diff --git a/test/captures/esp-bug-12671.pcapng.gz b/test/captures/esp-bug-12671.pcapng.gz
new file mode 100644
index 0000000000..a31e8c54e3
Binary files /dev/null and b/test/captures/esp-bug-12671.pcapng.gz differ
diff --git a/test/config/esp_sa.tmpl b/test/config/esp_sa.tmpl
new file mode 100644
index 0000000000..24fbb21799
--- /dev/null
+++ b/test/config/esp_sa.tmpl
@@ -0,0 +1,2 @@
+"IPv4","192.168.0.1","192.168.0.100","0x070883c2","AES-CBC [RFC3602]","0x5de1a4c2c72662c9fda7a7c78cd25623","HMAC-SHA-1-96 [RFC2404]","0x51c9213c18232f8f26c70c4dee6e0e6d56e31e8a"
+"IPv4","192.168.0.100","192.168.0.1","0xc254fe64","AES-CBC [RFC3602]","0x88e1dad7140af03b8d4f3d734d21be4b","HMAC-SHA-1-96 [RFC2404]","0x3e00d517c1220d4b7d2950fcc02edd4b6023d278"
diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh
index c9d3c75e0e..85a0261f02 100755
--- a/test/suite-decryption.sh
+++ b/test/suite-decryption.sh
@@ -23,7 +23,6 @@
 
 # To do:
 # IEEE 802.15.4
-# IPsec / ESP
 # ISAKMP / IKEv2
 # PKCS#12
 # SNMP
@@ -42,6 +41,7 @@ EXIT_ERROR=2
 UAT_FILES="
 80211_keys
 dtlsdecrypttablefile
+ esp_sa
 ssl_keys
 c1222_decryption_table
 ikev1_decryption_table
@@ -162,6 +162,22 @@ decryption_step_dtls() {
 test_step_ok
 }
 
+# IPsec ESP
+# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12671
+decryption_step_ipsec_esp() {
+ $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
+ -o "esp.enable_encryption_decode: TRUE" \
+ -Tfields -e data.data \
+ -r "$CAPTURE_DIR/esp-bug-12671.pcapng.gz" -Y data \
+ | grep "08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17" > /dev/null 2>&1
+ RETURNVALUE=$?
+ if [ ! $RETURNVALUE -eq $EXIT_OK ]; then
+ test_step_failed "Failed to decrypt DTLS"
+ return
+ fi
+ test_step_ok
+}
+
 # SSL, using the server's private key
 # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz
 decryption_step_ssl() {
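Review bot: The failure message in the new `decryption_step_ipsec_esp` reads "Failed to decrypt DTLS", apparently carried over from the DTLS step, so a broken ESP decryption would be reported under the wrong protocol; it should be `test_step_failed "Failed to decrypt IPsec ESP"`. `RETURNVALUE=$?` holds only the exit status of the trailing `grep`, so the step cannot tell a failed tshark run from a missing payload match unless `run_and_catch_crashes` reports that separately (not visible in this hunk). The step turns on only `esp.enable_encryption_decode`, so the HMAC-SHA-1-96 keys added in `esp_sa.tmpl` are loaded but the integrity-check path is not exercised. Adding `-o "esp.enable_authentication_check: TRUE"` would cover it, assuming the capture's ICVs validate against those keys.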
@@ -328,6 +344,7 @@ tshark_decryption_suite() {
 test_step_add "IEEE 802.11 WPA EAP Decryption" decryption_step_80211_wpa_eap
 test_step_add "IEEE 802.11 WPA TDLS Decryption" decryption_step_80211_wpa_tdls
 test_step_add "DTLS Decryption" decryption_step_dtls
+ test_step_add "IPsec ESP Decryption" decryption_step_ipsec_esp
 test_step_add "SSL Decryption (private key)" decryption_step_ssl
 test_step_add "SSL Decryption (RSA private key with p smaller than q)" decryption_step_ssl_rsa_pq
 test_step_add "SSL Decryption (private key with password)" decryption_step_ssl_with_password