Skip to main content

TCP Encapsulation of IKE and IPsec Packets

Document Type Replaced Internet-Draft (ipsecme WG)
Expired & archived
Authors Valery Smyslov , Tommy Pauly
Last updated 2021-03-10 (Latest revision 2020-10-29)
Replaced by RFC 9329
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state Adopted by a WG
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-ipsecme-rfc8229bis
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes a method to transport Internet Key Exchange Protocol (IKE) and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as "TCP encapsulation", involves sending both IKE packets for Security Association establishment and Encapsulating Security Payload (ESP) packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP. TCP encapsulation for IKE and IPsec was defined in [RFC8229]. This document updates specification for TCP encapsulation by including additional calarifications obtained during implementation and deployment of this method. This documents makes RFC8229 obsolete.


Valery Smyslov
Tommy Pauly

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)