Peter Walker peter at grole.org
Fri Oct 5 14:27:19 EDT 2001


I don't know if any of you out there can offer some advice, but here is my 

At the company where I work we were sold a PGP/NAI package that 
included the necessary licenses to run Gauntlet VPN and PGP clients across 
our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our 
head office and a number of road warriors running PGP's VPN client (we liked 
the personal packet filter/firewall features included).

For some people this worked great.  For others the PGP client just 
plain would not work on their machines (particularly on IBM laptops, for 
some reason).

Due to the problems with the client software we purchased a number of 
PGP's new e-ppliance boxes.  These were chosen because they should work 
easily with Gauntlet VPN and they had the built-in firewalling, NAT and 
DHCP functionality we wanted. These don't support certificates for 
authentication so we had to use pre-shared keys, but we were able to live 
with this.

Now we are starting to run into another problem that I just can't see an 
easy solution for.

A number of the users with the e-ppliances have DSL or cable internet 
connections with dynamic IP addresses allocated when they "connect". This 
is where the big problem is.  With network-to-network IPsec tunnels using 
pre-shared keys, both Gauntlet VPN and the e-ppliances require that the IP 
address of the other end of the link be statically defined. What this 
basically means is that every time the remote user's ISP connection is 
closed down (for whatever reason) they are unable to use the VPN until 
someone in the head office reconfigures the Gauntlet VPN server with their 
new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again 
(both for political and financial reasons).  It is possible that we could 
replace the client-end software/hardware for the problem cases, and we 
could perhaps stretch the budget to an IOS upgrade to a 3DES version on one 
of our routers, but if I do that I have to be sure that whatever we do 
is sure to work.

So what would your advice be?

Thanks in advance

	Peter Walker

