diff --git a/gnutls-esp.c b/gnutls-esp.c
index 25b3bfbe..e5c3d740 100644
--- a/gnutls-esp.c
+++ b/gnutls-esp.c
@@ -109,18 +109,15 @@ int setup_esp_keys(struct openconnect_info *vpninfo)
 	default:
 		return -EINVAL;
 	}
-#if 1
-	memcpy(vpninfo->esp_in.spi, vpninfo->esp_out.spi, 0x44);
-#else
-	ret = gnutls_rnd(GNUTLS_RND_RANDOM, &vpninfo->esp_in.spi,
-			 sizeof(vpninfo->esp_in.secrets) + sizeof(vpninfo->esp_in.spi));
-	if (ret) {
+
+	if ((ret = gnutls_rnd(GNUTLS_RND_NONCE, &vpninfo->esp_in.spi, sizeof(vpninfo->esp_in.spi))) ||
+	    (ret = gnutls_rnd(GNUTLS_RND_RANDOM, &vpninfo->esp_in.secrets, sizeof(vpninfo->esp_in.secrets)))) {
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Failed to generate random keys for ESP: %s\n"),
 			     gnutls_strerror(ret));
 		return -EIO;
 	}
-#endif
+
 	ret = init_esp_ciphers(vpninfo, &vpninfo->esp_out, macalg, encalg);
 	if (ret)
 		return ret;
@@ -142,10 +139,10 @@ int decrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
 	unsigned char hmac_buf[20];
 	int err;
 
-	if (memcmp(pkt->esp.spi, vpninfo->esp_in.spi, 4)) {
+	if (pkt->esp.spi != vpninfo->esp_in.spi) {
 		vpn_progress(vpninfo, PRG_DEBUG,
-			     _("Received ESP packet with invalid SPI %02x%02x%02x%02x\n"),
-			     pkt->esp.spi[0], pkt->esp.spi[1], pkt->esp.spi[2], pkt->esp.spi[3]);
+			     _("Received ESP packet with invalid SPI 0x%08x\n"),
+			     ntohl(pkt->esp.spi));
 		return -EINVAL;
 	}
 
@@ -185,7 +182,7 @@ int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
 	int err;
 
 	/* This gets much more fun if the IV is variable-length */
-	memcpy(pkt->esp.spi, vpninfo->esp_out.spi, 4);
+	pkt->esp.spi = vpninfo->esp_out.spi;
 	pkt->esp.seq = htonl(vpninfo->esp_out.seq++);
 	err = gnutls_rnd(GNUTLS_RND_NONCE, pkt->esp.iv, sizeof(pkt->esp.iv));
 	if (err) {
diff --git a/oncp.c b/oncp.c
index 5d87faa1..d536c93f 100644
--- a/oncp.c
+++ b/oncp.c
@@ -838,7 +838,7 @@ static int process_attr(struct openconnect_info *vpninfo, int group, int attr,
 	case GRP_ATTR(7, 1):
 		if (attrlen != 4)
 			goto badlen;
-		memcpy(vpninfo->esp_out.spi, data, 4);
+		memcpy(&vpninfo->esp_out.spi, data, 4);
 		vpn_progress(vpninfo, PRG_DEBUG, _("ESP SPI (outbound): %x\n"),
 			     TLV_BE32(data));
 		break;
@@ -1136,7 +1136,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
 		 * *not* to have an oc_text_buf and build it up manually, and since it's
 		 * all fixed size and fairly simple anyway, just hard-code the packet */
 		buf_append_bytes(reqbuf, esp_kmp_hdr, sizeof(esp_kmp_hdr));
-		buf_append_bytes(reqbuf, vpninfo->esp_in.spi, sizeof(vpninfo->esp_in.spi));
+		buf_append_bytes(reqbuf, &vpninfo->esp_in.spi, sizeof(vpninfo->esp_in.spi));
 		buf_append_bytes(reqbuf, esp_kmp_part2, sizeof(esp_kmp_part2));
 		buf_append_bytes(reqbuf, vpninfo->esp_in.secrets, sizeof(vpninfo->esp_in.secrets));
 		if (buf_error(reqbuf))
diff --git a/openconnect-internal.h b/openconnect-internal.h
index ce246ea8..e9ed57aa 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -119,7 +119,7 @@
 /****************************************************************************/
 
 struct esp_hdr {
-	unsigned char spi[4];
+	uint32_t spi;
 	uint32_t seq;
 	unsigned char iv[16];
 	unsigned char payload[];
@@ -258,7 +258,7 @@ struct esp {
 #endif
 	uint32_t seq;
 	uint32_t seq_backlog;
-	unsigned char spi[4];
+	uint32_t spi; /* Stored network-endian */
 	unsigned char secrets[0x40];
 };
 
diff --git a/openssl-esp.c b/openssl-esp.c
index 438a5d2a..e29ccb19 100644
--- a/openssl-esp.c
+++ b/openssl-esp.c
@@ -99,8 +99,8 @@ int setup_esp_keys(struct openconnect_info *vpninfo)
 		return -EINVAL;
 	}
 
-	if (!RAND_bytes((void *)&vpninfo->esp_in.spi,
-			sizeof(vpninfo->esp_in.secrets) + sizeof(vpninfo->esp_in.spi))) {
+	if (!RAND_pseudo_bytes((void *)&vpninfo->esp_in.spi, sizeof(vpninfo->esp_in.spi)) ||
+	    !RAND_bytes((void *)&vpninfo->esp_in.secrets, sizeof(vpninfo->esp_in.secrets))) {
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Failed to generate random keys for ESP:\n"));
 		openconnect_report_ssl_errors(vpninfo);
@@ -130,10 +130,10 @@ int decrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
 	int crypt_len = pkt->len;
 	HMAC_CTX hmac_ctx;
 
-	if (memcmp(pkt->esp.spi, vpninfo->esp_in.spi, 4)) {
+	if (pkt->esp.spi != vpninfo->esp_in.spi) {
 		vpn_progress(vpninfo, PRG_DEBUG,
-			     _("Received ESP packet with invalid SPI %02x%02x%02x%02x\n"),
-			     pkt->esp.spi[0], pkt->esp.spi[1], pkt->esp.spi[2], pkt->esp.spi[3]);
+			     _("Received ESP packet with invalid SPI 0x%08x\n"),
+			     ntohl(pkt->esp.spi));
 		return -EINVAL;
 	}
 
@@ -184,7 +184,7 @@ int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
 	HMAC_CTX hmac_ctx;
 
 	/* This gets much more fun if the IV is variable-length */
-	memcpy(pkt->esp.spi, vpninfo->esp_out.spi, 4);
+	pkt->esp.spi = vpninfo->esp_out.spi;
 	pkt->esp.seq = htonl(vpninfo->esp_out.seq++);
 	if (!RAND_pseudo_bytes((void *)&pkt->esp.iv, sizeof(pkt->esp.iv))) {
 		vpn_progress(vpninfo, PRG_ERR,