FreeBSD
Alexander, 2014-06-24 09:39:37

How to set up a VPN?

Right now there is an OpenBSD machine running an OpenVPN server; OpenBSD, FreeBSD and Windows clients connect to it. Now a Mikrotik will be added to this zoo.
Three months ago I switched everything to the TCP protocol instead of UDP and disabled comp-lzo (on the assumption that a Mikrotik would appear in the future).
Everything works fine, but yesterday a new Mikrotik arrived and I decided to set it up, and the problem turned out to be that it does not support tls-auth... and you need to reconfigure everything...
Advise what to do: remove tls-auth everywhere and not bother, or...?
I'm worried about security.


3 answers
nimbo, 2014-06-25
@nimbo

ovpn in tcp, ip (tun) mode, hanging on port 443, SHA1 + AES-128-CBC. If your Mikrotik model supports hardware encryption, turn on AES-256 and sleep peacefully.
You don't actually need tls-auth...

Cool Admin, 2014-06-24
@ifaustrue

And can you set up IPsec instead?

Igor, 2014-06-24
@merryjane

Here is what is written in the documentation:

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
DoS attacks or port flooding on the OpenVPN UDP port.
Port scanning to determine which server UDP ports are in a listening state.
Buffer overflow vulnerabilities in the SSL/TLS implementation.
SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

It follows from this information that tls-auth is an additional layer of protection against these types of attacks. In fact, traffic without it will be encrypted with the algorithm specified in your config.
If you have clients connected to it with static IP addresses, then you can open it on the server only to these IPs using iptables or whatever you have installed on the server.
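As an added example that is not part of this thread, a POSIX sh script that renders the two pieces the answers describe: an OpenVPN server config for the setup in the question (TCP on 443, no comp-lzo, AES-256-CBC with SHA1 as nimbo suggests) with tls-auth either kept or dropped, and the pf.conf fallback Igor mentions that restricts the port to the static client addresses. The /etc/openvpn paths and the client IPs are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Renders an OpenVPN server config for the
# setup described above and a pf.conf fragment that limits TCP/443 to known
# client addresses, the compensating control when tls-auth must be dropped.
# Paths under /etc/openvpn and the client IPs are constructed placeholders.

# $1 = "yes" to include tls-auth (server side uses key direction 0), "no" to omit it.
render_server_conf() {
    with_tls_auth="$1"
    cat <<EOF
port 443
proto tcp-server
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
EOF
    # tls-auth only protects the TLS control channel (handshake packets).
    # Omitting it leaves the data-channel cipher above unchanged, but any peer
    # can then start a handshake, so the port should be firewalled instead.
    [ "$with_tls_auth" = "yes" ] && echo "tls-auth /etc/openvpn/ta.key 0"
    return 0
}

# pf rules admitting TCP/443 only from the listed client IPs ($@).
# pf uses last-match semantics, so the pass rule overrides the block for listed hosts.
render_pf_rules() {
    printf 'block in on egress proto tcp to (egress) port 443\n'
    printf 'pass in on egress proto tcp from { %s } to (egress) port 443\n' "$*"
}

# Constructed sample clients with static addresses (documentation ranges).
CLIENTS="203.0.113.10 198.51.100.7"

echo "# server.conf with tls-auth (OpenBSD/FreeBSD/Windows clients)"
render_server_conf yes
echo "# server.conf without tls-auth (Mikrotik in the mix)"
render_server_conf no
echo "# pf.conf fragment restricting the port to known clients"
render_pf_rules $CLIENTS
```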
