diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 363a8025f405..6261cc9d71fd 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.79 2003/09/12 07:38:12 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.80 2003/09/12 07:53:29 itojun Exp $	*/
 /*	$KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.79 2003/09/12 07:38:12 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.80 2003/09/12 07:53:29 itojun Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -120,6 +120,9 @@ int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
 
 #endif /* INET6 */
 
+#ifdef SADB_X_EXT_TAG
+static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
+#endif
 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
 	struct inpcbpolicy *, int));
 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
@@ -322,6 +325,20 @@ ipsec_invalpcbcacheall()
 	return 0;
 }
 
+#ifdef SADB_X_EXT_TAG
+static struct pf_tag *
+ipsec_get_tag(m)
+	struct mbuf *m;
+{
+	struct m_tag	*mtag;
+
+	if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
+		return ((struct pf_tag *)(mtag + 1));
+	else
+		return (NULL);
+}
+#endif
+
 /*
  * For OUTBOUND packet having a socket. Searching SPD for packet,
  * and return a pointer to SP.
@@ -345,6 +362,10 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	struct secpolicy *currsp = NULL;	/* policy on socket */
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 	struct secpolicyindex spidx;
+#ifdef SADB_X_EXT_TAG
+	struct pf_tag *t;
+#endif
+	u_int16_t tag;
 
 	/* sanity check */
 	if (m == NULL || so == NULL || error == NULL)
@@ -368,6 +389,13 @@ ipsec4_getpolicybysock(m, dir, so, error)
 		panic("ipsec4_getpolicybysock: pcbsp is NULL.");
 #endif
 
+#ifdef SADB_X_EXT_TAG
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+#else
+	tag = 0;
+#endif
+
 	/* if we have a cached entry, and if it is still valid, use it. */
 	ipsecstat.spdcachelookup++;
 	currsp = ipsec_checkpcbcache(m, pcbsp, dir);
@@ -404,7 +432,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
 			if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
-			    (kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
+			    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 					printf("DP ipsec4_getpolicybysock called "
@@ -438,7 +466,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
 	if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
-	    (kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
+	    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 			printf("DP ipsec4_getpolicybysock called "
@@ -496,6 +524,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
 	int *error;
 {
 	struct secpolicy *sp = NULL;
+#ifdef SADB_X_EXT_TAG
+	struct pf_tag *t;
+#endif
+	u_int16_t tag;
 
 	/* sanity check */
 	if (m == NULL || error == NULL)
@@ -514,7 +546,14 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
 	if (*error != 0)
 		return NULL;
 
-	sp = key_allocsp(0, &spidx, dir);
+#ifdef SADB_X_EXT_TAG
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+#else
+	tag = 0;
+#endif
+
+	sp = key_allocsp(tag, &spidx, dir);
     }
 
 	/* SP found */
@@ -554,6 +593,11 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	struct secpolicy *currsp = NULL;	/* policy on socket */
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 	struct secpolicyindex spidx;
+#ifdef SADB_X_EXT_TAG
+	struct pf_tag *t;
+#endif
+	u_int16_t tag;
+
 
 	/* sanity check */
 	if (m == NULL || so == NULL || error == NULL)
@@ -571,6 +615,13 @@ ipsec6_getpolicybysock(m, dir, so, error)
 		panic("ipsec6_getpolicybysock: pcbsp is NULL.");
 #endif
 
+#ifdef SADB_X_EXT_TAG
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+#else
+	tag = 0;
+#endif
+
 	/* if we have a cached entry, and if it is still valid, use it. */
 	ipsec6stat.spdcachelookup++;
 	currsp = ipsec_checkpcbcache(m, pcbsp, dir);
@@ -607,7 +658,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
 			if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
-			    (kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
+			    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 					printf("DP ipsec6_getpolicybysock called "
@@ -641,7 +692,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
 	if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
-	    (kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
+	    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 			printf("DP ipsec6_getpolicybysock called "
@@ -706,6 +757,10 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
 	int *error;
 {
 	struct secpolicy *sp = NULL;
+#ifdef SADB_X_EXT_TAG
+	struct pf_tag *t;
+#endif
+	u_int16_t tag;
 
 	/* sanity check */
 	if (m == NULL || error == NULL)
@@ -724,7 +779,14 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
 	if (*error != 0)
 		return NULL;
 
-	sp = key_allocsp(0, &spidx, dir);
+#ifdef SADB_X_EXT_TAG
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+#else
+	tag = 0;
+#endif
+
+	sp = key_allocsp(tag, &spidx, dir);
     }
 
 	/* SP found */