That's exactly my problem as well. The other problem I have is the way proprietary manufacturers rely on the fact you can configure IPsec insecurely so that they never need to update their broken-on-arrival IPsec hardware and software to support modern, secure standards.