It's worse with VPNs like Wireguard because Wireguard only supports tunneling (e.g. IP in IP), which when you add the authentication header means a minimum of 3x the overhead of a regular connection, whereas IPSec encapsulation without tunneling only requires 2x the overhead (just the additional authentication header). Worse, Wireguard also requires UDP encapsulation (i.e. IP inside UDP+IP), which means 4x the overhead.
To be fair, IPSec tunneling is quite common (unsure if its the predominant mode) because tunneling makes routing easier. And for road warrior setups where the peer is often behind a NAT gateway, IPSec VPNs will also tend to use UDP. In such cases there's no advantage to IPSec.
IPSec is just usually an abysmal inane thing to set up, with defaults from the 90s and an extra bonus of error messages and documentation that just make you cuss. I don't recommend anyone IPSec, whatever it offers, after you spend all the time making sure your configuration is good, is really not worth it if you can do Wireguard or even OpenVPN. Ugh, I'm annoyed just thinking about it again.
The best part is when you find out your phone supports set of parameters A, your tablet set of parameters B and your MacBook set of parameters C.... and there's no intersection between sets.
ipsec is complex because it can be used in a LOT of situations.
can wireguard do tunnel state detection? Can i do a hub and spoke topology with wireguard? or auto-vpn?
ipsec is complex because it is mainly designed as a tunnel protocol with encryption. (site-to-site), compared to the "road warrior" setup wireguard seems more useful for.
To be fair, IPSec tunneling is quite common (unsure if its the predominant mode) because tunneling makes routing easier. And for road warrior setups where the peer is often behind a NAT gateway, IPSec VPNs will also tend to use UDP. In such cases there's no advantage to IPSec.