"IPsec IS HARD!"


IPsec and IKE are very complex protocols 
hard to understand
designed by comitee
overengineered and unnecessary complex
confusing and contradicting terminology
can't be defined in a single RFC!
"IPsec protocols were originally defined by RFCs 1825 & 1829, published in 1995. In 1998, these documents were obsoleted by RFC 2401 RFC 2412, which are not compatible with RFC 1825 & RFC 1829, although they are conceptually identical. In December 2005, third-generation documents, RFC 4301 & RFC 4309, were produced. They are largely a superset of RFC 2401 & RFC 2412, but provide a second Internet Key Exchange standard. ... It is unusual to see any product that offers support for RFCs 1825 & 1829. .ESP. generally refers to RFC 2406, while ESPbis refers to RFC 4303." (Wikipedia)


this has lead to multiple implementations with varying levels of usability and code quality 
Microsoft Windows 2000/XP: 36 steps for a single tunnel!

not even OpenBSD's isakmpd.conf was immune to being complex

but things have changed!