diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 9c6026481ddf..456ba7e85865 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -215,8 +215,10 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp,
 
 	/* Initialize crypto session. */
 	csp->csp_auth_alg = sav->tdb_authalgxform->type;
-	csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
-	csp->csp_auth_key = sav->key_auth->key_data;
+	if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
+		csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
+		csp->csp_auth_key = sav->key_auth->key_data;
+	};
 	csp->csp_auth_mlen = AUTHSIZE(sav);
 
 	return 0;
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 22ffc92f5cb9..ba1cb7044390 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -220,9 +220,11 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 
 	/* Initialize crypto session. */
 	csp.csp_cipher_alg = sav->tdb_encalgxform->type;
-	csp.csp_cipher_key = sav->key_enc->key_data;
-	csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
-	    SAV_ISCTRORGCM(sav) * 4;
+	if (csp.csp_cipher_alg != CRYPTO_NULL_CBC) {
+		csp.csp_cipher_key = sav->key_enc->key_data;
+		csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
+		    SAV_ISCTRORGCM(sav) * 4;
+	};
 	csp.csp_ivlen = txform->ivsize;
 
 	error = crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);