by baby 3408 days ago
With the 4000 LOC Wireguard (https://www.wireguard.io/), what are the incentives to continue using IPsec or Strongswan?

7 comments

Because IPSec is natively supported by many OSes out-of-box, while Wireguard doesn't seem to have even third-party packages for many systems?
Sure, but if you care about security you won't mind installing it.
WireGuard is not production ready.

> Warning: WireGuard is currently under heavy development, and therefore any installation steps here should be considered as experimental. Please do not rely on WireGuard at this stage. We are rapidly working toward a first release that we will consider secure and ready for widespread usage, but that time has not yet come.

https://www.wireguard.io/install/

You don't get to install software if you only control your end of the tunnel — because the other end is either a proprietary appliance (e.g. a Cisco router; an AWS Virtual Private Gateway) or someone else's computer (e.g. some other org you're peering an [semi-isolated] part of your network with for a shared project.)
Install what? I can install it on GNU/Linux machines. But there are no Android[1], Windows or macOS or iOS packages.

[1] Well, it's theoretically possible to build a custom kernel for some devices, and manage VPN from terminal, but I'm not sure many would enjoy it this way.

I don't think I can install Wireguard on my Cisco ASAs or Juniper SRXes?
I don't see an iOS client.
Well, considering Wireguard says on their website "WireGuard is not yet complete. You should not rely on this code" ... I think the burden is on you to justify the comparison in the first place.
StrongSWAN (and IPSec in general) supports smartcards. WireGuard does not.

I've set up StrongSWAN using smartcards almost 15 years ago; at the time it was the only open source IPSec client that supported it. It was relatively easy to get going (the server was a Cisco VPN appliance, which I managed, and it was relatively easy to extract the relevant IKE profiles).

Can you clarify the point about the LOC? I don't understand why that would matter.

Oh, and where is Wireguard supported out of the box like IPsec is?

So, less code automagically makes it better. Ok.
Don't be flippant. Less LOC means that the code is easier to audit, unlike large and older codebases. Easily audited code is good for security.
It also means that the functionality may not be there yet. For example, Strongswan, OpenVPN etc. have already solved assignment of client IPs; with Wireguard you have to allocate them by hand in the config (good luck managing several hundred of them). Strongswan, OpenVPN, etc. have no problem operating the server with a dynamic IP (you just create a DNS record for the endpoint and update it whenever the IP changes); with Wireguard you must define the server IP by hand, and when it changes you must change the config and reload it.

Stuff like this is also a reason why Strongswan, OpenVPN, etc. have a bigger LOC count. I'm not saying that Wireguard is something bad; it just must go through a growing period, where it will gain additional LOC.
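The hand allocation of client addresses and the hand-maintained server endpoint that the comment above describes are straightforward to script outside of WireGuard itself. The following is an added example for this thread, not code from any commenter and not a tool from the WireGuard project: it hands out one /32 per peer from an address pool, refuses to continue on pool exhaustion or on a public key that appears twice (WireGuard identifies peers by public key, so a duplicate would make the second entry ambiguous), and renders the server-side [Peer] sections plus a matching client snippet. The peer names, keys and the endpoint are constructed placeholders, not valid keys or real hosts.

```python
"""Allocate per-peer WireGuard addresses from a pool and render config sections.

Added example; not a WireGuard project tool. All keys, names and the endpoint
are constructed placeholders (the keys are not valid Curve25519 keys).
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed roster of (peer name, base64 public key placeholder).
SAMPLE_PEERS = [
    ("alice-laptop", "PLACEHOLDER_PUBKEY_ALICE="),
    ("bob-phone", "PLACEHOLDER_PUBKEY_BOB="),
    ("ci-runner", "PLACEHOLDER_PUBKEY_CI="),
]

Allocation = Tuple[str, str, ipaddress.IPv4Address]


def allocate_peers(pool: str, peers: Iterable[Tuple[str, str]],
                   reserved: int = 1) -> List[Allocation]:
    """Give each peer the next free host address in `pool`.

    The first `reserved` host addresses are skipped (the server takes the
    first one). Raises ValueError when the pool runs out or when a public
    key is listed twice.
    """
    net = ipaddress.ip_network(pool, strict=True)
    hosts = list(net.hosts())[reserved:]
    roster = list(peers)
    if len(roster) > len(hosts):
        raise ValueError(
            f"{pool} has {len(hosts)} assignable addresses for {len(roster)} peers")
    seen = set()
    allocations: List[Allocation] = []
    for (name, pubkey), addr in zip(roster, hosts):
        if pubkey in seen:
            raise ValueError(f"duplicate public key on peer {name!r}")
        seen.add(pubkey)
        allocations.append((name, pubkey, addr))
    return allocations


def render_server_config(pool: str, listen_port: int,
                         allocations: List[Allocation]) -> str:
    """Render the server config with one [Peer] per client.

    AllowedIPs is the single /32 given to that peer, so the server only
    accepts decrypted packets from that peer whose source is its own address.
    """
    net = ipaddress.ip_network(pool, strict=True)
    server_addr = next(net.hosts())
    lines = [
        "[Interface]",
        f"Address = {server_addr}/{net.prefixlen}",
        f"ListenPort = {listen_port}",
        "PrivateKey = PLACEHOLDER_SERVER_PRIVKEY=",  # constructed placeholder
        "",
    ]
    for name, pubkey, addr in allocations:
        lines += ["[Peer]", f"# {name}", f"PublicKey = {pubkey}",
                  f"AllowedIPs = {addr}/32", ""]
    return "\n".join(lines)


def render_client_config(pool: str, allocation: Allocation,
                         server_pubkey: str, endpoint: str) -> str:
    """Render the matching client config; Endpoint is the server host:port
    that has to be edited by hand whenever the server address changes."""
    net = ipaddress.ip_network(pool, strict=True)
    name, _pubkey, addr = allocation
    return "\n".join([
        "[Interface]",
        f"# {name}",
        f"Address = {addr}/{net.prefixlen}",
        "PrivateKey = PLACEHOLDER_CLIENT_PRIVKEY=",  # constructed placeholder
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {net}",  # only the VPN subnet is routed through the tunnel
        "PersistentKeepalive = 25",
        "",
    ])


if __name__ == "__main__":
    allocs = allocate_peers("10.7.0.0/24", SAMPLE_PEERS)
    print(render_server_config("10.7.0.0/24", 51820, allocs))
    print(render_client_config("10.7.0.0/24", allocs[0],
                               "PLACEHOLDER_SERVER_PUBKEY=",
                               "vpn.example.invalid:51820"))
```

Regenerating the server file from a roster like this, rather than editing it by hand, keeps every peer's AllowedIPs pinned to exactly the address it was issued; the endpoint change the comment mentions still requires redistributing the client snippet.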

So, more code automagically makes it better. Ok.
Because I need something that is natively supported on phones and can be set to 'always on' on managed iOS devices.
You work in an industry like healthcare where it's IPSEC or bust for any tunneling.
For L2TP-over-IPSec, support for mobile devices, like iOS/Android, and relative simplicity of configuration for users (e.g. through provisioning profiles).