Going to go against the flow here and say go for OpenVPN.

This recommendation is based on the following observations:

It's easy to implement
It's secure
It's stable
By using the tls-auth option, the fact that your firewall is acting as a VPN endpoint becomes invisible to the 'net
It easily handles NAT'ing firewalls with no special NAT requirements
Will easily work with dynamic DNS clients as end points.
Works well with OpenBSD

In your scenario you could set up a single central OpenVPN/CA server to act as a VPN concentrator; your 2nd site and your two colo servers could then act as 'clients', making admin and setup very straightforward.

With regard to the speed of IPSec vs OpenVPN (SSL/TLS), we use IPSec for site-to-site VPNs (3DES+PFS) where each end has a static IP, and OpenVPN (Blowfish) for our 'road warriors'.

The IPSec VPNs terminate onto a 3.8 box with a 450MHz CPU (K6-2).
OpenVPN runs on a separate 3.8 box behind the firewall and uses a PII 450MHz CPU.

When comparing the two VPN solutions for speed, subjectively the OpenVPN feels slightly faster, but there's not much in it, and the different encryption schemes may well account for the speed variance. We don't push a lot of traffic through the VPNs, hence I can get away with low-power hardware. However, what I'm trying to say is that running OpenVPN doesn't require a large amount of horsepower and is no disadvantage over IPSec.

Regards

Simon
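As an added illustration of the tls-auth and concentrator layout described in the reply above (this is example configuration, not Simon's actual setup or anything from the OpenVPN project's docs), the following shows a server acting as the central concentrator and one site acting as a client. The hostname vpn.example.com, the 10.8.0.0/24 tunnel range, the 192.168.2.0/24 LAN behind the second site, and the file names are all assumed placeholders. The shared HMAC key referenced by tls-auth is generated once on the server with `openvpn --genkey --secret ta.key` and copied to every client out of band.

```conf
# --- server.conf: central OpenVPN/CA box acting as the VPN concentrator ---
port 1194
proto udp
dev tun
ca ca.crt            # CA that signed every client certificate
cert server.crt
key server.key
dh dh.pem
# tls-auth with key direction 0 on the server: every control-channel packet
# must carry a valid HMAC, so unsigned probes are dropped before any TLS
# handshake starts and the port does not answer scanners.
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
# Push the second site's LAN into the kernel routing table of the server;
# the matching iroute in ccd/site2 (below) tells OpenVPN which client owns it.
route 192.168.2.0 255.255.255.0
client-config-dir ccd
keepalive 10 120
persist-key
persist-tun

# --- ccd/site2 (file named after the client certificate's CN) ---
# Assumed: the second site's LAN is 192.168.2.0/24
iroute 192.168.2.0 255.255.255.0

# --- client.conf on the second site / colo box ---
client
remote vpn.example.com 1194
proto udp
dev tun
nobind
ca ca.crt
cert site2.crt
key site2.key
# Same ta.key, opposite direction (1) on the client side.
tls-auth ta.key 1
# Refuse to talk to anything whose certificate was not issued as a server
# certificate, which blocks a stolen client cert from impersonating the hub.
remote-cert-tls server
persist-key
persist-tun
```

Because the server simply keeps a list of client certificates and per-client `ccd` files, adding the second colo box is a matter of issuing one more certificate from the same CA and dropping in another `ccd` entry; no changes are needed on the other clients, which is the "admin and setup very straightforward" point made above. Both sides should be behind NAT without difficulty since only the server needs a reachable UDP port.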
