OUCS VPN Service
Transcript of OUCS VPN Service
Bridget Lewis, OUCS
The Problem
- Resources restricted by IP address
  - Web pages, e.g. OXAM, OxLIP, bibliographic resources
- Resources inaccessible through the firewall
  - Full OxLIP
  - Microsoft and Samba shares
- OU members may need to access resources from anywhere in the world
[Diagram: OXAM, ftp://micros.oucs/ and Full OxLIP are reachable from the Oxford University Network but not from anywhere else]
The Solution
- PCs need to appear to be within the OU network
- Authentication mechanism
- Encrypted traffic across the WAN
- Virtual Private Network (VPN)
[Diagram: with the VPN, a PC anywhere else appears inside the Oxford University Network and reaches OXAM, ftp://micros.oucs/ and Full OxLIP]
What is a Virtual Private Network?
- Secure private communications over the public internet
- Private IP packets encapsulated within public packets (a tunnel)
  - Additional header added
  - Authentication
  - Private packet may also be encrypted (desirable)
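The encapsulation the slide describes, as an added example that is not code from the OUCS deck or from Cisco: it builds and checks an IPsec ESP tunnel-mode packet in the integrity-only form (NULL encryption, RFC 2410) with HMAC-SHA1-96 authentication (RFC 2404), so the "additional header", the authentication tag and the unwrap on the far side are all visible. The key, SPI and inner packet are constructed for illustration. A real security association negotiated by ISAKMP would normally also carry a cipher, in which case the payload and trailer are encrypted and an IV follows the header; the anti-replay check here is the simplified "strictly increasing" rule rather than the sliding window a real stack keeps.

```python
"""ESP tunnel-mode encapsulation with NULL encryption and HMAC-SHA1-96.

Added example, not from the OUCS deck or Cisco. Key, SPI and inner packet
are constructed. Layout of one ESP packet (RFC 2406/4303):
    SPI | sequence | payload (inner IP packet) | padding | pad len | next hdr | ICV
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # next-header value for an IPv4 packet inside ESP (tunnel mode)
ICV_LEN = 12       # HMAC-SHA1-96: first 96 bits of the HMAC-SHA1 output
ESP_ALIGN = 4      # NULL encryption: (payload + padding + 2) must be a multiple of 4


def sample_inner_packet() -> bytes:
    """Constructed private packet: a minimal IPv4 header (checksum left 0) + payload."""
    payload = b"private data"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         64, 17, 0, bytes([163, 1, 86, 10]), bytes([163, 1, 1, 1]))
    return header + payload


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Wrap a private IP packet in an ESP packet: add the header, pad, authenticate."""
    pad_len = (-(len(inner_packet) + 2)) % ESP_ALIGN
    padding = bytes(range(1, pad_len + 1))           # default pad bytes 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)             # the "additional header"
    trailer = padding + struct.pack("!BB", pad_len, IPPROTO_IPIP)
    authenticated = header + inner_packet + trailer   # everything the ICV covers
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp_packet: bytes, auth_key: bytes, expected_spi: int, last_seq: int):
    """Verify the ICV, SPI and sequence number, then return (inner_packet, seq).

    Raises ValueError on any failure; that refusal is what keeps a forged,
    modified or replayed outer packet from being injected into the tunnel.
    """
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authenticated, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time compare
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:8])
    if spi != expected_spi:
        raise ValueError("unexpected SPI")
    if seq <= last_seq:                               # simplified anti-replay rule
        raise ValueError("replayed or out-of-order sequence number")
    pad_len, next_header = struct.unpack("!BB", authenticated[-2:])
    if next_header != IPPROTO_IPIP:
        raise ValueError("payload is not an IP-in-IP (tunnel mode) packet")
    body = authenticated[8:-2]                        # inner packet + padding
    return body[:len(body) - pad_len], seq


def accepts(esp_packet: bytes, auth_key: bytes, expected_spi: int, last_seq: int) -> bool:
    """True if the receiver would accept the packet, False if it would drop it."""
    try:
        esp_decapsulate(esp_packet, auth_key, expected_spi, last_seq)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"sixteen byte key"                         # constructed SA key
    pkt = esp_encapsulate(sample_inner_packet(), 0x1000, 1, key)
    print(len(pkt), "byte ESP packet; unwrap ok:", accepts(pkt, key, 0x1000, 0))
```

The 32-byte inner packet needs 2 bytes of padding to reach 4-byte alignment, so the outer ESP packet is 8 + 32 + 2 + 2 + 12 = 56 bytes before the public IP header is added; flipping one payload byte, replaying the packet, using a different key or addressing the wrong SPI all make the receiver drop it.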
Variations
- VPN connection types: client to server, server to server
- Types of VPN: hardware, software, firewall
- Protocols: PPTP, L2F, L2TP, IPSec
How does VPN solve our Problem?
- The VPN connection uses the ESP protocol, which is allowed through the firewall
- TCP/IP traffic is tunnelled within the VPN connection
- The client becomes part of the virtual network
  - Allocated an Oxford IP address (163.1.86.xyz)
VPN in Oxford
- Cisco 3000 Series VPN Concentrator
- Software client for various platforms
- Client to server only
- IPSec
- IP only (not NetBEUI, IPX etc.)
- Split tunnelling disabled
- NAT enabled
Requirements
- Existing Internet connection: modem, LAN, cable, ADSL, ISDN etc.
- Cisco client software: Windows, Mac OS X, some Linux
  - Or a third-party client: Mac OS 8, 9
- OUCS Remote Access username and password
Cisco Clients
- Windows 95, 98, Me, NT, 2000, XP
  - 95 requires the Dial-up Networking upgrade
  - Cannot use the Windows 2000/XP native VPN support
- Mac OS X v10.1.0 or later
Cisco Clients
- Red Hat 6.2 or compatible
  - Kernel 2.2.12 or later (not 2.5)
  - Currently being tested and documented
  - Problems on 7.3 (7.2 OK)
- Solaris UltraSPARC running a 32-bit kernel, OS v2.6 or later
  - Untested
Non-Cisco Clients
- Mac OS 8.6 to OS 9.2.x
  - Netlock VPN Client for Cisco: http://www.netlock.com/
  - Evaluation copy available
  - Around £80
  - Untested by OUCS
  - Let us know results if you try it!
Installation — General
- Instructions available at http://www.oucs.ox.ac.uk/network/vpn/oucs-service/
- Windows version is mostly preconfigured
- Mac OS X client available
- Linux client not yet available
Installation — 2000/XP
- When installing, you will get a warning about disabling IPSec policies
  - The default IPSec policies are not restrictive
  - Only likely to be a problem if you have enabled more rigorous IPSec policies
Installation — XP
- You may want to turn off driver signing before installation
  - The installation process will warn you about this
  - Otherwise be prepared to click on Continue several times
  - Restore the driver-signing setting once the client is installed; it is a system-wide check, not one specific to the VPN client
- Upgrading to XP with the Cisco client installed
  - May warn about incompatibility
  - It is compatible, but it may be best to uninstall prior to the upgrade
Installation — Mac OS X
- Not a GUI install!
  - Command line familiarity
  - Knowledge of paths
  - Editing a text file
- Enable the root account prior to installation (and consider disabling it again afterwards)
- Install from the command line
- Contrary to the documentation, v3.5.1 of the client allows Classic apps to use the tunnel
Configuring — Windows
- Need to enter the initial connection password (once only): Options/Properties/Authentication
- Optional configuration: Options/Properties/Connection
  - Automatically connect via dial-up or…
  - Automatically connect via application
- Stateful firewall — 3.5.1 release
Configuring — NT/2000/XP
- Full domain login possible
  - Requires the VPN to start before login: Options/Windows Logon Properties
  - Probably also necessary to set it to automatically establish the dial-up connection
Configuring — Mac OS X
- Not preconfigured
- Create a profile from the sample, using a text editor
- Full documentation from Cisco
Connecting – General
- Test from a computer on the OU network (except the OUCS in-house network)
- The IP address assigned is 163.1.86.xyz
  - May not be easy to see, as the machine will also have the IP address assigned by the ISP etc.
- DNS server addresses are passed across
Connecting – Windows
- WINS addresses are also assigned
- Check DNS and WINS addresses using winipcfg or ipconfig /all
- VPN icon displayed in the system tray
  - Status, including the IP address assigned
  - Statistics
  - Disconnect
Connecting – Mac OS X
- Started from the command line
- Or use the VPNConnect utility, which allows starting from the GUI: http://www.wiesbeck.biz/
  - Also available from the micros.oucs.ox.ac.uk ftp server
Limitations
- Split tunnelling disabled
  - No access to local LAN resources when the VPN connection is active
  - Security concern: the client behaves as if within the Oxford network, so allowing it to talk to its local LAN at the same time would let a machine on that LAN use it as a bridge into Oxford
  - Client unable to access local resources, e.g. servers, networked printers
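Why the local printer disappears when the tunnel is up, as an added example that is not code from the OUCS deck or from the Cisco client: it models the client's routing table with longest-prefix matching and compares the "split tunnelling disabled" case (a default route over the tunnel pushed by the concentrator) with the split case (only the Oxford range over the tunnel). The addresses for the home LAN and the concentrator are constructed, and 163.1.0.0/16 is assumed to be the range reached through the tunnel; the real client also filters traffic rather than relying on routes alone, which this simplified model does not reproduce.

```python
"""Routing model for split tunnelling on vs. off.

Added example, not from the OUCS deck or Cisco. LAN and concentrator
addresses are constructed; 163.1.0.0/16 is assumed to be the tunnelled range.
"""
from ipaddress import ip_address, ip_network

OXFORD_NET = ip_network("163.1.0.0/16")       # assumption: reached through the tunnel
LOCAL_LAN = ip_network("192.168.1.0/24")      # constructed: the user's home/hotel LAN
VPN_ADDR = ip_network("163.1.86.20/32")       # address the concentrator assigned (163.1.86.xyz)
CONCENTRATOR = ip_network("163.1.100.1/32")   # constructed: outer packets must still go direct


def routing_table(split_tunnelling: bool):
    """(prefix, interface) entries, most specific first."""
    table = [(VPN_ADDR, "tunnel-local"), (CONCENTRATOR, "isp")]
    if split_tunnelling:
        table += [(OXFORD_NET, "tunnel"), (LOCAL_LAN, "lan"), (ip_network("0.0.0.0/0"), "isp")]
    else:
        # concentrator pushes a default route: everything except the tunnel endpoint goes in
        table += [(ip_network("0.0.0.0/0"), "tunnel")]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def next_hop(dest: str, table) -> str:
    """Longest-prefix match: the first entry (most specific) containing dest wins."""
    addr = ip_address(dest)
    for prefix, iface in table:
        if addr in prefix:
            return iface
    raise LookupError("no route to " + dest)


def exposes_bridge(table) -> bool:
    """True when the host has live routes into both the local LAN and the tunnel,
    i.e. a LAN neighbour could reach Oxford through it."""
    ifaces = {iface for _, iface in table}
    return "lan" in ifaces and "tunnel" in ifaces


if __name__ == "__main__":
    for split in (False, True):
        table = routing_table(split)
        print("split tunnelling", "on " if split else "off",
              "| printer 192.168.1.50 ->", next_hop("192.168.1.50", table),
              "| OXAM-style host 163.1.1.1 ->", next_hop("163.1.1.1", table),
              "| bridge risk:", exposes_bridge(table))
```

With split tunnelling off, the printer's address is sent down the tunnel and never reaches the LAN, which is the limitation on the slide; with it on, the host would hold routes into both networks at once, which is the security concern.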
Limitations
- The full version of OxLIP may be too slow to use over VPN over dial-up
  - Starting full OxLIP downloads about 1.8MB of data (e.g. 10 minutes over dial-up)
  - There may be similar problems accessing e.g. files on Microsoft shares
  - If full OxLIP is essential, broadband may be the answer
Caveats
- Worth reading the release notes, e.g.:
  - 2000 systems may need to install Client for MS Networks
  - Windows 98 shutdown problem
  - Non-DHCP 95/98 may not get WINS addresses
  - No network browsing with AOL 6.0
  - MSN install fails with the VPN installed
Password Confusion 1
- Usernames/passwords to use the service
  - Remote Access Services account details
  - VPN initial connection password
    - Provided when the user registers to use Remote Access Services (OUCS Registration/Web registration)
    - NB If registered to use dial-up pre-November 2001, contact OUCS Registration for the VPN initial connection password
Password Confusion 2
- Username/password to obtain the client software
  - micros.oucs FTP server username and password for the client download: OUCS Shop
  - NB only accessible from the OU network (including dial-up); for special cases contact the Helpcentre
Personal Firewalls
- Must allow ISAKMP (UDP port 500): the initial exchange
- Must allow the ESP protocol (IP protocol number 50, not a TCP/UDP port): all subsequent IPSec traffic
- If the VPN connection is OK but there is no internet response, suspect that ESP is not allowed
- The XP firewall appears OK without change
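The two checks above, turned into a small rule-set auditor as an added example that is not code from the OUCS deck or from any firewall product: it parses inbound rules in a simplified iptables-style syntax ("-A INPUT -p udp --dport 500 -j ACCEPT", "-P INPUT DROP"), evaluates them first-match-wins, and maps what is missing onto the symptom the slide gives (ISAKMP blocked: no connection at all; ESP blocked: connection comes up but nothing flows). The three rulesets are constructed. Only inbound rules are examined, and NAT traversal, where the ESP traffic is wrapped in UDP on another port, is out of scope here.

```python
"""Audit a personal-firewall ruleset for what an IPsec client needs.

Added example, not from the OUCS deck or any firewall vendor. Rule syntax is a
simplified iptables style, first match wins; sample rulesets are constructed.
"""
import shlex

ISAKMP_PORT = 500
ESP_PROTO = 50
UDP = 17
PROTO_NAMES = {"udp": 17, "tcp": 6, "esp": 50, "icmp": 1}


def parse_rule(line: str):
    """Return {chain, proto, dport, target} for an '-A' rule, else None."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "proto": None, "dport": None, "target": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-p":                       # protocol by name or IP protocol number
            name = tokens[i + 1].lower()
            rule["proto"] = PROTO_NAMES.get(name, int(name) if name.isdigit() else None)
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(tokens[i + 1])
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1].upper()
            i += 2
        else:                                 # options this model does not understand
            i += 1
    return rule


def chain_policy(lines, chain: str) -> str:
    """Default verdict ('-P INPUT DROP') when no rule matches; ACCEPT if unset."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P" and parts[1] == chain:
            return parts[2].upper()
    return "ACCEPT"


def verdict(lines, chain: str, proto: int, dport=None) -> str:
    """First rule whose protocol and port constraints match decides the fate."""
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule["chain"] != chain:
            continue
        if rule["proto"] not in (None, proto):
            continue
        if rule["dport"] not in (None, dport):   # ESP has no port, so a port rule never matches it
            continue
        return rule["target"]
    return chain_policy(lines, chain)


def diagnose(lines) -> str:
    """Map the missing permission onto the symptom a user would report."""
    isakmp_ok = verdict(lines, "INPUT", UDP, ISAKMP_PORT) == "ACCEPT"
    esp_ok = verdict(lines, "INPUT", ESP_PROTO) == "ACCEPT"
    if isakmp_ok and esp_ok:
        return "ok: ISAKMP (UDP 500) and ESP (protocol 50) both allowed"
    if not isakmp_ok:
        return "no VPN connection: ISAKMP (UDP 500) blocked"
    return "VPN connects but no traffic flows: ESP (protocol 50) blocked"


# Constructed rulesets: complete, ESP forgotten, ISAKMP explicitly dropped.
RULES_OK = ["-P INPUT DROP",
            "-A INPUT -p udp --dport 500 -j ACCEPT",
            "-A INPUT -p esp -j ACCEPT"]
RULES_NO_ESP = ["-P INPUT DROP",
                "-A INPUT -p udp --dport 500 -j ACCEPT"]
RULES_NO_ISAKMP = ["-P INPUT DROP",
                   "-A INPUT -p 50 -j ACCEPT",
                   "-A INPUT -p udp --dport 500 -j DROP"]

if __name__ == "__main__":
    for name, rules in (("ok", RULES_OK), ("no esp", RULES_NO_ESP), ("no isakmp", RULES_NO_ISAKMP)):
        print(f"{name:10s} -> {diagnose(rules)}")
```

The second ruleset is the classic mistake: UDP 500 was opened because the installer mentioned it, the tunnel negotiates, and then every packet that should come back inside ESP is silently dropped.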
Firewalls
- Departmental/College firewalls
  - The VPN connection is made outside the departmental/college firewall
  - Access to departmental/college resources depends on the firewall configuration
- External organisations
  - May cause problems for individuals connecting from e.g. another university
Web Proxy Servers
- Configured by some ISPs, e.g. Freeserve
- Symptom: with the VPN connection up, you can telnet and ftp but cannot access the web with IE
- Reason: IE is trying to use the ISP web proxy server and access is denied; an IP-restricted page fetched through the proxy sees the proxy's address, not the Oxford address assigned to the client
- Solution: configure exceptions to the proxy for the restricted web pages, so that those requests go direct through the tunnel
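The proxy-exception decision, as an added example that is not code from the OUCS deck or from any browser: it models the browser's "do not use proxy server for addresses beginning with" list, which in Internet Explorer is semicolon-separated, matches the host name with * wildcards, and accepts <local> for names without a dot. The exception list for Oxford is an assumption (web space under ox.ac.uk plus the 163.1.* address range the deck's 163.1.86.xyz addresses sit in); CIDR entries are an extension of this example, not a browser feature.

```python
"""Proxy bypass decision for IP-restricted pages reached over the VPN.

Added example, not from the OUCS deck or any browser. The Oxford exception
list is an assumption; CIDR support is this example's extension.
"""
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# What a user would type into the browser's exception box (assumed Oxford ranges).
IE_EXCEPTIONS = "*.ox.ac.uk;163.1.*;<local>"
# Same intent in CIDR form, supported by this example only.
CIDR_EXCEPTIONS = "*.ox.ac.uk;163.1.0.0/16;<local>"


def should_bypass_proxy(url: str, exceptions: str) -> bool:
    """True when the request must go direct (through the tunnel) rather than via the ISP proxy."""
    host = (urlsplit(url).hostname or "").lower()
    for pattern in (p.strip().lower() for p in exceptions.split(";") if p.strip()):
        if pattern == "<local>":
            if "." not in host:                    # plain single-label names
                return True
        elif "/" in pattern:                       # CIDR extension: only matches IP literals
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False):
                    return True
            except ValueError:
                continue
        elif fnmatchcase(host, pattern):           # wildcard host match, e.g. *.ox.ac.uk
            return True
    return False


def proxy_for(url: str, isp_proxy: str, exceptions: str) -> str:
    """PAC-style answer: DIRECT for exceptions, otherwise the ISP proxy."""
    return "DIRECT" if should_bypass_proxy(url, exceptions) else f"PROXY {isp_proxy}"


if __name__ == "__main__":
    for url in ("http://www.oucs.ox.ac.uk/network/vpn/oucs-service/",
                "http://163.1.86.5/", "http://printer/", "http://www.example.com/"):
        print(f"{url:55s} {proxy_for(url, 'proxy.isp.example:8080', IE_EXCEPTIONS)}")
```

Note that "*.ox.ac.uk" does not match the bare name "ox.ac.uk"; add it separately if a restricted page lives there.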
Miscellaneous
- OUCS dial-up users don't generally require the VPN!
- Watch SMTP settings
  - ISPs require use of their own SMTP server
  - With the VPN you must use smtp.ox.ac.uk (your mail now leaves from an Oxford address, which the ISP's server will not relay for)
- Generally the connection will be slower over the VPN; only use it as required
MTU Size
- MTU = Maximum Transmission Unit
- The setting determines the largest packet size
- Some devices fragment large packets
- Some firewalls reject fragments
- Slows performance
- Set MTU utility to change the defaults
  - Set to 1400 or less; 576 is the default for dial-up adapters
- Hasn't yet solved any problems
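Where the 1400 figure comes from, as an added example that is not code from the OUCS deck or from the Set MTU utility: it adds up the ESP tunnel-mode overhead (outer IP header, SPI and sequence number, IV, padding to the cipher block, trailer, ICV) for an inner packet of a given size and reports whether the result still fits a link. The sizes are the standard ones (3DES-CBC block and IV 8 bytes, AES-CBC 16, HMAC-SHA1-96 or HMAC-MD5-96 ICV 12 bytes); the link MTU is assumed to be Ethernet's 1500, and NAT/UDP encapsulation, which adds a further UDP header, is ignored.

```python
"""ESP tunnel-mode overhead and the largest inner packet that avoids fragmentation.

Added example, not from the OUCS deck. Standard IPsec sizes; 1500-byte link assumed.
"""
OUTER_IP = 20      # new public IPv4 header in tunnel mode
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV = 12           # HMAC-SHA1-96 / HMAC-MD5-96 authentication tag


def esp_tunnel_size(inner_len: int, block: int = 8) -> int:
    """Outer packet length for an inner packet, with a CBC cipher of this block size.

    The IV is one block long and (inner + trailer) is padded up to a block boundary.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HEADER + block + inner_len + pad + ESP_TRAILER + ICV


def fragments(inner_len: int, link_mtu: int = 1500, block: int = 8) -> bool:
    """True if the encapsulated packet exceeds the link MTU and must be fragmented."""
    return esp_tunnel_size(inner_len, block) > link_mtu


def largest_inner_mtu(link_mtu: int = 1500, block: int = 8) -> int:
    """Largest inner packet size that never fragments on the link (what to set the MTU to)."""
    size = link_mtu
    while fragments(size, link_mtu, block):
        size -= 1
    return size


if __name__ == "__main__":
    for inner in (1500, 1446, 1400, 576):
        print(f"inner {inner:4d} -> outer {esp_tunnel_size(inner):4d}"
              f"  fragments on Ethernet: {fragments(inner)}")
    print("largest safe inner MTU, 3DES:", largest_inner_mtu(), " AES:", largest_inner_mtu(block=16))
```

A 1500-byte inner packet grows to 1552 bytes and must be fragmented, which is where a fragment-rejecting firewall silently breaks large transfers; 1446 (3DES) or 1438 (AES) is the exact ceiling, so 1400 leaves a margin for other encapsulations along the path.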
Service Usage Figures by Month
[Chart: monthly figures from Nov'01 to May'02 for Users, Successes and Failures; vertical axis 0 to 1000]
References
- Cisco Documentation: http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/
- VPNConnect utility for Mac: http://www.wiesbeck.biz/
- Netlock Cisco VPN Client for Mac: http://www.netlock.com/
- Comparison of VPN Protocols: IPSec, PPTP and L2TP: http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf
- VPN FAQ: http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
Questions?