diff --git a/etcdmain/config.go b/etcdmain/config.go
index e06d642c7e6e..c8b54ff6602b 100644
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -210,6 +210,7 @@ func newConfig() *config {
 fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
+ fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
 fs.Var(
 flags.NewUniqueURLsWithExceptions("*", "*"),
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index 0c593e8e2bf8..32c8870bfb66 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -56,6 +56,9 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
 if scheme != "https" && scheme != "unixs" {
 return l, nil
 }
+ if tlsinfo != nil && tlsinfo.SkipClientVerify {
+ return NewTLSListener(l, tlsinfo)
+ }
 return newTLSListener(l, tlsinfo, checkSAN)
 }
@@ -66,6 +69,7 @@ type TLSInfo struct {
 ClientCertAuth bool
 CRLFile string
 InsecureSkipVerify bool
+ SkipClientVerify bool
 // ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 ServerName string
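Review bot: The help text on the added `fs.BoolVar` line is too vague for a switch that weakens peer authentication: "client IP verification" does not say what is actually checked or why an operator would turn it off, and the flag name carries no `insecure`/`skip-san` marker, unlike the `InsecureSkipVerify` field the new TLSInfo field sits next to in the other file. Suggested wording: `"Skip verifying that a peer's client certificate SANs match its source address (for peers behind NAT or proxies); peer client certificates are still authenticated."` The last clause holds only if the skip path in pkg/transport keeps the ClientCertAuth and CRL handling of the default path, which this hunk does not show; confirm before committing to it. newConfig continues outside the hunk.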
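Review bot: The new branch in wrapTLS disables a check without saying which one: the skip path calls `NewTLSListener(l, tlsinfo)` while the default path hands `checkSAN` to `newTLSListener`, so what is bypassed is whatever `checkSAN` enforces on incoming connections (per the flag help, matching the client certificate against the peer's address), and nothing records that this happened. Add a comment above the branch, e.g. `// SkipClientVerify bypasses the checkSAN hook: a peer's client certificate is no longer matched against its remote address, but is still authenticated per the TLS config.` — the second clause assumes NewTLSListener applies the same ClientCertAuth/CRL settings as the default path, which is outside this hunk. A security-relaxing switch should also be logged once at startup, here if the package has a logger or otherwise where the flag is parsed, so the weakened mode is auditable. Because the field lives on TLSInfo rather than on the peer config, any TLSInfo routed through wrapTLS with the field set takes this path, not only the peer listener; the callers of wrapTLS are outside the hunk.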
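Review bot: `SkipClientVerify bool` is added to TLSInfo without a doc comment, while the neighbouring `ServerName` field has one, and the name does not convey that it is a security relaxation. Suggested comment: `// SkipClientVerify makes wrapTLS build the listener with NewTLSListener instead of newTLSListener+checkSAN, so incoming client certificates are no longer matched against the remote address. Leave false unless peers connect through NAT or proxies.` Consider a name that states what is skipped, such as `SkipClientSANVerify`, since "client verify" reads as disabling client certificate authentication altogether. The struct continues past this hunk.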