What is the OIT IPSEC VPN Service?

This FAQ was last modified on: Wednesday, March 7, 2018 10:40am

 

This is a legacy FAQ entry. For the best current information about remote access via VPN, please click here

The VPN project is the implementation of a campus-wide tier-1 service to improve the security and accountability of remote access. Support is available from the OIT Technology Support Center. This document contains in-depth materials and working information that may be of interest.

Purpose

Remote access to campus resources via a Tier 1 style VPN increases the accountability and security of campus services and as a result allows greater use of campus facilities from other locations. Funded by a Technology Fee Grant, the OIT IPSEC VPN service is initially targeted at students. It is intended that this service be available to the entire campus community.

Use

What to Expect

  • Support. Support is being provided by the OIT Technology Support Center. Feedback and constructive suggestions are appreciated.
    OIT Technology Support Center information:
    Walkin Office Hours:  Monday through Friday, 8:00 am - 6:00 pm
    Phone Support:  (404) 894-7173 Hours: 8:00 am to 5:00 pm, Monday through Friday
    Web Help Request:  http://www.remedy.gatech.edu/support 
    
  • Travel. If you are planning to travel, please be sure to install and test the VPN client before you leave campus. It is much more difficult to troubleshoot a client installation when you are away on a public network.
     
  • 64-Bit Windows. The Cisco AnyConnect VPN Client supports 64-bit versions of Windows 7, Vista, and XP. Installation instructions for Windows 7 can be found here.
     
  • The VPN service is intended to connect computers that are owned by you or Georgia Tech. Its use requires the installation of software using an account with administrator permissions and also requires the machine to have appropriate anti-virus, anti-spyware, and firewall software in place so that the machine is not a danger to the rest of the campus network community. Please don't attempt to install the client software on computers that you don't administer.
     
  • The security model in place for this VPN is very similar to that used for the Residence networks; in other words, most services available to the Residence Hall residents are available to the IPSEC VPN and vice versa. Although it may not be implemented in the initial versions, for the safety of the campus network we reserve the right to do a basic scan of client machines and to reject or terminate connections from dangerously compromised clients.
     
  • There is no guarantee that this service will work from every possible location, since unfortunately Georgia Tech can't control network configurations outside its campuses. It is known that certain hotels, airports, wireless hotspots, and internet providers have configured their networks in such a way that outgoing IPSEC VPN connections are not permitted. For this reason, you should not depend solely on the use of this service while traveling.
     
  • Installing the client software should not affect the behavior of your machine; making a connection with the client software will definitely change its behavior.
     
  • Making a connection to campus with the VPN client completely changes the network access for your computer; it is nearly the equivalent of unplugging the computer from your home and plugging it into a network jack on the Georgia Tech campus. Fortunately, disconnecting the connection with the VPN client reverses these changes.
     
  • Making or breaking a VPN connection to campus disconnects all active network connections. If you are doing such things as printing to a local network printer or are connected to a local file server, making a VPN connection will terminate those sessions.
     
  • When connecting to campus using the IPSEC VPN, your computer will receive a new (additional) IP address from Georgia Tech. All of its network traffic will be routed through campus and you will no longer have access to your local network devices such as local network printers and local file servers (there is one exception to this, see "Local Network Access").  This means that any existing network connections that you have will be closed (actually, they will just be blocked during the time the VPN connection is active -- if you disconnect quickly enough such that packet flows can resume before the connections time out, the connections will not actually terminate).
     
  • Computers that Provide Services. Any network services your client offers to other systems will likely not be available while the VPN client connection is active. We will explicitly block incoming connections to client machine services, so you will not be able to provide services via the Georgia Tech IP address assigned to your VPN session.
     
  • Virtual Machines. Some users report excellent results using VMware or another desktop virtualization product. They provision a virtual client machine and then install the Cisco VPN client software on the VM. Using the client VM to connect with the VPN client, the host system still maintains all its usual network connectivity and behavior. Data can be shared between client and host through the file system or via screen copy/paste.
     
  • Platforms. VPN clients are available for Windows (2000/XP/Vista/7), Mac OS X (10.3 up),  Linux (kernel 2.6), and Solaris (10).  There are GUI interfaces available for Windows and Mac OS X; command-line interfaces are available for all platforms.
     
  • Connect Time. It is recommended that you disconnect your VPN session when you complete your work. While a session can theoretically last for days, it will be disconnected by any connectivity issues between your computer and the VPN endpoint. The VPN protocol does send occasional "keepalive" messages to make sure the network connection is still in place; if it fails to receive these messages for a short period of time, it will disconnect. This means that any significant service disruption in your wireless network, your DSL/cable provider, the internet providers, or the Georgia Tech network will cause your VPN to disconnect. It's best to disconnect in a controlled fashion when you're done with it rather than wait for a random circumstance to do it in the middle of the night.
     
  • Reliable Connection. Use of the VPN client requires a reliable network connection. The client keeps in contact with the server through a series of keepalive messages; if too many of these messages are lost, the VPN client will disconnect from the server. In other words, if you have poor connectivity before you connect the VPN, making the VPN connection will not improve your connectivity.
     
  • Performance. There is a certain overhead and latency introduced by the cryptography that the VPN protocol requires. While it is quite capable of performing at cable/DSL/wireless speeds, this VPN implementation is probably not suitable for high-performance networking (100Mb/sec+) or huge file transfers (1GB+). You will not see good performance and you will probably impact other users in the community. If you have high-speed connectivity between endpoints and you need to use VPN technology, OIT can help you with the selection of dedicated equipment.
     
  • LAWN. There is a pre-authorized "hole" in the LAWN gateway which permits you to connect to the VPN without need to log in to the LAWN login page. Logging directly into the VPN instead of LAWN saves a step while also providing firewall and session accountability just like LAWN. It also routes all your traffic through an encrypted tunnel over the wireless portions of the network; this greatly reduces the chance that someone can eavesdrop on the content of your traffic.  And yes, the LAWN folks know we're doing this -- they graciously provided the "hole" for us.
     
  • Dynamic DNS.  If your computer is also running a dynamic DNS client when you make a VPN connection, it will likely re-register your VPN address with the DDNS service. This is generally undesirable, especially if you have a router which makes other systems on your home network available to the internet, since changing your DDNS address will mis-route connections to those systems, too.  We recommend that you (1) temporarily stop your DDNS client when using the VPN, (2) run your DDNS client on a different computer, (3) run your client in a virtual machine, or (4) run your DDNS client on a DDNS-capable DSL/Cable router.
     
  • Licensing. The Cisco VPN Client software is licensed for use with the OIT IPSEC VPN service and can be installed on both personally-owned and institute-owned equipment. Cisco specifies this software as "unrestricted" in terms of US export compliance, but we have no information on import compliance in countries other than the US. 

Installation

  1. You should only need to install the software once on each machine.  You will need to do this installation from an account that has administrator or root access.  If you are installing the software on a portable computer, you should strongly consider testing the VPN on campus before you leave.
     
  2. Download the client software from the Georgia Tech Software Distribution Site:
    http://software.oit.gatech.edu 
     
  3. Installation is generally straightforward. Instructions for each platform are available:
    Mac OS X Instructions
    Windows 7 Instructions
    Windows 7 & later Instructions
    Linux Instructions
     
  4. If you already have the Cisco VPN Client software installed, Cisco recommends that you uninstall it before proceeding. Our experience is that the Windows installer will remove the existing client (but not connection profiles); the Mac OS X installer will do a successful upgrade install.
     
  5. Before installing the client, make sure that you can access resources on the network: your mail server, the Georgia Tech web site (http://www.gatech.edu), and a public resource such as Google (http://www.google.com).  It's important to try these links before you install the client software so that you can tell if the client software has affected your machine.
     
  6. Install the client software using the instructions you downloaded. The Mac OS X and Windows installers are quite straightforward and are generally a matter of accepting the license agreement and the defaults.
     
  7. After the software installation is complete, do not make a connection yet.  First, make sure you still have access to the web sites mentioned in (5) above.  You should see no change in behavior.
     
  8. When you are satisfied that your network connection continues to function properly, you may proceed to "Making the VPN Connection."

Making the VPN Connection

  1. Making the VPN connection will change your network address and hence will disconnect all of your active network connections!  It is the equivalent of putting your system to sleep and moving it to campus.  Make sure that you do not have unsaved documents that are on file servers or other active network sessions.  Quiescent file server connections, open web pages, and open email windows will generally not cause trouble, but you may receive subsequent error messages.
     
  2. When you are satisfied that you have no active network connections, start the "Cisco VPN" software application (Start>Cisco Systems VPN Client>VPN Client on Windows or Applications>VPNClient on Mac OS X).  Choose the "ipsec.vpn.gatech.edu" entry (which should have been installed along with your software) and press "Connect".  You will be asked for your GT Account and password.  On successful authentication, you should receive a connection message and then the connection to Georgia Tech will be established.  If this doesn't occur, please see the section on "Troubleshooting."
     
  3. If you wish to verify that you are connected properly, you may do one of two things.  Open the VPN Client software again (the window will close when you make the connection) and choose the Status>Statistics... menu item; the Client address shown should begin with 143.215....  Or you can access the URL http://whatismyipaddress.com and verify that your IP address begins with the numbers 143.215....
     
  4. At this point, you may begin to use applications on your computer.  Any network activity that you generate will be shipped to the Georgia Tech campus over a secure tunnel.  Once on campus, it will be assigned a Georgia Tech network address and be routed to the appropriate destination.
     
  5. When you have finished using the VPN connection and you have ended your active network connections as in step 1, open the "Cisco VPN" application and choose the "ipsec.vpn.gatech.edu" entry if it's not already highlighted.  Then press the "Disconnect" button to terminate your connection.  Your computer's network settings are now restored to their original state.

Local Network Access

If you are connecting from a trustworthy local network, such as you might find at your home, there is a client option that allows you to stay in contact with devices on that network after you make the VPN connection.  Use of the Local LAN Access option, for instance, would let you connect to a local printer or file server.

There are several things to consider before enabling this setting.

  • You do not want to use it when the local network isn't under the control of someone you trust, such as airports, hotels, coffee shops, etc. If you enable it for home use on your laptop, you must be sure to disable it when you travel!
  • Your local devices must be accessed via IP addresses, not DNS names.  When your VPN tunnel is connected, your DNS queries are made to the Georgia Tech DNS servers, so any local DNS entries you have will not be visible.

If you choose to enable Local LAN Access, the process is fairly simple.  You make this change when the VPN connection is disconnected. 

  1. Click on the connection profile for ipsec.vpn.gatech.edu (If you wish, you may duplicate this connection profile, rename it, and set Allow Local LAN Access on the new profile.)
     
  2. Click the Modify button to change the profile parameters.
     
  3. Choose the "Transport" tab.
     
  4. Select the checkbox labeled "Allow Local LAN Access".
     
  5. Click the Save button.

Now when you make the VPN connection with the Connect button, packets addressed to the local network (subnet) to which your computer is attached will not be sent through the VPN tunnel.
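The routing rule described in this section, as an added illustration that is not part of the FAQ and not code from the Cisco client: with the tunnel up, every packet goes to campus, except that a packet for the attached subnet stays local when Local LAN Access is in effect. The model goes one step beyond the FAQ by keeping an explicit list of subnets the user trusts, so the "disable it when you travel" advice becomes something a script can check; that list, the subnets, and the addresses are constructed for the example.

```python
"""Model of how the "Allow Local LAN Access" option changes where a packet goes.

Added illustration, not code from the OIT FAQ or the Cisco VPN client. Subnets,
addresses and the trusted-subnet list are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass
class ClientState:
    local_subnet: ipaddress.IPv4Network      # subnet the client is attached to
    tunnel_up: bool                          # VPN connection currently active?
    allow_local_lan: bool                    # the "Allow Local LAN Access" checkbox
    # Assumption beyond the FAQ: subnets the user has decided to trust (e.g. home).
    # The FAQ leaves this to the user's discipline; modelling it explicitly is what
    # lets a script notice the unsafe case (option left on at a hotel or airport).
    trusted_subnets: Tuple[ipaddress.IPv4Network, ...] = ()


def make_state(local_subnet: str, tunnel_up: bool, allow_local_lan: bool,
               trusted: Tuple[str, ...] = ()) -> ClientState:
    """Build a ClientState from CIDR strings."""
    return ClientState(ipaddress.ip_network(local_subnet), tunnel_up, allow_local_lan,
                       tuple(ipaddress.ip_network(t) for t in trusted))


def local_lan_access_effective(state: ClientState) -> bool:
    """Local LAN access should only take effect on a network the user trusts."""
    return state.allow_local_lan and state.local_subnet in state.trusted_subnets


def choose_path(state: ClientState, destination: str) -> str:
    """Return where a packet for `destination` goes:
    'local'                  - stays on the attached LAN
    'tunnel'                 - encrypted and sent to the campus concentrator
    'resolve-via-campus-dns' - a hostname; with the tunnel up it is looked up on
                               Georgia Tech's DNS, so purely local names will not
                               resolve (local devices must be addressed by IP)
    """
    try:
        dst = ipaddress.ip_address(destination)
    except ValueError:
        return "resolve-via-campus-dns" if state.tunnel_up else "resolve-via-local-dns"

    if not state.tunnel_up:
        return "local"                       # no VPN: normal routing on the local network
    if local_lan_access_effective(state) and dst in state.local_subnet:
        return "local"                       # the one exception the FAQ describes
    return "tunnel"                          # everything else goes through campus


def audit(state: ClientState) -> str:
    """One-line summary a user could check before travelling."""
    if state.allow_local_lan and state.local_subnet not in state.trusted_subnets:
        return "WARNING: Local LAN Access is enabled on an untrusted network; disable it"
    return "ok"


if __name__ == "__main__":
    home = make_state("192.168.1.0/24", True, True, ("192.168.1.0/24",))
    for dst in ("192.168.1.20", "198.51.100.7", "printer.lan"):
        print(dst, "->", choose_path(home, dst))
    print(audit(make_state("10.5.0.0/16", True, True, ("192.168.1.0/24",))))
```

Note that a hostname is never matched against the local subnet: once the tunnel is up the name goes to the campus resolvers, which is exactly why the FAQ says local devices have to be reached by IP address.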

Varying the Protocols (IPSEC Client only)

When you are not successful in connecting with the VPN client because the network between you and Georgia Tech isn't allowing the VPN traffic to pass, there are a few setting changes that might be helpful. If you're feeling brave, you can experiment.

There are four variants of the IPSec protocol that we support for the Cisco VPN client to connect to the concentrators. Each variant requires slightly different support from the network between the VPN endpoints, so there are circumstances in which one variation may work while others fail to connect.

IPSec over UDP and NAT-T.  The default choice, the one attempted by the default connection profile, is IPsec over UDP.   This protocol wraps the IPSec packets, which may look strange to firewalls and other devices, in UDP packets and then sends them to port 4500 on the concentrator. This is usually the most satisfactory compromise because it doesn't require the network to carry ESP packets and it can self-configure to the NAT-T variant if the client is behind any form of NAT (network-address translation) device (e.g. a typical home firewall/router).  IPSec over UDP is selected in the client when Enable Transparent Tunneling and IPSec over UDP are selected in the Transport tab of the Modify button.

IPSec over TCP.  This protocol wraps the IPSec packets inside a TCP stream.  We don't recommend this variant for general use, because it often doubles the TCP stream management overhead (i.e. the VPN tunnel incurs all the overhead of TCP stream management, but all the TCP connections inside the VPN tunnel are also doing their own redundant stream management). Still, it's useful for networks that block UDP traffic or otherwise have issues with UDP.  IPSec over TCP is selected in the client when Enable Transparent Tunneling and IPSEC over TCP are selected in the Transport tab of the Modify button.  You may also specify a port number other than 10000.  Cisco uses the default port of 10000, but allows other ports to be used.  We have enabled ports 110, 143, 993, 995, and 8080 as well as 10000 for IPSEC over TCP traffic.  These are often ports that hotels and internet cafes allow through their firewalls, so it's possible that one of these ports can be used to pass through a restrictive firewall.  If you use this protocol variant, remember to turn it off for general use or Duplicate, rename, and set IPSec over TCP for a connection profile that's not your default.

ESP. ESP is the original protocol used by IPSec. Its packets use a different protocol number (50) from TCP and UDP and as such permission for it to pass is often omitted from firewalls and routers simply because of its obscurity. The ESP protocol also requires your client to have a public IP address and a path for ESP from Georgia Tech to your client that isn't impeded by incoming firewalls. These restrictions make it much less likely that the VPN client will function on publicly available networks. However, there are locations, including on the GT-Atlanta campus, where ESP will be functional.  ESP is the most efficient variant of the protocol in terms of overhead, since the packets are not redundantly encapsulated into UDP or TCP, but the improvement isn't very large.  ESP is selected in the client by de-selecting the Enable Transparent Tunneling checkbox in the Transport tab of the Modify button.
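The three transport variants above differ only in the IP protocol and destination port they present to the network in between, which is what a firewall or a flow log sees. As an added illustration (not code from the FAQ or from Cisco), the script below does two things with that fact: it labels flow records by variant, so an administrator can tell from logs which transport clients at a site actually end up using, and it predicts from a firewall's outbound allow-list which variants could get through, which is the reasoning behind trying IPSec over TCP on one of the alternate ports. Port and protocol numbers come from the FAQ; UDP/500 for IKE is standard IPsec rather than something the FAQ states. The flow records, their key=value format, and the allow-lists are constructed sample data.

```python
"""Classify IPsec VPN transport variants in flow records and predict which ones a
restrictive network would let through.

Added illustration, not code from the OIT FAQ or Cisco. Variant ports/protocols
come from the FAQ; UDP/500 (IKE) is standard IPsec and not stated there. Flow
records and firewall allow-lists below are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

ESP_PROTOCOL_NUMBER = 50            # ESP is IP protocol 50, distinct from TCP and UDP
NAT_T_UDP_PORT = 4500               # IPsec over UDP / NAT-T
IKE_UDP_PORT = 500                  # IKE negotiation (standard IPsec; not from the FAQ)
IPSEC_OVER_TCP_PORTS = {10000, 110, 143, 993, 995, 8080}   # enabled on the concentrators

# Constructed flow records in a simple key=value style (not real OIT logs).
SAMPLE_FLOWS: List[str] = [
    "t=10:40:01 src=192.168.1.20 dst=ipsec.vpn.gatech.edu proto=udp dst_port=4500",
    "t=10:40:02 src=192.168.1.20 dst=ipsec.vpn.gatech.edu proto=udp dst_port=500",
    "t=10:41:15 src=10.5.0.9 dst=ipsec.vpn.gatech.edu proto=tcp dst_port=10000",
    "t=10:41:16 src=10.5.0.9 dst=ipsec.vpn.gatech.edu proto=tcp dst_port=993",
    "t=10:42:00 src=203.0.113.4 dst=ipsec.vpn.gatech.edu proto=esp",
    "t=10:42:30 src=203.0.113.4 dst=www.gatech.edu proto=tcp dst_port=443",
]

FLOW_RE = re.compile(r"proto=(\w+)(?:\s+dst_port=(\d+))?")


def classify_flow(record: str) -> str:
    """Name the IPsec variant a single flow record belongs to."""
    m = FLOW_RE.search(record)
    if not m:
        return "unparsed"
    proto = m.group(1).lower()
    port: Optional[int] = int(m.group(2)) if m.group(2) else None
    if proto in ("esp", str(ESP_PROTOCOL_NUMBER)):
        return "esp"
    if proto == "udp" and port == NAT_T_UDP_PORT:
        return "ipsec-over-udp/nat-t"
    if proto == "udp" and port == IKE_UDP_PORT:
        return "ike"
    if proto == "tcp" and port in IPSEC_OVER_TCP_PORTS:
        return "ipsec-over-tcp"
    return "other"


def summarize(records: Iterable[str]) -> Dict[str, int]:
    """Count flows per variant, e.g. to see which transport a site's clients use."""
    return dict(Counter(classify_flow(r) for r in records))


def variants_permitted(allow_rules: Iterable[Tuple[str, Optional[int]]]) -> Set[str]:
    """Given the outbound (proto, port) pairs an intervening firewall passes
    (port None = any port for that protocol), return the variants that could
    traverse it. ESP additionally needs a public client address and an
    unimpeded return path; this model only checks the outbound rule."""
    rules = list(allow_rules)

    def allowed(proto: str, port: Optional[int]) -> bool:
        return any(p == proto and (q is None or q == port) for p, q in rules)

    permitted: Set[str] = set()
    if allowed("esp", None):
        permitted.add("esp")
    if allowed("udp", NAT_T_UDP_PORT):
        permitted.add("ipsec-over-udp/nat-t")
    for tcp_port in sorted(IPSEC_OVER_TCP_PORTS):
        if allowed("tcp", tcp_port):
            permitted.add(f"ipsec-over-tcp:{tcp_port}")
    return permitted


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    # Constructed allow-list for a typical hotel: web ports and DNS only.
    hotel = [("tcp", 80), ("tcp", 443), ("tcp", 8080), ("udp", 53)]
    print("hotel would pass:", sorted(variants_permitted(hotel)))
```

For the constructed hotel allow-list the only variant that survives is IPSec over TCP on port 8080, which matches the FAQ's point that the alternate TCP ports exist precisely for networks that pass only a handful of well-known ports.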