Title: RE: VPN - Gauntlet E-ppliance

In 5.5, and presumably later, you can either terminate IPSec VPNs on the firewall, or pass them through to an internal termination point. Gauntlet doesn't (AFAIK) support any local VPN termination other than IPSec.

I've set it up a couple of times and it's really quite easy, and works well. A few tricks:

1. Gauntlet does NOT support AH (weird). The "authentication" algorithm the GUI talks about is just the ESP HMAC. This could cause some frustration.

2. It can be anal about session lifetimes (time and data volume) matching at each end. Make sure they match.

3. The proxy identities must match exactly. In other words, you need to define exactly the same tunneled (inside) networks at each end.

4. You can't have overlapping networks at each end. Example: You use 10.0.0.0 in your company. You want 10.1.1.0 to use a VPN link. You can't just say 10.1.1.0 is the remote network and 10.0.0.0 is the local network. You need to define about a million links to make it work. (YO! Meenoo! That sucks! ;)

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 10:11 PM
To: [EMAIL PROTECTED]
Subject: VPN - Gauntlet E-ppliance


What is the functionality of VPN in case of Gauntlet Firewall? Please elaborate.
regards.
Anuradha
[...]
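
A pre-flight check for tips 2 to 4 in the reply above, as an added example that is not part of the original message and is not Gauntlet configuration syntax. The dictionary field names, the /8, /16 and /24 prefix lengths and the lifetime values are assumptions constructed for illustration.

```python
import ipaddress

def check_tunnel(a, b):
    """Return mismatches between the two ends' settings for one tunnel."""
    problems = []
    # Tip 2: lifetimes (time and data volume) must match at each end.
    for key in ("lifetime_seconds", "lifetime_kbytes"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    nets = {(n, k): ipaddress.ip_network(c[k])
            for n, c in (("A", a), ("B", b)) for k in ("local_net", "remote_net")}
    # Tip 3: each end's local network must be exactly the other end's remote.
    for near, far in (("A", "B"), ("B", "A")):
        if nets[near, "local_net"] != nets[far, "remote_net"]:
            problems.append(f"proxy identity mismatch: {near} local "
                            f"{nets[near, 'local_net']} vs {far} remote "
                            f"{nets[far, 'remote_net']}")
    # Tip 4: local and remote networks on one end must not overlap.
    for n in ("A", "B"):
        if nets[n, "local_net"].overlaps(nets[n, "remote_net"]):
            problems.append(f"{n}: local and remote networks overlap")
    return problems

def carve_out(local, remote):
    """List the blocks of `local` that remain once `remote` is removed,
    i.e. the non-overlapping local networks a link would be needed for."""
    local_net = ipaddress.ip_network(local)
    remote_net = ipaddress.ip_network(remote)
    return sorted(local_net.address_exclude(remote_net))

# Constructed sample settings (hypothetical field names and values).
SITE_A = {"local_net": "10.0.0.0/8", "remote_net": "10.1.1.0/24",
          "lifetime_seconds": 3600, "lifetime_kbytes": 102400}
SITE_B = {"local_net": "10.1.1.0/24", "remote_net": "10.0.0.0/16",
          "lifetime_seconds": 28800, "lifetime_kbytes": 102400}

if __name__ == "__main__":
    for problem in check_tunnel(SITE_A, SITE_B):
        print("MISMATCH:", problem)
    for block in carve_out(SITE_A["local_net"], SITE_A["remote_net"]):
        print("local block:", block)
```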
