Network & Academic Computing Services
Obtaining and Installing the Cisco VPN Client Software
Summary: If you need to connect to UCInet
from off campus, Virtual Private Network (VPN) may be the solution for
you. VPN allows you to connect as if you were on campus and encrypts the
information you are sending over the network.
Why use a VPN?
Network Traffic Encryption
When you connect to UCI through the VPN, your traffic is encrypted so
that anyone who intercepts it on the way cannot read it unless they can
break the encryption. The encryption covers the path from your computer
to the VPN concentrator hardware at UCI. At the concentrator the traffic
is decrypted and sent out over the campus network in the clear. If you
are using software that encrypts its own traffic, such as ssh, that
traffic stays encrypted on the campus network as well, because ssh
encrypts it end to end.
Access UCI Resources
When you are using a VPN connection, systems on campus see you as an
on-campus host: you have a UCI IP address instead of the one your home
provider (Cox, AT&T, PacBell, etc.) gives you. This lets you reach
resources you could not reach from home, and bypasses any port blocking
at the campus border router.
Windows File Shares
The VPN offers a way for authorized users to mount Microsoft Windows file
shares from off campus. As of November 5th, 2002, a VPN is required to
use "shares" from outside of UCInet because the ports they use are
blocked at the campus border.
Who Needs VPN?
You need VPN if:
- You mount a Windows disk share from your work computer on your home
  computer.
- You need to access restricted services.
- You use network protocols like NetBIOS to a host or service on campus.
You don't need VPN if:
- You check your UCI e-mail via IMAP or POP.
Downsides to using VPN if it is not needed:
- It slows down your connection.
- It uses resources (a tunnel) that others could be using.
- It adds a step to connecting to UCI.
Where Can I Use VPN From?
You can connect to the VPN service from any off-campus Internet location
or from the UCInet Mobile Access (wireless) network. It will not work
from the campus dial-in modems or from any host on campus.
VPN Tunnels
UCI has two types of VPN tunnels, a "split"
tunnel and a "full" tunnel.
Split Tunnel
The "split" tunnel sends only traffic destined for UCI over the VPN
connection. All other traffic goes through your normal cable modem/DSL
connection. The "split" tunnel is the one most people will want to use.
It lets you talk directly to the Internet, but when your machine "talks"
to UCI network addresses the traffic goes through the established VPN
tunnel to the UCI VPN node, where it is decrypted and forwarded onto the
campus network with a UCInet source address.
This is useful for people who need access to things at UCI which require
a UCInet IP address (such as a system that restricts access to UCI hosts
only), or who use services that are blocked for security reasons at the
campus firewall (such as the NetBIOS ports used in mounting shared drives
and the other ports used by Microsoft Windows). Only traffic to/from UCI
is sent through the VPN connection, so if you were to access Yahoo, it
would go through your regular network connection (cable modem, DSL, etc.).
Full Tunnel
The "full" tunnel sends all your Internet traffic through the VPN
connection, and then out to the Internet through UCI's connection.
The "full" tunnel is useful for people who need to reach off-campus
sites that require a UCI IP address before they allow access to a
resource. The UCI Library has links to resources such as these. If you
wanted to access the Oxford English Dictionary (OED), you could not get
to it with a split tunnel: the OED is off campus, so your packets to it
go out your home connection and are not network address translated to
UCI addresses. The "full" tunnel gets around this. However, note that
*all* your traffic is then sent through the VPN connection and out UCI's
Internet connection.
Use the "full" tunnel with care: heavy use increases UCI's Internet
connection costs, and it is likely slower than the split tunnel.
Obtaining the VPN Client Software
The current VPN Client software versions are:
| Client                   | Current Version | Updated on    |
| Windows 9x/ME/NT/2000/XP | 4.0.2           | July 1, 2003  |
| Linux                    | 3.7.3(A)        | April 2, 2003 |
| Mac OS X*                | 3.7.3           | May 9, 2003   |
*Due to a problem with the VPN client version 3.7.3(A) for Mac OS X, we
have reverted back to 3.7.3.
You can get the VPN client software one of three ways:
- Off Campus: http://licenses.nacs.uci.edu/getvpnclient.cfm.
- On Campus: use one of the on-campus download links. (These links go
  directly to an ftp area that is restricted to campus hosts only.)
- Software on a CD: Go to the NACS Response Center in Engineering
  Gateway 2130 and get all three client distributions on a CD.
Caveats:
- Linux
  - The client needs a 2.4.x kernel or a 2.2.12 or greater kernel. It
    does not work with the 2.5 kernel series or with SMP (multiprocessor)
    kernels.
- Windows XP
  - If you are using the Windows XP firewall, you must turn it off before
    using the VPN Client. The XP firewall and the VPN client do not work
    well together.
  - If you have XP SP1 installed, you may get an installation warning
    that the Deterministic Network Enhancer Miniport drivers are not
    signed. Click "Continue Anyway" (as many times as necessary) to
    continue the installation.
Other Clients
There are VPN clients available for Mac OS 9 and handheld PDAs. This
client software is not free; you will have to pay for it.
Installing the software
Windows:
- Double click on the vpnclient-win.exe file you just downloaded.
- Change the directory to C:\Temp\VPN.
- Unzip all files to that directory.
- Go to My Computer > C:\ drive > Temp directory > VPN directory.
- Double click on setup.exe.
- Accept all the defaults.
- After the installation has finished, you will need to reboot your
  machine.
Linux:
- As root, untar the gzip'd tar file (tar xzvf). This will create a
  directory called vpnclient.
- Go into the vpnclient directory and type ./vpn_install.
- If you want the vpn driver module loaded at boot time, answer 'y' to
  that question.
- Accept the defaults for all the others.
- If you are using IPCHAINS, you may need to update
  /etc/sysconfig/ipchains to allow IPSec to work. Look in
  /etc/sysconfig/ipchains for the following line:
      -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
  If that line is in your ipchains config file, add this line just
  before it:
      -A input -p udp -s 0/0 -d 0/0 500 -j ACCEPT
  This allows UDP port 500 (IKE, which IPSec uses to negotiate the
  tunnel) through the ipchains filter. The ACCEPT line must come before
  the REJECT line, because ipchains applies the first rule that matches.
Mac OS X:
Note: If you installed a previous version of the VPNClient, you will need
to uninstall it before proceeding. As root, type ./vpn_uninstall in the
directory that was created when you untarred the install file.
- Download the VPN client installer using one of the methods above.
- Locate the downloaded file. By default, Mac OS X puts files downloaded
  via a web browser on the desktop.
- If the file is named CiscoVPN, skip the next step.
- If the file is named vpnclient-darwin-3.7.Rel-GUI-k9.zip, use Stuffit
  Expander in /Applications/Utilities to expand it.
- Double-click on CiscoVPN to launch the installer. Authenticate as a
  machine Administrator and click Next (as necessary) to proceed through
  the installer.
- The installer takes several minutes to complete. (Its progress bar
  will incorrectly indicate that it is almost done, but it takes a while.)
Starting the VPN connection
Windows:
- Click on Start > Programs > Cisco Systems VPN Client >
VPN Dialer.
- In the Connection Entry pull down menu, select "UCI" for
the split tunnel or "UCIFull" for the full
tunnel.
- Click on Connect.
- You will be asked for your username and password; use your UCInetID
and password.
- You will see a banner message; click Continue to
connect.
Linux:
- If you chose to not have the VPN kernel module started at boot time,
you'll need to start it with /etc/init.d/vpnclient_init start.
- After the kernel module is loaded, you can use vpnclient connect
UCI or vpnclient connect UCIFull to start the VPN connection.
- You will be asked for your username and password; use your UCInetID and
password. You will see a banner message and you
will be asked if you want to continue.
- Type "y" to
finish setting up the VPN connection.
Mac OS X:
- Launch the VPNClient. (From Applications or from
your Dock)
- From the "Connection Entries" tab, choose "UCI"
for a split tunnel or "UCIFull" for a full
tunnel connection.
- Click on Connect in the toolbar.
- You will be asked for your username and password; use your UCInetID
and password.
- You will see a banner message; click Continue to
connect.
Timeouts and Limitations
Timeouts
Once you bring up your VPN client and initiate a connection, you will
remain connected as long as you are actively using it. If the connection
is idle for one hour, it will time out. If you are not going to use your
computer, it is best to take down the connection yourself, to free up a
tunnel for someone else to use. In either case, when you later come back
to your computer you will need to re-initiate a connection if you still
need to use the VPN.
Limitations
There is a limit of 2 VPN tunnels which may be simultaneously established
under one UCInetID.
Gnutella, Kazaa, and eDonkey peer-to-peer (p2p) applications, as well as
Simple Network Management Protocol (SNMP) operations, are not supported
via the VPN. In Full Tunnel mode they will not work at all; in Split
Tunnel mode they will not work with campus-connected computers.
VPN Addresses
For those of you who would like to allow or restrict access from VPN
users, here are the address ranges (inclusive) that VPN users may be
assigned:
128.200.240.100 - 128.200.247.254
128.200.238.2 - 128.200.239.254
128.200.214.2 - 128.200.215.254
128.200.194.2 - 128.200.195.254
128.195.244.2 - 128.195.247.254
128.195.128.2 - 128.195.129.254
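As an added example that is not part of the original page, a small shell membership test for the ranges listed above, for anyone writing an allow or deny rule for VPN users. The ranges are the page's; the helper functions and the sample addresses are mine (constructed, not real clients). One thing worth noticing: the first range starts at 128.200.240.100 rather than on a subnet boundary, so a plain CIDR prefix would over-match; comparing against the exact first and last addresses avoids that.

```shell
#!/bin/sh
# Added example (not from the NACS page): decide whether a client address
# falls inside one of the VPN address ranges listed on the page.

# Inclusive ranges copied from the page, one "first last" pair per line.
VPN_RANGES='128.200.240.100 128.200.247.254
128.200.238.2 128.200.239.254
128.200.214.2 128.200.215.254
128.200.194.2 128.200.195.254
128.195.244.2 128.195.247.254
128.195.128.2 128.195.129.254'

# ip2int: print a dotted-quad IPv4 address as an unsigned integer so that
# ranges can be compared numerically; returns 1 on a malformed address.
ip2int() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    echo "$1" | {
        IFS=. read -r a b c d rest
        [ -n "$d" ] && [ -z "$rest" ] || exit 1
        for o in "$a" "$b" "$c" "$d"; do
            [ "$o" -le 255 ] || exit 1
        done
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# is_vpn_addr: exit status 0 if $1 lies in any VPN range, 1 otherwise.
is_vpn_addr() {
    n=$(ip2int "$1") || return 1
    echo "$VPN_RANGES" | {
        while read -r lo hi; do
            [ "$n" -ge "$(ip2int "$lo")" ] && [ "$n" -le "$(ip2int "$hi")" ] && exit 0
        done
        exit 1
    }
}

# classify: print "<addr> vpn", "<addr> not-vpn" or "<addr> invalid"
# for each argument, e.g. when reviewing a list of connecting hosts.
classify() {
    for addr in "$@"; do
        if ! ip2int "$addr" >/dev/null; then
            echo "$addr invalid"
        elif is_vpn_addr "$addr"; then
            echo "$addr vpn"
        else
            echo "$addr not-vpn"
        fi
    done
}

# Constructed sample addresses (not real clients).
classify 128.200.241.7 128.200.240.50 128.195.129.254 128.195.130.1 10.0.0.1 300.1.1.1
```

The same is_vpn_addr test can be dropped into a wrapper script around a service, or used to generate the exact address list for a host-based filter, without relying on a prefix that would also admit the non-VPN addresses just below 128.200.240.100.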
October 3, 2003
University of California, Irvine