diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 774f11a16c44..c8d62b204adf 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -42,6 +42,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/syslog.h>
@@ -108,6 +109,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
     ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
 #endif
 
+static MALLOC_DEFINE(M_AH, "ah", "IPsec AH");
+
 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
 
 static int ah_input_cb(struct cryptop*);
@@ -426,7 +429,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 			if (m->m_len <= skip) {
 				ptr = (unsigned char *) malloc(
 				    skip - sizeof(struct ip6_hdr),
-				    M_XDATA, M_NOWAIT);
+				    M_AH, M_NOWAIT);
 				if (ptr == NULL) {
 					DPRINTF(("%s: failed to allocate memory"
 						"for IPv6 headers\n",__func__));
@@ -505,7 +508,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 					__func__, off));
 error6:
 				if (alloc)
-					free(ptr, M_XDATA);
+					free(ptr, M_AH);
 				m_freem(m);
 				return EINVAL;
 			}
@@ -514,7 +517,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 		if (alloc) {
 			m_copyback(m, sizeof(struct ip6_hdr),
 			    skip - sizeof(struct ip6_hdr), ptr);
-			free(ptr, M_XDATA);
+			free(ptr, M_AH);
 		}
 
 		break;
@@ -615,7 +618,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	crp->crp_digest_start = skip + rplen;
 
 	/* Allocate IPsec-specific opaque crypto info. */
-	xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_XDATA,
+	xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_AH,
 	    M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
@@ -643,7 +646,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	if (error != 0) {
 		/* NB: mbuf is free'd by ah_massage_headers */
 		AHSTAT_INC(ahs_hdrops);
-		free(xd, M_XDATA);
+		free(xd, M_AH);
 		crypto_freereq(crp);
 		key_freesav(&sav);
 		return (error);
@@ -761,7 +764,7 @@ ah_input_cb(struct cryptop *crp)
 
 	/* Copyback the saved (uncooked) network headers. */
 	m_copyback(m, 0, skip, ptr);
-	free(xd, M_XDATA), xd = NULL;			/* No longer needed */
+	free(xd, M_AH), xd = NULL;			/* No longer needed */
 
 	/*
 	 * Header is now authenticated.
@@ -822,7 +825,7 @@ ah_input_cb(struct cryptop *crp)
 	if (m != NULL)
 		m_freem(m);
 	if (xd != NULL)
-		free(xd, M_XDATA);
+		free(xd, M_AH);
 	if (crp != NULL)
 		crypto_freereq(crp);
 	return error;
@@ -975,7 +978,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 	crp->crp_digest_start = skip + rplen;
 
 	/* Allocate IPsec-specific opaque crypto info. */
-	xd =  malloc(sizeof(struct xform_data) + skip, M_XDATA,
+	xd =  malloc(sizeof(struct xform_data) + skip, M_AH,
 	    M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		crypto_freereq(crp);
@@ -1029,7 +1032,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 			skip, ahx->type, 1);
 	if (error != 0) {
 		m = NULL;	/* mbuf was free'd by ah_massage_headers. */
-		free(xd, M_XDATA);
+		free(xd, M_AH);
 		crypto_freereq(crp);
 		goto bad;
 	}
@@ -1121,7 +1124,7 @@ ah_output_cb(struct cryptop *crp)
 	 */
 	m_copyback(m, 0, skip, ptr);
 
-	free(xd, M_XDATA);
+	free(xd, M_AH);
 	crypto_freereq(crp);
 	AHSTAT_INC(ahs_hist[sav->alg_auth]);
 #ifdef REGRESSION
@@ -1144,7 +1147,7 @@ ah_output_cb(struct cryptop *crp)
 	return (error);
 bad:
 	CURVNET_RESTORE();
-	free(xd, M_XDATA);
+	free(xd, M_AH);
 	crypto_freereq(crp);
 	key_freesav(&sav);
 	key_freesp(&sp);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index a7d5776e4da2..7d489b69e9c2 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -41,6 +41,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/syslog.h>
@@ -102,6 +103,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
     struct espstat, espstat,
     "ESP statistics (struct espstat, netipsec/esp_var.h");
 
+static MALLOC_DEFINE(M_ESP, "esp", "IPsec ESP");
+
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
 
@@ -355,7 +358,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	}
 
 	/* Get IPsec-specific opaque pointer */
-	xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
+	xd = malloc(sizeof(*xd), M_ESP, M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
 		goto xd_fail;
@@ -374,7 +377,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 			int aad_skip;
 
 			crp->crp_aad_length += sizeof(seqh);
-			crp->crp_aad = malloc(crp->crp_aad_length, M_XDATA, M_NOWAIT);
+			crp->crp_aad = malloc(crp->crp_aad_length, M_ESP, M_NOWAIT);
 			if (crp->crp_aad == NULL) {
 				DPRINTF(("%s: failed to allocate xform_data\n",
 					 __func__));
@@ -464,7 +467,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		return (crypto_dispatch(crp));
 
 crp_aad_fail:
-	free(xd, M_XDATA);
+	free(xd, M_ESP);
 xd_fail:
 	crypto_freereq(crp);
 	ESPSTAT_INC(esps_crypto);
@@ -550,8 +553,8 @@ esp_input_cb(struct cryptop *crp)
 	}
 
 	/* Release the crypto descriptors */
-	free(xd, M_XDATA), xd = NULL;
-	free(crp->crp_aad, M_XDATA), crp->crp_aad = NULL;
+	free(xd, M_ESP), xd = NULL;
+	free(crp->crp_aad, M_ESP), crp->crp_aad = NULL;
 	crypto_freereq(crp), crp = NULL;
 
 	/*
@@ -660,9 +663,9 @@ esp_input_cb(struct cryptop *crp)
 	if (m != NULL)
 		m_freem(m);
 	if (xd != NULL)
-		free(xd, M_XDATA);
+		free(xd, M_ESP);
 	if (crp != NULL) {
-		free(crp->crp_aad, M_XDATA);
+		free(crp->crp_aad, M_ESP);
 		crypto_freereq(crp);
 	}
 	return error;
@@ -854,7 +857,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 	}
 
 	/* IPsec-specific opaque crypto info. */
-	xd = malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
+	xd = malloc(sizeof(struct xform_data), M_ESP, M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
 		goto xd_fail;
@@ -914,7 +917,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 			int aad_skip;
 
 			crp->crp_aad_length += sizeof(seqh);
-			crp->crp_aad = malloc(crp->crp_aad_length, M_XDATA, M_NOWAIT);
+			crp->crp_aad = malloc(crp->crp_aad_length, M_ESP, M_NOWAIT);
 			if (crp->crp_aad == NULL) {
 				DPRINTF(("%s: failed to allocate xform_data\n",
 					 __func__));
@@ -949,7 +952,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 		return (crypto_dispatch(crp));
 
 crp_aad_fail:
-	free(xd, M_XDATA);
+	free(xd, M_ESP);
 xd_fail:
 	crypto_freereq(crp);
 	ESPSTAT_INC(esps_crypto);
@@ -1007,8 +1010,8 @@ esp_output_cb(struct cryptop *crp)
 		error = EINVAL;
 		goto bad;
 	}
-	free(xd, M_XDATA);
-	free(crp->crp_aad, M_XDATA);
+	free(xd, M_ESP);
+	free(crp->crp_aad, M_ESP);
 	crypto_freereq(crp);
 	ESPSTAT_INC(esps_hist[sav->alg_enc]);
 	if (sav->tdb_authalgxform != NULL)
@@ -1041,8 +1044,8 @@ esp_output_cb(struct cryptop *crp)
 	return (error);
 bad:
 	CURVNET_RESTORE();
-	free(xd, M_XDATA);
-	free(crp->crp_aad, M_XDATA);
+	free(xd, M_ESP);
+	free(crp->crp_aad, M_ESP);
 	crypto_freereq(crp);
 	key_freesav(&sav);
 	key_freesp(&sp);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index b9dfe0e3532f..760fd8dd2aa8 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -37,6 +37,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
@@ -90,6 +91,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, IPSECCTL_STATS, stats,
     struct ipcompstat, ipcompstat,
     "IPCOMP statistics (struct ipcompstat, netipsec/ipcomp_var.h");
 
+static MALLOC_DEFINE(M_IPCOMP, "ipcomp", "IPCOMP");
+
 static int ipcomp_input_cb(struct cryptop *crp);
 static int ipcomp_output_cb(struct cryptop *crp);
 
@@ -235,7 +238,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		goto bad;
 	}
 	/* Get IPsec-specific opaque pointer */
-	xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
+	xd = malloc(sizeof(*xd), M_IPCOMP, M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		DPRINTF(("%s: cannot allocate xform_data\n", __func__));
 		IPCOMPSTAT_INC(ipcomps_crypto);
@@ -328,7 +331,7 @@ ipcomp_input_cb(struct cryptop *crp)
 	clen = crp->crp_olen;		/* Length of data after processing */
 
 	/* Release the crypto descriptors */
-	free(xd, M_XDATA), xd = NULL;
+	free(xd, M_IPCOMP), xd = NULL;
 	crypto_freereq(crp), crp = NULL;
 
 	/* In case it's not done already, adjust the size of the mbuf chain */
@@ -382,7 +385,7 @@ ipcomp_input_cb(struct cryptop *crp)
 	if (m != NULL)
 		m_freem(m);
 	if (xd != NULL)
-		free(xd, M_XDATA);
+		free(xd, M_IPCOMP);
 	if (crp != NULL)
 		crypto_freereq(crp);
 	return error;
@@ -486,7 +489,7 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 	crp->crp_payload_length = ralen;
 
 	/* IPsec-specific opaque crypto info */
-	xd =  malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO);
+	xd =  malloc(sizeof(struct xform_data), M_IPCOMP, M_NOWAIT | M_ZERO);
 	if (xd == NULL) {
 		IPCOMPSTAT_INC(ipcomps_crypto);
 		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
@@ -641,7 +644,7 @@ ipcomp_output_cb(struct cryptop *crp)
 	}
 
 	/* Release the crypto descriptor */
-	free(xd, M_XDATA);
+	free(xd, M_IPCOMP);
 	crypto_freereq(crp);
 
 	/* NB: m is reclaimed by ipsec_process_done. */
@@ -652,7 +655,7 @@ ipcomp_output_cb(struct cryptop *crp)
 	if (m)
 		m_freem(m);
 	CURVNET_RESTORE();
-	free(xd, M_XDATA);
+	free(xd, M_IPCOMP);
 	crypto_freereq(crp);
 	key_freesav(&sav);
 	key_freesp(&sp);