370 likes | 594 Views
OUCS VPN Service. Bridget Lewis OUCS. The Problem. Resources restricted by IP Address Web pages e.g. OXAM, OxLIP, bibliographic resources Resources inaccessible through firewall Full OxLIP Microsoft and Samba shares OU members may need to access resources from anywhere in the world.
E N D
OUCS VPN Service Bridget Lewis OUCS
The Problem • Resources restricted by IP Address • Web pages e.g. OXAM, OxLIP, bibliographic resources • Resources inaccessible through firewall • Full OxLIP • Microsoft and Samba shares • OU members may need to access resources from anywhere in the world
Oxford University Network Anywhere else OXAM ftp://micros.oucs/ Full OxLIP
The Solution • PCs need to appear to be within OU Network • Authentication mechanism • Encrypted traffic across WAN • Virtual Private Network (VPN)
Oxford University Network Anywhere else OXAM ftp://micros.oucs/ Full OxLIP
What is a Virtual Private Network? • Secure private communications over public internet • Private IP packets encapsulated within public packets (tunnel) • Additional header added • Authentication • Private packet may also be encrypted (desirable)
Variations • VPN connection types • Client to Server, Server to Server • Types of VPN • Hardware, software, firewall • Protocols • PPTP, L2F, L2TP, IPSec
How does VPN solve our Problem? • VPN connection uses ESP protocol • Allowed through firewall • TCP/IP traffic tunnelled within VPN connection • Client part of virtual network • Allocated Oxford IP address (163.1.86.xyz)
VPN in Oxford • CISCO 3000 Series VPN Concentrator • Software client for various platforms • Client to Server only • IPSec • IP only (not NetBEUI, IPX etc.) • Split tunnelling disabled • NAT enabled
Requirements • Existing Internet connection • Modem, LAN, cable, ADSL, ISDN etc. • Cisco client software • Windows, Mac OS X, some Linux • Or third party client • Mac OS 8, 9 • OUCS Remote Access username and passwords
Cisco Clients • Windows 95, 98, Me, NT, 2000, XP • 95 requires Dial-up Networking upgrade • Cannot use Windows 2000/XP native VPN support • Mac OS X • v10.1.0 or later
Cisco Clients • RedHat 6.2 or compatible • Kernel 2.2.12 or later (not 2.5) • Currently being tested and documented • Problems on 7.3 (7.2 OK) • Solaris UltraSPARC running 32-bit kernel OS v2.6 or later • Untested
Non-Cisco Clients • Mac OS 8.6 to OS 9.2.x • Netlock VPN Client for Cisco • http://www.netlock.com/ • Evaluation copy available • Let us know results if you try it! • Around £80 • Untested by OUCS
Installation — General • Instructions available — http://www.oucs.ox.ac.uk/network/vpn/oucs-service/ • Windows version is mostly preconfigured • Mac OS X client available • Linux client not yet available
Installation — 2000/XP • When installing, will get warning about disabling IPSec policies • Default IPSec policies not restrictive • Only likely to be a problem if you have enabled more rigorous IPSec policies
Installation —XP • May want to turn off driver signing before installation • Installation process will warn you about this • Otherwise be prepared to click on Continue several times • Upgrading to XP with Cisco client installed • May warn about incompatibility • It is compatible, but may be best to uninstall prior to upgrade
Installation — Mac OS X • Not a GUI install! • Command line familiarity • Knowledge of paths • Edit text file • Enable root account prior to installation • Install from command line • Contrary to documentation, v3.5.1 of client allows Classic apps to use the tunnel
Configuring — Windows • Need to enter initial connection password (once only) • Options/Properties/Authentication • Optional configuration • Options/Properties/Connection • Automatically connect via dial-up or… • Automatically connect via application • Stateful firewall — 3.5.1 release
Configuring — NT/2000/XP • Full domain login possible • Requires VPN start before login • Options/Windows Logon Properties • Probably necessary also to set to automatically establish dialup connection
Configuring — Mac OS X • Not preconfigured • Create profile from sample • Text editor • Full documentation from Cisco
Connecting – General • Test from computer on OU network • Except OUCS in-house network • IP address assigned is 163.1.86.xyz • May not be easy to see as will also have IP address assigned by ISP etc. • DNS server addresses passed across
Connecting – Windows • WINS addresses also assigned • Check DNS and WINS addresses using winipcfg or ipconfig /all • VPN icon displayed in system tray • Status including IP address assigned • Statistics • Disconnect
Connecting – Mac OS X • Started from command line • Or use VPNConnect utility • Allows start from GUI • http://www.wiesbeck.biz/ • Also available from micros.oucs.ox.ac.uk ftp server
Limitations • Split tunnelling disabled • No access to local LAN resources when VPN connection is active • Security concern • Client behaves as if within Oxford network • Client unable to access local resources e.g. servers, networked printers
Limitations • Full version of OxLIP may be too slow to use over VPN over dialup • Starting full OxLIP downloads about 1.8MB data (e.g. 10 minutes over dialup) • May be similar problems accessing e.g. files on Microsoft shares • If full OxLIP is essential, broadband may be the answer
Caveats • Worth reading release notes • E.g. 2000 systems may need to install Client for MS networks • Windows 98 shutdown problem • Non-DHCP 95/98 may not get WINS addresses • No network browsing with AOL 6.0 • MSN install fails with VPN installed
Password Confusion 1 • Usernames/passwords to use the service • Remote Access Services account details • VPN Initial connection password • Provided when user registers to use Remote Access Services • OUCS Registration/Web registration • NB If registered to use dial-up pre-November 2001, contact OUCS Registration for VPN initial connection password
Password Confusion 2 • Username/password to obtain the client software • micros.oucs FTP Server username and password for client download • OUCS Shop • NB only accessible from OU network (including dialup) — special cases contact Helpcentre
Personal Firewalls • Must allow ISAKMP (UDP 500) • Initial exchange • Must allow ESP protocol (number 50) • Subsequent IPSEC traffic • VPN connection OK, but no internet response, suspect ESP not allowed • XP firewall appears OK without change
Firewalls • Departmental/College firewalls • VPN connection made outside departmental/college firewall • Access to departmental/college resources dependent on firewall configuration • External organisations • May cause problems for individuals connecting from e.g. another university
Web Proxy Servers • Configured by some ISPs • Freeserve • Symptom: with VPN connection, can telnet, ftp but not access web with IE • Reason: trying to use ISP web proxy server but access denied • Solution: configure exceptions to proxy for restricted web pages
Miscellaneous • OUCS Dial-up users don’t generally require VPN! • Watch SMTP settings • ISP require own SMTP server • With VPN must use smtp.ox.ac.uk • Generally connection will be slower over VPN • Only use as required
MTU Size • MTU = Maximum Transmission Unit • Setting determines largest packet size • Some devices fragment large packets • Some firewalls reject fragments • Slows performance • Set MTU utility to change defaults • Set to 1400 or less , 576 default for dial-up adapters • Hasn’t yet solved any problems
References • Cisco Documentation • http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/ • VPNConnect utility for Mac • http://www.wiesbeck.biz/ • Netlock Cisco VPN Client for Mac • http://www.netlock.com/
References • Comparison of VPN Protocols: IPSec, PPTP and L2TP • http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf • VPN FAQ • http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html