[vpn] Advice needed
Peter Walker
peter at grole.org
Fri Oct 5 14:27:19 EDT 2001
Folks
I don't know if any of you out there can offer some advice, but here is my
situation.
At the company I work for we were sold a PGP/NAI package that
included the necessary licenses to run Gauntlet VPN and PGP clients across
our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our
head office and a number of road warriors running PGP's VPN client (we liked
the personal packet filter/firewall features included).
For some people this worked great. For some others the PGP client just
plain would not work on their machines (Particularly on IBM laptops for
some reason).
Due to the problems with the client software we purchased a number of
PGP's new e-ppliance boxes. These were chosen because they should work
easily with Gauntlet VPN and they had the built-in firewalling, NAT and
DHCP functionality we wanted. These don't support certificates for
authentication so we had to use pre-shared keys, but we were able to live
with this.
Now we are starting to run into another problem that I just can't see an
easy solution for.
A number of the users with the e-ppliances have DSL or Cable internet
connections with dynamic IP addresses allocated when they "connect". This
is where the big problem is. With network to network IPSEC tunnels using
pre-shared keys both Gauntlet VPN and the e-ppliances require that the IP
address of the other end of the link be statically defined. What this
basically means is that every time the remote user's ISP connection is
closed down (for whatever reason) they are unable to use the VPN until
someone in the head office reconfigures the Gauntlet VPN server with their
new IP address.
This just plain doesn't work for us.
We are not in a position where we can just dump everything and start again
(both for political and financial reasons). It is possible that we could
replace the client end software/hardware for the problem cases, and we
could perhaps stretch the budget to an IOS upgrade to a 3DES version on one
of our routers, but if I do that I have to be sure that whatever we do do
is sure to work.
So what would your advice be?
Thanks in advance
Peter Walker