That's all well and good if you have a routable address range; if you are just getting one public address statically from your service provider then you are stuck with 1) a firewall on the same box as the VPN is terminated or 2) no firewall at all. The reason for this is that IPSEC cannot be NAT'ed, so you would need to have a firewall-->DMZ-->VPN Termination box.
IPSEC would definitely be the best choice provided you are willing to either sit down and really find out what makes it tick. The FreeS/WAN implementation is crap; the underlying software is quite good, but the 'scripts' which attempt to make things easier, don't, and it needs a lot of work.

As far as security goes, Back Orifice on any Windows machine running a VPN client or Citrix is still going to give someone access to the internal network. If you want complete security pull the plug on your computer; after all, locks were invented to keep the honest people out.

Cheers,
Adam.

>
> However, you still want a firewall or the like protecting the VPN box, if
> the VPN box is compromised, then the whole VPN is compromised too.

--
Adam Hewitt <[EMAIL PROTECTED]>

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug