Transcript VPN - Oxford University ICT Forum

OUCS VPN Service
Bridget Lewis
OUCS
The Problem

Resources restricted by IP Address


Web pages e.g. OXAM, OxLIP, bibliographic
resources
Resources inaccessible through firewall
Full OxLIP
 Microsoft and Samba shares


OU members may need to access
resources from anywhere in the world
Oxford University Network
OXAM
Anywhere else

ftp://micros.oucs/

Full OxLIP

The Solution
PCs need to appear to be within OU
Network
 Authentication mechanism
 Encrypted traffic across WAN
 Virtual Private Network (VPN)

Oxford University Network
OXAM
Anywhere else

ftp://micros.oucs/

Full OxLIP

What is a Virtual Private Network?
Secure private communications over
public internet
 Private IP packets encapsulated within
public packets (tunnel)
 Additional header added
 Authentication
 Private packet may also be encrypted
(desirable)

Variations

VPN connection types


Types of VPN


Client to Server, Server to Server
Hardware, software, firewall
Protocols

PPTP, L2F, L2TP, IPSec
How does VPN solve our Problem?

VPN connection uses ESP protocol
Allowed through firewall
 TCP/IP traffic tunnelled within VPN
connection


Client part of virtual network

Allocated Oxford IP address (163.1.86.xyz)
VPN in Oxford

CISCO 3000 Series VPN Concentrator

Software client for various platforms
Client to Server only
 IPSec


IP only (not NetBEUI, IPX etc.)
Split tunnelling disabled
 NAT enabled

Requirements

Existing Internet connection


Cisco client software


Windows, Mac OS X, some Linux
Or third party client


Modem, LAN, cable, ADSL, ISDN etc.
Mac OS 8, 9
OUCS Remote Access username and
passwords
Cisco Clients

Windows 95, 98, Me, NT, 2000, XP
95 requires Dial-up Networking upgrade
 Cannot use Windows 2000/XP native VPN
support


Mac OS X

v10.1.0 or later
Cisco Clients

RedHat 6.2 or compatible
Kernel 2.2.12 or later (not 2.5)
 Currently being tested and documented
 Problems on 7.3 (7.2 OK)


Solaris UltraSPARC running 32-bit kernel
OS v2.6 or later

Untested
Non-Cisco Clients

Mac OS 8.6 to OS 9.2.x
Netlock VPN Client for Cisco
 http://www.netlock.com/
 Evaluation copy available

 Let
us know results if you try it!
Around £80
 Untested by OUCS

Installation — General
Instructions available —
http://www.oucs.ox.ac.uk/network/vpn/ouc
s-service/
 Windows version is mostly preconfigured
 Mac OS X client available
 Linux client not yet available

Installation — 2000/XP
When installing, will get warning about
disabling IPSec policies
 Default IPSec policies not restrictive
 Only likely to be a problem if you have
enabled more rigorous IPSec policies

Installation —XP

May want to turn off driver signing before
installation



Installation process will warn you about this
Otherwise be prepared to click on Continue several
times
Upgrading to XP with Cisco client installed


May warn about incompatibility
It is compatible, but may be best to uninstall prior to
upgrade
Installation — Mac OS X

Not a GUI install!






Command line familiarity
Knowledge of paths
Edit text file
Enable root account prior to installation
Install from command line
Contrary to documentation, v3.5.1 of client
allows Classic apps to use the tunnel
Configuring — Windows

Need to enter initial connection password
(once only)


Options/Properties/Authentication
Optional configuration
Options/Properties/Connection
 Automatically connect via dial-up or…
 Automatically connect via application


Stateful firewall — 3.5.1 release
Configuring — NT/2000/XP
Full domain login possible
 Requires VPN start before login

Options/Windows Logon Properties
 Probably necessary also to set to
automatically establish dialup connection

Configuring — Mac OS X
Not preconfigured
 Create profile from sample
 Text editor
 Full documentation from Cisco

Connecting – General

Test from computer on OU network


IP address assigned is 163.1.86.xyz


Except OUCS in-house network
May not be easy to see as will also have IP
address assigned by ISP etc.
DNS server addresses passed across
Connecting – Windows

WINS addresses also assigned


Check DNS and WINS addresses using
winipcfg or ipconfig /all
VPN icon displayed in system tray
Status including IP address assigned
 Statistics
 Disconnect

Connecting – Mac OS X
Started from command line
 Or use VPNConnect utility

Allows start from GUI
 http://www.wiesbeck.biz/
 Also available from micros.oucs.ox.ac.uk ftp
server

Limitations
Split tunnelling disabled
 No access to local LAN resources when
VPN connection is active
 Security concern
 Client behaves as if within Oxford network
 Client unable to access local resources
e.g. servers, networked printers

Limitations

Full version of OxLIP may be too slow to
use over VPN over dialup

Starting full OxLIP downloads about 1.8MB
data (e.g. 10 minutes over dialup)
May be similar problems accessing e.g.
files on Microsoft shares
 If full OxLIP is essential, broadband may
be the answer

Caveats
Worth reading release notes
 E.g. 2000 systems may need to install
Client for MS networks
 Windows 98 shutdown problem
 Non-DHCP 95/98 may not get WINS
addresses
 No network browsing with AOL 6.0
 MSN install fails with VPN installed

Password Confusion 1

Usernames/passwords to use the service



Provided when user registers to use Remote
Access Services


Remote Access Services account details
VPN Initial connection password
OUCS Registration/Web registration
NB If registered to use dial-up pre-November
2001, contact OUCS Registration for VPN initial
connection password
Password Confusion 2
Username/password to obtain the client
software
 micros.oucs FTP Server username and
password for client download



OUCS Shop
NB only accessible from OU network
(including dialup) — special cases contact
Helpcentre
Personal Firewalls

Must allow ISAKMP (UDP 500)


Initial exchange
Must allow ESP protocol (number 50)

Subsequent IPSEC traffic
VPN connection OK, but no internet
response, suspect ESP not allowed
 XP firewall appears OK without change

Firewalls

Departmental/College firewalls
VPN connection made outside
departmental/college firewall
 Access to departmental/college resources
dependent on firewall configuration


External organisations

May cause problems for individuals
connecting from e.g. another university
Web Proxy Servers

Configured by some ISPs

Freeserve
Symptom: with VPN connection, can
telnet, ftp but not access web with IE
 Reason: trying to use ISP web proxy
server but access denied
 Solution: configure exceptions to proxy for
restricted web pages

Miscellaneous
OUCS Dial-up users don’t generally
require VPN!
 Watch SMTP settings

ISP require own SMTP server
 With VPN must use smtp.ox.ac.uk


Generally connection will be slower over
VPN

Only use as required
MTU Size

MTU = Maximum Transmission Unit


Setting determines largest packet size
Some devices fragment large packets
Some firewalls reject fragments
 Slows performance


Set MTU utility to change defaults


Set to 1400 or less , 576 default for dialup adapters
Hasn’t yet solved any problems
Service Usage Figures by Month
1000
900
800
700
600
500
400
300
200
100
0
Users
Successes
Failures
Nov
'01
Dec
'01
Jan
'02
Feb
'02
Mar
'02
Apr
'02
May
'02
References

Cisco Documentation


VPNConnect utility for Mac


http://www.cisco.com/univercd/cc/td/doc/produ
ct/vpn/client/
http://www.wiesbeck.biz/
Netlock Cisco VPN Client for Mac

http://www.netlock.com/
References

Comparison of VPN Protocols: IPSec,
PPTP and L2TP


http://ece.gmu.edu/courses/ECE543/reportsF
01/arveal.pdf
VPN FAQ

http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.
html
Questions?