diff --git a/roles/strongswan-swanctl/files/esp4.modules-load.conf b/roles/strongswan-swanctl/files/esp4.modules-load.conf
new file mode 100644
index 0000000..483e5ca
--- /dev/null
+++ b/roles/strongswan-swanctl/files/esp4.modules-load.conf
@@ -0,0 +1,2 @@
+# esp4.ko is required for IPsec ESP VPN connections
+esp4
diff --git a/roles/strongswan-swanctl/handlers/main.yml b/roles/strongswan-swanctl/handlers/main.yml
new file mode 100644
index 0000000..e6bf8ff
--- /dev/null
+++ b/roles/strongswan-swanctl/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: load esp4 kernel module
+  command: modprobe esp4
diff --git a/roles/strongswan-swanctl/tasks/main.yml b/roles/strongswan-swanctl/tasks/main.yml
index 3fb1dac..e81b948 100644
--- a/roles/strongswan-swanctl/tasks/main.yml
+++ b/roles/strongswan-swanctl/tasks/main.yml
@@ -5,6 +5,14 @@
   tags:
   - install
 
+- name: ensure esp4 module is configured to load at boot
+  copy:
+    src: esp4.modules-load.conf
+    dest: /etc/modules-load.d/esp4.conf
+    mode: '0644'
+  notify:
+  - load esp4 kernel module
+
 - name: ensure strongswan starts at boot
   service:
     name: strongswan