2nd July 2009
jggimi

Firewalls in "public" places, such as WiFi hotspots, will not block ESP/AH packets, because otherwise their customers would not be able to connect to their corporate VPNs.

Where IPSec may have FW trouble is when you are behind someone else's corporate firewall -- as a visitor, for example. Their network, their rules.

NAT transition may be a problem, depending on the NAT router/gateway and its limitations (e.g.: SOHO router with a maximum of one IPSec tunnel at a time), or on limitations for NAT transition due to the specific VPN configuration.

As for OpenVPN and certificates: it's been so long since I've dealt with OpenVPN, I no longer recall if certs were mandatory. Consider that you're using SSL or TLS, where authentication by cert is baked right in. Certs are relatively easy to create. If you Google for "OpenVPN OpenBSD" you'll find several how-to's -- I haven't read them, so there's no guarantee, of course, that any of them are up to date, accurate, or useful.