Learn More About VPN
Overview
A Virtual Private Network (VPN) is a method of joining a private network across an existing public network by building an encrypted tunnel between the two hosts. The VPN tunnel allows you to transfer information and to access remote resources.
Who Should Use VPN?
Any UTSA faculty or staff member accessing sensitive data via a portable computer or from an off-campus location is required to use the VPN.
To find out if you are handling sensitive data and to learn more about accessing the UTSA network, refer to the Information Security Data Classification Standard and the Network Access Standard.
Additionally, any UTSA faculty or staff member who would like to access the UTSA network from off-campus, or from a portable computer on-campus, may use the UTSA VPN.
If using a portable computing device - such as a laptop - and VPN, please follow the Information Security Portable Computing Standard.
Security
VPN Security
By connecting to the VPN service, you ensure that the means by which data is transmitted between your host and the resources on the UTSA network are secure. Once the data arrives on campus, it is decrypted and sent to the appropriate system.
Furthermore, since your machine appears as if it is part of the UTSA network, you gain access to resources that are restricted by source address (such as Library resources).
The transmission between the two hosts is secure. However, you should always follow UTSA Acceptable Use Policies and Information Resource Standards to ensure the security and integrity of UTSA data.
Encryption
The VPN service uses Triple DES (Data Encryption Standard) with a key length of 168 bits. Triple DES is considered to be a very strong encryption algorithm because of its key length.
The password you type in to log in to the VPN is not sent over the network in clear-text. The password is encrypted using the same encryption method that the VPN tunnel uses.
SSH and Other "higher layer" Encrypted Services
Using SSH is recommended, since SSH provides host-to-host (end-to-end) encryption, whereas the VPN concentrator only provides encryption from your client up to the concentrator hardware itself, which is located on the UTSA network.
Once the traffic is on the UTSA network, it is decrypted and sent to the UTSA host.
VPN is Not a Firewall
The purpose of the VPN service is to transport traffic to the UTSA network in a secure manner. The VPN client does not provide a mechanism to secure the VPN client machine from attacks over the network.
While you are connected to the VPN concentrator, your machine is accessible from campus using the IP address that is assigned to your client at connect time. A host-based firewall is a reasonable solution to help prevent attacks.
Keep in mind that because your VPN traffic is tunneled, your broadband firewall will not provide protection for your computer while it is connected to the VPN concentrator.
Transparent tunneling
Transparent tunneling is a method for VPN clients to pass encrypted IPSec traffic through firewalls and network/port address translation devices (NAT/PAT). If you are not on the UTSA network, or if you have a private IP address (10.x.x.x, 172.16-31.x.x, or 192.168.x.x), you will need to use transparent tunneling.
The VPN client distribution has it enabled by default. You will need to ensure that if you are using a router at home that it has IPSec tunneling enabled. Reference the documentation that came with your router or visit the manufacturer’s Web site for instructions on how to enable IPSec tunneling.
Technical Information
VPN Configuration for Windows 2000/XP (Client VPN only)
Extract all files from the compressed file (.zip or zipped file) to a regular Windows folder before executing the VPN client set-up program (VPNclient_setup.msi).
Failure to extract all files first will result in the necessary UTSA connection profiles not installed with the VPN program. Do not run the VPN set-up program from the compressed or zipped file (even though Windows will let you).
For questions on connecting to or using the VPN, please contact OITConnect.
IP Addresses for Home Networks
OIT recommends using IP addresses in the "192.168" range. This is the default for most broadband routers.
VPN Concentrator Name
The VPN concentrator name is VPN.utsa.edu. Make sure your client is always set to this name. You will receive an IP address from the 129.115 address pool.
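To make the address checks on this page concrete, here is an added Python example (not part of the original OIT page and not code from the Cisco client): it tests whether a local address falls in one of the private ranges listed under Transparent tunneling (and therefore needs transparent tunneling), whether an address assigned at connect time is in the 129.115 pool named above, and whether that address lies inside the ZoneAlarm trusted range 129.115.1.1 - 129.115.254.254 given later on this page. The function names and the sample addresses are constructed for the example.

```python
import ipaddress

# Private ranges named on the page: 10.x.x.x, 172.16-31.x.x, 192.168.x.x (RFC 1918).
# Listed explicitly rather than using ip.is_private, which also matches other
# reserved blocks (e.g. 169.254.x.x link-local) that the page does not mention.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Pool the page says VPN clients receive addresses from (129.115.x.x).
UTSA_VPN_POOL = ipaddress.ip_network("129.115.0.0/16")

# Trusted range the page tells ZoneAlarm users to add: 129.115.1.1 - 129.115.254.254.
ZONEALARM_TRUSTED_LOW = ipaddress.ip_address("129.115.1.1")
ZONEALARM_TRUSTED_HIGH = ipaddress.ip_address("129.115.254.254")


def needs_transparent_tunneling(addr: str) -> bool:
    """True when the local address is private, i.e. the client sits behind NAT/PAT
    and the IPsec traffic must be passed through via transparent tunneling."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def in_utsa_pool(addr: str) -> bool:
    """True when an address assigned at connect time comes from the 129.115 pool."""
    return ipaddress.ip_address(addr) in UTSA_VPN_POOL


def in_zonealarm_trusted_range(addr: str) -> bool:
    """True when the address falls inside the ZoneAlarm 'UTSA NETWORK' IP range.
    Note the range is narrower than the /16 pool: 129.115.0.x and 129.115.255.x
    are in the pool but outside the range the page gives."""
    ip = ipaddress.ip_address(addr)
    return ZONEALARM_TRUSTED_LOW <= ip <= ZONEALARM_TRUSTED_HIGH


def describe(addr: str) -> dict:
    """Summarise all three checks for one address; raises ValueError on bad input."""
    ipaddress.ip_address(addr)  # validate once, before any check runs
    return {
        "address": addr,
        "private": needs_transparent_tunneling(addr),
        "utsa_pool": in_utsa_pool(addr),
        "zonealarm_trusted": in_zonealarm_trusted_range(addr),
    }


if __name__ == "__main__":
    # Constructed sample addresses: a home router address, the upper and lower
    # edges of 172.16/12, a pool address, and a pool address outside the ZoneAlarm range.
    for sample in ["192.168.1.20", "172.31.255.1", "172.32.0.1",
                   "129.115.10.5", "129.115.0.5"]:
        print(describe(sample))
```

Run the block as a script to see each constructed address classified; the 129.115.0.5 line shows why the ZoneAlarm range on this page and the /16 pool are not the same set of addresses.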
Windows Vista Compatibility
Windows Vista does NOT support the following:
- Upgrades from Windows XP to Vista.
- Start Before Logon
- SmartCard Authentication
- Integrated Firewall
- Install Shield
- 64-bit support
- AutoUpdate
- Online Help - Provided only in English
Windows Vista 64-bit Support:
Users running the 64-bit operating system on Windows Vista should only use the SSL VPN (the on-campus or off-campus Web version). The VPN client version will not function when running Windows Vista.
Compatibility issues with Windows XP
Recently a bug in Windows XP has emerged which can cause installation and/or corruption problems.
This is a fundamental problem with XP that cannot be worked around inside the current Cisco VPN client. It has been fixed in Windows XP Service Pack 1.
OIT recommends that you install the latest Windows update before installing the VPN client. Here is the announcement from Microsoft: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q325072.
Zone Alarm and VPN
ZoneAlarm requires minor configuration changes in order to work with the VPN service.
To configure ZoneAlarm to work with the VPN client:
- Go to the Security button on the ZoneAlarm configuration window.
- Click Advanced.
- Click Add > IP Range. The description is "UTSA NETWORK" (or something similar). The range is from 129.115.1.1 - 129.115.254.254.
- Click OK.
- Click Add > IP Address. The description is "Localhost" and the address is 127.0.0.1.
- Click OK. These steps will move those two entries into the "Trusted Zone." Make sure your local zone is set no higher than "Medium."
- Launch the VPN dialer, and proceed to make a VPN connection. ZoneAlarm will pop up several (a total of four) times asking you if the connection should be allowed. Each time the popup window appears, check the boxes for Yes and Remember this answer the next time I use this program.
VPN Connectivity Problems with Zone Alarm/Firewall
If a ZoneLabs product such as ZoneAlarm or ZoneAlarm Pro is installed on the PC and the VPN Client is installed or upgraded, ZoneAlarm blocks the VPN Client service (cVPNd.exe).
The VPN Client's splash screen appears, but the GUI does not. ZoneAlarm does not ask the user whether to allow the VPN Client to access the Internet.
Additionally, the following error appears after about two minutes:
"The necessary VPN sub-system is not available. You cannot connect to the remote VPN server."
To work around this problem, do the following:
- Open the ZoneLabs product and select Program Control.
- Click on the Programs tab.
- Cisco Systems VPN Client's Access permission is shown as a question mark (?). Click under Trusted and select Allow. The (?) changes to a check mark.
- Restart the PC.
- When the PC boots up, the client will launch normally.
Mac OS 9 or Older Mac Operating Systems
Because Apple has announced the end of development for Mac OS 8/9, our VPN vendor has chosen to concentrate Macintosh VPN development using Mac OS X.
There is a third-party VPN client for OS 8/9 which is available from Netlock. Because this is a third-party client, it is not as full-featured as the Cisco client and must be purchased separately.
Netlock Client for Mac OS 8/9
Support Issues with Netlock Client:
- The Netlock client does not support NAT transparency which means that it cannot be used behind some NAT/PAT appliances, and may be blocked by firewalls. If your NAT/PAT appliance (for example, a cable modem or DSL router/firewall) supports IPSec pass-through, you may enable this feature to see if it allows a successful VPN connection.
- At times the Netlock client display screen is not accurate - it may say that you are connected when you are not, etc. Click the "Refresh" button on the Web browser to double-check the client's status.
- "Normal" FTP does not work with the Netlock client. You must configure your FTP client to use "pasv" mode for it to work properly. Refer to your FTP client documentation for the proper procedure.
VPN Help
For questions on connecting to or using the VPN, please contact OITConnect.