What is a VPN?
What technologies are used in UVM's VPN system?
Why should I use a VPN?
How strong is the encryption used in the UVM VPN service?
Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
What traffic will take the VPN?
Should I use the VPN service if I am on campus?
Should I use the VPN service if I am off campus?
When I type my password, is it encrypted, or sent over the network in clear text?
1. What is a VPN?
VPN stands for Virtual Private Network. It is a set of technologies that allow you to build secure "virtual" paths between hosts across insecure networks. The particular type of VPN that Network Services is deploying is commonly known as a remote access or tunnel mode VPN. This acts very much like a classical dialup service, except that you are using a data network rather than a voice network to make your "calls". Rather than dialing into a modem on the far end, you are making a connection to a VPN concentrator located on the UVM network. Thus everything you send to and receive from the UVM network is encrypted between your machine and the concentrator. Additionally, your machine will appear as if it were on the UVM network, since you are assigned an IP address on the remote network.
2. What technologies are used in UVM's VPN system?
UVM's VPN service is based on the open IPsec standard. This is really an "umbrella" standard that dictates everything from how keys are exchanged, to packet formats and types, to the encryption methods that are used. Other standards such as Diffie-Hellman key exchange, the Authentication Header (AH), the Encapsulating Security Payload (ESP), Triple DES in Cipher Block Chaining mode (3DES-CBC), and the Internet Key Exchange (IKE) are used as part of the IPsec standard. IPsec is primarily defined in RFC 2401.
3. Why should I use a VPN?
When you are on campus, you must use the VPN when you are using the UVM Cat's PAWS wireless network. When you are off campus, connecting to the VPN service ensures that the data you transmit is protected between your host and the UVM core network. Once it arrives on campus, it is decrypted and sent on in the clear. Furthermore, the VPN lets you reach resources that are restricted by source address. While you are connected to the VPN concentrator, you appear to other hosts at UVM as if you were on the UVM network. This also lets you reach external resources from off campus (such as library databases) that grant access based on UVM source addresses.
4. How strong is the encryption used in the UVM VPN service?
The UVM VPN service uses Triple DES (Data Encryption Standard) with a key length of 168 bits. Triple DES is considered a strong encryption algorithm: its three 56-bit keys give an effective strength of about 112 bits against the best known (meet-in-the-middle) key-search attack, which is far beyond any feasible brute-force search. It also uses a technique called Cipher Block Chaining (CBC), in which each plaintext block is XORed with the previous ciphertext block before encryption, so that identical plaintext blocks do not produce identical ciphertext blocks and patterns in the data are hidden. Two caveats: CBC protects confidentiality only, so IPsec relies on the separate authentication in ESP or AH to detect tampering; and because Triple DES has a 64-bit block, a single key should not be used for more than about 2^32 blocks (roughly 32 GB), which is one reason IKE renegotiates keys periodically.
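The chaining step described above, as an added example that is not part of the original FAQ or of the Cisco client: a pure-Python CBC mode over a toy 8-byte block cipher (a stand-in assumed only for its 64-bit block size, the same as Triple DES; it is not secure). It shows that unchained (ECB) encryption leaks repeated plaintext blocks where CBC does not, and that a flipped ciphertext bit still decrypts to mostly-intact plaintext, which is the integrity caveat above. Key, IV and plaintext are constructed demo values.

```python
"""CBC demonstration: pattern hiding, and the lack of integrity.

Added illustration; not UVM's or the Cisco client's code.  The block cipher is
a toy 4-round Feistel network keyed through SHA-256, used only so the CBC logic
runs with the standard library alone.  Demo values are constructed."""
import hashlib

BLOCK = 8  # 64-bit block, as with DES and Triple DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function: 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    return right + left  # final swap lets decryption reuse the same loop


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(4)))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size (ESP pads)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # No chaining: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, p) for p in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = toy_block_encrypt(key, _xor(p, prev))  # XOR with previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(data: bytes) -> int:
    """How many blocks of `data` duplicate an earlier block (pattern leakage)."""
    blocks = _blocks(data)
    return len(blocks) - len(set(blocks))


def flip_bit_and_decrypt(key: bytes, iv: bytes, ciphertext: bytes,
                         block_index: int, byte_index: int) -> bytes:
    """Flip one ciphertext bit and decrypt.  Block `block_index` comes out as
    garbage, block `block_index + 1` has exactly that one bit flipped, and the
    rest is untouched: CBC gives confidentiality, not integrity, which is why
    ESP and AH carry a separate authenticator."""
    ct = bytearray(ciphertext)
    ct[block_index * BLOCK + byte_index] ^= 0x01
    return cbc_decrypt(key, iv, bytes(ct))


# Constructed demo values (not real keys or traffic).
KEY = b"not-a-real-3des-key-for-demo-use"
IV = b"\x00" * BLOCK
PLAINTEXT = b"RENEWAL " * 4   # four identical 8-byte blocks


def demo() -> dict:
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    cbc = cbc_encrypt(KEY, IV, PLAINTEXT)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 3: the repetition is visible
        "cbc_repeats": repeated_blocks(cbc),   # 0: the repetition is hidden
        "roundtrip_ok": cbc_decrypt(KEY, IV, cbc) == PLAINTEXT,
        "tampered": flip_bit_and_decrypt(KEY, IV, cbc, 0, 0),
    }


if __name__ == "__main__":
    print(demo())
```

In the tampered output only the first block is garbled and the second differs from the original by a single predictable bit, so an attacker who can modify ciphertext on the wire can make controlled changes without knowing the key; a real IPsec deployment detects this through the ESP or AH integrity check, not through CBC itself.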
5. Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
Generally yes. SSH provides end-to-end encryption, whereas the VPN concentrator only provides encryption from your client up to the concentrator hardware itself, which is located on the UVM core network. Once the traffic is on the UVM core network, it is decrypted and sent to the UVM host in the clear. Any protocol that carries passwords in plain text (telnet or "normal" FTP, for example) is therefore still exposed on campus; use SSH, SFTP or an SSL-protected equivalent whenever the service offers one.
6. What traffic will take the VPN?
On-campus connections (including the Cat's PAWS wireless network):
All traffic except local subnet traffic (whatever network your network card is on) and DHCP will take the VPN tunnel.
Off-campus connections:
Only UVM-bound traffic will go over the tunnel; everything else leaves through your ISP unencrypted, exactly as it would without the VPN. You can see exactly which traffic will go over the tunnel by double-clicking the "lock" icon, clicking the Statistics tab, and looking at the "secured routes" section in the Windows client, or by typing "vpnclient stat" in the Linux/Mac OS X/Solaris client.
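The two routing policies above, as an added model that is not the Cisco client's own code: a small classifier that decides, for a given flow and client profile, whether the traffic is encrypted to the concentrator or leaves in the clear, plus an audit helper listing what the VPN does not protect. The "secured routes" are represented by the constant UVM_NETS, with 132.198.0.0/16 assumed here for illustration; the local subnet and the flows are constructed. Check the real list in the client's Statistics tab or with "vpnclient stat".

```python
"""Which flows take the tunnel?  Added model of the on-campus and off-campus
policies in this FAQ; not the Cisco client's routing code.
Assumptions: UVM_NETS stands in for the client's "secured routes" (132.198.0.0/16
is assumed for illustration); LOCAL and FLOWS are constructed."""
import ipaddress
from dataclasses import dataclass

UVM_NETS = [ipaddress.ip_network("132.198.0.0/16")]  # assumed secured routes


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def is_dhcp(flow: Flow) -> bool:
    # DHCP is UDP between the client port (68) and server port (67).
    return flow.proto == "udp" and (flow.sport in (67, 68) or flow.dport in (67, 68))


def route_for(flow: Flow, profile: str, local_subnet: str) -> str:
    """Return "tunnel" (encrypted to the concentrator) or "clear"."""
    dst = ipaddress.ip_address(flow.dst)
    if profile == "on-campus":
        # Everything is forced through the tunnel except the local subnet and DHCP.
        if is_dhcp(flow) or dst in ipaddress.ip_network(local_subnet):
            return "clear"
        return "tunnel"
    if profile == "off-campus":
        # Split tunnel: only destinations inside the secured routes are encrypted;
        # the rest leaves through the ISP exactly as it would without the VPN.
        return "tunnel" if any(dst in net for net in UVM_NETS) else "clear"
    raise ValueError(f"unknown profile {profile!r}")


def unprotected(flows, profile: str, local_subnet: str):
    """Flows the VPN will NOT encrypt under this profile (the audit view)."""
    return [f for f in flows if route_for(f, profile, local_subnet) == "clear"]


# Constructed flows: an SSH session to a UVM host, a print job on the local LAN,
# a DHCP renewal, and a web request to an unrelated server (RFC 5737 address).
FLOWS = [
    Flow("132.198.10.1", "tcp", 40000, 22),
    Flow("192.168.1.20", "tcp", 40001, 9100),
    Flow("255.255.255.255", "udp", 68, 67),
    Flow("198.51.100.7", "tcp", 40002, 80),
]
LOCAL = "192.168.1.0/24"

if __name__ == "__main__":
    for profile in ("on-campus", "off-campus"):
        print(profile, "unprotected:", [f.dst for f in unprotected(FLOWS, profile, LOCAL)])
```

The off-campus run is the one to look at: the web request to 198.51.100.7 is listed as unprotected, which is the practical meaning of "only UVM-bound traffic will go over the tunnel".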
7. Should I use the VPN service if I am on campus?
Any computer connected to the campus wireless network, Cat's PAWS, must run the VPN client in order to reach any network resources. Otherwise, it is not necessary. Note that the UVM VPN client will automatically launch and prompt you to log in with your UVM NetID and password when the Cat's PAWS wireless network is detected.
8. Should I use the VPN service if I am off campus?
Anyone who needs to access resources that are restricted to UVM users MUST use the VPN client to reach them from off campus. After connecting to your ISP, run the VPN client and enter your UVM NetID and password when prompted by the VPN gateway. (If you are using the Netlock VPN client for Mac OS 8 or 9, make sure that you select the off-campus profile on the first screen.) After successfully connecting to the VPN gateway, run the appropriate application to access the restricted resource(s). You must already have this application installed on your off-campus computer.
9. When I type my password, is it encrypted, or sent over the network in clear-text?
The password you give the VPN client is encrypted with the same strength of encryption that the VPN tunnel uses; in the case of the UVM VPN, that is Triple DES (168 bit). Your VPN password is never sent in the clear. Note that this applies to the VPN login itself: a password you type into an application after the tunnel is up (telnet or normal FTP, for example) is protected only as far as the concentrator, as described in question 5.
General Client FAQ
1. I am having problems getting my client to work, what should I do?
See the VPN Troubleshooting Guide on this website. If that fails, call 656-2604 to reach the CIT Helpline or email: firstname.lastname@example.org.
2. I accidentally erased the name of the VPN concentrator I am supposed to connect to. What is it?
The name is vpn.uvm.edu.
Windows Client FAQ
1. Are there currently any known compatibility issues with Windows XP?
Yes. A bug in Windows XP can cause installation failures and/or corruption problems with the client. This is a fundamental problem in XP that is fixed by Windows XP Service Pack 1, so install Service Pack 1 before installing the VPN client. Here is the announcement from Microsoft:
2. In Windows XP, when I install the client, I get a dialog box warning me that the driver is not signed. What should I do?
It is acceptable to continue with the installation; click OK when prompted. Before you do, make sure the installer you are running came from the UVM software download site (www.uvm.edu/software), since the unsigned-driver warning means Windows cannot verify the driver's origin for you.
3. How do I restore my VPN configuration if I delete the UVM VPN connection?
You can restore the UVM VPN connection entry either by re-installing the software, or downloading the config file from the Client Software section of this website, and placing it in your VPN profiles directory (C:\Program Files\University of Vermont\VPN Client\Profiles).
4. In Windows 95, I get an error about Microsoft DUN (Dial Up Networking)1.2 not being installed.
This means that you are running a pre-OSR2 release of Windows 95. OSR2 or above is required for the VPN software to work properly. You may be able to update your Windows 95 system with a newer version of DUN to work properly with the VPN software.
Macintosh Client FAQ
1. Is there a client for Macintosh OS 9 or below?
Because Apple has announced the end of development for Mac OS 8/9, our VPN vendor has chosen to concentrate Macintosh VPN development on Mac OS X. There is a third-party VPN client for OS 8/9 which is available from Netlock. Because this is a third-party client, it does cost money. (CIT has purchased an initial number of Netlock VPN clients which are available at no charge from the software download site: www.uvm.edu/software.) It is also not as full featured as the Cisco client; however, it should work in most circumstances.
2. Are there any known issues with the Netlock client for MacOS 8/9?
Yes, here is what we have discovered so far:
The Netlock client does not support NAT transparency (wrapping the IPsec packets in UDP), which means it cannot be used behind some NAT/PAT appliances and may be blocked by firewalls: ESP packets carry no port numbers, so a port-translating device has nothing to map them by. If your NAT/PAT appliance (cable modem and DSL router/firewalls are examples of such appliances) supports IPsec pass-through, you may enable this feature and see if it allows a successful VPN connection.
Sometimes the Netlock client screen is not accurate (showing you that you are connected when you are not, etc.). Click the "refresh" button on the web browser to double-check the client's status.
"Normal" (active-mode) FTP doesn't work with the Netlock client. Active-mode FTP has the server open the data connection back to your machine; passive mode has your client open it, which is what works here. You must configure your FTP client to use "pasv" mode for it to work properly. Refer to your FTP client documentation on how to do this.
3. Is there a GUI for the MacOS-X client?
Yes. The current version 3.7 includes a GUI installer and client application.
Linux Client FAQ
1. I am using Red Hat 7.2 or above. I have installed the client, and when I try to use it, it says I am connecting to 126.96.36.199 or 54, but goes no further.
You probably have ipchains or iptables running. This is firewall software that Red Hat (and potentially other Linux vendors) activates automatically. You will need to add the proper "holes" in the filter list to allow the VPN software to operate. A good way to confirm that this is the problem is to issue the following commands as root:
    /etc/init.d/ipchains stop
    /etc/init.d/iptables stop
This will temporarily disable the firewall. If your VPN client can connect afterwards, make the necessary changes in your ipchains/iptables configuration and turn the firewall back on; do not leave it disabled. At a minimum, IPsec needs IKE (UDP port 500) and the ESP protocol (IP protocol 50) to pass in both directions, plus AH (IP protocol 51) if it is in use. See the installation Instructions section for the full list of what must be permitted through the firewall for proper VPN operation.
Last modified March 12 2004 11:53 AM