
iirc, ipsec is considered somewhat of a security nightmare by modern standards, given that it is difficult to fully understand and very easy to misconfigure in an insecure way. I would only recommend using ipsec over wireguard when legacy compat matters.



It is. Even the companies I integrate with that require it know it's full of pitfalls. When you've been doing ipsec for two decades and it's a checkbox in your compliance sheet though, you check the box and hopefully you're good at it by now.


IKEv2 can be configured securely, but by someone that is familiar with that particular minefield. Both on Windows and macOS the GUIs configure weaker security by default (the cynic may wonder why!).

On macOS you can use Apple Configurator / Apple Profile Manager, and on Windows PowerShell, to configure stronger security.

The nice thing with WireGuard is it’s either secure or it’s off.

As you say, it’s easy to misconfigure IPSec and the number of experts gets smaller day by day.
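The Windows PowerShell route mentioned in the comment above, as an added example that is not part of the thread: it reports which IKEv2 connections have no explicit IPsec policy, then pins one proposal on a single connection. The connection name `Corp-IKEv2` and the chosen algorithm set are assumptions of this example.

```powershell
# Added example, not from the thread. 'Corp-IKEv2' is a placeholder name.
$Name = 'Corp-IKEv2'

# Report every IKEv2 connection of the current user and whether an explicit
# IPsec policy is set. Without one, the client negotiates its built-in
# default proposals instead of a pinned algorithm set.
function Get-IkeV2PolicyReport {
    Get-VpnConnection |
        Where-Object { "$($_.TunnelType)" -eq 'Ikev2' } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                ServerAddress   = $_.ServerAddress
                HasCustomPolicy = $null -ne $_.IPSecCustomPolicy
                Policy          = $_.IPSecCustomPolicy
            }
        }
}

Get-IkeV2PolicyReport | Format-List

# Pin a single proposal for the IKE SA and the ESP (child) SA.
# The algorithm choice is this example's assumption; the VPN server must
# offer the same proposal or the tunnel will fail to negotiate.
$policy = @{
    ConnectionName                   = $Name
    EncryptionMethod                 = 'AES256'     # IKE SA encryption
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity
    DHGroup                          = 'ECP384'     # IKE key exchange
    CipherTransformConstants         = 'AES256'     # ESP encryption
    AuthenticationTransformConstants = 'SHA256128'  # ESP integrity
    PfsGroup                         = 'ECP384'     # PFS on rekey
}
Set-VpnConnectionIPsecConfiguration @policy -PassThru -Force

# Confirm the custom policy is now attached to the connection.
(Get-VpnConnection -Name $Name).IPSecCustomPolicy
```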



