
Creating NULL encryption ESP SAs with setkey fails

The setkey manual says that the null encryption mode is supported, but trying to create an SA with -E null fails with Invalid Argument. This is because the SADB_EXT_KEY_ENCRYPT extension is not included in the PF_KEY message when null is specified. It should be included whenever the mode is ESP, because the kernel expects to receive it whenever the SA type is ESP, even if null encryption is to be used.
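The rule described above can be checked on a raw PF_KEY message. The following is an added example, not code from the PR or from FreeBSD: the constants and header layouts follow RFC 2367, the function names are hypothetical, and the sample message is a constructed, reduced SADB_ADD (header plus SA extension only, no address extensions).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values from RFC 2367 (PF_KEY v2); structs below are local copies of its layouts. */
enum { SADB_ADD = 3, SADB_SATYPE_ESP = 3, SADB_EXT_SA = 1, SADB_EXT_KEY_ENCRYPT = 9 };

struct msg_hdr { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct ext_hdr { uint16_t len, type; };          /* len is counted in 64-bit words */

/* Walk the extension list: 1 if `want` is present, 0 if absent, -1 if malformed. */
int has_ext(const uint8_t *buf, size_t n, uint16_t want)
{
    struct msg_hdr m;
    if (n < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if ((size_t)m.len * 8 != n) return -1;       /* header length must match buffer */
    for (size_t off = sizeof m; off < n; ) {
        struct ext_hdr e;
        if (n - off < sizeof e) return -1;
        memcpy(&e, buf + off, sizeof e);
        if (e.len == 0 || (size_t)e.len * 8 > n - off) return -1;
        if (e.type == want) return 1;
        off += (size_t)e.len * 8;
    }
    return 0;
}

/* Hypothetical check for the rule in the report: an ESP SADB_ADD must carry
 * SADB_EXT_KEY_ENCRYPT, even when the cipher is null. Other messages pass. */
int esp_add_ok(const uint8_t *buf, size_t n)
{
    if (n < sizeof(struct msg_hdr)) return 0;
    if (buf[1] != SADB_ADD || buf[3] != SADB_SATYPE_ESP) return 1;
    return has_ext(buf, n, SADB_EXT_KEY_ENCRYPT) == 1;
}

/* Constructed sample: header + 16-byte SA extension, optionally followed by an
 * 8-byte key extension with zero key bits (what a null cipher would need). */
size_t build_sample(uint8_t *out, int with_key)
{
    size_t n = 16 + 16 + (with_key ? 8 : 0);
    struct msg_hdr m = { 2, SADB_ADD, 0, SADB_SATYPE_ESP, (uint16_t)(n / 8), 0, 1, 0 };
    struct ext_hdr sa = { 2, SADB_EXT_SA }, key = { 1, SADB_EXT_KEY_ENCRYPT };
    memset(out, 0, n);
    memcpy(out, &m, sizeof m);
    memcpy(out + 16, &sa, sizeof sa);
    if (with_key) memcpy(out + 32, &key, sizeof key);
    return n;
}
```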

http://www.freebsd.org/cgi/query-pr.cgi?pr=105614

>Category: bin
>Responsible: freebsd-bugs
>Synopsis: Creating NULL encryption ESP SAs with setkey fails
>Arrival-Date: Thu Nov 16 20:30:01 GMT 2006