IKEv2 should interoperate a lot more smoothly. I agree that interop with IPsec could be painful years ago. We always managed to find an interoperable common denominator across vendors, but most of the time the resulting crypto was quite weak by modern standards. Triple DES, D-H Group 2, disabled PFS, and so forth.
Nope, not lazy. IPsec is a royal pain, and the terminology is confusing.
On the other hand, it doesn’t seem like a clear-cut case of just budget. Surely there were means of proactively handling the eventuality without spending four or five figures?
OpenVPN is a powerful tool; I’ve used it many times (used to run it for my home network too). These days I exclusively run FortiClient, since I run a FortiGate / work at a FortiGate shop.
Yeah, Protocol 50 has come to bite us in the ass at work, where a partner was blocking all traffic that wasn’t ICMP, TCP, or UDP. And they weren’t going to allow IP/50 through.
The problem with those least common denominators is that they result in an unsafe VPN.
DES was broken twenty years ago with $250,000 of ASICs (you can probably do it today with a $250 FPGA).
Disabled PFS is the mother of all no-nos.
DH-2 specifies a 1024-bit key, which is getting smaller every day.
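The “least common denominator” proposals discussed in this thread (Triple DES, DH group 2, no PFS) are easy to spot mechanically. The following is an added example, not code from any commenter or vendor: a small checker for strongSwan-style proposal strings (`3des-sha1-modp1024` and the like, where each proposal is a dash-separated list of cipher, integrity/PRF and DH-group tokens, several proposals may be comma-separated, and a trailing `!` marks a strict list). The thresholds (2048-bit MODP floor, 256-bit ECP floor) and the sample proposals are this example’s choices. It also flags a weak proposal that appears only as a fallback in a comma-separated list, since a peer can still negotiate down to it.

```python
"""Flag weak IKE/ESP proposals written in strongSwan-style notation.

Added example for this thread; the policy floors below are illustrative
choices, not strongSwan's defaults.
"""
import re

MODP_MIN_BITS = 2048   # DH group 2 is modp1024, group 14 is modp2048
ECP_MIN_BITS = 256

# Proposal tokens considered weak by today's standards (strongSwan names).
WEAK_TOKENS = {
    "des": "single DES",
    "3des": "Triple DES (64-bit block cipher)",
    "null": "NULL encryption",
    "md5": "MD5 integrity",
    "sha": "SHA-1 integrity",
    "sha1": "SHA-1 integrity",
    "prfmd5": "MD5 PRF",
    "prfsha1": "SHA-1 PRF",
}


def classify_dh(token):
    """Return (is_dh_group, reason) where reason is None unless the group is weak."""
    m = re.fullmatch(r"modp(\d+)(s\d+)?", token)
    if m:
        bits = int(m.group(1))
        return True, (f"{bits}-bit MODP group" if bits < MODP_MIN_BITS else None)
    m = re.fullmatch(r"ecp(\d+)(bp)?", token)
    if m:
        bits = int(m.group(1))
        return True, (f"{bits}-bit ECP group" if bits < ECP_MIN_BITS else None)
    if token in ("curve25519", "x25519", "curve448", "x448"):
        return True, None
    return False, None


def check_proposal(proposal, is_esp=False):
    """Check one dash-separated proposal; returns a list of (token, reason)."""
    findings = []
    saw_dh = False
    for tok in proposal.lower().split("-"):
        is_dh, weak = classify_dh(tok)
        if is_dh:
            saw_dh = True
            if weak:
                findings.append((tok, weak))
        elif tok in WEAK_TOKENS:
            findings.append((tok, WEAK_TOKENS[tok]))
    if is_esp and not saw_dh:
        # An ESP (CHILD_SA) proposal with no DH group rekeys without PFS.
        findings.append(("(no DH group)", "PFS disabled"))
    return findings


def check_proposal_list(value, is_esp=False):
    """Check a comma-separated list; every entry is negotiable, so a weak
    fallback counts. Returns a list of (proposal, token, reason)."""
    findings = []
    for prop in value.rstrip("!").split(","):
        prop = prop.strip()
        findings.extend((prop, tok, why) for tok, why in check_proposal(prop, is_esp))
    return findings


def audit(conn):
    """conn is a dict with 'ike' and 'esp' proposal strings."""
    return {
        "ike": check_proposal_list(conn["ike"]),
        "esp": check_proposal_list(conn["esp"], is_esp=True),
    }


# Constructed sample connections: the old interop LCD next to a hardened one.
WEAK_CONN = {"ike": "3des-sha1-modp1024", "esp": "3des-sha1"}
HARDENED_CONN = {"ike": "aes256gcm16-prfsha384-ecp384", "esp": "aes256gcm16-ecp384"}
# A strong primary with a weak fallback still listed.
MIXED_IKE = "aes256-sha256-modp2048,3des-sha1-modp1024!"

if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(name, audit(conn))
    print("mixed", check_proposal_list(MIXED_IKE))
```

Run it and the weak connection reports Triple DES, SHA-1 and the 1024-bit group on the IKE side plus “PFS disabled” on the ESP side, while the hardened one is clean; the mixed list is flagged for its fallback entry alone.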
Apathy, stubbornness, and “security” are the reasons we’ve found – usually in that order.
You also forgot stupidity.
But I’ve seen it all at the same time.