New Feature
Resolution: Unresolved
Medium
We need to punt the first (and only the first) packet from each unknown IPSec flow to the control plane. After punting that first packet through the punt socket (the UDS socket that is used for punting IKE packets), we need to put an ACL on the flow to drop all subsequent packets. The control plane will examine whether this flow should be allowed, create an IPSec tunnel for it, and remove the ACL so that the traffic can now flow through the tunnel.
For more info, please contact jmedved
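
The per-flow behaviour requested above can be modelled as a small state machine. This is an added sketch, not code from the project: the flow key (outer source, destination, SPI), the fixed-size table, the function names, and the choice to keep the drop ACL on flows the control plane rejects are all assumptions.

```c
/* Added illustration of punt-once handling for unknown IPSec flows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PUNT, DROP, TUNNEL };
enum state { PENDING, ALLOWED };      /* PENDING: drop ACL is installed */

/* Assumed flow key: outer addresses plus ESP SPI. */
struct flow { uint32_t src, dst, spi; enum state st; };

#define MAX_FLOWS 64                  /* bound the state unknown peers can create */
static struct flow table[MAX_FLOWS];
static int nflows;

static struct flow *lookup(uint32_t src, uint32_t dst, uint32_t spi)
{
    for (int i = 0; i < nflows; i++)
        if (table[i].src == src && table[i].dst == dst && table[i].spi == spi)
            return &table[i];
    return NULL;
}

/* Data plane: verdict for one IPSec packet. */
enum verdict on_packet(uint32_t src, uint32_t dst, uint32_t spi)
{
    struct flow *f = lookup(src, dst, spi);
    if (f)
        return f->st == ALLOWED ? TUNNEL : DROP;
    if (nflows == MAX_FLOWS)
        return DROP;                  /* table full: fail closed, nothing punted */
    table[nflows++] = (struct flow){ src, dst, spi, PENDING };
    return PUNT;                      /* first packet only; ACL now in place */
}

/* Control plane decision; returns -1 if the flow was never punted. */
int on_decision(uint32_t src, uint32_t dst, uint32_t spi, int allow)
{
    struct flow *f = lookup(src, dst, spi);
    if (!f)
        return -1;
    if (allow)
        f->st = ALLOWED;              /* tunnel created, drop ACL removed */
    return 0;                         /* rejected flows keep the ACL (assumption) */
}

int main(void)
{
    /* Constructed sample flow: addresses and SPI are placeholders. */
    printf("%d ", on_packet(1, 2, 0x100));   /* PUNT */
    printf("%d ", on_packet(1, 2, 0x100));   /* DROP */
    on_decision(1, 2, 0x100, 1);
    printf("%d\n", on_packet(1, 2, 0x100));  /* TUNNEL */
    return 0;
}
```

Each unknown flow creates state before it is authorised, so the table size and the behaviour when it fills are part of the design, not an implementation detail.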