On 04/05/2016 12:30 PM, Gordon Messmer wrote:
> IPSec is typically encapsulated on UDP port 4500, due to the ubiquity
> of NAT. OpenVPN doesn't really have an advantage, there.

IPSec and OpenVPN (and the others) each have their use cases. I have had experience with IPSec (via SmoothWall's SmoothTunnel implementation), Cisco's VPN implementation, and the commercial OpenVPN Access Server, and I have found OpenVPN AS the easiest to support for the road warrior use case, including and especially wifi and 3G/4G connected iOS and Android devices. OpenVPN AS will listen on TCP port 443, and virtually no one blocks TCP/443 (although you do lose some tunnel functionality with TCP encapsulation).

I did have numerous issues with the road warrior cases with the IPSec solution, many of which were firewall/captive portal issues and not issues with the otherwise excellent SmoothTunnel. I will admit that I have not tried an IPsec solution in a while, but I haven't had the need to do so, either.

OpenVPN AS takes all the hard parts out of the server-side config, and it works well on CentOS 7 (which is the platform on which I am running the server).

For point-to-point remote offices, I deploy small routers running DD-WRT, which has a reasonable OpenVPN client that works well once you get it working initially. It isn't necessarily the easiest to get working, though.