diff --git a/esp.c b/esp.c
index f9f429a1..80a416cf 100644
--- a/esp.c
+++ b/esp.c
@@ -332,8 +332,20 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 void esp_close(struct openconnect_info *vpninfo)
 {
+ /* We close and reopen the socket in case we roamed and our
+ local IP address has changed. */
+ if (vpninfo->dtls_fd != -1) {
+ closesocket(vpninfo->dtls_fd);
+ unmonitor_read_fd(vpninfo, dtls);
+ unmonitor_write_fd(vpninfo, dtls);
+ unmonitor_except_fd(vpninfo, dtls);
+ }
 }
 void esp_shutdown(struct openconnect_info *vpninfo)
 {
+ destroy_esp_ciphers(&vpninfo->esp_in[0]);
+ destroy_esp_ciphers(&vpninfo->esp_in[1]);
+ destroy_esp_ciphers(&vpninfo->esp_out);
+ esp_close(vpninfo);
 }
diff --git a/library.c b/library.c
index 74d2c976..4819beda 100644
--- a/library.c
+++ b/library.c
@@ -257,11 +257,6 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 #endif
 #ifdef DTLS_GNUTLS
 gnutls_free(vpninfo->gnutls_dtls_cipher);
-#endif
-#if defined(ESP_GNUTLS) || defined(ESP_OPENSSL)
- destroy_esp_ciphers(&vpninfo->esp_in[0]);
- destroy_esp_ciphers(&vpninfo->esp_in[1]);
- destroy_esp_ciphers(&vpninfo->esp_out);
 #endif
 free(vpninfo->dtls_addr);
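Review bot: In esp.c, esp_close() closes `vpninfo->dtls_fd` but never resets it, so the `!= -1` guard stays true after the first call. Because esp_shutdown() now calls esp_close() too, a close on reconnect followed by shutdown (or any second call) would run closesocket() and the unmonitor calls on a stale descriptor number, which by then may have been reused for another socket or the tunnel device. Add `vpninfo->dtls_fd = -1;` as the last statement inside the `if`, after the three unmonitor calls, which presumably still need the old value. Separately, since the destroy_esp_ciphers() calls have moved out of openconnect_vpninfo_free() in library.c, it is worth confirming that every teardown path reaches esp_shutdown(), so ESP key state is not left allocated when the vpninfo is freed.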