[vpn] Advice needed

Butters, Kevin Kevin_Butters at NAI.com
Mon Oct 8 16:10:48 EDT 2001


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter,

Only the new v2.0 E Appliances support aggressive mode. All the v1.5 E Appliances and the Gauntlet NT VPN gateways only support main mode.

Kevin Butters
Security Engineer
Network Associates Inc.
PGP Fingerprint 
7AB4 5B76 5FEB 42FD 13A5  0BA6 6DDF 11A5 6570 CE07





-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Monday, October 08, 2001 10:59 AM
To: Peter Walker; vpn at securityfocus.com
Subject: RE: [vpn] Advice needed


What you are looking for is an implementation that supports Aggressive mode negotiation. To be honest I haven't seen one yet that didn't, but I know nothing about the PGP implementation. I would start searching for material on using Aggressive mode with PGPvpn.

-----Original Message-----
From: Peter Walker [mailto:peter at grole.org]
Sent: Friday, October 05, 2001 11:27 AM
To: vpn at securityfocus.com
Subject: [vpn] Advice needed


Folks

I don't know if any of you out there can offer some advice, but here is my situation.

At the company where I work, we were sold a PGP/NAI package that included the necessary licenses to run Gauntlet VPN and PGP clients across our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our head office and a number of road warriors running PGP's VPN client (we liked the personal packet filter/firewall features included).

For some people this worked great. For some others the PGP client just plain would not work on their machines (particularly on IBM laptops, for some reason).

Due to the problems with the client software we purchased a number of PGP's new e-ppliance boxes. These were chosen because they should work easily with Gauntlet VPN and they had the built-in firewalling, NAT and DHCP functionality we wanted. These don't support certificates for authentication so we had to use pre-shared keys, but we were able to live with this.

Now we are starting to run into another problem that I just can't see an easy solution for.

A number of the users with the e-ppliances have DSL or cable internet connections with dynamic IP addresses allocated when they "connect". This is where the big problem is. With network-to-network IPSEC tunnels using pre-shared keys, both Gauntlet VPN and the e-ppliances require that the IP address of the other end of the link be statically defined. What this basically means is that every time the remote user's ISP connection is closed down (for whatever reason) they are unable to use the VPN until someone in the head office reconfigures the Gauntlet VPN server with their new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again (both for political and financial reasons). It is possible that we could replace the client end software/hardware for the problem cases, and we could perhaps stretch the budget to an IOS upgrade to a 3DES version on one of our routers, but if I do that I have to be sure that whatever we do is sure to work.

So what would your advice be?

Thanks in advance

	Peter Walker

VPN is sponsored by SecurityFocus.com



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO8IJGm3fEaVlcM4HAQKBhgf+Oqh52zhtA3XOFvch7k1EXf/XjU/jugQL
DVwx2MBC89O6OdcP/R4/94QYusUPdxRaGa8+wFXbJjp4PeSeND6ol4eHX9hn7xq9
y2zvVtQXAN3NdNCtws6xAzJgONE6912IHEi3jwolV7YTwGTS1nHg0myRy32ztvyE
U0MUCgbW3MNhuL9fBKt1siBXsUvxdaFiwMexzy+CmceafEGTwPlVGqe9C9iK+mnU
4+zkICVD8AOFeyTJRvUa7uPt5LTzvTz7wrY7wVV5ce53CQKNnPaEZqIqqtgCxoLy
snvi15tJQ4Kuz2qI26ftVv/7QsWNDCUj+ReTZDQaehXgXUv2XQzKhA==
=Bg3E
-----END PGP SIGNATURE-----
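As an added illustration (not code from any of the posters in this thread): the static-IP requirement Peter describes comes from how an IKEv1 responder chooses the pre-shared key. In main mode the initiator's identity payload arrives in message 5, already encrypted under keys derived from the PSK, so the gateway can only pick the key by the peer's source address; in aggressive mode the identity is sent in the clear in message 1, so the key can be selected by FQDN or another ID whatever address the peer currently has. The Python below models that lookup with constructed addresses (RFC 5737 documentation ranges), a constructed identity `branch-b.example.net` and constructed keys, and shows the dynamic-IP branch failing in main mode after a reconnect until the head office re-enters its address, while succeeding in aggressive mode throughout. SKEYID is derived as in RFC 2409 (prf over the two nonces keyed with the PSK), with HMAC-SHA1 standing in for the negotiated prf. One caveat for anyone following the advice to switch modes: because aggressive mode's identity and authentication hash travel unencrypted, a captured exchange lets the PSK be guessed offline, so the key for such peers should be long and random rather than a memorable passphrase.

```python
"""Constructed model of IKEv1 pre-shared-key selection on a VPN gateway (responder).

Added example, not code from the thread. Addresses, identities and keys are made up.
Only the "which PSK do I use for this peer?" step is modelled, because that step is
what ties a pre-shared-key peer to a fixed IP address in main mode.
"""
import hashlib
import hmac
import secrets


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409, section 5.4):
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). HMAC-SHA1 stands in for the
    negotiated prf. Every later encryption and authentication key is derived
    from this value, so the responder must choose the PSK before computing it."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def select_psk_main_mode(psk_by_address: dict, peer_ip: str):
    """Main mode: the initiator's ID payload is carried in message 5, which is
    already encrypted with keys derived from SKEYID. The responder therefore has
    nothing but the source address of messages 1 and 3 to select the key with."""
    return psk_by_address.get(peer_ip)


def select_psk_aggressive_mode(psk_by_identity: dict, peer_id: str):
    """Aggressive mode: the initiator's ID payload is sent in the clear in
    message 1, so the key can be selected by identity (FQDN, user@FQDN, ...)
    and the peer's current address does not matter."""
    return psk_by_identity.get(peer_id)


def responder_accepts(mode: str, psk_by_address: dict, psk_by_identity: dict,
                      peer_ip: str, peer_id: str, initiator_psk: bytes,
                      ni: bytes, nr: bytes) -> bool:
    """True if the responder ends up with the same SKEYID as the initiator,
    i.e. both sides agree on the PSK and phase 1 can authenticate."""
    if mode == "main":
        psk = select_psk_main_mode(psk_by_address, peer_ip)
    elif mode == "aggressive":
        psk = select_psk_aggressive_mode(psk_by_identity, peer_id)
    else:
        raise ValueError(f"unknown IKEv1 phase 1 mode: {mode}")
    if psk is None:
        return False  # no key configured for this peer: phase 1 fails
    return hmac.compare_digest(skeyid_psk(psk, ni, nr),
                               skeyid_psk(initiator_psk, ni, nr))


def simulate_dynamic_ip_peer() -> dict:
    """A branch behind a DSL/cable line gets a new address on reconnect.
    Returns {moment: {"main": bool, "aggressive": bool}} for three moments."""
    psk = b"constructed-branch-b-secret"          # shared by both ends (constructed)
    peer_id = "branch-b.example.net"             # identity the branch sends (constructed)
    psk_by_address = {"198.51.100.7": psk}       # head office entered today's address
    psk_by_identity = {peer_id: psk}             # address-independent entry
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    def attempt(ip: str) -> dict:
        return {m: responder_accepts(m, psk_by_address, psk_by_identity,
                                     ip, peer_id, psk, ni, nr)
                for m in ("main", "aggressive")}

    results = {"first": attempt("198.51.100.7")}
    results["after_reconnect"] = attempt("198.51.100.42")   # ISP handed out a new address
    psk_by_address["198.51.100.42"] = psk                   # head office reconfigures the gateway
    results["after_reconfigure"] = attempt("198.51.100.42")
    return results


if __name__ == "__main__":
    for moment, outcome in simulate_dynamic_ip_peer().items():
        print(f"{moment:17s} main={outcome['main']!s:5s} aggressive={outcome['aggressive']}")
```

Running the block prints the three moments; the "after_reconnect" row is the situation Peter describes, where main mode fails until an administrator re-enters the peer's new address, and the aggressive-mode column stays true because the lookup never depended on the address.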
