PGPvpn's winning score stems from a number of factors but can be summed up in one statement: It provides ease of use for both the end user and the administrator. Aside from Microsoft Windows, PGPvpn offered the most versatile VPN implementation, letting us specify dynamic VPNs on an as-needed basis easily. Unfortunately, PGPvpn doesn't support some advanced features, such as NAT traversal and L2TP, and software installation and upgrading aren't automated. However, at $63 for one client, PGPvpn is a (nearly) full-featured VPN client at a very attractive price.
PGPvpn uses PGPKeys by default for VPN authentication between PGP clients, so we first had to install both the PGP Keyserver, which also serves as a configuration directory, and PGPAdmin, each on a separate server. PGPAdmin is used to configure the PGPvpn client components for distribution. There are two areas of configuration: PGP Options and PGP Administrative Options. PGP Options are the general options that each PGPvpn client will have available when it is downloaded. Unfortunately, there can be only one configuration per configuration server; if you want different configurations for different groups, you must set up multiple configuration servers.
PGP Administrative Options configures basic policies for PGP, including the minimum length and relative strength of the pass phrase users can choose, how keys are generated, which keys are to be installed by default, and which options users can modify locally. Once the options are configured, an installation kit can be built and distributed, and the directory is updated as well. Clients refresh their configuration periodically from the directory.
PGPvpn, like SafeNet's and Microsoft's offerings, doesn't provide any remote logging tools, so troubleshooting user problems is difficult. However, the local PGP logs are detailed yet still understandable. If a user can forward the logs via e-mail, a seasoned helpdesk person should be able to troubleshoot most problems.
As noted, only PGPvpn and Microsoft Windows XP let us create dynamic VPNs. A dynamic VPN is one with no predefined policy between two hosts; the hosts negotiate a VPN as needed. PGPvpn uses the PGPKeys created during client installation for authentication. As long as both users hold and trust each other's public keys, they will be able to communicate over a VPN.
There are three options for dynamic VPNs: "Attempt" means the client will try to create a VPN but will fall back to passing traffic in the clear if the VPN negotiation fails; "Allow" means the client won't initiate a VPN but will accept one negotiated by the peer; and "Require" means a VPN must be established before any traffic passes. Note that "Attempt" is a silent downgrade: anyone who can make the negotiation fail (for example, by dropping the key-exchange packets) gets the traffic unencrypted, and the user sees nothing, so "Require" is the only mode suitable for data that must not cross the network in the clear. Dynamic VPN is useful in dynamically addressed environments, such as telecommuting or DHCP. But since PGPvpn does not support NAT traversal, it will not work in all remote situations.
PGPvpn has two features that help in creating IPsec VPNs to third-party gateways. First, setting up a VPN is a straightforward process. Although there is no way to remotely configure VPN connections, host lists can be configured and imported manually, or end users can create their own VPN connections. Luckily, there are few configuration options exposed to end users: enter the peer IP address; select the type of VPN peer (VPN gateway, VPN host or VPN subnet, for example); designate the mode and the authentication; and you're ready to go. Peer-to-peer VPN connections can be brought up automatically. However, in cases where the VPN gateway configures the client's IP networking, the connection must be initiated manually.
The second feature aiding interoperability is the client log. The main log screen shows only superficial information, but the "Advanced" tab provides a wealth of detail about the negotiation -- and it's readable to boot.
PGPvpn starts at $63. Available: Now. Network Associates, (408) 346-5101; fax (408) 346-5015. www.nai.com
F-Secure Corp. F-Secure VPN+
VPN+ offers a mixed bag of features. Some, like remote software installation and updating, are well thought out; others, such as using configuration flags and HTML-based logs for event reporting, are not. F-Secure VPN+ has the best centralized management of the products we tested, and although it has remote logging, we could not get any significant events to appear on the management console. Interoperability was weak: we were unable to get VPN+ to talk to our Nortel Contivity, and we had to use special flags for both the Cisco PIX and the Cisco 3002. From a management standpoint, VPN+ is an excellent choice, but its other problems kept it from being a top contender.
F-Secure Administrator is a hierarchical management station that gives administrators full control over the remote applications. We were impressed when we distributed the F-Secure Management Agent and VPN+ from the Administrator console: we connected to the local Windows NT domain, selected the workstations we wanted, and the software installed with a click of a button. Subsequent updates were pushed out to the clients after we made our changes.
Unfortunately, there were no accurate status updates about the policy changes. We made a policy change for a known client, shut down that workstation and pushed the client update out. F-Secure Administrator reported that all the workstations were updated, when we knew this was untrue. Luckily, the changes are applied when the workstation boots back up and the client contacts the configuration server.
That F-Secure supports NAT traversal in addition to remote-address management shows it is keeping up with the latest feature sets. In addition, F-Secure has the widest OS support of all the products we tested, though the non-Windows versions are a release or two behind and may not provide all the latest features. Some NAT routers support IPsec pass-through, but each router and client combination will have to be tested for interoperability.
F-Secure VPN+ starts at $125. Available: Now. F-Secure Corp., (408) 938-6700, (888) 432-8233; fax (408) 350-2339. www.f-secure.com