University of Florida VPN Service
Frequently Asked Questions (FAQ)
General Information
- What is a VPN?
VPN stands for Virtual Private Network. It is a set of technologies that allow you to build secure "virtual" paths between hosts on insecure networks. The particular type of VPN Network Services is deploying is commonly known as a remote access or tunnel mode VPN. This acts very much like a classical dialup service, except you are using a data network rather than a voice network to make your "calls". Rather than dialing into a modem on the far end, you are making a connection to a VPN concentrator and creating a secure tunnel from your machine to the tunnel concentrator, which is located on the UF network. Thus, everything you send and receive to/from the UF network is encrypted. Additionally, your machine will appear as if it were on the UF network. (i.e. you get an IP address on the remote network).
- What technologies are used in UF's VPN system?
UF's VPN service is based on the open IPsec standard. This is really an "umbrella" standard that dictates everything from how keys are exchanged securely, to packet formats and types, to the methods of encryption that are used. Other standards such as Diffie-Hellman key exchange, Authentication Header (AH), Encapsulating Security Payload (ESP), Data Encryption Standard in Cipher Block Chaining mode (DES/CBC), Advanced Encryption Standard (AES) and Internet Key Exchange (IKE) are used as part of the IPsec standard. IPsec is primarily defined in RFC2401.
- Why should I use a VPN?
By connecting to the VPN service, you assure that the data you transmit will be secure between your host and the UF core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN concentrator, you appear to other hosts at UF as if you were on the UF network. This also allows you to gain access to external resources from off campus (such as library databases) that are based on UF source addresses.
- How strong is the encryption used in the UF VPN service?
The UF VPN service uses either Triple DES (Data Encryption Standard) with a key length of 168 bits or AES-256. AES-256 is the current state of the art in high-grade encryption and is the recommended method of encryption. Triple DES is considered to be a very strong encryption algorithm, and is currently immune to key space search attacks (the most common kind of attack against strong encryption) because of its key length. It also uses a technique called Cipher Block Chaining (CBC), in which each plaintext block is XORed with the previous ciphertext block before encryption, so identical plaintext blocks do not produce identical ciphertext blocks. This makes dictionary-style attacks very difficult and increases the overall effectiveness of the encryption.
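To illustrate the chaining just described, here is a small Python example written for this page (it is not part of the original FAQ or of the UF VPN software). It contrasts ECB with CBC using a constructed stand-in block cipher rather than Triple DES or AES; the key, IV and message are made up, and the example assumes whole blocks with no padding.

```python
# Added example, not code from the UF FAQ: CBC chaining as described above.
# The block cipher is a constructed stand-in (XOR with the key, then a byte rotation),
# NOT Triple DES or AES. The property shown, that equal plaintext blocks give
# different ciphertext blocks, comes from the chaining, not from the cipher used.
BLOCK = 8  # block width in bytes (the width Triple DES uses)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic, keyed, invertible stand-in for a real block cipher."""
    assert len(key) == BLOCK and len(block) == BLOCK
    mixed = xor_bytes(block, key)
    return mixed[3:] + mixed[:3]  # rotate so byte positions change too

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    mixed = block[-3:] + block[:-3]  # undo the rotation
    return xor_bytes(mixed, key)

def blocks_of(data: bytes) -> list[bytes]:
    assert len(data) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> list[bytes]:
    """Electronic Codebook: each block is encrypted on its own, so equal plaintext
    blocks always give equal ciphertext blocks (what a dictionary attack exploits)."""
    return [toy_block_encrypt(key, p) for p in blocks_of(plaintext)]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list[bytes]:
    """Cipher Block Chaining: XOR each plaintext block with the previous
    ciphertext block (the IV for the first one) before encrypting it."""
    prev, out = iv, []
    for p in blocks_of(plaintext):
        prev = toy_block_encrypt(key, xor_bytes(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: list[bytes]) -> bytes:
    """Reverse the chain: decrypt, then XOR with the previous ciphertext block."""
    prev, out = iv, bytearray()
    for c in ciphertext:
        out += xor_bytes(toy_block_decrypt(key, c), prev)
        prev = c
    return bytes(out)

def distinct_blocks(blocks: list[bytes]) -> int:
    """How many different ciphertext blocks an eavesdropper sees."""
    return len(set(blocks))

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05\x06\x07\x08", b"\xaa" * BLOCK  # constructed
    msg = b"PASSWORD" * 4  # constructed: four identical plaintext blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, msg)))      # 1
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, iv, msg)))  # 4
```

With ECB the repeated block is visible in the ciphertext four times over; with CBC every ciphertext block differs even though the plaintext blocks are identical.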
- Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
Generally yes. SSH provides end-to-end encryption, whereas the VPN concentrator only provides encryption from your client to the concentrator hardware itself, which is located on the UF core network. Once the traffic is on the UF core network, it is decrypted and sent to the UF host in the clear.
- What traffic will take the VPN?
By default, all traffic except for local subnet traffic (whatever network your network card is on) and DHCP will take the VPN tunnel. This is known as a full tunnel. If you are not on the UF network and are connected to the VPN, all traffic will first come to UF, and then take the appropriate route (either local, Internet or Internet2). This makes it appear to the world that you are on UF's network. This is the recommended configuration if you are on the campus wireless network, using an ISP with a direct connection to the University (such as GRU or Cox), or are trying to use Internet resources that require a UF IP address (such as a Library Database). There are other tunnel types as well. For more info, please see the Available Tunnel Types section of the Installation and Operations Guide.
- Should I use the VPN service if I am on campus?
If you are currently using a wireless network based on 802.11b, yes! 802.11b uses Wired Equivalent Privacy (WEP) to provide link-level encryption of wireless transmissions. Recently, weaknesses have been discovered in the RC4 key scheduling algorithm that allow someone to easily recover the WEP key, and thus decrypt the wireless traffic. VPN is an excellent replacement for WEP. Using VPN with Triple DES encryption is generally considered to be very strong encryption.
- Is the VPN service a firewall?
No. The purpose of the VPN service is to transport your traffic to the UF campus in a secure manner. It also has the side benefit of giving you a UF IP address, which can be used in combination with network ACLs or host-based filters to identify a user as a VPN user and give them access to University resources. In its standard configuration, it does not provide mechanisms to secure the VPN client machine from attacks over the network. While you are connected to the VPN concentrator, your machine is reachable from campus using the IP address that is assigned to your client at connect time. By default, the UF VPN service uses a private IP address for the client, so your VPN client will only be reachable from networks off the UF campus if it is using NAT to reach off-campus systems (for example, browsing web pages on the Internet). Using the "campus only" VPN tunnel, your VPN client will never be reachable via the VPN tunnel from off-campus systems (see "What traffic will take the VPN?" above). A host-based firewall is a reasonable step to prevent such attacks. Keep in mind that even if you have a home broadband firewall, because your VPN traffic is tunneled, that firewall will not protect your computer while it is connected to the VPN concentrator.
- When I type my password, is it encrypted, or sent over the network in clear-text?
The password is encrypted using the same strength encryption as the VPN tunnel uses. In the case of the UF VPN, that is Triple DES (168 bit) or AES-256. Your password is never sent in the clear!
- Is there a listserv that deals with the VPN service at UF?
Yes. While the service is still in beta, it is called "vpn-l". You can subscribe to the list by sending an email to "listserv@lists.ufl.edu" with the body: subscribe vpn-l
- What is transparent tunneling? Why do I need it?
Transparent tunneling is a method for VPN clients to pass encrypted IPsec traffic through firewalls and network/port address translation devices (NAT/PAT), which are commonly found on the network. If you are behind a firewall, or are not on the UF network and have a private IP address (10.x.x.x, 172.16-31.x.x, or 192.168.x.x), you will need to use transparent tunneling. Luckily, the UF distribution of the VPN client has it turned on by default.
- I have a home network. What IP addresses should I assign my machines at home so as not to conflict with the VPN service?
The UF network uses some RFC1918 reserved (aka "Private IP") address space. This use falls into three major categories:
- 10.0.0.0/255.0.0.0 (10/8): Assigned to systems throughout the network. Is reachable via the default and campus-only tunnels. May access external systems via NAT.
- 172.16.0.0/255.240.0.0 (172.16/12): Assigned to systems throughout the network. Is not reachable via the default and campus-only tunnels. May not access external systems via NAT.
- 192.168.0.0/255.255.0.0 (192.168/16): Not routed on campus. May be used on layer 2 networks, but not centrally managed. Not reachable via VPN and may not access external systems via NAT.
We recommend using IP addresses in the 192.168/16 range. This is the default for most broadband routers. Do not use IP addresses in the 10/8 range or you will not be able to access those on-campus networks via the VPN.
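The following Python checker was written for this page (it is not part of the FAQ or the UF VPN software) and encodes the rules from the two questions above: which clients need transparent tunneling, which traffic bypasses a full tunnel, and why a home LAN numbered out of 10/8 loses access to campus networks. The function names, the sample home subnets and the sample campus address 10.0.0.50 are constructed.

```python
# Added example, not part of the UF FAQ: a checker for the address rules above.
# The behaviour of 10/8, 172.16/12 and 192.168/16 and the full-tunnel rule that only
# local-subnet traffic stays off the tunnel are taken from the FAQ; the function names
# and sample addresses are constructed for this example.
import ipaddress

PRIVATE = {  # RFC1918 space and how the FAQ says UF uses each range
    "10/8": ipaddress.ip_network("10.0.0.0/8"),            # campus; reachable over the VPN
    "172.16/12": ipaddress.ip_network("172.16.0.0/12"),    # campus; NOT reachable over the VPN
    "192.168/16": ipaddress.ip_network("192.168.0.0/16"),  # not routed on campus; use at home
}

def needs_transparent_tunneling(local_addr: str) -> bool:
    """A client whose own address is RFC1918 sits behind NAT/PAT and must use
    transparent tunneling; a client with a public address does not need it."""
    ip = ipaddress.ip_address(local_addr)
    return any(ip in net for net in PRIVATE.values())

def route_for(home_cidr: str, dest_addr: str) -> str:
    """Full-tunnel rule: only traffic to the local subnet stays off the tunnel."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    if ipaddress.ip_address(dest_addr) in home:
        return "local subnet (bypasses the tunnel)"
    return "VPN tunnel to UF"

def home_subnet_warnings(home_cidr: str) -> list[str]:
    """Why the FAQ says not to number a home LAN out of 10/8: any campus host whose
    address falls inside the home subnet is treated as local and never enters the tunnel."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    warnings = []
    if home.overlaps(PRIVATE["10/8"]):
        warnings.append(f"{home} overlaps 10/8: campus hosts in {home} are unreachable via the VPN")
    return warnings

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.0.0.0/24"):  # constructed home subnets
        print(cidr, route_for(cidr, "10.0.0.50"), home_subnet_warnings(cidr))
    print(needs_transparent_tunneling("192.168.1.20"),
          needs_transparent_tunneling("128.227.166.118"))
```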
- What is a Departmental VPN tunnel? How do I get one?
A Departmental VPN tunnel is a service offered by CNS to departments with 16 or more VPN users. CNS will assign the department a subnet within the range 10.228/16 and a tunnel name. The department/division/college will provide CNS a list of GatorLink users to map, or the name of a UF Active Directory group which contains the users. When those users log in to the VPN with username@ufl.edu/[dept name], they will receive a VPN address in the range agreed upon. This is useful to limit departmental resources to specific users rather than the entire VPN user community. To have a Departmental VPN tunnel created, the subnet manager should open a CNS ticket by going to the Network Services website.
- How is the Departmental VPN membership managed?
There are currently two modes in which the membership may be managed:
- Manually by opening requests with CNS and having specific GLIDs added or removed from the group.
- Automatically by providing CNS the name of between 1 and 8 groups which contain the user population to be mapped to the tunnel. As changes are made to UFAD, the VPN membership is instantly updated.
General Client FAQ
- Why should I use the Cisco client over the built-in L2TP/IPsec client?
The Cisco client supports the following features not found with the L2TP/IPsec client:
- Campus only tunnels (Gatorlink or Departmental).
- Mutual Group Authentication (further protects against a "man in the middle" attack).
- More advanced signaling to the VPN concentrator which helps in problem resolution.
- Local client logging.
- Automatic tunnel initiation.
- AES-256 encryption.
- I am having problems getting my client to work, what should I do?
See the Troubleshooting guide on this website. If that fails, call 392-HELP to reach the UF Computing Helpdesk.
- I accidentally erased the name of the VPN concentrator I am supposed to connect to. What is it?
The name is vpn.ufl.edu. Make sure your client is always set to this name or certain redundancy and load balancing features will not work.
- What IP address will my VPN connection get?
On campus, you will have a 10.228.0.0/16 address. Once the traffic leaves campus, it will be translated into an address in the UF NAT pool. Departmental VPN tunnels will get an address in a pre-arranged subnet, but it will still start with 10.228.
Windows
- Does the client work with Windows Vista?
Yes, but only the 32-bit version of the client. For 64-bit Vista users, the L2TP/IPsec client built into Windows is the current recommended solution. The Vista 32-bit client has the following known limitations:
- The client does not support Fast User Switching.
- The VPN client must be installed as administrator (Right Click->Run As Administrator) or you will get insthelper.dll failures on installation.
- I would like to authenticate to my Windows NT domain or Active Directory. How do I do that?
This is covered in the Installation and Operation Instructions under "Additional VPN configuration".
- I am having trouble uninstalling my VPN client under Windows 2000/XP.
This guide should help with removing the VPN client if the uninstall fails for some reason.
- In Windows XP, when I install the client, I get a dialog box warning me that the driver is not signed. What should I do?
It is OK to continue with the installation. Just click OK to continue when prompted.
- How do I restore my VPN configuration if I delete the UFL VPN connection or if the UFL VPN connection entry is no longer available?
You can restore the UFL VPN connection entry either by re-installing the software, or by downloading the config file from the Client Software section of this website and placing it in your VPN profiles directory. With Netscape or Internet Explorer, the best way to download it is to right-click on the correct config file link (Windows or Linux/MacOSX/Solaris) and select "Save Target As..." or "Save Link Target As...". The correct location to save this file is usually c:\program files\cisco systems\vpn client\profiles.
Macintosh
- What platforms are supported for the Macintosh?
The Cisco client supports MacOSX 10.4 and 10.5 on both Intel and PowerPC architectures. In addition, the built-in L2TP/IPsec client also works, but has the same limitations as the Windows L2TP client.
- Is there a client for Macintosh OS 9 or below?
Because Apple has announced the end of development for MacOS 8/9, our VPN vendor has chosen to concentrate Macintosh VPN development on MacOS X. There is a third-party VPN client for OS 8/9 which is available from Netlock. Because this is a third-party client, it does cost money. It is also not as full-featured as the Cisco client; however, it should work in most circumstances.
- Are there any known issues with the Netlock client for MacOS 8/9?
Yes, here is what we have discovered so far:
- The Netlock client does not support NAT transparency which means it cannot be used behind some NAT/PAT appliances and may be blocked by firewalls. If your NAT/PAT appliance (Cable modem and DSL router/firewalls are examples of such appliances) supports IPsec pass-through, you may enable this feature and see if it allows a successful VPN connection.
- Sometimes the Netlock client screen is not accurate (showing that you're connected when you're not, etc.). Click the "refresh" button on the web browser to double-check the client's status.
- "Normal" FTP doesn't work with the Netlock client. You must configure your FTP client to use "PASV" (passive) mode for it to work properly. Refer to your FTP client documentation on how to do this.
Linux
- I am using Linux. I have installed the client, and when I try to use it, it says I am connecting to 128.227.166.118, but goes no further.
You probably have ipchains or iptables running. This is firewall software that Red Hat (and potentially other Linux vendors) activates automatically. You will need to add the proper "holes" in the filter list to allow the VPN software to operate. A good way to make sure this is your problem is to issue the following commands as root:
- /etc/init.d/ipchains stop
- /etc/init.d/iptables stop
This will temporarily disable the firewall. If your VPN client can connect afterward, please make the necessary changes in your ipchains/iptables config and re-enable the firewall. See the Installation Instructions section for more information on what must be permitted through the firewall for proper VPN operation.
Mobile Clients
- Does the iPhone work with the Gatorlink VPN system?
iPhone software version 2.0 and above is known to work using the built-in Cisco VPN client.
- Is the Palm or PocketPC platform supported by the UF VPN service?
The built-in PocketPC/Windows Mobile L2TP over IPsec client does work, but it is difficult to use. Other clients are known to work, including the Anthasoft client, but they are not directly supported by CNS or the UF Helpdesk.