6.5   TCC's VPN (Virtual Private Networking)

We've installed a VPN server (vpn.nmt.edu) to permit TCC users to:

1. connect to services as though they were on-campus (there by permitting them to use resources restricted to 129.138.0.0 addresses),
2. use the wired laptop connections in Speare 14,

Note that the TCC "test net" and our connections in Speare 14 are the only connections allowed to the VPN server from on campus. That is to say, VPN can not be used from on-campus unless you're on the TCC "test net" or in Speare 14. (On campus users already have a Tech IP, so letting them use the VPN would just waste our resources -- which makes me wonder why Speare 14 is an exception!)

To use this service you must have a valid TCC username and password.

For information on configuring Linux (Fedora), MS Windows (2000, or XP), and Macintosh OSs (Jaguar, Panther, Tiger) for use with our VPN setup see the TCC Help System link on VPN.

  Possible Problems and Their Resolution

After a review of VPN tickets Bryan Dean found that if there are problems using TCC's VPN the following should be checked.

1. Some anti-virus applications can interfere with VPN.   Norton is one example.   Some Versions of Norton can't be turned off though and must be uninstalled to properly use VPN.   If Norton services can actually turn off, or if the program can be completely closed, then VPN should be good to go.   If neither can be done then Norton anti-virus will need to be uninstalled.
2. If local firewall rules (those on the user's machine) aren't correct this may also cause a problem.   The user's firewall manual should be consulted for how to check for and correct this type of problem.
3. The VPN server may not be sending out DNS info.   To counter this be sure your machine knows about the following two DNS addresses.   You can check this by starting your VPN connection, then:
   • click on "Properties"
   • click on "Networking"
   • select "Internet Protocol (TCP/IP)" and click on Properties
   • select "Use the following DNS server addresses" and put in:
     • Preferred DNS server: 129.138.4.138  (internaldns0)
     • Alternate DNS server: 129.138.250.10
   • click OK
   • click OK
4. Note that Basic Alumni accounts are not allowed to connect to the VPN.   The solution would be to go with a "paid" (as opposed to "free") Alumni account.   Jan would need to be contacted about that (best done by phone: 575 / 835 - 5735).

  VPN from Hotels and other third party providers

From Camden Mullen, Fri Aug 31 13:35:25 2007
Subject: TicketID#20070803145012

This ticket is an example of the VPN problems related to outside ISPs.   Some ISPs, such as hotels and coffee shops do not seem to have their networks setup for PPTP and VPN, or they have crummy connectivity on their end.   Some may restrict web access to a few ports such as port 80 for web and port 20 for ssh.   I don't know the details of PPTP but I don't think it uses port 80.   If a user tickets or calls in about not being able to access VPN, it would be a good idea to find out how they are connecting and where from.   For MS Windows XP, asking the user to remake the VPN connection may help, but that solution may be hit or miss, depending on the computer and the system.   We should have a simple check setup for the UCs to look at VPN, but most of the time it seems that the problems exist on the side of the outside ISP.   Users should ask the ISP contact if they support PPTP or VPN.   A note on the webpage about this problem might help.

  VPN protocols used at TCC (can't VPN from hotel)

From Dustin Graham, Fri Oct 31 14:05:12 2008
Subject: Re: TicketID#20081031081237

Our vpn protocol is pptp, defined by RFC 2637 (see RFC 2637.   Multiple ports are necessary, and many networks do not route this traffic correctly.   Hotel networks tend to be rather locked down, and are usual suspects.   Wireless routers often ship with this functionality disabled as well.

Just to be complete, here are two related RFCs:

1. chap (auth)
2. mppe (crypt)

~Dustin Graham

On Fri, 31 Oct 2008 13:22:44 -0600
Ray Piworunas wrote:

Ticket Description: Unable o use VPN last night or this morning.

I called Rob back and he said he was trying to connect from a hotel.

I am wondering if the VPN protocol is exercised before the password on login (to vpn.nmt.edu) is accepted.   I was thinking that the hotel's service provider may be blocking the VPN protocol but Rob said his problem was that his login exchange would hang after he entered his password.   He thought that even going just that far in the process would say the VPN protocol was being used.   How about it?

Ray.

  (UNSUPPORTED) Setting up VPN for Microsoft Vista

NOTE: By TCC policy on supported software these instructions are unsupported.   TCC only supports software which it is running on its clients, and then only at the same version and revision levels.   (We are currently running MS Windows XP on our clients.)

From Joel Eidsath, Thu Feb 28 08:40:10 2008
Subject: TicketID#20080227200833
Description: Have Window Vista live in Albuquerque, need to VPN to Tech

To set up a VPN connection in Microsoft (not Blackboard) Vista:

1. Click on the MS Windows button in the lower left to bring up the start menu.   Type Network and Sharing Center in the search box.   Now click on the  Network and Sharing Center  icon that shows up from the search.
2. In the  Network and Sharing Center  window, click on  Connect to a network  in the left pane.   In the  Connect to a network  window, click  Set up a connection or network  at the bottom.
3. Scroll down to  Connect to a workplace.   Highlight it and click  Next.
4. Choose  No, I'll create a new connection  if the option is available.   Click  Next.
5. Choose  Use my Internet connection (VPN).
6. In the Internet address field type: vpn.nmt.edu
7. In the Destination name field type: TCC VPN Connection (or whatever is easy for you to remember the connection by).   Click  Next.
8. Put in your TCC user name and password in the user name and password fields.   Leave the Domain field blank.
9. Click  Connect.   If there is a problem connecting, click  Set up the connection anyway.   Problems connecting can be due to your local Internet connection.   You will not be able to connect to the VPN on campus using NMT wireless (besides, there is no point in using VPN over the wireless as you already have an on-campus connection via the wireless!).
10. To connect to the VPN the next time, click the MS Windows button in the bottom left of your screen, and then click  Connect To.   You may need to scroll up to find the connection you created.   Select your connection and click  Connect.   Enter your username and password in the next screen, leaving the Domain blank.

If you have problems:

1. Make sure that you are connected to the Internet before you try to connect through the VPN.
2. If you have problems once you are connected, then you will want to set up DNS manually.   To do this:
   1. Disconnect the VPN connection
   2. Then click on the MS Windows button in the lower left and click  Connect To.   Select your connection and click  Connect.
   3. Click  Properties  on the  Connect TCC VPN  (or whatever you named it) screen.
   4. Select the Networking tab.
   5. Select  Internet Protocol Version 4  (but do not uncheck it).
   6. Click  Properties.
   7. Select the  Use the following DNS server addresses  and type in 129.138.4.138 as the  Preferred DNS server  (as per Dustin's note of 28 Feb 08:55 that internaldns0 is the preferred DNS for on-campus connections, including VPN) and 129.138.250.10 as the  Alternate DNS server.
   8. Click  OK  and then click  OK  again (once is hardly ever enough).

From Michael Smith, Thu Feb 28 18:35:18 2008

Ok the steps are pretty much the same as above except this needs to be done:

1. Go to the VPN connection you created and right click.
2. Go to  Properties ... then go to the  Security tab.
3. Click the  Advanced (custom settings), then click on  Settings.
4. Click on  Allow these protocols  and make sure  Microsoft CHAP Version 2 (MS-CHAP v2)  is checked -- that's the only box that should be checked.
5. Get out of all that and go to the  Options tab.
6. Under  Dialing options  make sure the  Include Windows logon domain  is unchecked and then you are done.

This should work because I'm on the VPN.

Thanks for all your help guys.

Mike