[vpn] Advice needed

Christopher Gripp cgripp at axcelerant.com
Mon Oct 8 13:58:44 EDT 2001

What you are looking for is an implementation that supports Aggressive
mode negotiation.  To be honest I haven't seen one yet that didn't but I
know nothing about the PGP implementation.  I would start searching for
material on using Aggressive mode with PGPvpn.

-----Original Message-----
From: Peter Walker [mailto:peter at grole.org]
Sent: Friday, October 05, 2001 11:27 AM
To: vpn at securityfocus.com
Subject: [vpn] Advice needed


I don't know if any of you out there can offer some advice, but here is

At the company where I work we were sold a PGP/NAI package that
included the necessary licenses to run Gauntlet VPN and PGP clients
our corporate network. So we now have a gauntlet 5.5 NT VPN server in
head office and a number of road warriors running PGP's VPN client (we
the personal packet filter/firewall features included)

For some people this worked great.  For some others the PGP client just 
plain would not work on their machines (Particularly on IBM laptops for 
some reason).

Due to the problems with the client software we purchased a number
PGP's new e-ppliance boxes.  These were chosen because they should work
easily with Gauntlet VPN and they had the built in firewalling, nat and
dhcp functionality we wanted. These don't support certificates for
authentication so we had to use pre shared keys, but we were able to
with this.

Now we are starting to run in to another problem that I just can't see an
easy solution for.

A number of the users with the e-ppliances have DSL or Cable internet 
connections with dynamic IP addresses allocated when they "connect".
is where the big problem is.  With network to network IPSEC tunnels
pre-shared keys both Gauntlet VPN and the e-ppliances require that the
address of the other end of the link be statically defined. What this 
basically means is that every time the remote user's ISP connection is
closed down (for whatever reason) they are unable to use the VPN until 
someone in the head office reconfigures the gauntlet VPN server with
new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start
(both for political and financial reasons).  It is possible that we
replace the client end software/hardware for the problem cases, and we 
could perhaps stretch the budget to an IOS upgrade to a 3DES version on
of our routers, but if I do that I have to be sure that whatever we do
is sure to work.

So what would your advice be?

Thanks in advance

	Peter Walker

VPN is sponsored by SecurityFocus.com
