Avoiding this sort of thing was surely part of the motivation for IPsec, but presotto points out (I hope I'm not misrepresenting him) that implementing IPsec, at least in the kernel, is messy, requiring lots of state and the ability to interrupt and restart cryptographic computations at awkward times.
Most of the complexity in IPSEC lies in the key negotiation protocol. The actual per-packet handling (encryption and authentication) is pretty simple. The key negotiation protocols do not need to reside in the kernel; in fact, in most implementations they do not.
Tim Newsham http://www.lava.net/~newsham/
