I recently set up a VPN for a client and was frustrated that the terminology hasn’t become more standardized in the past 5 or so years. As I mentioned in my last post, I am re-entering the IT networking world. I figured things had improved, and many functions have – SD-WAN is an exciting advance in my opinion. But some simple things – like setting up a site-to-site VPN – haven’t improved at all.
I have connected hundreds if not thousands of VPNs in my career. If the VPN was connected to a remote vendor or device that I didn’t control, it was always a chore to configure. Invariably I would have to contact an experienced IT professional who controlled the remote firewall and trade the VPN parameters over email – simple things like IP address, subnet mask, gateways, and the subnets allowed on each side – along with more complex parameters such as the IKE Phase 1 proposal, the IKE ID for each end, the DH group, encryption, authentication, and so on. Because of security concerns, we would never email the shared secret.
Maybe 1 time out of 100 we could get the connection working via email. But usually not. Usually it required a coordinated phone call with me logged into my client’s firewall and the other tech logged into the other firewall. We would have to review the parameters, and if we were lucky, both vendors would use the same terminology to define them. More often than not we would have to decipher how each vendor labeled each specific parameter. It was maddening and totally unnecessary in my opinion, and it took way longer than it should have to set up a VPN. How in the heck could anyone automate this process unless all the equipment was from one vendor, which it seldom was?
I was quite disappointed last week when I needed to set up a new VPN for a long-time client. While logging in and working remotely was much more pleasant and reliable, I still had to schedule a call with the remote IT firewall person, and we had to get on the phone and decipher the connection parameters. I was programming a SonicWall, which I am quite familiar with. I can’t remember what he was programming now, but it wasn’t Cisco, since I am also pretty familiar with configuring those firewalls. It took us about 45 minutes and multiple tries to get traffic to pass. I would have to go into the SonicWall logs to figure out why the connection was getting rejected, then tell the other IT guy what was going on. He would try to set his side to match mine. I tried to match his parameters, but he wasn’t nearly as experienced and didn’t know what all the parameters meant on his end. Since I knew what would work, I set my parameters to a known configuration and then walked him through a variety of options until we found a match that worked.
I just can’t for the life of me figure out why the terminology for setting up VPNs hasn’t been standardized. By now this should be a fairly simple process, yet it is not – at least when dealing with different firewall vendors. I guess they still need people like me who can figure this stuff out! Job security.