by RJIb8RBYxzAMX9u 3443 days ago
Genuine question: why's OpenVPN so popular over L2TP/IPsec? Configuration on the server side is maybe a little more complicated, but configuration on the client side is super simple, as all major OSes, mobile or otherwise, have support built in.

I've read arguments that firewalls tend to block IPsec packets, but there's also UDP encapsulation. And IME, I've never had connectivity issues, from multiple random coffee shop / airport WiFi networks, in multiple countries. I suspect it's because Cisco's VPN product used to (still does?) use IPsec, just with proprietary authentication schemes, and a lot of businesses use it, so most firewalls are configured to let it through.

2 comments

L2TP/IPsec is obsolete; by itself it does NOT provide encryption or confidentiality to traffic that passes through it. L2TP/IPsec encapsulates data twice at layer 2, which has pros and cons. See this (may be outdated) -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...

IKEv{1,2} + IPsec (ESP) (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...): good documentation, use cases and examples etc., actively developed and maintained by a group of passionate developers who know the stuff well.

My employer (pre-IPO startup) has been using strongSwan for 2+ years as a site-to-site solution from AWS VPC to on-premises data centres (or other cloud virtual networks), and it has proved to be rock solid as long as it's properly configured (pretty much all outages were caused by AWS...) ;-)

The only drawback is that strongSwan currently does NOT have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution (not sure if it is something similar to VRRP - curious to know more - PLEASE comment) will be built on top and later productized ;-)

In addition: I myself have been using strongSwan since its 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where the infamous GFW is in place...). The native strongSwan client for Android is a killer feature, RSA authentication with X509 certificates works flawlessly with 1 click ;-)

BTW: OpenVPN is an SSL VPN, relatively easy to install and configure, and that's why it's more popular (remote access). IPsec works at the IP layer (layer 3); generally speaking it requires deeper networking knowledge and more experience to get things right. OpenVPN is harder to block as it can disguise itself as HTTPS (TLS) or other traffic, while IPsec requires UDP ports 500 (IKE) and 4500 (NAT-T) to work, which is easier to block.

HTH
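The setup the comment above describes (IKEv2 + ESP in tunnel mode, certificate authentication, site-to-site between an AWS VPC and an on-premises network), written out as a strongSwan 5.x ipsec.conf. This is an added example, not the commenter's configuration or anything from the strongSwan project; the hostnames, addresses, subnets and certificate file names are placeholders chosen for illustration.

```conf
# /etc/ipsec.conf  (strongSwan 5.x, legacy ipsec.conf/stroke syntax)
#
# Assumed topology (placeholders, not real addresses):
#   AWS side:  EC2 gateway with private IP in 10.0.0.0/16, behind an Elastic IP (1:1 NAT)
#   DC side:   on-prem gateway 203.0.113.10, fronting 192.168.0.0/16
#
# Security groups / firewalls must allow UDP 500 (IKE) and UDP 4500 (NAT-T).
# Because the EC2 instance sits behind 1:1 NAT, IKE detects NAT and ESP is
# UDP-encapsulated on 4500, so raw ESP (IP protocol 50) need not be opened.

config setup
    # keep logging modest in production; raise "ike" to 2 only while debugging
    charondebug="ike 1, cfg 0, net 0"
    uniqueids=yes

conn aws-to-dc
    keyexchange=ikev2
    type=tunnel
    # Mutual X.509 (RSA) authentication; the CA cert lives in /etc/ipsec.d/cacerts,
    # the gateway cert in /etc/ipsec.d/certs, the private key in /etc/ipsec.d/private.
    authby=pubkey
    # AEAD ciphersuite with an explicit PRF and PFS group; the trailing "!" makes
    # the proposal strict so a peer cannot negotiate something weaker.
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    # local (AWS) side: %defaultroute picks the instance's private IP; the peer
    # sees the Elastic IP, so identify by certificate subjectAltName, not address
    left=%defaultroute
    leftid=@vpn-aws.example.com
    leftcert=aws-gw.pem
    leftsubnet=10.0.0.0/16
    # remote (data centre) side
    right=203.0.113.10
    rightid=@vpn-dc.example.com
    rightsubnet=192.168.0.0/16
    # bring the tunnel up at start and re-establish it if DPD declares the peer dead
    auto=start
    dpdaction=restart
    dpddelay=30s
    rekey=yes
    ikelifetime=4h
    lifetime=1h
```

The matching /etc/ipsec.secrets needs only a line naming the private key, e.g. `: RSA aws-gw.key`. After `ipsec restart`, `ipsec statusall` should list `aws-to-dc` as ESTABLISHED with the child SA INSTALLED; if it hangs at "sending IKE_SA_INIT request", the usual cause is UDP 500/4500 not being reachable rather than a crypto mismatch.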

At the expense of latency and performance, OpenVPN can run in purely TCP mode, which is more likely to survive shitty WiFi connections and aggressive/stupid captive portal WiFi and firewalls/NATs like you might find in an airport. I have an OpenVPN server running its public interface on port 443 in TCP mode, which is frequently accessible when IPsec stuff is blocked.

OpenVPN can also be used with obfsproxy.
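What the comment above describes, an OpenVPN server listening on TCP/443 so it passes firewalls that only allow web traffic, as a server and client configuration pair. This is an added example, not the commenter's own config; the hostname, subnet and certificate file names are placeholders, and the `port-share` line is an optional addition (a real OpenVPN option) that lets a genuine HTTPS server keep using the same port.

```conf
# ---- /etc/openvpn/server.conf (server side) ----
port 443
# TCP mode: survives NATs/captive portals that drop UDP, at the cost of
# TCP-over-TCP retransmission stacking, so expect worse latency than "proto udp".
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0

# PKI: issue these with easy-rsa or your own CA; names are placeholders.
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
# HMAC on the TLS control channel: unauthenticated packets are dropped before
# the TLS handshake, which also makes the listener harder to fingerprint by probing.
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256

# Optional: anything that is not an OpenVPN client (e.g. a browser) gets
# forwarded to a real web server bound to loopback, so port 443 still serves HTTPS.
port-share 127.0.0.1 8443

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# ---- client.ovpn (client side) ----
client
dev tun
proto tcp-client
remote vpn.example.com 443
resolv-retry infinite
nobind
remote-cert-tls server
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
```

Note that this only makes the traffic look like a TLS session on port 443 to a port-based filter; a DPI middlebox can still distinguish OpenVPN's framing from a browser's TLS, which is where the obfsproxy wrapper the comment mentions comes in.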

> [...] openvpn can run in purely TCP mode which is more likely to survive shitty wifi connections and aggressive/stupid captive portal wifi and firewalls/NATs like you might find in an airport [...]

That's contrary to my own experience, hence my original post. Obviously I've not been to every airport, but I've been to a handful of different ones over the last decade, and I've never had problems with IPsec. And IME airport / coffee shop / hotel WiFi are usually not the ones most locked down; corporate guest WiFi is. The last one I used blocked everything except TCP ports 80 and 443...and UDP ports 500, 1723, and 4500.

I used to run OpenVPN to my home network, since that's the general recommendation, and Cisco VPN to the school, and later work, networks, and I've had more connectivity issues with OpenVPN. Switching to one of ports 53, 80, or 443 generally works, but Cisco VPN always "just works"...connectivity wise anyway. The client software broke like every other minor OS update. I even switched to PPTP for a while, because it'd also always worked, plus support was built into the OS. And that's what drew my attention to L2TP/IPsec.

Finally, when Tunnelblick stopped working after one of the OS X major upgrades, I looked into setting up L2TP/IPsec, and have been using it since.

Maybe IPsec is more often blocked in Europe / Asia / Africa?