Wow, you think that's bad, I got one for ya'. My university has some contacts with the folks down at Tinker AFB. Evidently some of the VA/GI bill/TriCare/etc. processing goes through there (though I have no idea why), so a couple of their people need access to our system. Of course, anything TriCare is HIPPA, and they're kinda touchy about the other records going out unencrypted as well, so they needed VPN access to the appropriate stuff on our end.
Unless you've tried it, you cannot imagine what a hassle it is to get a workstation on base configured with the software, and get all the routing and assorted firewalls (I saw at least half a dozen between the office at Tinker and the outside universe, and I know they didn't let me see half of their security stuff) configured to allow a single measly VPN tunnel through. After two weeks of daily phone calls with one person after another, we finally settled for an isolated workstation that dialed directly into the university because we realized it would literally take an act of congress to get the security folks at the base to let this run through their network. I'm all for security, but sheesh!