
VPNManager keeps you informed of the VSU status by polling the VSUs for status messages and configuration changes. In the event you lose contact with the VSU, you can ping from VPNManager and initiate a proxy ping from one VSU to another. In addition, VPNManager provides a way to update the entire configuration in the event individual configuration changes fail. This ensures that the configurations on the VSU and on the management station are properly in sync at all times.
The reporting and logging are better than PERMIT Enterprise's, though SNMP support is not as complete as that found in LanRover VPN Gateway. Session statistics are aggregated per VPN, including packet, byte and error counts. While this indicates the busier VPNs on the network, it tells you little about the amount of data passing between VPN gateways. VPNManager provides real-time monitoring of throughput statistics for individual VSUs with a series of graphs showing bytes in and out, and a CPU meter showing approximate load. The logging leaves something to be desired, however. We found during our initial configuration that we had misconfigured some of the VPNs, but the logs showed little information.
Virtual Plumbing
Once we understood VPNet's architecture, VSU configuration was fairly streamlined. Unlike PERMIT Gateways, the VSU devices can be installed in the network as either an IP bridge or an IP router, providing greater flexibility when you integrate VPNs into your network. IP bridging devices have two NICs, but only one IP address is assigned to the device. The VSU can also act as a router, though addresses are not assigned to the NICs; rather, the device is assigned two addresses, and the routing table and proxy ARPs determine where to send untunneled packets. As an IP bridge, the VSU sits unobtrusively next to the router, which requires no changes to your IP network addressing. The VSU can also operate in a one-arm configuration, passing encrypted and decrypted traffic through the same interface.
During VPN configuration, we created subnet groups by specifying the subnets that describe members of a particular VPN protected by an individual VSU. This provides access control: desktops not in the assigned subnets cannot access the VPN. Specifying the subnets that have access to the VPN is more complicated than it needs to be. Rather than allowing you to specify contiguous address ranges as necessary, it requires a network address and a subnet mask. This means devices in your VPN address space need to fall within a 2^n boundary. If you already have your network subnetted, this process should be uneventful. But if you are using standard class B or C addressing on your network and you want to exclude certain address ranges, you may need to move your IP hosts into contiguous ranges.
VPNet is the only product in this roundup to use this strategy, and it may have serious implications for your installation. For example, we moved our management station rather than add subnet ranges to our VPN. If you don't own the VSU, then you need to assign the IP address of the destination VSU as well.
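The mask-boundary constraint described above, as an added illustration (example code, not from VPNet or the review; all addresses are constructed): a subnet group is only valid when the network address is aligned to its mask, a host range that is not aligned needs several groups, and membership in a group is what gates access to the VPN.

```python
import ipaddress


def is_aligned_subnet_group(network, mask):
    """A VPNManager-style subnet group is a network address plus a mask.
    It only describes a valid group if the address sits on the mask's
    2^n boundary (no host bits set); strict=True enforces exactly that."""
    try:
        ipaddress.ip_network(f"{network}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def range_to_subnet_groups(first, last):
    """Minimal list of network/mask groups covering a contiguous host range.
    A range that does not start and end on a 2^n boundary cannot be a single
    group, which is why the review suggests renumbering hosts instead."""
    return [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


def in_vpn_group(host, groups):
    """Access-control check: a desktop reaches the VPN only if its address
    falls inside one of the subnet groups assigned to that VPN."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(g, strict=False) for g in groups)


if __name__ == "__main__":
    # Constructed example: a class C where only hosts .20-.50 should be members.
    print(is_aligned_subnet_group("10.1.1.0", "255.255.255.0"))    # True
    print(is_aligned_subnet_group("10.1.1.20", "255.255.255.0"))   # False
    groups = range_to_subnet_groups("10.1.1.20", "10.1.1.50")
    print(groups)   # five separate groups, not one
    print(in_vpn_group("10.1.1.30", groups), in_vpn_group("10.1.1.60", groups))
```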
With the groups specified, all that is left to do is create a VPN, add the groups and configure security. Each VPN has a unique name and multiple members. Once we had created the VPN, we configured security by selecting HMAC-MD5 for authentication and Triple DES CBC for encryption. The VPN configuration is applied dynamically, meaning the VSU isn't disrupted. A VSU can have multiple VPNs assigned, each with different security parameters as needed. Unfortunately, we found that if we configured a VPN for pre-shared secret mode, we couldn't change it to certificate mode without deleting the VPN. It's a minor point, but one worth noting.
Adding remote users is an unremarkable process. We created a configuration file in VPNManager and used that disk to configure VPNremote. We then created a VPN in VPNManager, adding the remote user and a single VPN user. Currently, remote users must use SKIP for key management, though VPNet intends to add IKE functionality sometime this year.
TimeStep Corp. PERMIT Enterprise (PERMIT/Gateway 4520, PERMIT/Director Suite and PERMIT/Client)
The first thing you notice about PERMIT Enterprise is that it has a lot of parts to fit together--the PERMIT 4500, PERMIT Config for device management, PERMIT Director for tunnel management and Entrust CA Server for certificate management. But with all the parts you have to learn and manage, TimeStep also offers this roundup's most complete VPN solution, with the widest support for data encryption beyond that required by IPSec. And with the complete version of Entrust bundled into the package, enterprises without a CA can build policy-based VPNs immediately. However, we found the 4520's performance somewhat disappointing, with approximately 25 percent degradation with Triple DES encryption; logging to external sources was lacking as well.