If a country wants to stop either all citizens or a specific individual from being able to communicate using IPSec, I think a good place for them to start would be the ISPs.  Since ISPs by nature of the service they provide have access to the inbound and outbound traffic their clients are generating, working with them would give a government the means to stop its citizens from using IPSec to securely communicate internationally.

Since ISPs are responsible for choosing the route your data takes and forwarding it along that route, they can inspect inbound and outbound traffic and simply choose not to forward packets they don’t want to.  The ability to modify your data in transit is a corollary of their ability to sniff and drop your traffic.

It is not very difficult for an ISP to set up some sort of rule-based filtering restrictions on traffic, and I would not be surprised to learn that most ISPs these days already have systems like this in place which can operate on multiple sets of complex dynamic rules.

In the case of IPSec, both tunnel mode and transport mode require a visible IPSec header (AH or ESP), carried in an IP packet whose outer header is not encrypted.  Routers that receive the packet must be able to determine what to do with it even if it is not for them, so the outer IP header, including the protocol field that marks the payload as AH or ESP, and the SPI and sequence number at the front of the IPSec header travel in plain text.  This means the IPSec header will be plain text readable by the ISPs, and a good starting point for building a rule to filter out IPSec traffic.
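To make the point above concrete, the following is an added example (not code from the original post) showing exactly what an on-path observer such as an ISP can read from an IPSec packet without any keys: the outer IPv4 header, the protocol number that identifies AH or ESP, and the SPI and sequence number at the start of the IPSec header. The same visibility is what a defender uses to inventory or detect IPSec sessions on a network. The packets in `SAMPLE_PACKETS` are constructed inline with placeholder ciphertext, zeroed checksums and made-up addresses and SPIs; nothing is captured from a real network.

```python
"""Classify IPv4 packets by their plaintext headers: ESP, AH, IKE, or other."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA protocol numbers and the well-known IKE/NAT-T UDP ports.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORTS = {500, 4500}


@dataclass
class Verdict:
    src: str
    dst: str
    kind: str                 # "esp", "ah", "ike" or "other"
    spi: Optional[int] = None  # only for esp/ah; always sent in the clear
    seq: Optional[int] = None  # only for esp/ah; always sent in the clear


def _ip_str(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def classify(packet: bytes) -> Verdict:
    """Read only the fields that are never encrypted and decide what this packet is."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:total_len]
    src_s, dst_s = _ip_str(src), _ip_str(dst)

    if proto == IPPROTO_ESP:
        # ESP (RFC 4303): SPI and sequence number precede the ciphertext.
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        return Verdict(src_s, dst_s, "esp", spi, seq)

    if proto == IPPROTO_AH:
        # AH (RFC 4302): next header, payload length, reserved, SPI, sequence, ICV.
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        _next, _plen, _rsv, spi, seq = struct.unpack("!BBHII", payload[:12])
        return Verdict(src_s, dst_s, "ah", spi, seq)

    if proto == IPPROTO_UDP and len(payload) >= 8:
        # IKE negotiation (and ESP-in-UDP for NAT traversal) uses ports 500/4500.
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return Verdict(src_s, dst_s, "ike")

    return Verdict(src_s, dst_s, "other")


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count packets per category, as a traffic-inventory report would."""
    return dict(Counter(classify(p).kind for p in packets))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the examples: no options, checksum left at zero."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, to_bytes(src), to_bytes(dst))
    return header + payload


# Constructed sample traffic (addresses, SPIs and payload bytes are made up).
SAMPLE_PACKETS = [
    # ESP: SPI 0x0001ABCD, sequence 42, followed by opaque placeholder ciphertext.
    build_ipv4(IPPROTO_ESP, "192.0.2.10", "198.51.100.20",
               struct.pack("!II", 0x0001ABCD, 42) + b"\x00" * 16),
    # AH: next header TCP, payload length 4 (24 bytes total), SPI 0x12345678, seq 7, 12-byte ICV.
    build_ipv4(IPPROTO_AH, "192.0.2.10", "198.51.100.20",
               struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x12345678, 7) + b"\x00" * 12),
    # IKE: UDP 500 -> 500 with a placeholder body.
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.20",
               struct.pack("!HHHH", 500, 500, 8 + 28, 0) + b"\x00" * 28),
    # Ordinary TCP SYN to port 443: not IPSec.
    build_ipv4(IPPROTO_TCP, "192.0.2.10", "203.0.113.5",
               struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify(pkt))
    print(summarize(SAMPLE_PACKETS))
```

Note what the classifier does not see: in ESP everything after the sequence number is ciphertext, so in tunnel mode the inner IP header and real endpoints stay hidden, and an observer learns only the outer addresses, the SPI, the sequence number and packet sizes. That is enough to match a "drop protocol 50/51 and UDP 500/4500" rule, which is the filtering scenario the post describes, but not enough to read the protected traffic.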