struct rtentry *rt;
 
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index ae8a6fded85f..8fbf3035d9ec 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.47 2017/07/07 01:37:34 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.48 2017/07/12 07:00:40 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.47 2017/07/07 01:37:34 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.48 2017/07/12 07:00:40 ozaki-r Exp $");
 
 /*
  * IPsec input processing.
@@ -332,7 +332,6 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 
 	KASSERT(m != NULL);
 	KASSERT(sav != NULL);
-	KASSERT(sav->sah != NULL);
 	saidx = &sav->sah->saidx;
 	af = saidx->dst.sa.sa_family;
 	KASSERTMSG(af == AF_INET, "unexpected af %u", af);
@@ -574,7 +573,6 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
 
 	KASSERT(m != NULL);
 	KASSERT(sav != NULL);
-	KASSERT(sav->sah != NULL);
 	saidx = &sav->sah->saidx;
 	af = saidx->dst.sa.sa_family;
 	KASSERTMSG(af == AF_INET6, "unexpected af %u", af);
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 295433c58d5e..df822a3033b0 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.50 2017/07/06 09:49:46 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.51 2017/07/12 07:00:40 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.50 2017/07/06 09:49:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.51 2017/07/12 07:00:40 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
@@ -164,7 +164,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
 	KASSERT(isr != NULL);
 	sav = isr->sav;
 	KASSERT(sav != NULL);
-	KASSERT(sav->sah != NULL);
 
 	saidx = &sav->sah->saidx;
 
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index ea8d8faa45cf..fa528c4367ee 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.178 2017/07/12 03:59:32 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.179 2017/07/12 07:00:40 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.178 2017/07/12 03:59:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.179 2017/07/12 07:00:40 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -866,8 +866,6 @@ key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
 	 * SADB_SASTATE_DEAD.  The SA for outbound must be the oldest.
 	 */
 	if (isr->sav != NULL) {
-		if (isr->sav->sah == NULL)
-			panic("key_checkrequest: sah is null");
 		if (isr->sav == (struct secasvar *)LIST_FIRST(
 			    &isr->sav->sah->savtree[SADB_SASTATE_DEAD])) {
 			KEY_FREESAV(&isr->sav);
@@ -6768,7 +6766,6 @@ key_expire(struct secasvar *sav)
 	s = splsoftnet();	/*called from softclock()*/
 
 	KASSERT(sav != NULL);
-	KASSERT(sav->sah != NULL);
 
 	satype = key_proto2satype(sav->sah->saidx.proto);
 	KASSERTMSG(satype != 0, "invalid proto is passed");
@@ -7694,8 +7691,6 @@ key_checktunnelsanity(
 )
 {
 
-	KASSERT(sav->sah != NULL);
-
 	/* XXX: check inner IP header */
 
 	return 1;
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 062e5cd0d9e5..b935539902b0 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.50 2017/06/29 07:13:41 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.51 2017/07/12 07:00:40 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.50 2017/06/29 07:13:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.51 2017/07/12 07:00:40 ozaki-r Exp $");
 
 /*
  * IP-inside-IP processing
@@ -419,7 +419,6 @@ ipip_output(
 
 	KASSERT(isr->sav != NULL);
 	sav = isr->sav;
-	KASSERT(sav->sah != NULL);
 
 	/* XXX Deal with empty TDB source/destination addresses. */