I saw both articles as being driven by ego, a whole lotta handwaving and a lot of misunderstanding (deliberate and otherwise) on both sides. It’s also important to recognize that technical decisions are made on the basis of emotion, ego, ignorance, and imposter syndrome.
Let me illustrate why I say technical decisions are made based on ego and emotion through my tale of why I forking hate IPSec to the ends of the earth and if I could burn away anything or any knowledge related to IPSec, it would be a good way to spend my life.
Back when I was working with IPCop, we recognized that IPSec was a cluster fark. I tried really, really hard to make an incredibly simple user interface that solved the net-to-net problem. I almost succeeded, but to be fair, it still took at least an hour of digging around to make it work.
Fast forward to today. In the past year alone IPSec has cost me close to $8000 in lost billable time. Every implementation I encounter is different and incompatible. Every vendor swears they are fully adherent to the standard. This means either they are completely full of crap or the standard is so bad it makes a dog’s breakfast look appealing.
My latest loss was trying to connect two IPFire systems to each other by IPSec and also to a Cisco AS5508.
Problem 1) You can’t run IPSec over a red interface using DHCP. This only happens when IPSec is active: every time Comcast does a DHCP lease renewal, the red interface is shut down and restarted, which temporarily breaks the VPN. If you have any persistent connection such as SSH, it fails.
I need to try and see if IPFire does the same interface-breaking trick with OpenVPN. I’m more than willing to dig into the problem myself, but there’s some demon triggering the interface shutdown that I haven’t been able to figure out yet.
Problem 2) IPFire to IPFire. Should be simple, but no. It runs for a while and then stops. Nothing’s changed. It just stops working. I kicked both ends; sometimes it restarts, sometimes it doesn’t. Thankfully OpenVPN is a couple of orders of magnitude more reliable, so I was able to ditch IPSec in that circumstance.
Problem 3) One of the times I briefly got IPFire IPSec talking to the Cisco box, it would run fine for about three hours and then the key negotiation sequence would fail, the connection would break and then it would restart. For a month or two no one could track it down; all we knew was that SSH connections to the data center were breaking. This one did serious damage to my client’s business, caused me serious reputation damage, and I had to compensate them by giving them between $5000 and $6000 of free consulting.
You know what the reliable solution was? Running an OpenVPN client net to net from one of the servers in the data center back to the office, plus a little bit of router magic in the rack. It’s a bit of a kludge, and I’m a little embarrassed to have to say it, but it took me an hour to get it to run and it just forking works.
WireGuard has its own challenges. It’s a different concept of a VPN than traditional ones. I am going to experiment with it and see if it’s more like OpenVPN or more like IPSec.
In conclusion, this is the year I tell IPSec to go fark itself, for no other reason than that it has driven me insane, cost me lots of money, and has been a complete and total forking pain in the ass. I hate it beyond all rational reason, and this is why I say technical decisions are made on emotion and ego dressed up in the language of capex and opex.