Network World

IP VPNs save, but they can carry 'gotchas'

By Tim Greene, Network World, 11/22/2004

While IP VPNs are widely accepted as an effective remote access and WAN technology that can save money, there are hidden challenges users should be aware of to avoid costly problems.

For instance, Concord, Mass., business consultancy Mercator Partners is scrapping the SonicWall IPSec VPN appliances it deployed in home offices in favor of IPSec client software on employees' PCs.

Although the appliances live up to their promise of segregating business machines from home machines via separate ports, it turns out the arrangement leaves open the possibility that family members still could tap into the corporate VPN, says Seth Cordes, IT manager at the firm.

Rather than risk that, Mercator changed technology, and now only home PCs with the client software can tap into the VPN.

Still, looking at the big picture, there are significant savings to be gleaned from VPNs, particularly site-to-site VPNs that replace traditional WAN links. "On average, customers are paying anywhere between $450 and $1,200 a month per site on dedicated circuits," says John Pouliot, a principal with WAN Strategies, an integrator and VPN service provider in Manchester, N.H.

With an Internet-based VPN, those costs can plummet. "Compare that with $45 a month average per site for DSL connections and the upfront cost - anywhere from $350 to $1,295 [per site] of the VPN hardware," he says.

Even with these big savings, businesses have to keep in mind that VPNs are full of cost "gotchas."

Lancet Technology, a medical software company in Boston, in the past has created VPN connections with its business partners using Cisco and Nortel VPN clients, says Kevin Mulligan, CIO of the firm. But the clients are tricky to configure and the partners generally don't have experience with them.

Plus, the VPNs require reconfiguring firewalls so VPN traffic can pass through, which winds up costing Lancet time on the phone to help out.

"We had more headaches with them," Mulligan says. He had to spend a lot of time negotiating with partners to get them to agree to the VPN in the first place, the major objection being that firewall reconfiguration goes against their corporate policies.

Similarly, being on the receiving end of such a proposal and joining a partner's existing VPN can tie up valuable time, he says, which again translates into expense.

Customers trying to comply with requests to use the same client ran into trouble, creating more work for Lancet, Mulligan says. "They would call us, and we would call Cisco technical support, and six hours later we might resolve it," he says, but by then the day was shot. Instead the firm has switched to a managed SSL remote-access service that requires no client and no firewall reconfiguration.

Even when VPNs are successful, their very success can cut in on expected savings, says Dan King, network administrator for The Mental Health Center of Greater Manchester, N.H. He replaced point-to-point T-1 lines from four satellite offices to the main office with a SonicWall IPSec VPN. The switch saved enough money to give a fifth, unconnected office an ISDN-based DSL line. But the new connections gave each office its own Internet access, meaning Internet traffic was no longer funneled through the lone Internet connection at the main site. These new connections also provided faster downloads, a performance boost that resulted in more use. And when he was offered a price reduction on his 768K bit/sec DSL lines or an increase in bandwidth to 1,024K bit/sec, he gave up the savings for the bandwidth.

Customers should check out proposed VPNs in all their probable uses before committing to them, says Tony McCafferty, director of IT for Hualalai Resort in Kailua Kona, Hawaii. Doing so can eliminate a lot of costly swapping, he says.

The resort needed remote access for traveling executives, and he believed an IPSec VPN was the way to go. Initially Check Point's Secure Remote clients were installed in company laptops, which worked well much of the time. But at hotels and at business partner sites, there were problems crossing firewalls, resulting in calls for help.
