I have been using transport-mode IPsec for years, with racoon with psk or with certificates, to protect traffic for an unusual remote filesystem that lacks adequate native security. I have also been using tunnel-mode in a normal VPN situation. All of this has been with the KAME-derived IPsec implementation ("options IPSEC"). I've run this on i386 and sparc64, with no real problems. The documentation seems adequate for those who are familiar with the standards. I have not looked at from the point of view of someone who doesn't really understand IPsec to start with. Certificate handling in racoon is messy. Part of this is that there's no clear plan (in the wider world) for what kind of certificate one should have to allow which kind of IPsec SA to be instantiated. The other issue is that I am not clear on if there is adequate support dynamic-remote-peer VPN (road warrior type, vs site-site), which often involves provisioning a private/internal address for the remote host to use inside a tunnel.
Description: PGP signature