diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index a305bb68285e..b778fe5def23 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -391,7 +391,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 #endif /* DEV_ENC */
 /* IP-in-IP encapsulation */
- if (prot == IPPROTO_IPIP) {
+ if (prot == IPPROTO_IPIP &&
+ saidx->mode != IPSEC_MODE_TRANSPORT) {
 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 IPSEC_ISTAT(sproto, hdrops);
@@ -431,7 +432,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 }
 #ifdef INET6
 /* IPv6-in-IP encapsulation. */
- if (prot == IPPROTO_IPV6) {
+ if (prot == IPPROTO_IPV6 &&
+ saidx->mode != IPSEC_MODE_TRANSPORT) {
 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
 IPSEC_ISTAT(sproto, hdrops);
@@ -502,6 +504,12 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 key_sa_recordxfer(sav, m); /* record data transfer */
+ /*
+ * In transport mode requeue decrypted mbuf back to IPv4 protocol
+ * handler. This is necessary to correctly expose rcvif.
+ */
+ if (saidx->mode == IPSEC_MODE_TRANSPORT)
+ prot = IPPROTO_IPIP;
 #ifdef DEV_ENC
 /*
 * Pass the mbuf to enc0 for bpf and pfil.
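Review bot: The new `saidx->mode != IPSEC_MODE_TRANSPORT` test on the IP-in-IP branch (and the identical one on the IPv6-in-IP branch in the hunk at -431) is undocumented, and the reason a transport-mode SA must bypass the decapsulation path is not evident from the condition alone; it also means the `m->m_pkthdr.len - skip < sizeof(struct ip)` header-length check in this block no longer runs for transport-mode IPIP payload, so the protocol handler that later receives the mbuf is presumably relied on for that validation. A one-line comment above the condition, `/* In transport mode an IPIP payload is an ordinary upper-layer protocol, not an IPsec tunnel; leave it to the IPv4 protocol handler. */`, would make both points explicit at the place a reader meets them. `saidx` is not assigned anywhere within these hunks, so this assumes it was set from the SA earlier in ipsec4_common_input_cb; that function begins and ends outside the hunks.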