OUCS VPN Service
Presentation Transcript

  1. OUCS VPN Service Bridget Lewis OUCS

  2. The Problem • Resources restricted by IP Address • Web pages e.g. OXAM, OxLIP, bibliographic resources • Resources inaccessible through firewall • Full OxLIP • Microsoft and Samba shares • OU members may need to access resources from anywhere in the world

  3. [Diagram: Oxford University Network vs. anywhere else; resources shown: OXAM, ftp://micros.oucs/, Full OxLIP]

  4. The Solution • PCs need to appear to be within OU Network • Authentication mechanism • Encrypted traffic across WAN • Virtual Private Network (VPN)

  5. [Diagram: Oxford University Network vs. anywhere else; resources shown: OXAM, ftp://micros.oucs/, Full OxLIP]

  6. What is a Virtual Private Network? • Secure private communications over public internet • Private IP packets encapsulated within public packets (tunnel) • Additional header added • Authentication • Private packet may also be encrypted (desirable)

  7. Variations • VPN connection types • Client to Server, Server to Server • Types of VPN • Hardware, software, firewall • Protocols • PPTP, L2F, L2TP, IPSec

  8. How does VPN solve our Problem? • VPN connection uses ESP protocol • Allowed through firewall • TCP/IP traffic tunnelled within VPN connection • Client part of virtual network • Allocated Oxford IP address (163.1.86.xyz)

  9. VPN in Oxford • Cisco 3000 Series VPN Concentrator • Software client for various platforms • Client to Server only • IPSec • IP only (not NetBEUI, IPX etc.) • Split tunnelling disabled • NAT enabled

  10. Requirements • Existing Internet connection • Modem, LAN, cable, ADSL, ISDN etc. • Cisco client software • Windows, Mac OS X, some Linux • Or third party client • Mac OS 8, 9 • OUCS Remote Access username and passwords

  11. Cisco Clients • Windows 95, 98, Me, NT, 2000, XP • 95 requires Dial-up Networking upgrade • Cannot use Windows 2000/XP native VPN support • Mac OS X • v10.1.0 or later

  12. Cisco Clients • RedHat 6.2 or compatible • Kernel 2.2.12 or later (not 2.5) • Currently being tested and documented • Problems on 7.3 (7.2 OK) • Solaris UltraSPARC running 32-bit kernel OS v2.6 or later • Untested

  13. Non-Cisco Clients • Mac OS 8.6 to OS 9.2.x • Netlock VPN Client for Cisco • http://www.netlock.com/ • Evaluation copy available • Let us know results if you try it! • Around £80 • Untested by OUCS

  14. Installation — General • Instructions available — http://www.oucs.ox.ac.uk/network/vpn/oucs-service/ • Windows version is mostly preconfigured • Mac OS X client available • Linux client not yet available

  15. Installation — 2000/XP • When installing, will get warning about disabling IPSec policies • Default IPSec policies not restrictive • Only likely to be a problem if you have enabled more rigorous IPSec policies

  16. Installation — XP • May want to turn off driver signing before installation • Installation process will warn you about this • Otherwise be prepared to click on Continue several times • Upgrading to XP with Cisco client installed • May warn about incompatibility • It is compatible, but may be best to uninstall prior to upgrade

  17. Installation — Mac OS X • Not a GUI install! • Command line familiarity • Knowledge of paths • Edit text file • Enable root account prior to installation • Install from command line • Contrary to documentation, v3.5.1 of client allows Classic apps to use the tunnel

  18. Configuring — Windows • Need to enter initial connection password (once only) • Options/Properties/Authentication • Optional configuration • Options/Properties/Connection • Automatically connect via dial-up or… • Automatically connect via application • Stateful firewall — 3.5.1 release

  19. Configuring — NT/2000/XP • Full domain login possible • Requires VPN start before login • Options/Windows Logon Properties • Probably necessary also to set to automatically establish dialup connection

  20. Configuring — Mac OS X • Not preconfigured • Create profile from sample • Text editor • Full documentation from Cisco

  21. Connecting – General • Test from computer on OU network • Except OUCS in-house network • IP address assigned is 163.1.86.xyz • May not be easy to see as will also have IP address assigned by ISP etc. • DNS server addresses passed across

  22. Connecting – Windows • WINS addresses also assigned • Check DNS and WINS addresses using winipcfg or ipconfig /all • VPN icon displayed in system tray • Status including IP address assigned • Statistics • Disconnect

  23. Connecting – Mac OS X • Started from command line • Or use VPNConnect utility • Allows start from GUI • http://www.wiesbeck.biz/ • Also available from micros.oucs.ox.ac.uk ftp server

  24. Limitations • Split tunnelling disabled • No access to local LAN resources when VPN connection is active • Security concern • Client behaves as if within Oxford network • Client unable to access local resources e.g. servers, networked printers

  25. Limitations • Full version of OxLIP may be too slow to use over VPN over dialup • Starting full OxLIP downloads about 1.8MB data (e.g. 10 minutes over dialup) • May be similar problems accessing e.g. files on Microsoft shares • If full OxLIP is essential, broadband may be the answer

  26. Caveats • Worth reading release notes • E.g. 2000 systems may need to install Client for MS networks • Windows 98 shutdown problem • Non-DHCP 95/98 may not get WINS addresses • No network browsing with AOL 6.0 • MSN install fails with VPN installed

  27. Password Confusion 1 • Usernames/passwords to use the service • Remote Access Services account details • VPN Initial connection password • Provided when user registers to use Remote Access Services • OUCS Registration/Web registration • NB If registered to use dial-up pre-November 2001, contact OUCS Registration for VPN initial connection password

  28. Password Confusion 2 • Username/password to obtain the client software • micros.oucs FTP Server username and password for client download • OUCS Shop • NB only accessible from OU network (including dialup) — special cases contact Helpcentre

  29. Personal Firewalls • Must allow ISAKMP (UDP 500) • Initial exchange • Must allow ESP protocol (IP protocol number 50) • Subsequent IPsec traffic • If the VPN connection is established but nothing on the Internet responds, suspect that ESP is not being allowed • XP firewall appears OK without change

  30. Firewalls • Departmental/College firewalls • VPN connection made outside departmental/college firewall • Access to departmental/college resources dependent on firewall configuration • External organisations • May cause problems for individuals connecting from e.g. another university

  31. Web Proxy Servers • Configured by some ISPs • Freeserve • Symptom: with VPN connection, can telnet, ftp but not access web with IE • Reason: trying to use ISP web proxy server but access denied • Solution: configure exceptions to proxy for restricted web pages
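One way to implement the "exceptions to the proxy" fix from slide 31 is a proxy auto-config (PAC) script, so that pages on the restricted Oxford hosts go direct through the VPN tunnel while everything else still uses the ISP proxy. This is an added example, not part of the OUCS presentation; the ISP proxy address and the bypass domain list are placeholders/assumptions.

```javascript
// Added example: PAC script implementing proxy exceptions for pages that
// must be reached from an Oxford (VPN-assigned) address.  Not from the
// OUCS talk; proxy host and domain list are placeholders.
//
// Browsers call FindProxyForURL() per request and provide helpers such as
// dnsDomainIs(); it is re-implemented here so the file also runs under Node.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

// Hostnames that must bypass the ISP proxy.  Restricted pages are served
// only to Oxford addresses, so these requests have to leave via the VPN
// tunnel rather than from the ISP's proxy.  (Assumed list for illustration;
// the leading dot makes "www.oucs.ox.ac.uk" match but not "notox.ac.uk".)
const DIRECT_DOMAINS = [".ox.ac.uk"];

// ISP proxy used for everything else (placeholder address).
const ISP_PROXY = "PROXY proxy.isp.example:8080";

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  for (const d of DIRECT_DOMAINS) {
    // Match the bare domain itself or any host beneath it.
    if (h === d.slice(1) || dnsDomainIs(h, d)) {
      return "DIRECT";   // through the VPN tunnel, not the ISP proxy
    }
  }
  // Fall back to a direct connection only if the proxy cannot be contacted.
  return ISP_PROXY + "; DIRECT";
}
```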

  32. Miscellaneous • OUCS dial-up users don’t generally require VPN! • Watch SMTP settings • ISPs require use of their own SMTP server • With VPN you must use smtp.ox.ac.uk • Generally connection will be slower over VPN • Only use as required

  33. MTU Size • MTU = Maximum Transmission Unit • Setting determines largest packet size • Some devices fragment large packets • Some firewalls reject fragments • Slows performance • Set MTU utility to change defaults • Set to 1400 or less (576 is the default for dial-up adapters) • Hasn’t yet solved any problems
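To see why "1400 or less" avoids the fragmentation problem on slide 33, the following added example (not from the OUCS slides) computes the on-the-wire size of an IPsec ESP tunnel-mode packet and the largest inner packet that still fits a link MTU. The cipher and MAC sizes (3DES-CBC with an 8-byte block/IV, AES-CBC with 16, HMAC-SHA1-96 with a 12-byte ICV) and the optional UDP NAT-traversal header are assumptions about the concentrator configuration, not facts stated on the page.

```javascript
// Added example: ESP tunnel-mode overhead calculator.  Not from the OUCS
// talk; cipher/MAC sizes are assumed common configurations of the period.
const OUTER_IP_HDR = 20;  // new IPv4 header added in tunnel mode
const ESP_SPI_SEQ  = 8;   // SPI (4) + sequence number (4)
const ESP_TRAILER  = 2;   // pad length (1) + next header (1)
const UDP_HDR      = 8;   // only when NAT traversal wraps ESP in UDP

const CIPHERS = {
  "3des-sha1": { block: 8,  iv: 8,  icv: 12 },
  "aes-sha1":  { block: 16, iv: 16, icv: 12 },
};

// Size on the public link of an inner packet of innerLen bytes once
// encapsulated in ESP (tunnel mode) and optionally UDP for NAT-T.
function espTunnelSize(innerLen, cipher = "3des-sha1", natT = false) {
  const c = CIPHERS[cipher];
  // CBC padding: payload + pad + trailer must be a multiple of the block size.
  const pad = (c.block - ((innerLen + ESP_TRAILER) % c.block)) % c.block;
  const esp = ESP_SPI_SEQ + c.iv + innerLen + pad + ESP_TRAILER + c.icv;
  return OUTER_IP_HDR + (natT ? UDP_HDR : 0) + esp;
}

// True if a packet of innerLen bytes would have to be fragmented on a
// link of linkMtu bytes (the case some firewalls then drop).
function willFragment(innerLen, linkMtu = 1500, cipher = "3des-sha1", natT = false) {
  return espTunnelSize(innerLen, cipher, natT) > linkMtu;
}

// Largest inner packet (the MTU to set on the client) that never fragments.
function maxInnerMtu(linkMtu = 1500, cipher = "3des-sha1", natT = false) {
  let n = linkMtu;
  while (n > 0 && willFragment(n, linkMtu, cipher, natT)) n--;
  return n;
}
```

With an untouched 1500-byte Ethernet MTU every full-size packet fragments, whereas 1400 leaves headroom for any of the assumed cipher and NAT-T combinations, which is the practical reason behind the slide's recommendation.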

  34. Service Usage Figures by Month

  35. References • Cisco Documentation • http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/ • VPNConnect utility for Mac • http://www.wiesbeck.biz/ • Netlock Cisco VPN Client for Mac • http://www.netlock.com/

  36. References • Comparison of VPN Protocols: IPSec, PPTP and L2TP • http://ece.gmu.edu/courses/ECE543/reportsF01/arveal.pdf • VPN FAQ • http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

  37. Questions?