diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 6807f211ba05..721cd2ef53d6 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx)
 		    kdebug_secash(sah, "  "));
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
 	LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {