[vpn] Advice needed
Christopher Gripp
cgripp at axcelerant.com
Mon Oct 8 13:58:44 EDT 2001
What you are looking for is an implementation that supports Aggressive
mode negotiation. To be honest I haven't seen one yet that didn't but I
know nothing about the PGP implementation. I would start searching for
material on using Aggressive mode with PGPvpn.
-----Original Message-----
From: Peter Walker [mailto:peter at grole.org]
Sent: Friday, October 05, 2001 11:27 AM
To: vpn at securityfocus.com
Subject: [vpn] Advice needed
Folks

I don't know if any of you out there can offer some advice, but here is my situation.

At the company where I work we were sold a PGP/NAI package that included the necessary licenses to run Gauntlet VPN and PGP clients across our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our head office and a number of road warriors running PGP's VPN client (we liked the personal packet filter/firewall features included).

For some people this worked great. For some others the PGP client just plain would not work on their machines (particularly on IBM laptops for some reason).

Due to the problems with the client software we purchased a number of PGP's new e-ppliance boxes. These were chosen because they should work easily with Gauntlet VPN and they had the built-in firewalling, NAT and DHCP functionality we wanted. These don't support certificates for authentication so we had to use pre-shared keys, but we were able to live with this.

Now we are starting to run into another problem that I just can't see an easy solution for.

A number of the users with the e-ppliances have DSL or cable internet connections with dynamic IP addresses allocated when they "connect". This is where the big problem is. With network-to-network IPSEC tunnels using pre-shared keys, both Gauntlet VPN and the e-ppliances require that the IP address of the other end of the link be statically defined. What this basically means is that every time the remote user's ISP connection is closed down (for whatever reason) they are unable to use the VPN until someone in the head office reconfigures the Gauntlet VPN server with their new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again (both for political and financial reasons). It is possible that we could replace the client end software/hardware for the problem cases, and we could perhaps stretch the budget to an IOS upgrade to a 3DES version on one of our routers, but if I do that I have to be sure that whatever we do is sure to work.

So what would your advice be?

Thanks in advance

Peter Walker
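The reason Aggressive mode is the usual answer to this problem is a responder-side lookup issue, which the toy model below illustrates. It is an added example, not code from Gauntlet, PGP or the list archive; the peer records, addresses and secrets are constructed. In IKEv1 Main mode the initiator's ID payload is only sent in message 5, already encrypted under keys derived from the pre-shared key, so the responder must pick the PSK from the source IP alone, which is why both ends want a static address. In Aggressive mode the ID payload travels in the clear in message 1, so the responder can select the PSK by FQDN or user identity, whatever address the ISP handed out this time.

```python
"""Toy model of IKEv1 Phase 1 PSK selection: Main mode vs Aggressive mode.

Added illustration only (not Gauntlet/PGP code). Peer database, nonces and
secrets are constructed; the prf follows RFC 2409's PSK case,
SKEYID = prf(pre-shared-key, Ni_b | Nr_b), using HMAC-SHA1.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    identity: str            # value of the ID payload, e.g. FQDN or user@fqdn
    address: Optional[str]   # static IP, or None for a dynamic DSL/cable peer
    psk: bytes


# Constructed responder database: one static branch, one dynamic road warrior.
PEERS = [
    Peer("branch.example.net", "203.0.113.10", b"constructed-branch-secret"),
    Peer("roadwarrior1@example.net", None, b"constructed-roadwarrior-secret"),
]


def select_psk_main_mode(src_ip: str) -> Optional[bytes]:
    """Main mode: messages 1-4 carry no identity, so the only selector the
    responder has when it must derive SKEYID is the packet's source address.
    A peer whose address was not configured statically cannot be matched."""
    for p in PEERS:
        if p.address is not None and p.address == src_ip:
            return p.psk
    return None


def select_psk_aggressive_mode(id_payload: str) -> Optional[bytes]:
    """Aggressive mode: the initiator's ID payload is in message 1 in the
    clear, so the PSK can be chosen by identity regardless of source IP."""
    for p in PEERS:
        if p.identity == id_payload:
            return p.psk
    return None


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 PSK authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_can_authenticate(mode: str, src_ip: str, id_payload: str,
                               ni: bytes, nr: bytes,
                               initiator_skeyid: bytes) -> bool:
    """Return True if the responder can find a PSK for this exchange and the
    SKEYID it derives matches the initiator's (simulated) value."""
    if mode == "main":
        psk = select_psk_main_mode(src_ip)
    elif mode == "aggressive":
        psk = select_psk_aggressive_mode(id_payload)
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")
    if psk is None:
        return False            # no candidate key: exchange cannot proceed
    return hmac.compare_digest(skeyid_psk(psk, ni, nr), initiator_skeyid)


if __name__ == "__main__":
    ni, nr = b"constructed-Ni", b"constructed-Nr"
    # Road warrior's ISP handed out a new address since the last session.
    new_ip = "198.51.100.77"
    good = skeyid_psk(b"constructed-roadwarrior-secret", ni, nr)
    print("main:", responder_can_authenticate("main", new_ip, "roadwarrior1@example.net", ni, nr, good))
    print("aggressive:", responder_can_authenticate("aggressive", new_ip, "roadwarrior1@example.net", ni, nr, good))
```

Two practical notes follow from the model. First, because the identity is the selector, each dynamic peer needs a distinct identity and its own PSK; a single shared secret for all road warriors means any one of them can impersonate the others. Second, in Aggressive mode the identity and the PSK-derived authentication hash are exchanged before encryption begins, so anyone who can capture the exchange can attempt an offline guess of the PSK; long, random pre-shared keys are the mitigation if certificates are not an option.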
VPN is sponsored by SecurityFocus.com