At the expense of latency and performance, OpenVPN can run in purely TCP mode, which is more likely to survive shitty wifi connections and aggressive/stupid captive portal wifi and firewalls/NATs like you might find in an airport. I have an OpenVPN server running its public interface on port 443 in TCP mode, which is frequently accessible when IPsec stuff is blocked.
> [...] openvpn can run in purely TCP mode which is more likely to survive shitty wifi connections and aggressive/stupid captive portal wifi and firewalls/NATs like you might find in an airport [...]
That's contrary to my own experience, hence my original post. Obviously I've not been to every airport, but I've been to a handful of different ones over the last decade, and I've never had problems with IPsec. And IME airport / coffee shop / hotel WiFi are usually not the ones most locked down, but corporate guest WiFi. The last one I used blocked everything except TCP port 80, 443...and UDP port 500, 1723, and 4500.
I used to run OpenVPN to my home network, since that's the general recommendation, and Cisco VPN to the school, and later work, networks, and I've had more connectivity issues with OpenVPN. Switching to one of ports 53, 80, or 443 generally works, but Cisco VPN always "just works"...connectivity wise anyway. The client software broke like every other minor OS update. I even switched to PPTP for a while, because it'd also always worked, plus support was built into the OS. And that's what drew my attention to L2TP/IPsec.
Finally, when Tunnelblick stopped working after one of the OS X major upgrades, I looked into setting up L2TP/IPsec, and have been using it since.
Maybe IPsec is more often blocked in Europe / Asia / Africa?
OpenVPN can also be used with obfsproxy.