diff --git a/linux/net/ipsec/Config.in.os2_4 b/linux/net/ipsec/Config.in.os2_4 index eef186b..8a19617 100644 --- a/linux/net/ipsec/Config.in.os2_4 +++ b/linux/net/ipsec/Config.in.os2_4 @@ -27,6 +27,7 @@ comment ' IPsec algorithms to include' if [ "$CONFIG_KLIPS_ESP" = "y" ]; then bool ' 3DES encryption algorithm' CONFIG_KLIPS_ENC_3DES bool ' AES encryption algorithm' CONFIG_KLIPS_ENC_AES + bool ' NULL encryption algorithm (WARN: non-ciphered, use at your own!)' CONFIG_KLIPS_ENC_NULL fi if [ "$CONFIG_KLIPS_AH" = "y" -o "$CONFIG_KLIPS_ESP" = "y" ]; then diff --git a/linux/net/ipsec/Kconfig b/linux/net/ipsec/Kconfig index 07b2c23..942f897 100644 --- a/linux/net/ipsec/Kconfig +++ b/linux/net/ipsec/Kconfig @@ -92,6 +92,13 @@ config KLIPS_ENC_AES AES the NIST replacement for DES. AES is being widely analyzed, and is very fast. +config KLIPS_ENC_NULL + bool 'NULL NON-encryption algorithm' + default n + help + NON encryption algo , maybe useful for ESP auth only scenarios + (eg: with NAT-T), see RFC 2410. + config KLIPS_IPCOMP bool 'IP compression' default y diff --git a/linux/net/ipsec/Makefile.fs2_4 b/linux/net/ipsec/Makefile.fs2_4 index 1a86c44..2f94d50 100644 --- a/linux/net/ipsec/Makefile.fs2_4 +++ b/linux/net/ipsec/Makefile.fs2_4 @@ -119,6 +119,10 @@ else obj-$(CONFIG_KLIPS_ENC_3DES) += des_enc.o endif +# ESP_NULL support: +VPATH+=${KLIPS_TOP}/net/ipsec/null +obj-$(CONFIG_KLIPS_ENC_NULL) += ipsec_alg_null.o + obj-y += satot.o obj-y += addrtot.o obj-y += ultot.o diff --git a/linux/net/ipsec/Makefile.fs2_6 b/linux/net/ipsec/Makefile.fs2_6 index d37c1f8..e187125 100644 --- a/linux/net/ipsec/Makefile.fs2_6 +++ b/linux/net/ipsec/Makefile.fs2_6 @@ -106,6 +106,8 @@ else crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes.o endif +crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o + ipsec-y += ${crypto-y} ipsec-$(CONFIG_KLIPS_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o diff --git a/linux/net/ipsec/defconfig b/linux/net/ipsec/defconfig index cc40024..dde6415 100644 
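Review bot: The prompt `' NULL encryption algorithm (WARN: non-ciphered, use at your own!)'` is truncated ("use at your own" is missing its noun) and names a warning without saying which property is lost. Something like `bool ' NULL encryption algorithm (ESP_NULL, RFC 2410: no confidentiality)' CONFIG_KLIPS_ENC_NULL` tells the user what they are giving up and matches the Kconfig entry this commit adds for the same symbol. The option is correctly placed inside the `CONFIG_KLIPS_ESP` block; whether an undefaulted 2.4 `bool` comes out unset in a fresh config should be confirmed against the other entries in this file, which are outside the hunk.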
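Review bot: The help text says what the NULL transform is useful for but not what it gives up: an ESP SA using it carries payloads unencrypted, and RFC 2410 (already cited) only defines it for use together with an integrity algorithm. Suggest `NULL "encryption" transform for ESP (RFC 2410): packets are authenticated but not encrypted. Only meaningful together with ESP authentication, e.g. authentication-only ESP through NAT-T.` and removing the stray space in `algo ,`. `default n` is the right default for a no-confidentiality transform. The Config.in.os2_4 hunk in this commit offers the option only inside the `CONFIG_KLIPS_ESP` block; this entry has no `depends on KLIPS_ESP`, so check whether the neighbouring `KLIPS_ENC_AES` entry (its head is outside the hunk) carries one and mirror it.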
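Review bot: `crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o` is only picked up through `ipsec-y += ${crypto-y}`, so a value of `m` would land the object in an unused `crypto-m` list, yet ipsec_alg_null.c and ipsec_alg.c in this commit both carry `CONFIG_KLIPS_ENC_NULL_MODULE` code paths. With the symbol declared as a plain `bool` in Kconfig those module paths cannot be reached from a 2.6 build; either drop them or make the symbol tristate and add the matching `obj-m` rule. A comment here, `# KLIPS_ENC_NULL is bool-only: the null transform is always linked into the ipsec object when set`, would record the decision.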
--- a/linux/net/ipsec/defconfig +++ b/linux/net/ipsec/defconfig @@ -48,6 +48,7 @@ CONFIG_KLIPS_ALG=y # Encryption algorithm(s): CONFIG_KLIPS_ENC_3DES=y CONFIG_KLIPS_ENC_AES=y +#CONFIG_KLIPS_ENC_NULL=y # Use CryptoAPI for ALG? - by default, no. CONFIG_KLIPS_ENC_CRYPTOAPI=n diff --git a/linux/net/ipsec/ipsec_alg.c b/linux/net/ipsec/ipsec_alg.c index 57328cb..882c5f1 100644 --- a/linux/net/ipsec/ipsec_alg.c +++ b/linux/net/ipsec/ipsec_alg.c @@ -858,6 +858,17 @@ #endif ipsec_3des_init(); } #endif +#if defined(CONFIG_KLIPS_ENC_NULL) && CONFIG_KLIPS_ENC_NULL && !defined(CONFIG_KLIPS_ENC_NULL_MODULE) +#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI +#warning "Using built-in null cipher rather than CryptoAPI null cipher" +#endif +#warning "Building with null cipher (ESP_NULL), blame on you :-)" + { + extern int ipsec_null_init(void); + ipsec_null_init(); + } +#endif + /* If we are doing CryptoAPI, then init */ #if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI && !defined(CONFIG_KLIPS_ENC_CRYPTOAPI_MODULE) diff --git a/linux/net/ipsec/null/ipsec_alg_null.c b/linux/net/ipsec/null/ipsec_alg_null.c new file mode 100644 index 0000000..3134a84 --- /dev/null +++ b/linux/net/ipsec/null/ipsec_alg_null.c 
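Review bot: The two `#warning` directives become unconditional build noise once packaging/linus/config-all.h in this commit defines `CONFIG_KLIPS_ENC_NULL 1` by default, and the second message ("blame on you :-)") does not tell the builder what the consequence is. Either drop them, since the option is a documented Kconfig choice, or keep one that states the property: `#warning "KLIPS built with ESP_NULL (RFC 2410): ESP SAs negotiated with it carry unencrypted payload"`. The return value of `ipsec_null_init()` is discarded, mirroring the `ipsec_3des_init();` call in the context above; a short comment that registration failure is reported by the printk inside ipsec_null_init rather than handled here would make that deliberate. The enclosing function begins and ends outside the hunk.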
@@ -0,0 +1,145 @@
+/*
+ * ipsec_alg NULL cipher stubs
+ *
+ * Author: JuanJo Ciarlante
+ *
+ * $Id: linux/net/ipsec/null/ipsec_alg_null.c git 2006-09-20 17:11:49.000000000 -0300 jjo Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+#include
+#include
+
+/*
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_NULL)
+#undef MODULE
+#endif
+
+#include
+#include
+
+#include /* printk() */
+#include /* error codes */
+#include /* size_t */
+#include
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* Low freeswan header coupling */
+#include "openswan/ipsec_alg.h"
+
+#define ESP_NULL 11 /* from ipsec drafts */
+#define ESP_NULL_BLK_LEN 1
+
+MODULE_AUTHOR("JuanJo Ciarlante ");
+static int debug_null=0;
+static int test_null=0;
+#ifdef module_param
+module_param(debug_null, int, 0600);
+module_param(test_null, int, 0600);
+#else
+MODULE_PARM(debug_null, "i");
+MODULE_PARM(test_null, "i");
+#endif
+
+typedef int null_context;
+
+struct null_eks{
+ null_context null_ctx;
+};
+static int _null_set_key(struct ipsec_alg_enc *alg,
+ __u8 * key_e, const __u8 * key,
+ size_t keysize) {
+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+ if (debug_null > 0)
+ printk(KERN_DEBUG "klips_debug:_null_set_key:"
+ "key_e=%p key=%p keysize=%d\n",
+ key_e, key, keysize);
+ *ctx = 1;
+ return 0;
+}
+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg,
+ __u8 * key_e, __u8 * in, int ilen, const __u8 * iv,
+ int encrypt) {
+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+ if (debug_null > 0)
+ printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:"
+ "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+ key_e, in, ilen, iv, encrypt);
+ (*ctx)++;
+ return ilen;
+}
+static struct ipsec_alg_enc ipsec_alg_NULL = {
+ ixt_common: { ixt_version: IPSEC_ALG_VERSION,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_name: "null",
+ ixt_blocksize: ESP_NULL_BLK_LEN,
+ ixt_support: {
+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT,
+ ias_id: ESP_NULL,
+ ias_ivlen: 0,
+ ias_keyminbits: 0,
+ ias_keymaxbits: 0,
+ },
+ },
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+ ixt_module: THIS_MODULE,
+#endif
+ ixt_e_keylen: 0,
+ ixt_e_ctx_size: sizeof(null_context),
+ ixt_e_set_key: _null_set_key,
+ ixt_e_cbc_encrypt:_null_cbc_encrypt,
+};
+
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_INIT_MOD( ipsec_null_init )
+#else
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_null_init )
+#endif
+{
+ int ret, test_ret;
+ ret=register_ipsec_alg_enc(&ipsec_alg_NULL);
+ printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ ipsec_alg_NULL.ixt_common.ixt_name,
+ ret);
+ if (ret==0 && test_null) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ test_null);
+ printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ test_ret);
+ }
+ return ret;
+}
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_null_fini )
+#else
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_null_fini )
+#endif
+{
+ unregister_ipsec_alg_enc(&ipsec_alg_NULL);
+ return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
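Review bot: In `_null_set_key` the debug printk prints `keysize`, a `size_t`, with `%d`; the format should be `"key_e=%p key=%p keysize=%zu\n",`. `_null_cbc_encrypt` runs `(*ctx)++` on a `null_context` that is a signed `int`, so a long-lived SA eventually reaches INT_MAX and the increment is signed overflow; nothing in this file reads the counter, so either drop it or make it `typedef unsigned int null_context;`. The constants deserve their source, `#define ESP_NULL 11 /* ESP transform id, RFC 2407 */` and `#define ESP_NULL_BLK_LEN 1 /* RFC 2410: block size 1, no IV, no key */`, which also explains the zero `ias_ivlen`, `ias_keyminbits` and `ias_keymaxbits`. The `field: value` initializer form in `ipsec_alg_NULL` is the old GCC extension; if the sibling algorithm files use it this is consistent, otherwise C99 `.field = value` is preferable.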
diff --git a/packaging/linus/config-all.h b/packaging/linus/config-all.h index e4d17bb..b794600 100644 --- a/packaging/linus/config-all.h +++ b/packaging/linus/config-all.h @@ -64,6 +64,11 @@ #ifndef CONFIG_KLIPS_ENC_AES #define CONFIG_KLIPS_ENC_AES 1 #endif +/* jjo: ESP_NULL support: you applied this patch => you wanted enabled => don't cry 4this :) */ +#ifndef CONFIG_KLIPS_ENC_NULL +#define CONFIG_KLIPS_ENC_NULL 1 +#endif + /* off by default for now */ #ifndef CONFIG_KLIPS_ENC_CRYPTOAPI #define CONFIG_KLIPS_ENC_CRYPTOAPI 0 diff --git a/packaging/linus/config-all.hmodules b/packaging/linus/config-all.hmodules index c874034..8226a33 100644 --- a/packaging/linus/config-all.hmodules +++ b/packaging/linus/config-all.hmodules @@ -66,6 +66,11 @@ #ifndef CONFIG_KLIPS_ENC_AES #define CONFIG_KLIPS_ENC_AES 1 #endif +/* jjo: ESP_NULL support: you applied this patch => you wanted enabled => don't cry 4this :) */ +#ifndef CONFIG_KLIPS_ENC_NULL +#define CONFIG_KLIPS_ENC_NULL 1 +#endif + /* off by default for now */ #ifndef CONFIG_KLIPS_ENC_CRYPTOAPI #define CONFIG_KLIPS_ENC_CRYPTOAPI 0 diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c index 66a015f..6ed4ad6 100644 --- a/programs/pluto/kernel_netlink.c +++ b/programs/pluto/kernel_netlink.c @@ -630,7 +630,10 @@ netlink_add_sa(const struct kernel_sa *s attr = (struct rtattr *)((char *)attr + attr->rta_len); } - if (sa->enckeylen) + /* Consider ESP_NULL particular case (enckeylen==0), + * makes pluto correctly drive linux-2.6 ESP_NULL --jjo, 09/21/06 + */ + if (sa->enckeylen || sa->encalg==SADB_EALG_NULL) { struct xfrm_algo algo; const char *name;
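Review bot: `#define CONFIG_KLIPS_ENC_NULL 1` switches the NULL transform on for every build that uses this packaging header, contradicting the `default n` in linux/net/ipsec/Kconfig and the commented-out `#CONFIG_KLIPS_ENC_NULL=y` in defconfig from the same commit; the identical block is added to packaging/linus/config-all.hmodules. A transform that provides no confidentiality is better handled like the CryptoAPI option directly below (`/* off by default for now */` with value 0), so it is only registered where someone asked for it: the kernel side only uses what pluto negotiates, but an unencrypted ESP transform that is always available is one more thing a misconfigured or downgraded proposal can land on. The `/* jjo: ... don't cry 4this :) */` comment should give the actual rationale, e.g. `/* ESP_NULL (RFC 2410): authentication-only ESP; enabled here because <reason> */`, with the reason filled in.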
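Review bot: The new condition `if (sa->enckeylen || sa->encalg==SADB_EALG_NULL)` admits a NULL SA with `enckeylen` 0, matching `ixt_e_keylen: 0` on the KLIPS side of this commit, but it also admits a NULL SA that arrives with a non-zero `enckeylen`; if the code after the hunk copies `sa->enckeylen` bytes into `algo` (presumably, since `struct xfrm_algo algo` is declared here), consider rejecting or zeroing a key supplied for SADB_EALG_NULL so both cases behave the same. The `--jjo, 09/21/06` signature and date in the comment belong in the commit message; `/* SADB_EALG_NULL has no key (RFC 2410), so enckeylen==0 is valid for it */` is all the reader needs. The enclosing `netlink_add_sa` body continues outside the hunk on both sides.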