This RFC documents the use of TCP instead of UDP for IKE. A substantial number of ISPs are blocking UDP at the edge of their networks, and this breaks IPsec, which normally runs IKE over UDP/500 or UDP/4500. I'm guessing this is a simple fix to the many different types of UDP reflection attacks on DNS, NTP and SNMP that we have seen. A poor man's DDoS prevention, if you will. Another reason is that many NAT gateways don't handle UDP predictably.
This document describes a method to transport Internet Key Exchange Protocol (IKE) and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as "TCP encapsulation", involves sending both IKE packets for Security Association establishment and Encapsulating Security Payload (ESP) packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP.
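To make the abstract concrete, here is an added example (my own code, not from the post, the RFC or any IPsec implementation) of the framing the RFC specifies in its section 3: the TCP stream opens with the 6-byte prefix `IKETCP`, every message is preceded by a 16-bit big-endian Length that counts itself, IKE messages carry the same 4-byte all-zero Non-ESP Marker used for UDP/4500 encapsulation, and ESP packets start directly with their non-zero SPI. The decoder is incremental because TCP is a byte stream and segment boundaries will not line up with message boundaries; it also rejects a wrong stream prefix and a Length too small to hold a marker or SPI, which would otherwise stall the parser. The sample IKE and ESP payloads are constructed placeholders, not real protocol data.

```python
"""Framing for TCP-encapsulated IKE/ESP per RFC 8229 section 3 (added example)."""
import struct

STREAM_PREFIX = b"IKETCP"          # sent once by the TCP originator
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # distinguishes IKE from ESP (SPI 0 is reserved)
MAX_LEN = 0xFFFF                   # Length is a 16-bit field
MIN_LEN = 2 + 4                    # Length field plus at least a marker or an SPI

# Constructed sample payloads (assumptions for the demo, not real traffic):
IKE_SAMPLE = bytes(range(28))                          # 28 bytes, like an IKEv2 header
ESP_SAMPLE = b"\x00\x00\x00\x2a" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI 42, seq 1


def encap_ike(ike_msg):
    """Prefix an IKE message with Length and the Non-ESP Marker."""
    body = NON_ESP_MARKER + ike_msg
    total = 2 + len(body)
    if total > MAX_LEN:
        raise ValueError("IKE message too large for 16-bit Length")
    return struct.pack("!H", total) + body


def encap_esp(esp_pkt):
    """Prefix an ESP packet with Length only; the SPI itself must be non-zero."""
    if len(esp_pkt) < 4 or esp_pkt[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must begin with a non-zero SPI")
    total = 2 + len(esp_pkt)
    if total > MAX_LEN:
        raise ValueError("ESP packet too large for 16-bit Length")
    return struct.pack("!H", total) + esp_pkt


class Decapsulator:
    """Incremental reader for the receiving side of the TCP stream."""

    def __init__(self):
        self.buf = bytearray()
        self.prefix_seen = False

    def feed(self, data):
        """Consume bytes from the stream; return a list of (kind, payload) tuples."""
        self.buf += data
        out = []
        if not self.prefix_seen:
            if len(self.buf) < len(STREAM_PREFIX):
                return out                      # wait for the full prefix
            if bytes(self.buf[: len(STREAM_PREFIX)]) != STREAM_PREFIX:
                raise ValueError("stream does not start with IKETCP prefix")
            del self.buf[: len(STREAM_PREFIX)]
            self.prefix_seen = True
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length < MIN_LEN:
                raise ValueError("malformed Length %d" % length)  # also stops a 0-length loop
            if len(self.buf) < length:
                break                           # message not yet complete
            body = bytes(self.buf[2:length])
            del self.buf[:length]
            if body[:4] == NON_ESP_MARKER:
                out.append(("IKE", body[4:]))   # strip the marker, hand to IKE
            else:
                out.append(("ESP", body))       # SPI is the first 4 bytes
        return out


def demo(chunk=5):
    """Encapsulate one IKE and one ESP message, then decode the stream in small chunks."""
    stream = STREAM_PREFIX + encap_ike(IKE_SAMPLE) + encap_esp(ESP_SAMPLE)
    dec = Decapsulator()
    got = []
    for i in range(0, len(stream), chunk):
        got += dec.feed(stream[i : i + chunk])
    return got, bytes(dec.buf)


if __name__ == "__main__":
    for kind, payload in demo()[0]:
        print(kind, payload.hex())
```

Feeding the stream five bytes at a time shows why the reader has to buffer: the first call returns nothing (the prefix alone is six bytes), and each message is only emitted once its full Length has arrived.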
The increasing use of QUIC to replace the TCP/TLS/HTTP2 stack should lead to an interesting situation where UDP will, eventually, be unblocked. QUIC uses slightly less bandwidth, which gives ISPs a motivation to make the change. It will probably take about five years to catch on, given how slowly your average ISP changes.