University of Florida VPN Service
Frequently Asked Questions (FAQ)
General Information
- What is a VPN?
VPN stands for Virtual Private Network. It is a set of technologies that
allow you to build secure "virtual" paths between hosts on insecure networks.
The particular type of VPN that Network Services is deploying is commonly known
as a remote access or tunnel mode VPN. This acts very much like a classical
dialup service, except you are using a data network rather than a voice
network to make your "calls". Rather than dialing into a modem on the far
end, you are making a connection to a VPN concentrator and creating a secure
tunnel from your machine to the tunnel concentrator, which is located on the
UF network. Thus, everything you send and receive to/from the UF network is
encrypted. Additionally, your machine will appear as if it were on the UF
network. (i.e. you get an IP address on the remote network).
- What technologies are used in UF's VPN system?
UF's VPN service is based on the open IPsec standard. This is really an
"umbrella" standard that dictates everything from exchanging secure keys, to
packet formats and types, to the methods of encryption that are used. Other
standards such as Diffie-Hellman key exchange, Authentication Header (AH),
Encapsulating Security Payload (ESP), Data Encryption Standard/Cipher Block Chaining
(DES/CBC), and Internet Key Exchange (IKE) are used as part of the IPsec
standard. IPsec is primarily defined in RFC2401.
- Why should I use a VPN?
By connecting to the VPN service, you ensure that the data you transmit will
be secure between your host and the UF core network. Once it arrives on
campus, it is decrypted and sent in the clear. Furthermore, it allows you to
gain access to resources that are restricted based on source address. While
you are connected to the VPN concentrator, you appear to other hosts at UF as
if you were on the UF network. This also allows you to gain access to
external resources from off campus (such as library databases) that are based
on UF source addresses.
- How strong is the encryption used in the UF VPN service?
The UF VPN service uses Triple DES (Data Encryption Standard) with a key
length of 168 bits. Triple DES is considered to be a very strong encryption
algorithm, and is currently immune to key space search attacks (the most
common kind of attack against strong encryption) because of its key length.
It also uses a technique called Cipher Block Chaining (CBC) in which each
plaintext block is XORed with the previous ciphertext block before
encryption. This makes dictionary style attacks very difficult and increases
the overall effectiveness of encryption.
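To make the chaining step concrete, here is an added example (not from the FAQ, Cisco, or the UF client) that implements CBC mode over a constructed toy 64-bit Feistel block cipher standing in for Triple DES, then counts repeated ciphertext blocks under ECB versus CBC; the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the same block size DES and Triple DES use


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function for the toy cipher: SHA-256 truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_block_encrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Constructed 8-round Feistel cipher; a teaching stand-in for 3DES, not secure."""
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_fn(right, key, r))
    return right + left  # undo the last swap so decryption runs the same loop


def toy_block_decrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _round_fn(right, key, r))
    return right + left


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding so the plaintext is a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Electronic codebook: every block is encrypted independently, so equal
    # plaintext blocks produce equal ciphertext blocks.
    return b"".join(toy_block_encrypt(b, key) for b in _blocks(pad(plaintext)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC as the FAQ describes it: XOR each plaintext block with the previous
    # ciphertext block (the IV for the first block), then encrypt the result.
    prev, out = iv, []
    for b in _blocks(pad(plaintext)):
        prev = toy_block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return iv + b"".join(out)  # the IV travels in the clear ahead of the ciphertext


def cbc_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for b in _blocks(body):
        out.append(_xor(toy_block_decrypt(b, key), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed demo inputs (not real UF keys or traffic).
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))            # fixed IV so the demo is repeatable
MESSAGE = b"GET /index.html " * 4   # 64 bytes, only two distinct 8-byte blocks

if __name__ == "__main__":
    ecb = ecb_encrypt(MESSAGE, KEY)
    cbc = cbc_encrypt(MESSAGE, KEY, IV)
    print("ECB repeated blocks:", repeated_blocks(ecb))          # 6
    print("CBC repeated blocks:", repeated_blocks(cbc[BLOCK:]))  # 0
    assert cbc_decrypt(cbc, KEY) == MESSAGE
```

The repeated-block count is what the FAQ's "dictionary style attacks" remark is about: under ECB an attacker can recognise recurring plaintext from recurring ciphertext, while CBC hides the repetition.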
- Should I also use SSH and other "higher layer" encrypted services even
if I am using the VPN tunnel?
Generally yes. SSH provides end-to-end encryption whereas the VPN
concentrator only provides encryption from your client up to the concentrator
hardware itself, which is located on the UF core network. Once the traffic is
on the UF core network, it is decrypted and sent to the UF host in the clear.
- What traffic will take the VPN?
Currently, as configured, all traffic except for local subnet (whatever
network your network card is on) traffic and DHCP will take the VPN tunnel.
This means that if you are not on the UF network and connected to the VPN, all
traffic will first come to UF, and then take the appropriate route (either
local, Internet or Internet 2). This makes it appear to the world that you
are on UF's network. This is the recommended configuration if you are on the
campus network, using an ISP with a direct connection to the University (such
as GRU or Cox), or are trying to use Internet resources that require a UF IP
address (such as a Library Database). If you prefer that only UF bound
traffic go over the tunnel, you can control this by authenticating as
username@ufl.edu/campus. This will build a campus only VPN tunnel.
You can see exactly which traffic will go over this tunnel by double clicking
on the "lock", clicking on the Statistics tab, and looking at the "Secured
routes" section using the Windows client, or typing "vpnclient stat" under the
Linux/MacOS X/Solaris client. This is the recommended configuration for users
on non-peering broadband ISPs, or while traveling on foreign networks. You
can easily switch between the two on Windows by "Cloning" the UFL VPN entry
and authenticating with /campus username on the new entry.
- Should I use the VPN service if I am on campus?
If you are currently using a wireless network based on 802.11b, yes!
802.11b uses wired equivalent privacy (WEP) to provide link based
encryption of wireless transmissions. Recently, weaknesses have been
discovered in the RC4 key scheduling algorithm which allows someone to
easily recover the encryption key, and thus decrypt the wireless traffic. VPN
is an excellent replacement for WEP. Using VPN with triple DES encryption is
generally considered to be very strong encryption.
- Is the VPN service a firewall?
No. The purpose of the VPN service is to transport your traffic to the UF campus in a secure manner. It also has the side benefit of giving you a UF IP address, which can be used in combination with network ACLs or host based filters to identify a user as a VPN user and give them access to University resources. In its standard configuration, it does not provide mechanisms to secure the VPN client machine from attacks over the network. While you are connected to the VPN concentrator, your machine is reachable from campus using the IP address that is assigned to your client at connect time. By default, the UF VPN service uses a private IP address for the client, thus your VPN client will only be reachable from networks off the UF campus if it is using NAT to reach off campus systems (for example, browsing web pages on the Internet). Using the "campus only" VPN tunnel, your VPN client will never be reachable via the VPN tunnel from off campus systems (see FAQ question 6).
A host based firewall is a reasonable step to prevent such attacks. Keep in mind that even if you have a home broadband firewall, because your VPN traffic is tunneled, your firewall will not provide protection for your computer while it is connected to the VPN concentrator.
- When I type my password, is it encrypted, or sent over the network in
clear-text?
The password is encrypted using the same strength encryption as the VPN tunnel
uses. In the case of the UF VPN, that is Triple DES (168 bit). Your password
is never sent in the clear!
- Is there a listserv that deals with the VPN service at UF?
Yes, while the service is still in beta, it's called "vpn-l". You can
subscribe to the list by sending an email to "listserv@lists.ufl.edu" with the
body: subscribe vpn-l
- What is transparent tunneling? Why do I need it?
Transparent tunneling is a method for VPN clients to pass encrypted IPsec traffic through firewalls and network/port address translation devices (NAT/PAT) which are commonly found on the network. If you are behind a firewall, or are not on the UF network and have a private IP address (10.x.x.x, 172.16-31.x.x, or 192.168.x.x), you will need to use transparent tunneling. Luckily, the UF distribution of the VPN client has it turned on by default.
- I have a home network. What IP addresses should I assign my machines at home so as not to conflict with the VPN service?
The UF network uses some RFC1918 reserved (aka "Private IP") address space. This use falls into three major categories:
- 10.0.0.0/255.0.0.0 (10/8): Assigned to systems throughout the network. Is reachable via the default and campus-only tunnels. May access external systems via NAT.
- 172.16.0.0/255.240.0.0 (172.16/12): Assigned to systems throughout the network. Is not reachable via the default and campus-only tunnels. May not access external systems via NAT.
- 192.168.0.0/255.255.0.0 (192.168/16): Not routed on campus. May be used on layer 2 networks, but not centrally managed. Not reachable via VPN and may not access external systems via NAT.
We recommend using IP addresses in the 192.168/16 range. This is the default for most broadband routers. Do not use IP addresses in the 10/8 range or you will not be able to access those on-campus networks via the VPN.
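The two routing rules above (everything except local-subnet and DHCP traffic takes the default tunnel, only UF-bound traffic takes the campus-only tunnel) and the home-LAN advice can be modelled together. This is an added example, not the FAQ's or Cisco's code: the RFC1918 reachability table follows the FAQ, while the 128.227.0.0/16 "secured route" is an assumed placeholder for the campus public prefix.

```python
import ipaddress

IPNet = ipaddress.IPv4Network

# RFC1918 space as the FAQ describes its use on campus, keyed by prefix, with
# whether hosts there are reachable through the default/campus-only tunnels.
CAMPUS_PRIVATE_REACHABLE = {
    IPNet("10.0.0.0/8"): True,        # assigned on campus, reachable via tunnel
    IPNet("172.16.0.0/12"): False,    # assigned on campus, not reachable via tunnel
    IPNet("192.168.0.0/16"): False,   # not routed on campus at all
}

# Assumed "Secured routes" of a campus-only (/campus) tunnel. 10/8 follows the
# FAQ; 128.227.0.0/16 is a placeholder for the campus public prefix and is not
# taken from the FAQ.
CAMPUS_ONLY_SECURED = [IPNet("10.0.0.0/8"), IPNet("128.227.0.0/16")]


def route_for(dst: str, local_subnet: IPNet, mode: str, is_dhcp: bool = False) -> str:
    """Decide how the client forwards a packet: 'dhcp-bypass', 'local', 'tunnel' or 'direct'."""
    addr = ipaddress.ip_address(dst)
    if is_dhcp:
        return "dhcp-bypass"            # DHCP never enters the tunnel
    if addr in local_subnet:
        return "local"                  # local-subnet traffic bypasses the tunnel
    if mode == "full":
        return "tunnel"                 # default tunnel: everything else goes to UF
    if mode == "campus":
        return "tunnel" if any(addr in n for n in CAMPUS_ONLY_SECURED) else "direct"
    raise ValueError(f"unknown tunnel mode: {mode}")


def home_lan_conflicts(home_subnet: IPNet) -> list:
    """Campus private prefixes reachable through the tunnel that the home LAN overlaps."""
    return [str(n) for n, reachable in CAMPUS_PRIVATE_REACHABLE.items()
            if reachable and home_subnet.overlaps(n)]


def check_home_lan(home_subnet: IPNet) -> str:
    """Summarise the FAQ's advice for a candidate home LAN prefix."""
    conflicts = home_lan_conflicts(home_subnet)
    if conflicts:
        return f"avoid {home_subnet}: overlaps {', '.join(conflicts)}"
    return f"{home_subnet} is fine"


if __name__ == "__main__":
    good_lan = IPNet("192.168.1.0/24")   # the FAQ's recommended range
    bad_lan = IPNet("10.0.0.0/24")       # the range the FAQ warns against
    for lan in (good_lan, bad_lan):
        print(check_home_lan(lan))
    # With a 10/8 home LAN, a campus host in the same /24 is classified as local
    # and never reaches the tunnel; that is the conflict the FAQ describes.
    print(route_for("10.0.0.9", bad_lan, "full"))          # local
    print(route_for("10.0.0.9", good_lan, "full"))         # tunnel
    print(route_for("198.51.100.7", good_lan, "campus"))   # direct
```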
General Client FAQ
- What new features are supported with the new Cisco 3.6.x client? Why
should I upgrade?
The new Cisco 3.6.x client has a number of important bug fixes, primarily
security fixes. Additionally, the client now supports auto initiation of VPN
tunnels when using UF's authenticated networks (including the campus wireless
network). This can be enabled by going to "Options->Automatic VPN Initiation"
and clicking "enable" under Windows. On the Linux/MacOS-X/Solaris client, you
will need to change the AutoInitiationEnable=0 line in the vpnclient.ini file
to =1. This file is usually located in /etc/CiscoSystemsVPNClient. All
current VPN users are encouraged to upgrade.
- I am having problems getting my client to work, what should I
do?
See the Troubleshooting guide on this
website. If that fails, call 392-HELP to reach the UF Computing Helpdesk.
- I accidentally erased the name of the VPN concentrator I am supposed to
connect to. What is it?
The name is vpn.ns.ufl.edu. Make sure your client is always set to
this name or certain redundancy and load balancing features will not work.
- What IP address will my VPN connection get?
On campus, you will have a 10.228.0.0/16 address. Once the traffic leaves campus, it will be translated into an address in the UF NAT pool.
Windows
- Does the client work with Windows Vista?
CNS, in support of the Windows Vista effort on campus, has released a Beta VPN client on the software downloads page (build 590). This should only be used for Windows Vista. Because it is not yet a client supported by Cisco, neither CNS nor the Helpdesk will support it. Please do not open problem tickets on Vista client issues. CNS and the Helpdesk will formally support it once it is released by Cisco. It has several known issues:
- Split tunnels do not work due to DNS lookup failures (/campus or /dept tunnels)
- The tunnel may occasionally drop due to duplicate address detection
- The tunnel may occasionally not pass traffic due to the windows firewall.
- The VPN client must be installed as administrator (Right Click->Run As Administrator) or you will get insthelper.dll failures on installation.
- Are there currently any known compatibility issues with Windows
XP?
Yes, recently a bug in Windows XP has emerged which can cause installation
and/or corruption problems. This is a fundamental problem with XP that cannot
be worked around inside the current Cisco VPN client. It is fixed with Windows
XP service pack 1. It is recommended that you install Service Pack 1 before
installing the VPN client. Here is the announcement from Microsoft:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q325072
- I would like to authenticate to my Windows NT domain or Active Directory. How do I do that?
This is covered in the Installation and Operation Instructions under "Additional VPN configuration".
- I am having trouble de-installing my VPN client under
Windows2k/XP.
This guide
should help with removing the VPN client if the uninstall fails for some
reason.
- In Windows XP, when I install the client, I get a dialog box warning me
that the driver is not signed. What should I do?
It is ok to continue with the installation. Just click ok to continue when
prompted.
- How do I restore my VPN configuration if I delete the UFL VPN
connection or if the UFL VPN connection entry is no longer available?
You can restore the UFL VPN connection entry either by re-installing the
software, or downloading the config file from the Client Software section of this
website, and placing it in your VPN profiles directory. With Netscape or Internet Explorer, the best way to download it is to right click on the correct config file link (Windows or Linux/MacOSX/Solaris) and select "Save Target As..." or "Save Link Target As...". The correct location to save this file is usually c:\program files\cisco systems\vpn client\profiles.
- I am using ZoneAlarm on my system, and I get errors when I boot up.
Also the tunnel will not work, even though I told ZoneAlarm to allow the
connections
Please see the section "Using ZoneAlarm with the Windows Client" under Installation Instructions.
- In Windows 95, I get an error about Microsoft DUN (Dial Up Networking)
1.2 not being installed.
This means that you are running a pre-OSR2 release of Windows 95. OSR2 or
above is required for the VPN software to work properly. You may be able to
update your Windows 95 system with a newer version of DUN to work properly
with the VPN software. Please see the following link
for more information.
Macintosh
- Is MacOS 10.2 supported?
Yes, as of the 3.7 client release, MacOS 10.2 is now supported.
- Is there a client for Macintosh OS 9 or below?
Because Apple has announced end of development for MacOS 8/9, our VPN vendor
has chosen to concentrate Macintosh VPN development using MacOS X. There is a
third party VPN client for OS 8/9 which is available from Netlock. Because
this is a third party client, it does cost money. It is also not as full
featured as the Cisco client, however, it should work in most circumstances.
- Are there any known issues with the Netlock client for MacOS
8/9?
Yes, here is what we have discovered so far:
- The Netlock client does not support NAT transparency which means it cannot
be used behind some NAT/PAT appliances and may be blocked by firewalls. If
your NAT/PAT appliance (Cable modem and DSL router/firewalls are examples of
such appliances) supports IPsec pass-through, you may enable this feature and
see if it allows a successful VPN connection.
- Sometimes the Netlock client screen is not accurate (showing you that you're
connected when you're not, etc). Click the "refresh" button on the web browser
to double-check the client's status.
- "Normal" FTP doesn't work with the Netlock client. You must configure
your ftp client to use "pasv" mode for it to work properly. Refer to your ftp
client documentation on how to do this.
- Is there a GUI for the MacOS-X client?
Yes, as of the 3.7 client release, a GUI is now available for MacOS-X.
- Can I have multiple active VPN clients behind a Cable/DSL router using MacOS 10?
This depends on the type of cable/dsl router, however, to be sure that this function will work, TCP based NAT transparency must be enabled. Unfortunately, there is currently a bug in the MacOS-X client that prevents it from working properly so we currently have the Mac client using UDP based NAT transparency. When the bug is fixed, we will move back to TCP based NAT transparency.
Linux
- I am using Redhat 7.2 or above. I have installed the client, and when
I try to use it it says I am connecting to 128.227.166.118, but goes no
further.
You probably have ipchains or iptables running. This is firewall software
that Redhat (and potentially other Linux vendors) activates automatically.
You will need to add the proper "holes" in the filter list to allow the VPN
software to operate. A good way to make sure this is your problem is to issue
the following commands as root:
/etc/init.d/ipchains stop
/etc/init.d/iptables stop
This will temporarily disable the firewall. If your VPN client can connect
afterwards, please make the necessary changes in your ipchains/iptables config.
See the Installation Instructions section for more information on what must be
permitted through the firewall for proper VPN operation.
Solaris
Nothing yet!
Palm/PocketPC
- Is the Palm or PocketPC platform supported by the UF VPN
service?
Yes it is. It requires the third party movianVPN client to work.
