BITW ("bump in the wire") is easy to use. Trivial. It's just devices you insert in a point-to-point link to encrypt it. You don't even need IPsec for that, but whatever.
SG ("security gateway", aka VPN) is reasonably easy to use, especially if you assign users /32s (for IPv4) and inject those into your IGP -- then you cannot have the attack I mentioned.
Transport mode is very difficult to use correctly and safely, or even at all, in any network with more than a few nodes or with fluid IP address assignments.
For transport mode, the best answer, really, would be to use BTNS [0] and connection latching [1] so that you can just use IPsec from the application (via socket options or moral equivalent), performing channel binding to application-layer authentication, or else certificate chain validation and authorization at the application layer. But this hasn't been implemented. Solaris/Illumos has some IPsec-related socket options, and it will create and/or latch SPD entries (what traffic to protect and how), but not SAD entries (how to authenticate peers) nor PAD entries (how to authorize peers) -- i.e., half-way to RFC5660 :(
[0] https://tools.ietf.org/html/rfc5386
[1] https://tools.ietf.org/html/rfc5660
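To make the SPD/SAD/PAD split and the point of connection latching concrete, here is an added toy model (not the commenter's code, and not any real IPsec stack's logic). It simulates the case RFC 5660 is written for: an SPD entry only says "traffic to this address must be ESP-protected", so once a fluidly assigned address moves to a different authenticated peer, a new SA for that peer still satisfies the policy and the existing connection silently continues with the wrong peer. A latch records the peer identity the connection was first protected with and drops later segments that arrive on an SA with a different identity. All hosts, identities, SPIs and addresses below are constructed for the example.

```python
"""Toy model of IPsec policy lookups (SPD/SAD/PAD) with and without
RFC 5660-style connection latching.  Added illustration only: not code from
the comment above nor from any real IPsec implementation; hosts, identities,
SPIs and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """SAD entry: one negotiated SA.  peer_id is the identity IKE authenticated."""
    spi: int
    peer_addr: str
    peer_id: str
    proto: str  # "esp" or "ah"


@dataclass(frozen=True)
class Policy:
    """SPD entry: traffic to (raddr, rport) must be protected with `require`."""
    raddr: str
    rport: int
    require: str


@dataclass
class Latch:
    """RFC 5660 latch: the peer identity and protection a connection was first bound to."""
    peer_id: str
    proto: str


class Host:
    def __init__(self, pad):
        # PAD: authenticated identity -> networks it is authorized to negotiate SAs for
        self.pad = {pid: [ipaddress.ip_network(n) for n in nets] for pid, nets in pad.items()}
        self.spd = []       # list of Policy
        self.sad = {}       # spi -> SA
        self.latches = {}   # flow -> Latch


def authorize_sa(host, sa):
    """PAD check at SA setup: may this identity negotiate an SA for sa.peer_addr?"""
    addr = ipaddress.ip_address(sa.peer_addr)
    if not any(addr in net for net in host.pad.get(sa.peer_id, [])):
        return False
    host.sad[sa.spi] = sa
    return True


def spd_lookup(host, flow):
    raddr, rport = flow
    return next((p for p in host.spd if (p.raddr, p.rport) == (raddr, rport)), None)


def inbound(host, flow, spi, latching):
    """Classify one inbound segment for connection `flow` that arrived on SA `spi`."""
    sa = host.sad.get(spi)
    if sa is None:
        return "drop", "unknown SPI"
    policy = spd_lookup(host, flow)
    if policy is not None and sa.proto != policy.require:
        return "drop", f"SPD requires {policy.require}, got {sa.proto}"
    if not latching:
        return "accept", f"peer {sa.peer_id}"  # SPD satisfied; identity never compared
    latch = host.latches.get(flow)
    if latch is None:
        host.latches[flow] = Latch(sa.peer_id, sa.proto)
        return "accept", f"latched to {sa.peer_id}"
    if (latch.peer_id, latch.proto) != (sa.peer_id, sa.proto):
        return "drop", f"latch broken: {sa.peer_id} is not {latch.peer_id}"
    return "accept", f"peer {sa.peer_id} matches latch"


def scenario(latching):
    """A client talks to 10.0.0.5:5432; later that address is re-leased to another host."""
    host = Host(pad={"db1.example": ["10.0.0.5/32"],        # server with a fixed address
                     "laptop7.example": ["10.0.0.0/24"]})   # DHCP client, any pool address
    host.spd.append(Policy("10.0.0.5", 5432, "esp"))
    flow = ("10.0.0.5", 5432)
    results = []
    sa1 = SA(0x1001, "10.0.0.5", "db1.example", "esp")
    assert authorize_sa(host, sa1)
    results.append(inbound(host, flow, sa1.spi, latching))
    # db1 goes away, DHCP hands 10.0.0.5 to laptop7, which negotiates its own SA.
    sa2 = SA(0x2002, "10.0.0.5", "laptop7.example", "esp")
    assert authorize_sa(host, sa2)  # PAD is satisfied: the address is inside its pool
    results.append(inbound(host, flow, sa2.spi, latching))
    return results


if __name__ == "__main__":
    for latching in (False, True):
        print("latching" if latching else "no latching", scenario(latching))
```

Without latching the second segment is accepted because the SPD entry is satisfied by any ESP SA to 10.0.0.5; with latching it is dropped because the connection was bound to db1.example's identity. This is the half the comment says Solaris/Illumos does not do: the socket options latch the SPD side, but nothing ties the connection to the SAD/PAD identity.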