Using a Virtual Private Network (VPN) with the Iowa State Network (Macintosh)
published by Information Technology Services
Handout MNG 336 - June 2006
Introduction
A virtual private network (VPN) enables you to log in safely and securely to the Iowa State network. A VPN connection uses encryption and careful controls to provide a "tunnel" through most network restrictions. Once you have logged into the Iowa State VPN, your computer becomes a "virtual" campus computer and has access to campus network services.
When you are logged in, the Cisco VPN client functions as a virtual network connection. All network traffic destined for Iowa State is routed over this virtual network connection. All other network traffic is routed through your normal network connection.
1 System Requirements
Information Technology Services (ITS) uses Cisco Systems, Inc. VPN equipment. To use the Iowa State VPN, you must install the Cisco VPN client.
The Cisco VPN Client requires Mac OS X 10.1.5 or higher.
Note: Although Mac OS X 10.3 (Panther) has a VPN client available in the OS, that VPN client is not compatible with the Cisco VPN server.
2 Downloading the Cisco VPN Client
The Cisco VPN Client is one of Iowa State's site-licensed software packages. You will need your Iowa State Net-ID and password to download this software. Iowa State faculty, staff, and students can download the Cisco VPN Client installer from:
http://tech.it.iastate.edu/macosx/downloads.shtml
Click "Apple Macintosh Site-Licensed Software", then "Mac OS X". Download the Cisco VPN client.
3 Installing VPN
- If the downloaded disk image was not automatically mounted, double-click on the disk image to mount it.
- Then double-click the Cisco VPN Client.mpkg file to run the installer.
- Click "Continue", then "Continue", and finally "Agree".
- Select your hard drive. Click "Continue" and then "Install".
- You will be asked for an administrator password.
- When the installer is done, click "Close".
4 Configuring VPN
ITS has put together a VPN Configuration installer that will install the necessary configuration files for using VPN at Iowa State.
Download ITS's VPN Configuration installer at http://tech.ait.iastate.edu/macosx/downloads/VPNConfig.dmg.
- If the downloaded image was not mounted, double-click on the image to mount it.
- Double-click on VPNConfig.pkg to run the installer.
- Click "Continue" and select your hard drive. Click "Continue" and then "Install".
- You will need to enter an administrative password.
- When the configuration is done installing, click "Restart".
5 Using VPN Certificates
The Iowa State VPN service uses certificates to secure the channel between you and the VPN server. In order to use the Iowa State VPN service, you must first get VPN certificates for each machine on which you have installed the VPN client. There are two certificates you need: the "root" certificate, and a certificate specific to your Iowa State Net-ID.
5.1 Creating Certificates
Follow these steps for each machine where you use the VPN client.
- Go to https://asw.iastate.edu/ and log in.
- Click "Manage User" and then "Manage VPN Certificates".
- If you have never created a certificate before, you will see a button marked "Create My ITS VPN Certificate". Click it and then click "Next".
- Click "Get the Root ITS VPN CA Certificate". This will download a file called root.pem.
- Click "Fetch My ITS VPN Certificate". This will download a file called netid-import.crt, where netid is your Iowa State Net-ID.
5.2 Installing Certificates
Follow these steps for each machine where you use the VPN client.
- Open your Applications folder and double-click on "VPNClient".
- Select the Certificates tab and click the "Import" button.
- In the window that pops up, click "Browse" and navigate to where you downloaded the root.pem file. Click "Open", then "Import". Click "OK" in the window that says the certificate was successfully imported.
- Click the "Import" button once again. In the window that pops up, click "Browse" and navigate to the file you downloaded called netid-import.crt (where netid is your Iowa State Net-ID). Click "Open", then "Import". Click "OK" in the window that says the certificate was successfully imported.
- Select the Connection Entries tab, highlight "Iowa State University VPN", and click "Modify". Under Authentication, choose Certificate Authentication and set the "Name" field to your name. Do this even if it already shows your name; otherwise, if you have downloaded and replaced certificates, the connection will not work.
5.3 Revoking Certificates
Revoke certificates only if needed.
A lost or compromised VPN certificate does not mean you have revealed your Iowa State Net-ID password directly, but it does present a small chance that someone could use the certificate to listen to you logging into the VPN server and get your Iowa State Net-ID password that way. If for some reason you lose your VPN certificate or it is compromised in some way, you can revoke it to invalidate it by logging on at https://asw.iastate.edu, clicking "Manage User" and then "Manage VPN Certificates". Click on "Revoke My ITS VPN Certificate".
After revoking your certificate, you will have to create a new one and then download and install it on each of the machines where you use the VPN service. The steps for doing that are in sections 5.1 and 5.2.
5.4 Removing Certificates
Remove certificates only if needed.
- In the VPNClient application, select the Certificates tab.
- Under the Certificates menu, select "Show CA/RA Certificates".
- Highlight the certificate with your name on it and click "Delete". When asked for the certificate password, leave the box empty and click "OK". When asked to verify the deletion, click "Delete". Do the same for the Solution Center certificate.
5.5 Certificate Expiration
Your user certificate will expire one year after it was created. Unfortunately, the VPN client does not report any usable error when your certificate expires; it just gives an error saying, "the remote peer is no longer responding". If you see error messages like this, you can check when your certificate expires by opening the VPN client and selecting the Certificates tab. Under Validity, it will say whether the certificate is invalid.
If your certificate is invalid, follow the steps in section 5.4 to delete it, and then follow the steps in sections 5.1 and 5.2 to create and install a new certificate. If the certificate page takes you directly to the download links rather than to the "Create My ITS VPN Certificate" button, the old certificate is still on record: revoke it by following the steps in section 5.3 and make a new one (Acropolis removes old certificates once a day, but if your certificate expires before that day's removal it will still be listed). Then install the new certificate by following the steps in sections 5.1 and 5.2.
Note that when your certificate expires, you will have to download and replace it on each machine where you use the VPN Client.
6 Using the VPN
6.1 Connecting
- Open your Applications folder and double-click "VPNClient".
- Highlight "Iowa State University VPN" and click "Connect".
- Leave blank the box that asks for your certificate password and click "OK".
- Enter your Iowa State Net-ID in the Username field and your password in the Password field. Click "OK".
- A welcome message may appear. If so, click "Continue" to dismiss it.
- The bottom of the VPN client window will indicate that you are connected to the VPN server.
Note: Quitting the program will disconnect the VPN connection. You can hide the VPNClient window, however.
6.2 Disconnecting
In the VPNClient window, highlight "Iowa State University VPN" and click "Disconnect". The bottom of the VPNClient window will change to "Not Connected".
7 Questions and Answers
How does a VPN provide security?
The VPN software encrypts all network traffic destined for Iowa State University and sends it as a single stream of data to the Iowa State VPN server. The VPN server deciphers the data and places your network traffic onto the Iowa State network. The encrypted data can only be deciphered by the VPN server.
Why would I want to use the Iowa State VPN?
A VPN connection is desirable for several reasons:
- It provides enhanced security through use of encryption.
- It provides access to network services that have been blocked for security reasons. For example, since access to Microsoft filesharing, printer sharing, and Active Directory is blocked at the Iowa State network border, the VPN connection enables you to log in and gain access to the blocked services.
What happens to my network traffic? Does all of it go through the VPN?
No. When you are connected to the VPN, the traffic is split. Traffic not destined for Iowa State travels over your regular network connection and is not encrypted. Only Iowa State network traffic uses the VPN.
Does my network setup change?
Yes, a second "virtual" network adapter is automatically added to your system. To your computer, it acts like a second network device has been added. This second virtual network adapter carries all of the VPN traffic. There is no need to modify the settings in this second network adapter.
Will my cable or DSL router work with VPN?
This is a connection-sharing issue. Whether VPN will work or not depends on the capabilities of your hardware.
Some popular cable or DSL routers are only capable of sustaining one IPSec connection at a time. Since the Iowa State VPN uses the IPSec protocol, this means that only one attached computer can use the VPN at a time. If you find that only one of your computers can use the VPN at a time, then it is likely that your cable or DSL router is in this class. Check the manufacturer's web support site for more information.
If you are buying a new cable or DSL router, look for a model that is designed specifically for VPN use and is capable of supporting multiple IPSec sessions. Most router companies offer equipment capable of this.
I live in an apartment complex that includes Internet access. Will the Iowa State VPN work from my apartment?
It depends on what router equipment has been installed in your apartment complex. Testing indicated potential problems with computers sharing a network connection (NAT/PAT). Certain older routers will not allow multiple VPN connections to be made. The routers in your apartment complex would need to be upgraded to address that case.
I am able to successfully use the Iowa State VPN but the next time I try to connect, the connection fails. What's going on?
The VPN creates a new IP number each time it is activated; the authentication process stores this information on the local computer. If a second VPN connection is started, the process sometimes finds the information from the first connection, which causes a conflict. To fix this, log out of SideCar (i.e., destroy your Kerberos tickets) before starting a second connection.
What does the error message "The Remote Peer is no longer responding" mean?
The VPN client does not report any usable error message when your certificate expires or is otherwise invalid. It just gives the error message above. If you see this error message, you can check when your certificate expires by opening the VPN client and selecting the Certificates tab. Under Validity, it will say the certificate is invalid.
To fix this, follow the steps in section 5.5 of this document. Note that when your certificate expires, you will have to download and replace it on each machine where you use the VPN client.
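Because the client only reports "The Remote Peer is no longer responding" when a certificate has expired (section 5.5 and the question above), it helps to have a way to read the expiry date of root.pem and netid-import.crt directly from the files on each machine. The following script is an added example, not part of this handout or of the Cisco client: it uses only the Python standard library, base64-decodes the PEM body and walks just enough of the X.509 DER structure to reach the Validity field. The sample certificate it builds at the bottom is constructed for the demonstration (dummy signature, dummy key) and is not an ITS certificate; the one-year validity window matches what section 5.5 states.

```python
"""Check when PEM certificates such as root.pem and netid-import.crt expire.

Standard library only: the PEM body is base64-decoded and just enough of the
X.509 DER structure is walked to reach the Validity field. The sample
certificate at the bottom is constructed here and is not a real ITS certificate.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


def pem_to_der(pem_text):
    """Strip the BEGIN/END armor lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=UTC)


def certificate_validity(der):
    """Return (not_before, not_after) from the TBSCertificate.

    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity SEQ { notBefore, notAfter }, ... }, ... }
    """
    _, cert_start, _ = der_read_tlv(der, 0)                # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = der_read_tlv(der, cert_start)  # tbsCertificate SEQUENCE
    fields = list(der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # skip explicit [0] version if present
        fields = fields[1:]
    _, v_start, v_end = fields[3]                          # serial, signature, issuer, validity
    times = [parse_time(t, der[s:e]) for t, s, e in der_children(der, v_start, v_end)]
    return times[0], times[1]


def check_certificate(pem_text, now):
    """Report validity of one PEM certificate at `now` (aware datetime or 'YYYY-MM-DD')."""
    if isinstance(now, str):
        now = dt.datetime.fromisoformat(now).replace(tzinfo=UTC)
    not_before, not_after = certificate_validity(pem_to_der(pem_text))
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    return {"status": status, "not_before": not_before, "not_after": not_after,
            "days_left": (not_after - now).days}


# ---- constructed sample input (not a real certificate; signature is dummy bytes) ----

def der_encode(tag, content):
    """Minimal DER TLV encoder used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_certificate(not_before, not_after):
    """Unsigned stand-in for netid-import.crt with the given validity window."""
    utctime = lambda d: der_encode(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    null = der_encode(0x05, b"")
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + null)  # sha256WithRSA
    cn = der_encode(0x30, der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, b"Sample ITS VPN"))
    name = der_encode(0x30, der_encode(0x31, cn))                                             # Name: CN only
    validity = der_encode(0x30, utctime(not_before) + utctime(not_after))
    spki = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + null)
                      + der_encode(0x03, b"\x00\x30\x00"))                                    # empty key
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))                                     # v3
    tbs = der_encode(0x30, version + der_encode(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    cert = der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(16)))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


# one-year window, as section 5.5 describes for a user certificate
SAMPLE_PEM = build_sample_certificate(dt.datetime(2006, 6, 1, tzinfo=UTC),
                                      dt.datetime(2007, 6, 1, tzinfo=UTC))

if __name__ == "__main__":
    for when in ("2006-06-15", "2007-07-01"):
        print(when, check_certificate(SAMPLE_PEM, when))
```

To run it against a real file, read the file's text and pass it to check_certificate together with the current UTC time; on a Mac with the command-line tools, `openssl x509 -noout -enddate -in netid-import.crt` prints the same notAfter date. The walker deliberately stops at the Validity field and does not verify the signature, so it answers "has this expired?" and nothing more; a negative days_left on any machine's copy of the certificate means that copy must be replaced as section 5.5 describes.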
What ports are blocked to incoming traffic on the Iowa State campus network?
As of 18 November 2003, additional blocked ports include 135-139, 445, 593, 4444 (TCP).
Will this affect my ability to access my Iowa State email?
No, Iowa State email is directed through ports that are not blocked.
What port does the Iowa State VPN use?
The Iowa State VPN uses UDP traffic on port 10000 for communications.
What IP numbers does the Iowa State VPN use?
The IP numbers the Iowa State VPN uses are of the form 10.15.xxx.xxx.
Using a Virtual Private Network (VPN) with the Iowa State Network (Macintosh) was written by Rod Eldridge and updated by Thomas Kula.
For more assistance, contact the Solution Center by phone at 515.294.4000, on the web at http://www.it.iastate.edu/help/, by email at , or in person at 195 Durham Center.