Abstract: TCP Performance Enhancement Proxy (TCP PEP) mechanisms have been proposed, and in some cases widely deployed, to improve TCP performance in all-IP wireless networks. However, this technique conflicts with IPsec, a standard IP security protocol that will make inroads into wireless networks. This paper analyzes the fundamental problem behind this conflict and develops a solution called ML-IPsec. The basic principle is to use a multi-layer protection model and fine-grained access control to make IP security protocols compatible with TCP PEP. It allows wireless network operators or service providers to grant base stations or wireless routers limited and controllable access to the TCP headers for performance enhancement purposes. Through careful design, implementation, and evaluation, we show that ML-IPsec can easily be added to existing IPsec software and that its overhead is low. We conclude that ML-IPsec can help wireless networks provide both security and performance.