OUCS VPN Service
Bridget Lewis, OUCS

The Problem
- Resources restricted by IP address
  - Web pages, e.g. OXAM, OxLIP, bibliographic resources
- Resources inaccessible through the firewall
  - Full OxLIP
  - Microsoft and Samba shares
- OU members may need to access resources from anywhere in the world
[diagram: Oxford University Network (OXAM, ftp://micros.oucs/, Full OxLIP) and Anywhere else]

The Solution
- PCs need to appear to be within the OU network
- Authentication mechanism
- Encrypted traffic across the WAN
- Virtual Private Network (VPN)
[diagram: Oxford University Network (OXAM, ftp://micros.oucs/, Full OxLIP) and Anywhere else]

What is a Virtual Private Network?
- Secure private communications over the public Internet
- Private IP packets encapsulated within public packets (tunnel)
  - Additional header added
  - Authentication
  - Private packet may also be encrypted (desirable)

Variations
- VPN connection types
  - Types of VPN: Client to Server, Server to Server
  - Hardware, software, firewall
- Protocols: PPTP, L2F, L2TP, IPSec

How does VPN solve our Problem?
- VPN connection uses the ESP protocol
  - Allowed through the firewall
- TCP/IP traffic tunnelled within the VPN connection
- Client becomes part of the virtual network
  - Allocated an Oxford IP address (163.1.86.xyz)

VPN in Oxford
- Cisco 3000 Series VPN Concentrator
- Software client for various platforms
- Client to Server only
- IPSec
- IP only (not NetBEUI, IPX etc.)
- Split tunnelling disabled
- NAT enabled

Requirements
- Existing Internet connection
  - Modem, LAN, cable, ADSL, ISDN etc.
- Cisco client software
  - Windows, Mac OS X, some Linux
- Or third-party client
  - Mac OS 8, 9
- OUCS Remote Access username and password

Cisco Clients
- Windows 95, 98, Me, NT, 2000, XP
  - 95 requires Dial-up Networking upgrade
  - Cannot use Windows 2000/XP native VPN support
- Mac OS X v10.1.0 or later

Cisco Clients
- Red Hat 6.2 or compatible
  - Kernel 2.2.12 or later (not 2.5)
  - Currently being tested and documented
  - Problems on 7.3 (7.2 OK)
- Solaris UltraSPARC running 32-bit kernel, OS v2.6 or later
  - Untested

Non-Cisco Clients
- Mac OS 8.6 to OS 9.2.x
  - Netlock VPN Client for Cisco: http://www.netlock.com/
  - Evaluation copy available
  - Around £80
  - Untested by OUCS
  - Let us know results if you try it!

Installation — General
- Instructions available: http://www.oucs.ox.ac.uk/network/vpn/oucs-service/
- Windows version is mostly preconfigured
- Mac OS X client available
- Linux client not yet available

Installation — 2000/XP
- When installing, you will get a warning about disabling IPSec policies
  - Default IPSec policies are not restrictive
  - Only likely to be a problem if you have enabled more rigorous IPSec policies

Installation — XP
- May want to turn off driver signing before installation
  - Installation process will warn you about this
  - Otherwise be prepared to click on Continue several times
- Upgrading to XP with the Cisco client installed
  - May warn about incompatibility
  - It is compatible, but may be best to uninstall prior to upgrade

Installation — Mac OS X
- Not a GUI install!
  - Command line familiarity
  - Knowledge of paths
  - Edit text file
- Enable root account prior to installation
- Install from command line
- Contrary to documentation, v3.5.1 of the client allows Classic apps to use the tunnel

Configuring — Windows
- Need to enter initial connection password (once only)
  - Options/Properties/Authentication
- Optional configuration
  - Options/Properties/Connection
  - Automatically connect via dial-up or…
  - Automatically connect via application
  - Stateful firewall (3.5.1 release)

Configuring — NT/2000/XP
- Full domain login possible
  - Requires VPN start before login
  - Options/Windows Logon Properties
  - Probably also necessary to set automatic establishment of the dial-up connection

Configuring — Mac OS X
- Not preconfigured
- Create profile from sample
  - Text editor
- Full documentation from Cisco

Connecting — General
- Test from a computer on the OU network
- IP address assigned is 163.1.86.xyz
  - Except OUCS in-house network
  - May not be easy to see, as the machine will also have an IP address assigned by the ISP etc.
- DNS server addresses passed across

Connecting — Windows
- WINS addresses also assigned
- Check DNS and WINS addresses using winipcfg or ipconfig /all
- VPN icon displayed in system tray
  - Status, including IP address assigned
  - Statistics
  - Disconnect

Connecting — Mac OS X
- Started from command line
- Or use VPNConnect utility
  - Allows start from GUI
  - http://www.wiesbeck.biz/
  - Also available from the micros.oucs.ox.ac.uk FTP server

Limitations
- Split tunnelling disabled
  - No access to local LAN resources when the VPN connection is active
  - Security concern
  - Client behaves as if within the Oxford network
  - Client unable to access local resources, e.g. servers, networked printers

Limitations
- Full version of OxLIP may be too slow to use over VPN over dial-up
  - Starting full OxLIP downloads about 1.8MB of data (e.g. 10 minutes over dial-up)
  - May be similar problems accessing e.g. files on Microsoft shares
- If full OxLIP is essential, broadband may be the answer

Caveats
- Worth reading the release notes, e.g.
  - 2000 systems may need to install Client for MS Networks
  - Windows 98 shutdown problem
  - Non-DHCP 95/98 may not get WINS addresses
  - No network browsing with AOL 6.0
  - MSN install fails with VPN installed

Password Confusion 1
- Usernames/passwords to use the service
  - Provided when the user registers to use Remote Access Services
  - Remote Access Services account details
  - VPN initial connection password
  - OUCS Registration/Web registration
- NB: if registered to use dial-up pre-November 2001, contact OUCS Registration for the VPN initial connection password

Password Confusion 2
- Username/password to obtain the client software
  - micros.oucs FTP server username and password for client download
  - OUCS Shop
- NB: only accessible from the OU network (including dial-up); for special cases contact the Helpcentre

Personal Firewalls
- Must allow ISAKMP (UDP 500)
  - Initial exchange
- Must allow ESP protocol (number 50)
  - Subsequent IPSec traffic
- VPN connection OK but no Internet response: suspect ESP not allowed
- XP firewall appears OK without change

Firewalls
- Departmental/College firewalls
  - VPN connection made outside the departmental/college firewall
  - Access to departmental/college resources dependent on firewall configuration
- External organisations
  - May cause problems for individuals connecting from, e.g., another university

Web Proxy Servers
- Configured by some ISPs
  - Freeserve
- Symptom: with VPN connection, can telnet, ftp but not access the web with IE
- Reason: trying to use the ISP web proxy server but access denied
- Solution: configure exceptions to the proxy for restricted web pages

Miscellaneous
- OUCS Dial-up users don't generally require VPN!
- Watch SMTP settings
  - ISP requires own SMTP server
  - With VPN must use smtp.ox.ac.uk
- Generally connection will be slower over VPN
  - Only use as required

MTU Size
- MTU = Maximum Transmission Unit
  - Setting determines largest packet size
- Some devices fragment large packets
- Some firewalls reject fragments
- Slows performance
- Set MTU utility to change defaults
  - Set to 1400 or less (576 default for dial-up adapters)
- Hasn't yet solved any problems

Service Usage Figures by Month
[chart: Users, Successes and Failures per month, Nov '01 to May '02; vertical axis 0 to 1000]

References
- Cisco Documentation: http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/
- VPNConnect utility for Mac: http://www.wiesbeck.biz/
- Netlock Cisco VPN Client for Mac: http://www.netlock.com/

References
- Comparison of VPN Protocols: IPSec, PPTP and L2TP: http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf
- VPN FAQ: http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

Questions?
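Worked example for the Personal Firewalls slide (added here; not OUCS or Cisco code): an ordered rule list in a constructed toy format is checked for the two permissions the Cisco client needs, ISAKMP on UDP 500 and IP protocol 50 (ESP), and the result is mapped onto the slide's symptom of "connection OK but no response".

```python
# Added example (not from the OUCS slides): check a personal firewall's
# rule set for the two things the "Personal Firewalls" slide says the Cisco
# client needs, ISAKMP (UDP port 500) for the initial exchange and ESP (IP
# protocol 50) for the tunnelled traffic, and map the result onto the
# symptom the slide describes.  The rule format is a constructed toy
# policy, not any real product's syntax.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50      # ESP is its own IP protocol; it has no port numbers
ISAKMP_PORT = 500


def first_match(rules, proto, port=None):
    """Action of the first rule matching (proto, port); implicit deny otherwise."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule.get("port", "any") not in ("any", port):
            continue
        return rule["action"]
    return "deny"


def ipsec_permitted(rules):
    """(isakmp_ok, esp_ok) for the given ordered rule list."""
    isakmp_ok = first_match(rules, IPPROTO_UDP, ISAKMP_PORT) == "allow"
    esp_ok = first_match(rules, IPPROTO_ESP) == "allow"
    return isakmp_ok, esp_ok


def diagnose(rules):
    """Plain-language verdict matching the failure modes on the slide."""
    isakmp_ok, esp_ok = ipsec_permitted(rules)
    if not isakmp_ok:
        return "ISAKMP (UDP 500) blocked: VPN connection cannot be established"
    if not esp_ok:
        return "ESP (protocol 50) blocked: VPN connects but no traffic flows"
    return "OK: ISAKMP and ESP both allowed"


# Constructed sample policies.  A "web only" personal firewall blocks the VPN
# outright; allowing only UDP 500 gives the slide's symptom (connection OK,
# no response); allowing ESP as well completes the fix.
WEB_ONLY = [{"action": "allow", "proto": IPPROTO_TCP, "port": 80},
            {"action": "allow", "proto": IPPROTO_TCP, "port": 443},
            {"action": "deny", "proto": "any"}]
ISAKMP_ONLY = [{"action": "allow", "proto": IPPROTO_UDP, "port": ISAKMP_PORT}] + WEB_ONLY
IPSEC_OK = [{"action": "allow", "proto": IPPROTO_ESP}] + ISAKMP_ONLY

if __name__ == "__main__":
    for name, policy in (("web only", WEB_ONLY), ("ISAKMP only", ISAKMP_ONLY),
                         ("ISAKMP + ESP", IPSEC_OK)):
        print(f"{name}: {diagnose(policy)}")
```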
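Worked example for the MTU Size slide (added here; not from the slides): the ESP tunnel-mode overhead is computed to show why a 1500-byte client MTU produces fragments while the slide's 1400 does not. The header, IV and ICV sizes are assumptions for a 3DES-CBC with HMAC-96 security association, not figures from the talk.

```python
# Added example (not from the OUCS slides): why a large inner MTU causes
# IPsec fragmentation, which the "MTU Size" slide says some firewalls reject.
# Overhead figures are assumptions for a typical Cisco client SA of the
# period: ESP tunnel mode over IPv4 with 3DES-CBC (8-byte block, 8-byte IV)
# and HMAC-MD5-96 or HMAC-SHA1-96 (12-byte ICV).
OUTER_IPV4_HDR = 20   # new outer IP header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
NAT_T_UDP_HDR = 8     # extra UDP header if NAT traversal is in use
ESP_TRAILER = 2       # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block_size=8, iv_len=8, icv_len=12, nat_t=False):
    """Size of the outer packet carrying an inner IP packet of inner_len bytes.

    Padding brings (inner packet + trailer) up to a multiple of the cipher
    block size (and at least 4-byte alignment), as RFC 2406 requires.
    """
    pad = (-(inner_len + ESP_TRAILER)) % max(block_size, 4)
    size = OUTER_IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += NAT_T_UDP_HDR
    return size


def fragments(inner_len, link_mtu=1500, **sa):
    """True if the encapsulated packet exceeds the link MTU and must fragment."""
    return esp_tunnel_size(inner_len, **sa) > link_mtu


def max_inner_mtu(link_mtu=1500, **sa):
    """Largest client-side MTU whose packets fit in one outer packet."""
    inner = link_mtu
    while inner > 0 and fragments(inner, link_mtu, **sa):
        inner -= 1
    return inner


if __name__ == "__main__":
    # Ethernet default, the slide's recommendation, and the dial-up default.
    for mtu in (1500, 1400, 576):
        print(f"inner MTU {mtu}: outer {esp_tunnel_size(mtu)} bytes, "
              f"fragments={fragments(mtu)}")
    print("largest non-fragmenting inner MTU:", max_inner_mtu())
```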