OUCS VPN Service Bridget Lewis OUCS
The Problem • Resources restricted by IP Address • Web pages e.g. OXAM, OxLIP, bibliographic resources • Resources inaccessible through firewall • Full OxLIP • Microsoft and Samba shares • OU members may need to access resources from anywhere in the world
[Diagram: Oxford University Network / Anywhere else; labelled resources: OXAM, ftp://micros.oucs/, Full OxLIP]
The Solution • PCs need to appear to be within OU Network • Authentication mechanism • Encrypted traffic across WAN • Virtual Private Network (VPN)
[Diagram: Oxford University Network / Anywhere else; labelled resources: OXAM, ftp://micros.oucs/, Full OxLIP]
What is a Virtual Private Network? • Secure private communications over public internet • Private IP packets encapsulated within public packets (tunnel) • Additional header added • Authentication • Private packet may also be encrypted (desirable)
Variations • VPN connection types • Client to Server, Server to Server • Types of VPN • Hardware, software, firewall • Protocols • PPTP, L2F, L2TP, IPSec
How does VPN solve our Problem? • VPN connection uses ESP protocol • Allowed through firewall • TCP/IP traffic tunnelled within VPN connection • Client part of virtual network • Allocated Oxford IP address (163.1.86.xyz)
VPN in Oxford • CISCO 3000 Series VPN Concentrator • Software client for various platforms • Client to Server only • IPSec • IP only (not NetBEUI, IPX etc.) • Split tunnelling disabled • NAT enabled
Requirements • Existing Internet connection • Modem, LAN, cable, ADSL, ISDN etc. • Cisco client software • Windows, Mac OS X, some Linux • Or third party client • Mac OS 8, 9 • OUCS Remote Access username and passwords
Cisco Clients • Windows 95, 98, Me, NT, 2000, XP • 95 requires Dial-up Networking upgrade • Cannot use Windows 2000/XP native VPN support • Mac OS X • v10.1.0 or later
Cisco Clients • RedHat 6.2 or compatible • Kernel 2.2.12 or later (not 2.5) • Currently being tested and documented • Problems on 7.3 (7.2 OK) • Solaris UltraSPARC running 32-bit kernel OS v2.6 or later • Untested
Non-Cisco Clients • Mac OS 8.6 to OS 9.2.x • Netlock VPN Client for Cisco • http://www.netlock.com/ • Evaluation copy available • Let us know results if you try it! • Around £80 • Untested by OUCS
Installation — General • Instructions available — http://www.oucs.ox.ac.uk/network/vpn/oucs-service/ • Windows version is mostly preconfigured • Mac OS X client available • Linux client not yet available
Installation — 2000/XP • When installing, will get warning about disabling IPSec policies • Default IPSec policies not restrictive • Only likely to be a problem if you have enabled more rigorous IPSec policies
Installation — XP • May want to turn off driver signing before installation • Installation process will warn you about this • Otherwise be prepared to click on Continue several times • Upgrading to XP with Cisco client installed • May warn about incompatibility • It is compatible, but may be best to uninstall prior to upgrade
Installation — Mac OS X • Not a GUI install! • Command line familiarity • Knowledge of paths • Edit text file • Enable root account prior to installation • Install from command line • Contrary to documentation, v3.5.1 of client allows Classic apps to use the tunnel
Configuring — Windows • Need to enter initial connection password (once only) • Options/Properties/Authentication • Optional configuration • Options/Properties/Connection • Automatically connect via dial-up or… • Automatically connect via application • Stateful firewall — 3.5.1 release
Configuring — NT/2000/XP • Full domain login possible • Requires VPN start before login • Options/Windows Logon Properties • Probably necessary also to set to automatically establish dialup connection
Configuring — Mac OS X • Not preconfigured • Create profile from sample • Text editor • Full documentation from Cisco
Connecting – General • Test from computer on OU network • Except OUCS in-house network • IP address assigned is 163.1.86.xyz • May not be easy to see as will also have IP address assigned by ISP etc. • DNS server addresses passed across
Connecting – Windows • WINS addresses also assigned • Check DNS and WINS addresses using winipcfg or ipconfig /all • VPN icon displayed in system tray • Status including IP address assigned • Statistics • Disconnect
Connecting – Mac OS X • Started from command line • Or use VPNConnect utility • Allows start from GUI • http://www.wiesbeck.biz/ • Also available from micros.oucs.ox.ac.uk ftp server
Limitations • Split tunnelling disabled • No access to local LAN resources when VPN connection is active • Security concern • Client behaves as if within Oxford network • Client unable to access local resources e.g. servers, networked printers
Limitations • Full version of OxLIP may be too slow to use over VPN over dialup • Starting full OxLIP downloads about 1.8MB data (e.g. 10 minutes over dialup) • May be similar problems accessing e.g. files on Microsoft shares • If full OxLIP is essential, broadband may be the answer
Caveats • Worth reading release notes • E.g. 2000 systems may need to install Client for MS networks • Windows 98 shutdown problem • Non-DHCP 95/98 may not get WINS addresses • No network browsing with AOL 6.0 • MSN install fails with VPN installed
Password Confusion 1 • Usernames/passwords to use the service • Remote Access Services account details • VPN Initial connection password • Provided when user registers to use Remote Access Services • OUCS Registration/Web registration • NB If registered to use dial-up pre-November 2001, contact OUCS Registration for VPN initial connection password
Password Confusion 2 • Username/password to obtain the client software • micros.oucs FTP Server username and password for client download • OUCS Shop • NB only accessible from OU network (including dialup) — special cases contact Helpcentre
Personal Firewalls • Must allow ISAKMP (UDP 500) • Initial exchange • Must allow ESP protocol (number 50) • Subsequent IPSEC traffic • VPN connection OK, but no internet response, suspect ESP not allowed • XP firewall appears OK without change
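Added example (not part of the original slides): a first-match check of a personal-firewall rule list against the two flows named above, reproducing the "connection OK, but no internet response" symptom. The rule model, the sample rulesets and the function names are constructed for illustration and do not correspond to any particular firewall product.

```python
from dataclasses import dataclass
from typing import Optional

# The two flows the slide says an IPSec client needs.
ISAKMP = {"proto": 17, "port": 500}   # UDP port 500: initial exchange
ESP = {"proto": 50, "port": None}     # IP protocol 50: has no port numbers

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[int]         # IP protocol number; None matches any
    port: Optional[int] = None   # destination port; None matches any

def verdict(rules, flow, default="deny"):
    """Return the action of the first rule that matches the flow."""
    for r in rules:
        if r.proto is not None and r.proto != flow["proto"]:
            continue
        if r.port is not None and r.port != flow["port"]:
            continue
        return r.action
    return default

def diagnose(rules):
    """Map the two verdicts onto the symptom a user would see."""
    ike_ok = verdict(rules, ISAKMP) == "allow"
    esp_ok = verdict(rules, ESP) == "allow"
    if ike_ok and esp_ok:
        return "ok"
    if ike_ok:
        # Key exchange succeeds, tunnelled packets are dropped.
        return "connects-but-no-traffic"
    return "cannot-connect"

# Constructed rulesets. "Allow all TCP and UDP" looks permissive but
# does not cover ESP, which is a separate IP protocol.
TCP_UDP_ONLY = [Rule("allow", 6), Rule("allow", 17)]
WITH_ESP = TCP_UDP_ONLY + [Rule("allow", 50)]
WEB_ONLY = [Rule("allow", 6, 80), Rule("allow", 6, 443)]

if __name__ == "__main__":
    for name, rs in [("tcp+udp", TCP_UDP_ONLY), ("tcp+udp+esp", WITH_ESP),
                     ("web only", WEB_ONLY)]:
        print(f"{name:12} -> {diagnose(rs)}")
```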
Firewalls • Departmental/College firewalls • VPN connection made outside departmental/college firewall • Access to departmental/college resources dependent on firewall configuration • External organisations • May cause problems for individuals connecting from e.g. another university
Web Proxy Servers • Configured by some ISPs • Freeserve • Symptom: with VPN connection, can telnet, ftp but not access web with IE • Reason: trying to use ISP web proxy server but access denied • Solution: configure exceptions to proxy for restricted web pages
Miscellaneous • OUCS Dial-up users don’t generally require VPN! • Watch SMTP settings • ISP require own SMTP server • With VPN must use smtp.ox.ac.uk • Generally connection will be slower over VPN • Only use as required
MTU Size • MTU = Maximum Transmission Unit • Setting determines largest packet size • Some devices fragment large packets • Some firewalls reject fragments • Slows performance • Set MTU utility to change defaults • Set to 1400 or less, 576 default for dial-up adapters • Hasn’t yet solved any problems
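Added example (not part of the original slides): the arithmetic behind lowering the client MTU, showing how much an ESP tunnel-mode wrapper adds to a packet and when the result exceeds the link MTU and has to be fragmented. The cipher parameters (3DES-CBC with HMAC-SHA1-96, IPv4, no UDP encapsulation) and the function names are assumptions; the slides do not state which transforms the concentrator uses.

```python
OUTER_IP = 20     # new IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

def esp_packet_size(inner, block=8, iv=8, icv=12):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an
    inner IP packet of `inner` bytes.
    Defaults are the assumed 3DES-CBC / HMAC-SHA1-96 values."""
    body = inner + ESP_TRAILER
    body += (-body) % block        # pad up to the cipher block size
    return OUTER_IP + ESP_HEADER + iv + body + icv

def fragments(inner, link_mtu=1500, **cipher):
    """True if the encapsulated packet no longer fits the link MTU."""
    return esp_packet_size(inner, **cipher) > link_mtu

def largest_inner(link_mtu=1500, block=8, iv=8, icv=12):
    """Largest inner packet that still fits in one outer packet."""
    room = link_mtu - OUTER_IP - ESP_HEADER - iv - icv
    return room - room % block - ESP_TRAILER

if __name__ == "__main__":
    for mtu in (1500, 1400, 576):
        print(f"inner {mtu:4} -> outer {esp_packet_size(mtu):4} "
              f"fragments on 1500-byte link: {fragments(mtu)}")
    print("largest inner packet on a 1500-byte link:", largest_inner(1500))
    print("largest inner packet on a 1492-byte link:", largest_inner(1492))
```

Under these assumptions a full 1500-byte inner packet becomes 1552 bytes and must be fragmented, while the 1400 suggested on the slide leaves room on both 1500-byte and 1492-byte links.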
References • Cisco Documentation • http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/ • VPNConnect utility for Mac • http://www.wiesbeck.biz/ • Netlock Cisco VPN Client for Mac • http://www.netlock.com/
References • Comparison of VPN Protocols: IPSec, PPTP and L2TP • http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf • VPN FAQ • http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html