29-09-2007, 00:11 | #1 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
I need to set up an IPsec VPN
So I can do some Uni stuff. Now, so I've been told, the inbuilt Windows one is pap and won't support IPsec. I have no clue what any of this really is or why I need it, but this is what they tell me. They've pointed me towards the Cisco client 5.x and said use this. I guess it's probably one of the best out there with the Cisco name and all, but before I arse around setting this up, is there anything better? What features do VPN clients have? I'm very new to this.
|
29-09-2007, 01:20 | #2 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
Right, OK, I've tried the Cisco client, seems fine I think for what I need. Now I'm not going to lie, but I've got no idea how I'm meant to set this up... I need to access the Edinburgh student internal website, which is accessible from within their network, but I have to VPN in to access it from external sources. I have no idea how to set this up properly (even after reading the instructions). I feel like a n00b. Would anyone like to point me in the right direction? I want to be able to access parts of the inf website like this.
Cheers guys |
29-09-2007, 11:12 | #3 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
OK, I seem to be OK now, got things working through the inbuilt Windows client. Seems OK to me, I can access what I needed to. Edinburgh tell me it's not so secure though. Is this scaremongering or should I not really use this?
|
29-09-2007, 11:48 | #4 |
Rocket Fuel
Join Date: Jul 2006
Posts: 7,826
|
It's potentially not as secure - it'd be down to them to control that though. PPTP and L2TP VPN connections can be completely unencrypted, so someone sniffing packets could see what's going on. IPSec, by definition, is encrypted; IPSec = IP Secured.
The encryption or lack of would be set by the Uni according to the policy they set on whatever devices the PPTP/L2TP connection is terminating on. |
29-09-2007, 12:17 | #5 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
I see, there isn't really any sensitive information being passed around as far as I can see... It's just Uni course notes and the like that Edinburgh don't like to give away for free (obviously). When I'm connected via VPN, is everything I do sent through their network then? I.e. all my internet traffic? Does that mean I could technically be making my internet less secure?
/Confused (I really have no concept of VPNs, I've never bothered whatsoever) |
29-09-2007, 12:24 | #6 |
Rocket Fuel
Join Date: Jul 2006
Posts: 7,826
|
Again, it depends how they've got it set up.
For example, I have 2 VPN groups set up at work (using IPSec), with 1 being for normal users and the other being for my guys. The general use group is set to shove everything down the VPN tunnel - http, https, dns and so on. The other one is using split tunneling, which means only stuff actually destined for the company subnets is sent down the VPN; everything else is routed normally. There are advantages and disadvantages for both. In our case we want to force people to use the proxies, so by shoving everything down the VPN tunnel they'll be hitting the firewall and getting denied if they're not using the proxy.
You can check what system you're using by opening a command prompt and looking at the routing table with 'route print'. Look at the default gateway line. If it shows an IP address of your router then you're OK; if it shows something else then you're going to the internet through the VPN tunnel. If you find everything is going down the VPN then you can manually change the routing table - 'route add 0.0.0.0 mask 0.0.0.0 192.168.1.1' will do the trick, assuming that 192.168.1.1 is the IP of your router. |
29-09-2007, 12:40 | #7 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
You're being ever so helpful here Burble, thanks!
This is what I get, and I assume that means it's only for the relevant Edinburgh stuff then, but apart from my router's IP I can't see what else is happening? This is all very confusing to moi, I just want to feel secure when I'm logging in to everything with all my passwords. On a side note, the internet 'seems' slower when connected to the VPN. Is this just me, or could this happen?
Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.102   4250
          0.0.0.0          0.0.0.0         On-link      129.215.37.7     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
     129.215.37.7  255.255.255.255         On-link      129.215.37.7    281
   129.215.38.230  255.255.255.255      192.168.1.1    192.168.1.102   4251
      192.168.1.0    255.255.255.0         On-link     192.168.1.102   4506
    192.168.1.102  255.255.255.255         On-link     192.168.1.102   4506
    192.168.1.255  255.255.255.255         On-link     192.168.1.102   4506
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.1.102   4508
        224.0.0.0        240.0.0.0         On-link      129.215.37.7     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.1.102   4506
  255.255.255.255  255.255.255.255         On-link      129.215.37.7    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  8     18 ::/0                     On-link
  1    306 ::1/128                  On-link
  8     18 2001::/32                On-link
  8    266 2001:0:4136:e390:f5:38e4:3f57:fe99/128  On-link
 32   1030 2002::/16                On-link
 32    286 2002:81d7:2507::81d7:2507/128  On-link
 10    281 fe80::/64                On-link
  8    266 fe80::/64                On-link
 24    286 fe80::5efe:192.168.1.102/128  On-link
  8    266 fe80::f5:38e4:3f57:fe99/128  On-link
 10    281 fe80::64fe:a841:e76c:5a96/128  On-link
  1    306 ff00::/8                 On-link
  8    266 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\Alex> |
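An added example, not part of the original thread: a Python parser for the 'route print' check discussed in posts #6 and #7. It applies Windows' route selection (longest prefix first, then lowest metric) to find which default route is actually in use. The sample rows are constructed from the addresses posted above, and the function names and the test destination 198.51.100.10 are illustrative assumptions.

```python
import ipaddress

# Constructed sample: four IPv4 rows in `route print` layout, using the
# addresses shown in the thread (destination, netmask, gateway, interface, metric).
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.102   4250
          0.0.0.0          0.0.0.0         On-link      129.215.37.7     26
   129.215.38.230  255.255.255.255      192.168.1.1    192.168.1.102   4251
      192.168.1.0    255.255.255.0         On-link     192.168.1.102   4506
"""

def parse_routes(text):
    """Return the IPv4 rows of `route print` output as dicts; skip other lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators and IPv6 rows have other shapes
        dest, mask, gateway, interface, metric = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(interface)
            metric = int(metric)
        except ValueError:
            continue  # not an IPv4 route row
        routes.append({"net": net, "gateway": gateway,
                       "interface": interface, "metric": metric})
    return routes

def best_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def tunnel_mode(routes, lan_gateway):
    """Classify by the gateway of the default route that is actually used."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    winner = min(defaults, key=lambda r: r["metric"])
    return "split-tunnel" if winner["gateway"] == lan_gateway else "full-tunnel"

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print(tunnel_mode(table, "192.168.1.1"), best_route(table, "198.51.100.10"))
```

On these rows the result is full-tunnel: the On-link default on interface 129.215.37.7 has metric 26 and beats the 192.168.1.1 default at 4250. The /32 route to 129.215.38.230 still leaves via the router because a longer prefix outranks any default.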
29-09-2007, 13:05 | #8 |
Screaming Orgasm
Join Date: Jul 2006
Location: Newbury
Posts: 15,194
|
The Windows client also supports configuring split tunnelling, but it doesn't always get the routing right if you use it (doesn't for me, anyway, but fixing it is easy).
In Windows XP, the option is in connection properties, Networking tab. Select TCP/IP and click Properties, then Advanced, and uncheck the 'Use default...' option. |
29-09-2007, 13:21 | #9 |
Bananaman
Join Date: Jul 2006
Location: Liverpool/Edinburgh
Posts: 4,817
|
Cheers Mark, just done that, I'll see how I get on
|