diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 7aa4005a7030..b06ab8ae1d9b 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -430,6 +430,13 @@ ip_input(struct mbuf *m)
 	if (ipsec_gethist(m, NULL))
 		goto pass;
 #endif
+#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
+	/*
+	 * Bypass packet filtering for packets from a tunnel (gif).
+	 */
+	if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+		goto pass;
+#endif
 
 	/*
 	 * IpHack's section.