
Slide 1: OUCS VPN Service (Bridget Lewis, OUCS)

Slide 2: The Problem
- Resources restricted by IP address
  - Web pages, e.g. OXAM, OxLIP, bibliographic resources
- Resources inaccessible through the firewall
  - Full OxLIP
  - Microsoft and Samba shares
- OU members may need to access resources from anywhere in the world

Slide 3: [Diagram: OXAM, ftp://micros.oucs/ and Full OxLIP sit inside the Oxford University Network; a client "Anywhere else" sits outside it]

Slide 4: The Solution
- PCs need to appear to be within the OU network
- Authentication mechanism
- Encrypted traffic across the WAN
- Virtual Private Network (VPN)

Slide 5: [Diagram repeated from slide 3: OXAM, ftp://micros.oucs/, Full OxLIP, Oxford University Network, "Anywhere else"]

Slide 6: What is a Virtual Private Network?
- Secure private communications over the public internet
- Private IP packets encapsulated within public packets (tunnel)
  - Additional header added
- Authentication
- Private packet may also be encrypted (desirable)

Slide 7: Variations
- VPN connection types: client to server, server to server
- Types of VPN: hardware, software, firewall
- Protocols: PPTP, L2F, L2TP, IPSec

Slide 8: How does VPN solve our problem?
- VPN connection uses the ESP protocol
  - Allowed through the firewall
- TCP/IP traffic tunnelled within the VPN connection
- Client is part of the virtual network
  - Allocated an Oxford IP address (163.1.86.xyz)

Slide 9: VPN in Oxford
- Cisco 3000 Series VPN Concentrator
- Software client for various platforms
- Client to server only
- IPSec
- IP only (not NetBEUI, IPX etc.)
- Split tunnelling disabled
- NAT enabled

Slide 10: Requirements
- Existing Internet connection
  - Modem, LAN, cable, ADSL, ISDN etc.
- Cisco client software
  - Windows, Mac OS X, some Linux
- Or third-party client
  - Mac OS 8, 9
- OUCS Remote Access username and password

Slide 11: Cisco Clients
- Windows 95, 98, Me, NT, 2000, XP
  - 95 requires the Dial-up Networking upgrade
  - Cannot use Windows 2000/XP native VPN support
- Mac OS X
  - v10.1.0 or later

Slide 12: Cisco Clients
- RedHat 6.2 or compatible
  - Kernel 2.2.12 or later (not 2.5)
  - Currently being tested and documented
  - Problems on 7.3 (7.2 OK)
- Solaris UltraSPARC running a 32-bit kernel, OS v2.6 or later
  - Untested

Slide 13: Non-Cisco Clients
- Mac OS 8.6 to OS 9.2.x
  - Netlock VPN Client for Cisco: http://www.netlock.com/
  - Evaluation copy available
  - Let us know results if you try it!
  - Around £80
  - Untested by OUCS

Slide 14: Installation — General
- Instructions available: http://www.oucs.ox.ac.uk/network/vpn/oucs-service/
- Windows version is mostly preconfigured
- Mac OS X client available
- Linux client not yet available

Slide 15: Installation — 2000/XP
- When installing, you will get a warning about disabling IPSec policies
  - Default IPSec policies are not restrictive
  - Only likely to be a problem if you have enabled more rigorous IPSec policies

Slide 16: Installation — XP
- May want to turn off driver signing before installation
  - The installation process will warn you about this
  - Otherwise be prepared to click on Continue several times
- Upgrading to XP with the Cisco client installed
  - May warn about incompatibility
  - It is compatible, but it may be best to uninstall prior to the upgrade

Slide 17: Installation — Mac OS X
- Not a GUI install!
  - Command-line familiarity
  - Knowledge of paths
  - Editing a text file
- Enable the root account prior to installation
- Install from the command line
- Contrary to the documentation, v3.5.1 of the client allows Classic apps to use the tunnel

Slide 18: Configuring — Windows
- Need to enter the initial connection password (once only)
  - Options/Properties/Authentication
- Optional configuration
  - Options/Properties/Connection
  - Automatically connect via dial-up, or...
  - Automatically connect via application
  - Stateful firewall (3.5.1 release)

Slide 19: Configuring — NT/2000/XP
- Full domain login possible
  - Requires the VPN to start before login
  - Options/Windows Logon Properties
  - Probably also necessary to set the dial-up connection to be established automatically

Slide 20: Configuring — Mac OS X
- Not preconfigured
- Create a profile from the sample
  - Text editor
- Full documentation from Cisco

Slide 21: Connecting – General
- Test from a computer on the OU network
  - Except the OUCS in-house network
- IP address assigned is 163.1.86.xyz
  - May not be easy to see, as the machine will also have an IP address assigned by the ISP etc.
- DNS server addresses are passed across

Slide 22: Connecting – Windows
- WINS addresses also assigned
- Check DNS and WINS addresses using winipcfg or ipconfig /all
- VPN icon displayed in the system tray
  - Status, including the IP address assigned
  - Statistics
  - Disconnect
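An added example, not part of the presentation, for the check on slides 21 and 22: it picks the VPN-assigned 163.1.86.xyz address and the DNS and WINS servers out of ipconfig /all output, where they are easy to miss beside the ISP adapter's own address. The sample output and all addresses in it are constructed, and treating the 163.1.86.xyz addresses as a single /24 pool is an assumption.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed "ipconfig /all" output (not a real capture): the ISP's PPP adapter
# alongside the Cisco VPN adapter. Addresses are made up.
SAMPLE_IPCONFIG = """
PPP adapter My ISP:
        IP Address. . . . . . . . . . . . : 192.0.2.10
        DNS Servers . . . . . . . . . . . : 192.0.2.1

Ethernet adapter Cisco Systems VPN Adapter:
        IP Address. . . . . . . . . . . . : 163.1.86.42
        DNS Servers . . . . . . . . . . . : 198.51.100.1
                                            198.51.100.2
        Primary WINS Server . . . . . . . : 198.51.100.3
"""
# Assumption: the 163.1.86.xyz addresses on the slides form one /24 pool.
OXFORD_VPN_POOL = ip_network("163.1.86.0/24")

def parse_ipconfig(text):
    """Map each adapter name to its IP address, DNS servers and WINS servers."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")            # adapter heading line
            adapters[current] = {"ip": None, "dns": [], "wins": []}
            last_key = None
        elif current is None:
            continue
        elif ":" in raw:                                 # "Label . . . : value"
            label, value = raw.split(":", 1)
            label = re.sub(r"[ .]+", " ", label).strip().lower()
            value, last_key = value.strip(), None
            if label == "ip address":
                adapters[current]["ip"] = value
            elif label == "dns servers":
                adapters[current]["dns"].append(value)
                last_key = "dns"
            elif label.endswith("wins server"):
                adapters[current]["wins"].append(value)
                last_key = "wins"
        elif last_key:                                   # extra server on its own line
            adapters[current][last_key].append(raw.strip())
    return adapters

def vpn_status(adapters):
    # The adapter holding a VPN-pool address, or None if the tunnel is not up.
    for name, info in adapters.items():
        if info["ip"] and ip_address(info["ip"]) in OXFORD_VPN_POOL:
            return {"adapter": name, **info}
    return None
```

Feed the function the saved output of ipconfig /all (or winipcfg's text equivalent); a result of None means no adapter currently holds a 163.1.86.x address.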

Slide 23: Connecting – Mac OS X
- Started from the command line
- Or use the VPNConnect utility
  - Allows a start from the GUI
  - http://www.wiesbeck.biz/
  - Also available from the micros.oucs.ox.ac.uk ftp server

Slide 24: Limitations
- Split tunnelling disabled
  - No access to local LAN resources when the VPN connection is active
  - Security concern
  - Client behaves as if within the Oxford network
  - Client unable to access local resources, e.g. servers, networked printers

Slide 25: Limitations
- Full version of OxLIP may be too slow to use over VPN over dial-up
  - Starting full OxLIP downloads about 1.8MB of data (e.g. 10 minutes over dial-up)
  - May be similar problems accessing e.g. files on Microsoft shares
  - If full OxLIP is essential, broadband may be the answer

Slide 26: Caveats
- Worth reading the release notes
  - E.g. 2000 systems may need to install Client for MS Networks
  - Windows 98 shutdown problem
  - Non-DHCP 95/98 may not get WINS addresses
  - No network browsing with AOL 6.0
  - MSN install fails with VPN installed

Slide 27: Password Confusion 1
- Usernames/passwords to use the service
  - Remote Access Services account details
  - VPN initial connection password
- Provided when the user registers to use Remote Access Services
  - OUCS Registration/Web registration
- NB: if registered to use dial-up pre-November 2001, contact OUCS Registration for the VPN initial connection password

Slide 28: Password Confusion 2
- Username/password to obtain the client software
  - micros.oucs FTP server username and password for client download
  - OUCS Shop
- NB: only accessible from the OU network (including dial-up); for special cases contact the Helpcentre

Slide 29: Personal Firewalls
- Must allow ISAKMP (UDP 500)
  - Initial exchange
- Must allow the ESP protocol (IP protocol number 50)
  - Subsequent IPSEC traffic
- VPN connection OK but no internet response: suspect ESP is not allowed
- XP firewall appears OK without change

Slide 30: Firewalls
- Departmental/college firewalls
  - VPN connection is made outside the departmental/college firewall
  - Access to departmental/college resources depends on the firewall configuration
- External organisations
  - May cause problems for individuals connecting from e.g. another university

Slide 31: Web Proxy Servers
- Configured by some ISPs
  - Freeserve
- Symptom: with the VPN connection, can telnet and ftp but cannot access the web with IE
- Reason: trying to use the ISP web proxy server, but access is denied
- Solution: configure exceptions to the proxy for the restricted web pages

Slide 32: Miscellaneous
- OUCS dial-up users don't generally require VPN!
- Watch SMTP settings
  - ISPs require their own SMTP server
  - With VPN, must use smtp.ox.ac.uk
- Generally the connection will be slower over VPN
  - Only use as required

Slide 33: MTU Size
- MTU = Maximum Transmission Unit
- Setting determines the largest packet size
- Some devices fragment large packets
- Some firewalls reject fragments
- Slows performance
- Set MTU utility to change the defaults
  - Set to 1400 or less; 576 is the default for dial-up adapters
- Hasn't yet solved any problems
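An added worked example, not from the presentation, showing where a "1400 or less" MTU comes from: ESP tunnel mode wraps each inner packet in an outer IP header, ESP header, IV, padding, trailer and integrity check, so an inner packet sized to the link MTU of 1500 no longer fits and gets fragmented. The header sizes are ESP protocol facts; the cipher and MAC (3DES with an 8-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) and the optional NAT-T UDP encapsulation for clients behind a NAT device are assumptions, not something the slides state about the concentrator.

```python
# Added worked example (not from the slides): where a "1400 or less" MTU comes
# from. Header sizes are IPsec ESP tunnel-mode facts; the cipher and MAC
# (3DES with 8-byte IV and block, HMAC-SHA1-96 with 12-byte ICV) are an
# assumption about the concentrator's configuration.
OUTER_IP = 20     # outer IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI + sequence number
ESP_TRL = 2       # pad length + next header
UDP_HDR = 8       # only present with NAT-T UDP encapsulation (assumed optional)

def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=12, nat_t=False):
    """Bytes on the wire after an inner packet of inner_len bytes is ESP-encapsulated."""
    plain = inner_len + ESP_TRL
    padding = (-plain) % block          # pad the encrypted part to the cipher block size
    size = OUTER_IP + ESP_HDR + iv_len + plain + padding + icv_len
    return size + UDP_HDR if nat_t else size

def esp_overhead(inner_len, **cipher):
    """Bytes added by encapsulation for this inner packet size."""
    return esp_tunnel_size(inner_len, **cipher) - inner_len

def largest_inner_mtu(link_mtu=1500, **cipher):
    """Largest inner packet that still fits the link without the outer packet fragmenting."""
    size = link_mtu
    while esp_tunnel_size(size, **cipher) > link_mtu:
        size -= 1
    return size

def fits_without_fragmenting(inner_mtu, link_mtu=1500, **cipher):
    return esp_tunnel_size(inner_mtu, **cipher) <= link_mtu

if __name__ == "__main__":
    for label, cipher in [("3DES/SHA1", {}), ("AES/SHA1", {"iv_len": 16, "block": 16})]:
        print(f"{label}: largest inner MTU on a 1500-byte link = {largest_inner_mtu(**cipher)}")
        print(f"  1400-byte inner packet fits: {fits_without_fragmenting(1400, **cipher)}")
        print(f"  1500-byte inner packet fits: {fits_without_fragmenting(1500, **cipher)}")
```

With the 3DES/SHA1 assumption the inner packet must stay at or below 1446 bytes on a 1500-byte link (1438 with NAT-T or AES), so 1400 leaves headroom for either; the slide's 576 dial-up default already fits comfortably.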

Slide 34: Service Usage Figures by Month
[Chart: service usage figures by month]

Slide 35: References
- Cisco documentation: http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/
- VPNConnect utility for Mac: http://www.wiesbeck.biz/
- Netlock Cisco VPN Client for Mac: http://www.netlock.com/

Slide 36: References
- Comparison of VPN Protocols: IPSec, PPTP and L2TP: http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf
- VPN FAQ: http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

Slide 37: Questions?

