IpSec VS OpenVPN: there's an insecure one?

Few days ago a customer told me that is far more secure OpenVPN than Ipsec.

I asked why he was believing that thing, the answer was that it was well know of far more vulnerabilities on IpSec.
I left his believing alone, were pointless to argue (no tech/TLC/It background) and i did some researches… who told me something that already knew:

  • Both kind of connection can be configured in a very insecure way (weak passhprases, weak cyphers, no certificate use, bugs on implementation)
  • OpenVPN is related with TLS/SSL, therefore any vulnerability of the library (OpenSSL/LibreSSL) could lead a footprint for vulnerability for the server; therefore, you can run a server on any port
  • Ipsec is quite hardwired on well-known ports (500, 4500, 1701 if using L2TP) but has quite a lot of different settings (including v2) that could make harder to bite

I know… in some devices (like DGN 2200 that i use at home) the settings lacks of good cypers (AES) or enough options for consider that a strong VPN Endpoint. But… I don’t know if there is any kind of OS that’s lacking of L2TP client… Without add any custom software.

Which is your favorite VPN tool?
Why you choose it?
Do you think that the opponent is less secure than the one you use?