ESP-in-TCP is an IPsec encapsulation that carries Encapsulating Security Payload (ESP) traffic inside a TCP stream. Instead of sending ESP directly over IP, the encrypted traffic is wrapped so it can pass through networks that block or mishandle native IPsec, such as some NAT devices or restrictive firewalls. This makes secure tunneling easier to deploy in real environments where plain ESP would not connect reliably.
In cyber security, the term matters because each encapsulation layer adds parsing and state-handling complexity to the kernel or VPN stack. Bugs in ESP-in-TCP processing can create denial-of-service conditions or memory-corruption paths, especially when malformed packets trigger edge cases in stream reassembly or transformation. Defenders should treat enabled ESP-in-TCP support as part of the host attack surface: patch affected kernels or VPN software, disable unused IPsec features, and monitor for unusual TCP-based IPsec traffic on systems that should not be using it.
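To make the parsing and monitoring points concrete, the following is an added example, not code from the original page or from any VPN project. It walks one direction of a TCP stream using the framing that RFC 8229 defines for TCP-encapsulated IKE and ESP (a fixed "IKETCP" stream prefix, then a 16-bit Length that counts itself, then either a four-zero-byte non-ESP marker before an IKE header or a non-zero SPI starting an ESP packet) and stops at the first framing defect, which is exactly the class of input that stresses reassembly code. The sample streams are constructed, not captured, and the SPI value is made up.

```python
"""Parse RFC 8229 TCP framing for ESP-in-TCP and flag malformed frames.

Added example (not from the page). Framing facts it relies on:
  * a stream begins with the 6-octet prefix b"IKETCP";
  * every message is preceded by a 2-octet big-endian Length that counts itself;
  * IKE messages follow Length with a 4-octet zero "non-ESP marker", while ESP
    packets follow it directly with a non-zero 4-octet SPI.
Sample streams below are constructed for illustration.
"""
import struct

STREAM_PREFIX = b"IKETCP"            # sent once by the initiator at stream start
LEN_FIELD = 2                        # 16-bit Length field, includes its own size
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28                  # fixed IKEv2 header size
ESP_MIN_BODY = 8                     # SPI (4) + Sequence Number (4)


def parse_espintcp_stream(data: bytes):
    """Return (frames, problems) for one direction of a reassembled TCP stream.

    frames:   list of dicts {offset, kind, length, spi} in stream order.
    problems: framing defects found; parsing stops at the first one because the
              Length chain is no longer trustworthy after it.
    """
    frames, problems = [], []
    if not data.startswith(STREAM_PREFIX):
        problems.append("stream does not start with the IKETCP prefix")
        return frames, problems
    off = len(STREAM_PREFIX)
    while off < len(data):
        remaining = len(data) - off
        if remaining < LEN_FIELD:
            problems.append(f"offset {off}: truncated Length field")
            break
        (length,) = struct.unpack_from("!H", data, off)
        body_len = length - LEN_FIELD
        if body_len < 4:
            # Too short for a non-ESP marker or an SPI; code that subtracts the
            # header size without this check underflows here.
            problems.append(f"offset {off}: Length {length} below minimum")
            break
        if length > remaining:
            problems.append(f"offset {off}: Length {length} exceeds {remaining} bytes available")
            break
        body = data[off + LEN_FIELD : off + length]
        (spi,) = struct.unpack_from("!I", body)
        if spi == 0:
            kind = "IKE"             # non-ESP marker present
            if body_len - 4 < IKE_HEADER_LEN:
                problems.append(f"offset {off}: IKE frame shorter than the IKE header")
                break
        else:
            kind = "ESP"
            if body_len < ESP_MIN_BODY:
                problems.append(f"offset {off}: ESP frame shorter than SPI+sequence")
                break
        frames.append({"offset": off, "kind": kind, "length": length, "spi": spi})
        off += length
    return frames, problems


def frame(body: bytes) -> bytes:
    """Prefix a message body with the RFC 8229 Length field (counts itself)."""
    return struct.pack("!H", len(body) + LEN_FIELD) + body


def build_sample_stream() -> bytes:
    """Constructed: one IKE-shaped frame followed by two ESP frames (SPI is made up)."""
    ike = NON_ESP_MARKER + bytes(IKE_HEADER_LEN)               # zeroed IKE header placeholder
    esp1 = struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 40    # SPI, seq, opaque ciphertext
    esp2 = struct.pack("!II", 0xC0FFEE01, 2) + b"\xbb" * 40
    return STREAM_PREFIX + frame(ike) + frame(esp1) + frame(esp2)


def build_malformed_stream() -> bytes:
    """Constructed: second frame advertises far more bytes than the stream holds."""
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 8
    lying = struct.pack("!H", 0xFFFF) + esp                     # Length field lies
    return STREAM_PREFIX + frame(esp) + lying


if __name__ == "__main__":
    for label, stream in (("good", build_sample_stream()), ("bad", build_malformed_stream())):
        found, errs = parse_espintcp_stream(stream)
        print(label, [f["kind"] for f in found], errs)
```

Feeding a reassembled TCP payload from a capture through `parse_espintcp_stream` tells you two things a defender wants: whether a host that should not be running IPsec is carrying IKE/ESP inside TCP at all, and whether a peer is sending frames whose Length field is inconsistent with the bytes on the wire, which is the kind of input an implementation must reject before it reaches decapsulation.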