IPSec/IKEv2 is not breaking anything; maybe it just won't set up a tunnel. Maybe a better analogy: we don't say the same thing about, for example, a piano: "it should only be able to be used correctly". You have to study and practice a bit before you can play a somewhat decent piece; without study, no piano playing. The same for IPSec/IKEv2: without study, no tunnel. Every VPN protocol needs a bit of study, maybe some protocols a bit more than others. We have a Dutch saying: "Als een boer niet kan zwemmen ligt het aan zijn zwembroek", which translates to something like: "If a farmer can't swim, it's because of his swimming trunks".
If you want out-of-the-box VPN solutions, you go to a VPN provider and download their apps. ;-o
But there's no value in IPsec being like a piano. Continuing the analogy, nearly everyone would be playing the exact same handful of songs in the exact same way, and if they don't, they're doing it wrong. Why on earth do you have to learn to play an instrument like that?
You don't want core pieces of security technology to have room for creativity.
Yes, I guess the analogy has its limits. (-:
The only point I'm trying to make is that no VPN protocol is an out-of-the-box solution. And mind you, I'm talking about the protocol; the out-of-the-box solution "Tailscale", for example, is not a protocol, it's an app with WireGuard at its core and added proprietary functionality to make it work out of the box. WireGuard as a protocol is possibly the easiest to set up; IPSec/IKEv2 might be the most challenging to set up. On the other hand, WireGuard has limited capabilities; IPSec/IKEv2 has a bit more. More capabilities for IPSec/IKEv2 come with more study and practice.
Then it's you breaking things because of a lack of understanding, not IPSec/IKEv2. The same way no dishwasher is going to break plates, unless you throw them in with force yourself.
You missed the point. It shouldn’t be so easy to configure it incorrectly so it breaks security. A dishwasher shouldn’t have buttons that combine to break your dishes.
Your defense of “you don’t understand it” is exactly the problem. That’s an argument in support of my point, not against it.
Okay, how about a different analogy then. Seatbelts.
WireGuard is a seatbelt where you plug the latch plate into the buckle, it lets out an audible "click", and you're secured. If you fail to secure it properly, the latch plate will not be held by the buckle and will retract. It will be immediately obvious that you aren't secured, and the car will refuse to move until the problem is resolved.
IPSec is a seatbelt where the process of putting the latch plate into the buckle requires adjusting several knobs on the buckle to the correct setting depending on your specific size and weight and then placing the latch plate into the buckle at the _exact_ right angle. The settings of these knobs and the angle required differs slightly or significantly between manufacturers as well as model years.
With the IPSec seatbelt, failing to perform these steps correctly often results in the buckle failing to engage and the car failing to start. But sometimes it also results in the buckle letting out a "click" and appearing to be latched while not being properly engaged and able to protect you in a crash. This counts as buckled as far as the car is concerned, though, and it's happy to let you drive this way.
Well, what if I _want_ to drive around with only the appearance of a seatbelt without the safety of it, huh? WireGuard won't let me do that!
Sure, there are _very_ specific situations where IPSec is the only option to implement what we need. Great, I'm glad it exists to cover off those use cases.
But when everyone's getting the common case wrong in subtle and dangerous ways, the answer isn't "well, it's as complicated as brain surgery, get good, scrub" (I can't imagine how you think that's a defense of IPSec). It's possible to design a system that allows a secure tunnel _without_ the complexity and massive number of footguns (see: WireGuard). For most use cases, that makes IPSec defective by design.
If GM designed their cars to have as many buttons and knobs as a 747 cockpit, they would never make it to market. Manufacturers have been forced to recall vehicles for much less[0].
By all means, continue to use it, but expecting people to learn brain surgery to set up a secure tunnel is and should be a non-starter.
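Editor's note, added to the thread and not part of any commenter's post: the "clicks but isn't latched" failure mode above has a concrete shape. The fragments below are constructed examples (hostnames, identities and keys are placeholders, not real deployments) in WireGuard's wg-quick format and strongSwan's legacy ipsec.conf format. The WireGuard side has no algorithm knobs at all; a wrong or missing key simply yields no handshake and no traffic. The first strongSwan `conn` will happily negotiate with a peer that offers the same proposals, yet it uses 3DES, SHA-1 and a 1024-bit MODP group, which is exactly the "appears latched" outcome the comment describes. The second `conn` pins modern proposals; the trailing `!` matters because without it strongSwan appends its built-in default proposal set, so the remote side can still select something you never listed.

```ini
# --- WireGuard (wg-quick), constructed example: the only things you can get
# wrong are the keys and AllowedIPs, and wrong keys fail closed (no handshake).
[Interface]
PrivateKey = <base64 private key, generated with `wg genkey`>
Address    = 10.8.0.2/32
ListenPort = 51820

[Peer]
PublicKey  = <peer's base64 public key, from `wg pubkey`>
Endpoint   = vpn.example.net:51820      # placeholder hostname
AllowedIPs = 10.8.0.0/24                # acts as both routing table and ACL
PersistentKeepalive = 25

# --- strongSwan ipsec.conf, constructed example.
# BAD: tunnel comes up and `ipsec status` reports ESTABLISHED, but the
# negotiated suite is 3DES / SHA-1 / MODP-1024 (Logjam-class group).
conn office-weak
    keyexchange=ikev2
    authby=psk                          # shared secret, no identity binding
    left=%defaultroute
    leftid=@client.example.net          # placeholder identity
    right=vpn.example.net               # placeholder gateway
    rightid=@vpn.example.net
    ike=3des-sha1-modp1024              # no "!": defaults are appended too
    esp=3des-sha1
    auto=start

# CORRECTED: certificate auth, AEAD suites, 384-bit EC group, strict ("!")
# proposal lists so nothing outside this set can be negotiated.
conn office-strict
    keyexchange=ikev2
    authby=pubkey
    left=%defaultroute
    leftcert=client.pem                 # placeholder cert file
    leftid=@client.example.net
    right=vpn.example.net
    rightid=@vpn.example.net
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    auto=start
```

The practical check is the same for either stack: do not trust "up". For WireGuard, `wg show` must list a recent `latest handshake` for the peer; for strongSwan, `ipsec statusall` (or `swanctl --list-sas`) must show the exact IKE and ESP proposals you intended, not merely an ESTABLISHED state.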