IPsec over L2TP - strongswan vs libreswan vs openswan - how do I choose?

Can somebody point me to a current comparison of implemented features, stability, etc. to help me choose which S/WAN provider I should be using? There is so much conflicting information from the last decade or more that it’s very difficult to make a decision.

There are oodles and oodles of recommendations and detailed guides and reviews to help make informed decisions about how to provide VPN services, but the information from the client perspective is much more scattered and harder to compare.

The dominant VPN type (client/server as opposed to site-to-site peer links) is L2TP with IPsec (Ubiquiti and other mid-tier hardware vendors all prefer this method); however, I have recently run into issues with strongswan on some clients and found it very hard to diagnose once it goes wrong. When I did some reading I found articles suggesting that strongswan was a bit unstable and an inferior choice, but they gave little specific guidance about what to choose.

So, what S/WAN libraries do others choose? Can anyone provide some guidance?

Android 12 and later no longer let you add L2TP/IPsec VPN connections manually from the device settings. Android 12 will still keep your old settings working if your device is upgraded from an earlier version. With Android 12, Google added support for IPsec IKEv2 which is more secure (and battery-efficient).

On Linux, libreswan and strongswan maintainers strongly recommend moving away from L2TP/IPsec to IKEv2.

openswan is not used much these days. Some hardware vendors use strongswan for their VPN implementation, others use libreswan, some still use racoon, and some use proprietary implementations.

Some Linux distros like Manjaro build all the experimental strongswan plugins which are normally not built by default, with some of the experimental plugins being problematic or requiring additional configuration. Newer versions of libreswan no longer build DH2 (modp1024) support by default, so interoperability with old L2TP/IPsec servers that are using the weak modp1024 algorithm is not possible, although I think the libreswan in AUR is built with DH2 support.

It’s an open-ended question in regard to stability; there are so many variables.
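The reply above names the concrete things that make an old L2TP/IPsec profile fail or stay weak on a current libreswan/strongswan build: DH2 (modp1024) in the IKE proposal, IKEv1, and the UDP 1701 transport-mode conn that L2TP rides on. As an added example (not part of this thread, and not code from either project), here is a small Python audit that parses an ipsec.conf in the indented `conn` format both daemons accept and reports those settings per connection. The sample configuration embedded in it is constructed for the demo; the list of "weak" tokens is this example's own choice (modp1024 from the reply, plus the legacy 3DES/MD5/SHA1 choices that usually sit beside it).

```python
"""Audit an ipsec.conf (libreswan/strongswan classic format) for legacy
L2TP/IPsec settings: weak DH groups, IKEv1, and UDP 1701 transport conns.
Added example; the sample config below is constructed, not a real deployment."""
import re
from typing import Dict, List

# Constructed sample: one legacy L2TP/IPsec conn using DH2 (modp1024),
# one IKEv2 road-warrior conn with current algorithms.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no

conn l2tp-legacy
    type=transport
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    right=203.0.113.10
    rightprotoport=17/1701
    ike=aes128-sha1;modp1024      # libreswan syntax: DH group after ';'
    phase2alg=aes128-sha1

conn ikev2-client
    keyexchange=ikev2
    left=%defaultroute
    right=vpn.example.net
    ike=aes256-sha256;modp2048
    esp=aes256gcm16
    auto=add
"""

# Tokens this audit treats as weak. modp1024 (DH2) is the one the reply says
# libreswan no longer builds by default; the others are legacy choices that
# commonly appear in the same old L2TP/IPsec profiles.
WEAK_TOKENS = {"modp1024", "modp768", "3des", "md5", "sha1"}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn <name>' sections into {name: {key: value}}.

    Section headers start in column 0; key=value lines are indented.
    'config setup' and '#' comments are skipped.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def proposal_tokens(value: str) -> List[str]:
    """Split an ike=/esp=/phase2alg= proposal into algorithm tokens.

    libreswan separates the DH group with ';', strongswan with '-'; both use
    ',' between alternative proposals. A trailing '!' is strongswan's
    strict-proposal marker and is dropped.
    """
    return [t for t in re.split(r"[;,\-]", value.rstrip("!").lower()) if t]


def audit(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {conn_name: [finding, ...]}; an empty list means nothing flagged."""
    findings: Dict[str, List[str]] = {}
    for name, kv in conns.items():
        issues: List[str] = []
        for key in ("ike", "esp", "phase2alg"):
            if key in kv:
                weak = sorted(set(proposal_tokens(kv[key])) & WEAK_TOKENS)
                if weak:
                    issues.append(f"{key} uses weak algorithms: {', '.join(weak)}")
        # Only flag an explicit IKEv1 choice; both daemons default to IKEv2 now.
        if kv.get("keyexchange") == "ikev1" or kv.get("ikev2") in ("no", "never"):
            issues.append("IKEv1 explicitly selected; migrate to IKEv2")
        ports = (kv.get("leftprotoport", ""), kv.get("rightprotoport", ""))
        if any(p.endswith("/1701") for p in ports):
            issues.append("L2TP/IPsec transport profile (UDP 1701); consider native IKEv2")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for conn, issues in audit(parse_conns(SAMPLE_IPSEC_CONF)).items():
        print(conn, "->", issues or "ok")
```

Run it against a real `/etc/ipsec.conf` by replacing `SAMPLE_IPSEC_CONF` with the file contents; strongswan's newer `swanctl.conf` uses a different, brace-based format and would need its own parser.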

Doug,

Thanks for the great response! You’ve managed to confirm many of my suspicions and to answer the questions I asked and the questions I should have asked.

The router vendor in question is Ubiquiti. On their UniFi range they have three VPN options: Teleport, a proprietary VPN client app for mobile devices, L2TP for clients other than Android and iOS, and OpenVPN for site-to-site VPNs.

To use the OpenVPN option I need to define each client as a separate site, and that quickly spirals out of control in terms of management.

It’s looking more and more like I need to rent a Linode and run my own VPN server and then OpenVPN that back to the UniFi routers. I could try lobbying Ubiquiti to move away from L2TP, but I suspect I have about as much chance as encountering a flying pig.

The worst part is I knew half of this already, and suspected a lot of the rest. But then I come along and find a hardware vendor confidently selling L2TP hardware (not even SSTP) and I suddenly ask “am I the crazy one? Surely a giant brand selling thousands of units wouldn’t be doing something stupid?”

It’s bizarre to me that hardware vendors today, post COVID and with so many people working from home or on the road, still treat client VPNs like some sort of niche issue.

So, if I go down the road of running my own VPN endpoint… what is the best way? OpenVPN with OVPN-Admin for doing management tasks? It seems like OpenVPN is yet another Open Source project that is gradually being commercialised, and that’s usually a sign to start moving away from it (like MySQL and MariaDB).

I guess I need to find a better forum for that discussion. I will end here by saying: thanks for taking the time to make such a helpful reply!