We are currently using a Microsoft RAS server, using PPTP for people to VPN into the office network. It's not particularly secure as people's usernames are predictable, and many of the users are not choosing secure passwords. Any attempt to enforce moderate security in passwords faces internal rebellion.
I'm considering setting up the VPN to use IPSEC, and to authenticate with certificates. What I need is advice on suitable IPSEC server configurations, managing the certificates, and managing the deployment of certificates - particularly from people who have done exactly this. I have experience managing Windows, Linux and, to a much lesser extent, OpenBSD operating systems.
Finally, I've seen comments about XP Professional machines not being able to make ad hoc IPSEC connections when their IP address is not fixed. Is this a genuine problem?
Thanks in advance for your help,
You do not write what size of organization you are working for - but from my experience, managing certificates for a remote access solution with many users is not a desirable way to go. Certificates are difficult to understand for the average user, and I have yet to see a process for issuing and reissuing certs that does not require a very good written guide or a supporter on the phone.
I would at any time prefer a hardware token based remote access solution to a certificate based one.
I do not manage the remote access gateways where I work, but I know we use Cisco VPNs with RSA SecurID authentication. I have also seen a more lightweight solution from a company called Giritech. But there must be hundreds of similar solutions based on hardware fobs.
ildoc