OUCS VPN Service. Bridget Lewis, OUCS.

Presentation transcript:

OUCS VPN Service
Bridget Lewis, OUCS

The Problem
- Resources restricted by IP address
  - Web pages, e.g. OXAM, OxLIP, bibliographic resources
- Resources inaccessible through firewall
  - Full OxLIP
  - Microsoft and Samba shares
- OU members may need to access resources from anywhere in the world

[Diagram: OXAM, ftp://micros.oucs/ and Full OxLIP sit inside the Oxford University Network; the user is "anywhere else"]

The Solution
- PCs need to appear to be within OU network
- Authentication mechanism
- Encrypted traffic across WAN
- Virtual Private Network (VPN)

[Diagram repeated: OXAM, ftp://micros.oucs/ and Full OxLIP inside the Oxford University Network; the user "anywhere else"]

What is a Virtual Private Network?
- Secure private communications over public internet
- Private IP packets encapsulated within public packets (tunnel)
  - Additional header added
- Authentication
- Private packet may also be encrypted (desirable)

Variations
- VPN connection types: client to server, server to server
- Types of VPN: hardware, software, firewall
- Protocols: PPTP, L2F, L2TP, IPSec

How does VPN solve our problem?
- VPN connection uses ESP protocol
  - Allowed through firewall
- TCP/IP traffic tunnelled within VPN connection
- Client part of virtual network
  - Allocated Oxford IP address ( xyz)

VPN in Oxford
- CISCO 3000 Series VPN Concentrator
- Software client for various platforms
- Client to server only
- IPSec
- IP only (not NetBEUI, IPX etc.)
- Split tunnelling disabled
- NAT enabled

Requirements
- Existing Internet connection
  - Modem, LAN, cable, ADSL, ISDN etc.
- Cisco client software
  - Windows, Mac OS X, some Linux
- Or third party client
  - Mac OS 8, 9
- OUCS Remote Access username and passwords

Cisco Clients
- Windows 95, 98, Me, NT, 2000, XP
  - 95 requires Dial-up Networking upgrade
  - Cannot use Windows 2000/XP native VPN support
- Mac OS X
  - v or later

Cisco Clients
- RedHat 6.2 or compatible
  - Kernel or later (not 2.5)
  - Currently being tested and documented
  - Problems on 7.3 (7.2 OK)
- Solaris UltraSPARC running 32-bit kernel OS v2.6 or later
  - Untested

Non-Cisco Clients
- Mac OS 8.6 to OS 9.2.x
  - Netlock VPN Client for Cisco
  - Evaluation copy available
  - Let us know results if you try it!
  - Around £80
  - Untested by OUCS

Installation — General
- Instructions available — s-service/
- Windows version is mostly preconfigured
- Mac OS X client available
- Linux client not yet available

Installation — 2000/XP
- When installing, will get warning about disabling IPSec policies
  - Default IPSec policies not restrictive
  - Only likely to be a problem if you have enabled more rigorous IPSec policies

Installation — XP
- May want to turn off driver signing before installation
  - Installation process will warn you about this
  - Otherwise be prepared to click on Continue several times
- Upgrading to XP with Cisco client installed
  - May warn about incompatibility
  - It is compatible, but may be best to uninstall prior to upgrade

Installation — Mac OS X
- Not a GUI install!
  - Command line familiarity
  - Knowledge of paths
  - Edit text file
- Enable root account prior to installation
- Install from command line
- Contrary to documentation, v3.5.1 of client allows Classic apps to use the tunnel

Configuring — Windows
- Need to enter initial connection password (once only)
  - Options/Properties/Authentication
- Optional configuration
  - Options/Properties/Connection
  - Automatically connect via dial-up or…
  - Automatically connect via application
  - Stateful firewall — release

Configuring — NT/2000/XP
- Full domain login possible
  - Requires VPN start before login
  - Options/Windows Logon Properties
  - Probably necessary also to set to automatically establish dialup connection

Configuring — Mac OS X
- Not preconfigured
- Create profile from sample
  - Text editor
- Full documentation from Cisco

Connecting – General
- Test from computer on OU network
  - Except OUCS in-house network
- IP address assigned is xyz
  - May not be easy to see as will also have IP address assigned by ISP etc.
- DNS server addresses passed across

Connecting – Windows
- WINS addresses also assigned
- Check DNS and WINS addresses using winipcfg or ipconfig /all
- VPN icon displayed in system tray
  - Status including IP address assigned
  - Statistics
  - Disconnect

Connecting – Mac OS X
- Started from command line
- Or use VPNConnect utility
  - Allows start from GUI
  - Also available from micros.oucs.ox.ac.uk ftp server

Limitations
- Split tunnelling disabled
  - No access to local LAN resources when VPN connection is active
  - Security concern
  - Client behaves as if within Oxford network
  - Client unable to access local resources, e.g. servers, networked printers

Limitations
- Full version of OxLIP may be too slow to use over VPN over dialup
  - Starting full OxLIP downloads about 1.8MB of data (e.g. 10 minutes over dialup)
- May be similar problems accessing e.g. files on Microsoft shares
- If full OxLIP is essential, broadband may be the answer

Caveats
- Worth reading release notes
  - E.g. systems may need to install Client for MS Networks
  - Windows 98 shutdown problem
  - Non-DHCP 95/98 may not get WINS addresses
  - No network browsing with AOL 6.0
  - MSN install fails with VPN installed

Password Confusion 1
- Usernames/passwords to use the service
  - Remote Access Services account details
  - VPN initial connection password
  - Provided when user registers to use Remote Access Services
  - OUCS Registration/Web registration
- NB: if registered to use dial-up pre-November 2001, contact OUCS Registration for VPN initial connection password

Password Confusion 2
- Username/password to obtain the client software
  - micros.oucs FTP server username and password for client download
  - OUCS Shop
- NB: only accessible from OU network (including dialup) — special cases contact Helpcentre

Personal Firewalls
- Must allow ISAKMP (UDP 500)
  - Initial exchange
- Must allow ESP protocol (number 50)
  - Subsequent IPSEC traffic
- VPN connection OK, but no internet response: suspect ESP not allowed
- XP firewall appears OK without change

Firewalls
- Departmental/College firewalls
  - VPN connection made outside departmental/college firewall
  - Access to departmental/college resources dependent on firewall configuration
- External organisations
  - May cause problems for individuals connecting from e.g. another university

Web Proxy Servers
- Configured by some ISPs
  - Freeserve
- Symptom: with VPN connection, can telnet, ftp but not access web with IE
- Reason: trying to use ISP web proxy server but access denied
- Solution: configure exceptions to proxy for restricted web pages
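The proxy exception described above can be expressed as a proxy auto-configuration (PAC) script rather than typed into the browser's exception list. This is an added example, not from the OUCS slides; the ISP proxy address and the ".ox.ac.uk" exception domain are assumptions, and the two PAC helper functions are re-implemented here only so the script runs outside a browser.

```javascript
// Browsers supply dnsDomainIs() and isPlainHostName() to PAC scripts; Node
// does not, so minimal equivalents are defined here for offline testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Hosts whose pages are restricted by Oxford IP address. They must be fetched
// DIRECT through the VPN tunnel, so the request carries the client's
// VPN-assigned Oxford address rather than the ISP proxy's address.
// Constructed exception list; extend it for other restricted resources.
const DIRECT_DOMAINS = [".ox.ac.uk"];

// Placeholder for the ISP's proxy (the slides name Freeserve but not an address).
const ISP_PROXY = "PROXY proxy.isp.example:8080";

// Standard PAC entry point: the browser calls this for every URL.
function FindProxyForURL(url, host) {
  // Short names such as "oxam" resolve via the DNS settings passed across the VPN
  if (isPlainHostName(host)) return "DIRECT";
  for (const domain of DIRECT_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }
  // Everything else still goes via the ISP proxy, as it did before the VPN
  return ISP_PROXY;
}
```

With split tunnelling disabled the whole PAC could return DIRECT, but keeping the ISP proxy for unrestricted sites matches the "exceptions only" approach the slide recommends.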

Miscellaneous
- OUCS Dial-up users don’t generally require VPN!
- Watch SMTP settings
  - ISP require own SMTP server
  - With VPN must use smtp.ox.ac.uk
- Generally connection will be slower over VPN
  - Only use as required

MTU Size
- MTU = Maximum Transmission Unit
  - Setting determines largest packet size
- Some devices fragment large packets
- Some firewalls reject fragments
- Slows performance
- Set MTU utility to change defaults
  - Set to 1400 or less, 576 default for dial-up adapters
- Hasn’t yet solved any problems
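Why 1400 is a safe client MTU while the usual 1500 is not: each packet grows by the ESP tunnel-mode overhead before it reaches the path. The calculation below is an added example, not from the OUCS slides; the cipher and integrity parameters (3DES-CBC with an 8-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV) and the optional UDP encapsulation for NAT traversal are assumptions, not a statement of how the Oxford concentrator was configured.

```javascript
const IP_HEADER = 20;   // outer IPv4 header added by ESP tunnel mode
const ESP_HEADER = 8;   // SPI (4 bytes) + sequence number (4 bytes)
const ESP_TRAILER = 2;  // pad length (1 byte) + next header (1 byte)

// Size on the wire of an inner IP packet of innerLen bytes after ESP tunnel
// encapsulation. Padding brings (payload + trailer) up to a multiple of the
// cipher block size; the IV precedes the ciphertext and the ICV follows it.
function espTunnelSize(innerLen,
                       { ivLen = 8, blockSize = 8, icvLen = 12, natT = false } = {}) {
  const unpadded = innerLen + ESP_TRAILER;
  const padded = Math.ceil(unpadded / blockSize) * blockSize;
  const udpEncap = natT ? 8 : 0;  // UDP header when ESP is wrapped for NAT traversal
  return IP_HEADER + udpEncap + ESP_HEADER + ivLen + padded + icvLen;
}

// Does a client MTU setting avoid fragmentation on a path of pathMtu bytes?
function fitsWithoutFragmentation(clientMtu, pathMtu, opts = {}) {
  return espTunnelSize(clientMtu, opts) <= pathMtu;
}

// Largest inner packet that still fits the path after encapsulation.
function maxInnerMtu(pathMtu, opts = {}) {
  let best = 0;
  for (let n = 1; n <= pathMtu; n++) {
    if (espTunnelSize(n, opts) <= pathMtu) best = n;
  }
  return best;
}

// Compare the slide's suggested settings against a 1500-byte Ethernet path.
function report(pathMtu = 1500) {
  return [1500, 1400, 576].map((mtu) => ({
    clientMtu: mtu,
    onWire: espTunnelSize(mtu),
    fragments: !fitsWithoutFragmentation(mtu, pathMtu),
  }));
}
```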

Service Usage Figures by Month

References
- Cisco Documentation
  - uct/vpn/client/
- VPNConnect utility for Mac
- Netlock Cisco VPN Client for Mac

References
- Comparison of VPN Protocols: IPSec, PPTP and L2TP
  - 01/arveal.pdf
- VPN FAQ
  - html

Questions?