Methods and apparatus for preventing packet retransmissions during Internet
Protocol security (IPsec) security association establishment. Application socket
requests are monitored. An application requests a Transmission Control Protocol
(TCP) connection or transmission of User Datagram Protocol (UDP) data on a socket.
A determination is made whether there is an active security association that exists
to protect the network flow associated with the request. The request is prevented from
proceeding if no active security association exists to protect the network flow.
A determination is made whether a security policy exists for the network flow if
no active security association exists to protect the network flow. A security association
negotiation component is alerted to initiate negotiation for a security association
based on the security policy if the security policy exists for the network flow.
The request is allowed to proceed, i.e., the TCP connection is established or the UDP
data is sent, if the active security association exists or the security association
is established from the negotiation.
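The gating sequence described above, modelled as an added example that is not part of the patent or any real IPsec stack: a socket request is held until an active SA covers its flow, a policy lookup decides whether to trigger negotiation, and the application's packet is never put on the wire before the SA exists, so there is nothing to retransmit. The flow tuple, policy names and the `FakeIKE` negotiator are constructed for illustration; treating a flow with no policy as blocked is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Flow selector (protocol, source, destination, destination port); constructed for the example.
Flow = Tuple[str, str, str, int]


class FakeIKE:
    """Stand-in for the SA negotiation component; succeeds only for known policies."""

    def __init__(self, reachable: Dict[str, str]):
        self.reachable = reachable  # policy name -> SPI label handed back on success
        self.calls = 0

    def __call__(self, flow: Flow, policy: str) -> Optional[str]:
        self.calls += 1
        return self.reachable.get(policy)


@dataclass
class SocketGate:
    """Intercepts connect()/sendto() and only lets them proceed under an active SA."""

    policies: Dict[Flow, str]
    negotiate: Callable[[Flow, str], Optional[str]]
    active_sas: Dict[Flow, str] = field(default_factory=dict)
    wire_sends: List[Flow] = field(default_factory=list)  # packets actually transmitted

    def request(self, flow: Flow) -> str:
        """Return 'allowed' (packet sent under an SA) or 'blocked' (nothing sent)."""
        if flow not in self.active_sas:
            # No SA: hold the request instead of emitting a SYN / datagram that
            # the IPsec layer would drop and the transport would then retransmit.
            policy = self.policies.get(flow)
            if policy is None:
                return "blocked"  # assumption: no policy means no SA will ever exist
            spi = self.negotiate(flow, policy)
            if spi is None:
                return "blocked"  # negotiation failed; still nothing on the wire
            self.active_sas[flow] = spi
        self.wire_sends.append(flow)  # first transmission happens only here
        return "allowed"


def demo() -> Tuple[str, str, str, int, int]:
    """Run one protected TCP flow twice, one unprotected UDP flow; return outcomes."""
    tcp = ("tcp", "10.0.0.1", "10.0.0.2", 443)
    udp = ("udp", "10.0.0.1", "10.0.0.3", 53)
    ike = FakeIKE({"esp-tunnel": "spi-0x1001"})
    gate = SocketGate(policies={tcp: "esp-tunnel"}, negotiate=ike)
    first, second, third = gate.request(tcp), gate.request(tcp), gate.request(udp)
    return first, second, third, ike.calls, len(gate.wire_sends)
```

`demo()` returns `("allowed", "allowed", "blocked", 1, 2)`: the SA is negotiated once, reused on the second request, and the unprotected UDP flow never reaches the wire.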