Recommendations
Please read the following recommendations before using the VPN.
:: General Information
What is a VPN?
VPN stands for Virtual Private Network. A VPN allows you to
build secure "virtual" paths between hosts through a
non-secure network. It behaves much like a classical dialup
service, except that a data network (rather than a voice
network) is used to make "calls." Instead of dialing into a
remote modem, you are making a connection to a VPN
concentrator located on the UTSA network. A secure
encrypted tunnel is established from your machine to the VPN
concentrator. Thus, everything you send to or receive from
the UTSA network is very secure. Additionally, your machine
will appear as if it is on the UTSA network (that is, you
will be assigned an IP address by the UTSA network).
What technologies are used in the VPN system?
UTSA's VPN service is based on the IPSec standard. IPSec is
defined within RFC2401, which is available on the Internet.
Why should I use a VPN?
By connecting to the VPN service, you assure that the data
you transmit will be secure between your host and the
resources on the UTSA network. Once it arrives on campus, it
is decrypted and sent to the appropriate system.
Furthermore, since your PC appears as if it is part of the UTSA
network, you gain access to resources that are restricted
based on source address (such as Library resources).
How secure is the encryption used in the VPN service?
The VPN service uses Triple DES (Data Encryption Standard)
with a key length of 168 bits. Triple DES is considered to
be a very strong encryption algorithm because of its key
length.
Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
Generally, yes. SSH provides host-to-host encryption
whereas the VPN concentrator only provides encryption from
your client up to the concentrator hardware itself, which is
located on the UTSA network. Once the traffic is on the
UTSA network, it is decrypted and sent to the UTSA host.
Is the VPN service a firewall?
No. The purpose of the VPN service is to transport your
traffic to the UTSA network in a secure manner. The VPN
client does not provide a mechanism to secure the VPN client
machine from attacks over the network. While you are
connected to the VPN concentrator, your machine is
accessible from campus using the IP address that is assigned
to your client at connect time. A host-based firewall is a
reasonable solution to help prevent attacks. Keep in mind
that because your VPN traffic is tunneled, your broadband
firewall will not provide protection for your computer while
it is connected to the VPN concentrator.
When I type my logon password, is it encrypted or sent over the network in clear-text?
The password is encrypted using the same encryption method
that the VPN tunnel uses.
What is transparent tunneling? Why do I need it?
Transparent tunneling is a method for VPN clients to pass
encrypted IPSec traffic through firewalls and network/port
address translation devices (NAT/PAT). If you are not on
the UTSA network, or if you have a private IP address
(10.x.x.x, 172.16-31.x.x, or 192.168.x.x), you will need to
use transparent tunneling. The VPN client distribution has
it enabled by default. You will need to ensure that if you
are using a router at home that it has IPSec tunneling
enabled. Reference the documentation that came with your
router or visit the manufacturer’s Web site for instructions
on how to enable IPSec tunneling.
I have a home network. What IP addresses should I assign my machines at home so that I do not conflict with the VPN service?
OIT recommends using IP addresses in the “192.168” range.
This is the default for most broadband routers.
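The two rules above (use transparent tunneling when off campus or behind a private address; keep the home LAN out of the campus address space) can be checked mechanically. The following is an added example, not code from the FAQ or from the VPN vendor; it uses Python's standard ipaddress module. The function names are this example's own, and the VPN pool 129.115.0.0/16 is an assumption based on the FAQ's "129.115 address pool" wording.

```python
import ipaddress

# RFC 1918 private blocks, exactly the three the FAQ names:
# 10.x.x.x, 172.16-31.x.x and 192.168.x.x.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed VPN address pool. The FAQ only says clients get an address from
# "the 129.115 address pool"; 129.115.0.0/16 is this example's reading of that.
VPN_POOL = ipaddress.ip_network("129.115.0.0/16")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the private ranges the FAQ lists."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def needs_transparent_tunneling(local_addr: str, on_campus: bool) -> bool:
    """Apply the FAQ rule: off the UTSA network, or behind NAT (private
    address), the client must keep transparent tunneling (NAT-T) enabled."""
    return (not on_campus) or is_rfc1918(local_addr)


def home_subnet_conflicts(home_cidr: str, pool: ipaddress.IPv4Network = VPN_POOL) -> bool:
    """True if a home LAN prefix overlaps the VPN pool, i.e. routes to campus
    hosts would collide with local routes once the tunnel is up."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    return home.overlaps(pool)


def check_client(local_addr: str, on_campus: bool, home_cidr: str) -> dict:
    """Summarise both checks for one client, returning plain values so the
    result can be asserted on or printed."""
    return {
        "private_address": is_rfc1918(local_addr),
        "transparent_tunneling": needs_transparent_tunneling(local_addr, on_campus),
        "home_subnet_conflicts": home_subnet_conflicts(home_cidr),
    }


if __name__ == "__main__":
    # Constructed sample: a home user on a 192.168.1.0/24 LAN behind a broadband router.
    print(check_client("192.168.1.10", on_campus=False, home_cidr="192.168.1.0/24"))
    # Constructed sample: a home LAN numbered inside the campus range, which the FAQ advises against.
    print(check_client("129.115.50.10", on_campus=False, home_cidr="129.115.50.0/24"))
```

The overlap check is the part worth running before changing a home router's LAN prefix: a LAN that overlaps the VPN pool leaves the client with two routes for the same addresses once the tunnel comes up, which is why the FAQ steers home networks to 192.168.x.x.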
:: Windows Vista is supported with most functionality enabled. (See below for support details)
Advisory:
Windows Vista does NOT support the following:
* Upgrades from Windows XP to Vista.
* Start Before Logon
* SmartCard Authentication
* Integrated Firewall
* InstallShield
* 64bit support
* AutoUpdate
* Online Help - Provided only in English
Known Issues:
CSCsi25954 unity vista: certificate authentication via smartcards is not supported
CSCsi25985 unity vista: user not prompted to reconnect after sleep or hibernation
CSCsi26001 unity xp-vista: reauth on rekey with saved password causes disconnect
CSCsi26020 unity vista: firewall tab under stats still shows
CSCsi26050 unity vista: installshield package does not work on vista
CSCsi26069 unity vista: error 1721 when installing client on vista 64bit
CSCsi26086 unity vista: upgrading from xp to vista not supported
CSCsi26106 unity vista: reason 442: failed to enable virtual adapter
CSCsi26159 unity vista: bsod during install/uninstall/sleep with active ras
CSCsi26229 unity vista: integrated firewall not installed on vista
CSCsi35107 unity vista: start before login "sbl" not functioning
:: General Client FAQ
I accidentally erased the name of the VPN concentrator I am supposed to connect with. What is it?
The name is vpn.utsa.edu. Make sure your client is always
set to this name. You will receive an IP address from the 129.115 address pool.
:: Windows
Are there any known compatibility issues with Windows XP?
Yes, recently a bug in Windows XP has emerged which can
cause installation and/or corruption problems. This is a
fundamental problem with XP that cannot be worked around
inside the current Cisco VPN client. It has been fixed in
Windows XP Service Pack 1. It is recommended that you
install Service Pack 1 before installing the VPN client.
Here is the announcement from Microsoft: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q325072
In Windows XP, when I install the client, I get a dialog box warning me that the driver is not signed. What should I do?
It is safe to continue with the installation. Click OK to
Continue when prompted.
How do I restore my VPN configuration if I delete the UTSA VPN connection or if the UTSA VPN connection entry is no longer available?
You can restore the UTSA VPN connection entry by
reinstalling the software.
I am using ZoneAlarm on my system and the tunnel will not work, even though I told ZoneAlarm to allow the connections.
ZoneAlarm requires minor configuration changes in order to work with the VPN
service. To configure ZoneAlarm to work with the VPN client:
- Go to the "Security" button on the ZoneAlarm configuration window. Click the "Advanced" button.
- Click Add->IP Range. The description is "UTSA NETWORK" (or something
similar). The range is from 129.115.1.1 – 129.115.254.254. Click OK.
- Click Add->IP Address. The description is "Localhost" and the address
is 127.0.0.1. Click OK.
- These steps will move those two entries into the "Trusted Zone." Make
sure your local zone is set no higher than “Medium.”
- Launch the VPN dialer, and proceed to make a VPN connection.
ZoneAlarm will pop up several (a total of four) times asking you if the
connection should be allowed. Each time the popup window appears, check the boxes for “Yes” and
"Remember this answer the next time I use this program."
:: Macintosh
Is MacOS 10.2 supported?
Yes, as of the 3.7 client release, MacOS 10.2 is supported.
Is there a client for Macintosh OS 9 or below?
Because Apple has announced the end of development for MacOS
8/9, our VPN vendor has chosen to concentrate Macintosh VPN
development using MacOS X. There is a third-party VPN client
for OS 8/9 which is available from Netlock. Because this is
a third-party client, it is not as full-featured as the
Cisco client and must be purchased separately.
Are there any known issues with the Netlock client for MacOS 8/9?
Yes. Here is what we have discovered so far:
The Netlock client does not support NAT transparency which
means that it cannot be used behind some NAT/PAT appliances,
and may be blocked by firewalls. If your NAT/PAT appliance
(for example, a cable modem or DSL router/firewall) supports
IPSec pass-through, you may enable this feature to see if it
allows a successful VPN connection.
At times the Netlock client display screen is not accurate –
it may say that you are connected when you are not, etc.
Click the "Refresh" button on the Web browser to
double-check the client's status.
"Normal" FTP does not work with the Netlock client. You must
configure your FTP client to use "pasv" mode for it to work
properly. Refer to your FTP client documentation for the
proper procedure.
Is there a GUI for the MacOS-X client?
Yes, as of the 3.7 client release, a GUI is now available
for MacOS-X.
:: VPN connectivity problems with Zone Alarm/Firewall
If a ZoneLabs
product such as ZoneAlarm or ZoneAlarm Pro is installed on
the PC and the VPN Client is installed or upgraded,
ZoneAlarm blocks the VPN Client service (cvpnd.exe). The VPN
Client's splash screen appears, but the GUI does not.
ZoneAlarm does not ask the user whether to allow the VPN
Client to access the Internet. Additionally, the following
error appears after about two minutes:
"The necessary VPN sub-system is not available. You can not
connect to the remote VPN server."
Workaround:
Step 1 Open the ZoneLabs product and select "Program Control".
Step 2 Click on the "Programs" Tab.
Step 3 Cisco Systems VPN Client's Access permission is shown as a "?". Click under
"Trusted" and select "Allow". The "?" changes to a check mark.
Step 4 Reboot the PC.
Step 5 When the PC boots back up, the client will launch normally.