
4.12.1 012: Definition of requirement

One of the grand ideas of Unix is the notion that ``everything is a file''.

Networking has never really followed that idea: network devices don't show up in /dev/ in a useful way, and they have no file-modes or file-owners. Instead you have to deal with them through special commands like ifconfig and special system calls like bind, setsockopt, ...

As a result, it is clear how to establish an IPsec connection from host A to host B, but it is really not obvious how to establish one from user UX (process PX) to user UY (process PY).

Could a user have his own ipsec.conf file? How would that file be related to the system's ipsec.conf file?

Even if the user doesn't have his own ipsec.conf file, how do we implement per-user or per-process tunnels? I can imagine what the kernel code looks like to enforce the restrictions, but what does it look like to the user process? Making it look like a named pipe with a file-owner and some file-permissions is one way... that makes it look more like good-old ``core'' Unix but less like other networking stuff.
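The named-pipe-with-an-owner idea sketched above, as an added illustration that is not FreeS/WAN code and not part of the original requirement: a FIFO stands in for a hypothetical /dev/ipsecNNN node, and unix_permission() is a from-scratch rendering of the classic Unix owner/group/other check that the kernel applies at open() time, so it shows exactly what ``a file-owner and some file-permissions'' would enforce for per-user access. The path under /tmp, the helper names and the sample uid 65534 are assumptions; supplementary groups and ACLs are deliberately left out.

```c
/* Added illustration (not FreeS/WAN code): what a tunnel endpoint that
 * "looks like a named pipe with a file-owner and file-permissions" would
 * mean for access control.  A FIFO stands in for the hypothetical
 * /dev/ipsecNNN node; unix_permission() mirrors the classic Unix rule the
 * kernel applies when a process open()s such a node.  Supplementary groups
 * and ACLs are ignored here (assumption, for brevity). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Access request bits, the same values as R_OK/W_OK/X_OK in access(2). */
#define WANT_READ  4
#define WANT_WRITE 2
#define WANT_EXEC  1

/* Classic owner/group/other check on an inode, as experienced by a process
 * with credentials (uid, gid).  Returns 1 if permitted, 0 if denied.
 * uid 0 bypasses read/write, and passes execute when any x bit is set,
 * like the traditional kernel rule. */
int unix_permission(uid_t owner, gid_t group, mode_t mode,
                    uid_t uid, gid_t gid, int want)
{
    if (uid == 0) {
        if (!(want & WANT_EXEC))
            return 1;
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    }
    unsigned perm;
    if (uid == owner)
        perm = (mode & S_IRWXU) >> 6;   /* owner class */
    else if (gid == group)
        perm = (mode & S_IRWXG) >> 3;   /* group class */
    else
        perm = mode & S_IRWXO;          /* everyone else */
    return (perm & (unsigned)want) == (unsigned)want;
}

/* Create a FIFO with exactly the requested mode (stand-in for the device
 * node) and return, via *st, the owner and mode the kernel recorded.
 * Returns 0 on success, -1 on error. */
int make_endpoint(const char *path, mode_t mode, struct stat *st)
{
    unlink(path);
    mode_t old = umask(0);   /* so the requested mode is applied unmasked */
    int rc = mkfifo(path, mode);
    umask(old);
    if (rc != 0)
        return -1;
    return stat(path, st);
}

/* Self-check: does the created node carry the owner and mode we asked for?
 * Returns 1 if it does, 0 otherwise; the node is removed afterwards. */
int endpoint_ok(const char *path, mode_t mode)
{
    struct stat st;
    if (make_endpoint(path, mode, &st) != 0)
        return 0;
    int ok = S_ISFIFO(st.st_mode)
          && (st.st_mode & 07777) == mode
          && st.st_uid == geteuid();
    unlink(path);
    return ok;
}

int main(void)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/tmp/ipsec012-%ld.fifo", (long)getpid());
    if (make_endpoint(path, 0600, &st) != 0) {
        perror("mkfifo");
        return 1;
    }
    printf("%s: owner uid %u, mode %04o\n", path,
           (unsigned)st.st_uid, (unsigned)(st.st_mode & 07777));
    /* The owner may open the node read/write; a sample other uid (65534,
     * an assumption) is turned away by the mode bits alone. */
    printf("owner, open rw:     %s\n",
           unix_permission(st.st_uid, st.st_gid, st.st_mode,
                           st.st_uid, st.st_gid, WANT_READ | WANT_WRITE)
               ? "permitted" : "denied");
    printf("uid 65534, open r:  %s\n",
           unix_permission(st.st_uid, st.st_gid, st.st_mode,
                           65534, 65534, WANT_READ)
               ? "permitted" : "denied");
    unlink(path);
    return 0;
}
```

What the model buys and what it does not: the mode bits settle the per-user half of the question (UX may open the node, UY may not) with nothing but chown/chmod, which is exactly the ``core'' Unix feel the text is after. They say nothing about per-process restriction beyond ``whoever holds the open descriptor'', and nothing about who the peer on the far end is, which is still the ipsec.conf question raised above.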

Michael Richardson
2001-11-27