Currently, IKE and IPsec use UDP encapsulation whenever they face NAT gateways that do not allow ESP or IKE packets through. Some NAT rules drop even those UDP packets and only let TCP streams pass; TCP encapsulation can reach hosts behind such NATs. An initiator must always try to send IKE_SA_INIT over UDP first, and only after a certain number of failed transmissions should it fall back to TCP. A further step is to schedule periodic checks of UDP reachability, so that if UDP becomes available we can establish the tunnel over UDP and tear down the TCP-encapsulated IPsec tunnel. Both steps are needed because TCP encapsulation adds overhead and has performance trade-offs compared to UDP, so UDP should always be preferred unless TCP is required.

Once TCP support is added, we need to look into enabling ESPinTCP support in the kernel: the kernel must be able to identify TCP-encapsulated packets whose first 4 bytes are zero, and we must tell the kernel to process ESPinTCP packets. Everything else will follow the draft RFC draft-ietf-ipsecme-tcp-encaps-09.
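As an added example that is not part of this proposal, libreswan, or the kernel, the following code demultiplexes the record framing that draft-ietf-ipsecme-tcp-encaps (RFC 8229) puts on the TCP stream: the "IKETCP" prefix, then records of a 16-bit Length followed by either an IKE message behind the 4-byte zero Non-ESP marker or an ESP message starting with its SPI. The function names, the sample bytes and the record-minimum check are my own choices.

```c
/* Added example for this page (not libreswan or Linux kernel code): demultiplexing
 * RFC 8229 / draft-ietf-ipsecme-tcp-encaps records: a big-endian 16-bit Length that
 * counts itself, then an IKE message behind a 4-byte zero marker or an ESP message. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TCP_ENCAP_PREFIX "IKETCP"   /* sent once by the initiator after connecting */
enum rec_kind { REC_BAD = -1, REC_NEED_MORE = 0, REC_IKE = 1, REC_ESP = 2 };
/* Classify the record at buf[0..len). On REC_IKE/REC_ESP, *consumed is the whole
 * record and *payload/*plen locate the IKE header (after the marker) or the SPI. */
static int tcp_encap_demux(const uint8_t *buf, size_t len, size_t *consumed,
                           const uint8_t **payload, size_t *plen)
{
    if (len < 2)
        return REC_NEED_MORE;               /* Length field not yet complete */
    size_t rec_len = ((size_t)buf[0] << 8) | buf[1];
    if (rec_len < 2 + 4)
        return REC_BAD;                     /* too short for a marker or an SPI */
    if (len < rec_len)
        return REC_NEED_MORE;               /* wait for the rest of the record */
    *consumed = rec_len;
    if (memcmp(buf + 2, "\0\0\0\0", 4) == 0) {      /* zero marker: IKE, not ESP */
        *payload = buf + 6;  *plen = rec_len - 6;
        return REC_IKE;
    }
    *payload = buf + 2;  *plen = rec_len - 2;       /* SPI 0 is reserved, so ESP */
    return REC_ESP;
}
/* Complete records in a chunk that starts with the stream prefix, or -1 if the
 * prefix or a record is malformed; a trailing partial record waits for more data. */
static int tcp_encap_count_records(const uint8_t *buf, size_t len)
{
    int n = 0, kind = REC_NEED_MORE;
    size_t used = 0, plen = 0; const uint8_t *p = NULL;
    if (len < 6 || memcmp(buf, TCP_ENCAP_PREFIX, 6) != 0)
        return -1;                          /* not an IKETCP stream */
    buf += 6; len -= 6;
    while (len > 0 && (kind = tcp_encap_demux(buf, len, &used, &p, &plen)) > 0) {
        buf += used; len -= used; n++;
    }
    return kind == REC_BAD ? -1 : n;
}
/* Constructed sample stream: prefix, an IKE record (len 10: marker + 4 header
 * bytes), an ESP record (len 10: SPI 0x01020304 + seq 1), then a cut-off record. */
static const uint8_t sample_stream[] = { 'I','K','E','T','C','P',
    0x00,0x0A, 0x00,0x00,0x00,0x00, 0xDE,0xAD,0xBE,0xEF,     /* IKE */
    0x00,0x0A, 0x01,0x02,0x03,0x04, 0x00,0x00,0x00,0x01,     /* ESP */
    0x00,0x08, 0x01 };                                      /* cut off */
```

A receiver keeps the bytes of a REC_NEED_MORE record buffered until the next read, and treats REC_BAD as a reason to drop the connection rather than resynchronise.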



Mayank Totale


  • Paul Wouters
  • Tuomo Soini