Certain issues arise when you try to achieve full IPSec cloud functionality:
By its nature, IPSec cannot carry routing protocol updates through the IPSec tunnel, because IPSec does not encrypt IP multicast or broadcast packets. As a result, whenever the topology changes at the hub or at a spoke, the other end of the IPSec tunnel cannot be notified of the change dynamically.
Each time a network needs to be added to the list of IPSec participants, a new access list must be defined for user traffic encryption.
Because IPSec environments are essentially hub-and-spoke networks, the hub router's configuration can grow to the point where it becomes a management nightmare.
Many hosts' public IP addresses ...
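As an added illustration (not from the original text), the following Python model captures the first three issues above: a classic crypto ACL selects traffic for encryption, a multicast routing-protocol hello never matches it, and every newly added participant subnet needs its own ACL entry before its traffic is protected rather than sent in the clear. All prefixes are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample crypto ACL for a hub router: one permit entry per
# protected (hub subnet -> spoke subnet) pair, as a classic crypto map
# requires. The prefixes are made up for this example.
HUB_CRYPTO_ACL = [
    ("10.0.0.0/24", "10.1.0.0/24"),  # hub LAN -> spoke 1 LAN
    ("10.0.0.0/24", "10.2.0.0/24"),  # hub LAN -> spoke 2 LAN
]


def crypto_acl_matches(acl, src, dst):
    """True if the (src, dst) pair is selected for encryption by the crypto ACL."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def classify(acl, src, dst):
    """Say what happens to a packet leaving the hub's outside interface."""
    if ip_address(dst).is_multicast:
        # A routing-protocol hello to 224.0.0.5 (OSPF) or 224.0.0.10 (EIGRP)
        # never matches a unicast crypto ACL, so it is not carried by the
        # tunnel and the peer learns nothing about topology changes.
        return "multicast-not-tunnelled"
    if crypto_acl_matches(acl, src, dst):
        return "encrypted"
    # Not selected for encryption: with a crypto map the packet leaves the
    # interface in cleartext unless some other ACL drops it.
    return "cleartext"


def missing_entries(acl, hub_nets, spoke_nets):
    """Return (hub, spoke) subnet pairs that no crypto ACL entry covers yet.

    The hub needs len(hub_nets) * len(spoke_nets) entries in total, which is
    why the hub configuration grows with every participant added.
    """
    have = {(str(ip_network(a)), str(ip_network(b))) for a, b in acl}
    return [
        (str(ip_network(h)), str(ip_network(s)))
        for h in hub_nets
        for s in spoke_nets
        if (str(ip_network(h)), str(ip_network(s))) not in have
    ]


if __name__ == "__main__":
    spokes = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # spoke 3 just added
    print(classify(HUB_CRYPTO_ACL, "10.0.0.5", "10.1.0.7"))   # encrypted
    print(classify(HUB_CRYPTO_ACL, "10.0.0.5", "224.0.0.5"))  # multicast-not-tunnelled
    print(classify(HUB_CRYPTO_ACL, "10.0.0.5", "10.3.0.7"))   # cleartext
    print(missing_entries(HUB_CRYPTO_ACL, ["10.0.0.0/24"], spokes))
```

Running `missing_entries` against the current ACL before enabling a new spoke is a quick check that no participant's traffic will leave the hub unencrypted.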