CU-VPN Status Campus-wide VPN Service March 21, 2007.


CU-VPN Status

Campus-wide VPN Service

March 21, 2007

Overview

Provides VPN service for individuals remote to campus – provides encrypted session from the end user to the VPN concentrator

Uses incumbent AAA backend services

Roughly analogous to dial-up services

Service Scenarios

Internet to campus private address space connectivity.

Encryption for traditionally non-ciphered applications (e.g. file service).

Additional access control to campus service.

Scenario: campus private address space

[Diagram: Campus Internet, public and private address. Internet, Campus Public (128.84.0.0/16, 128.253.0.0/16, 132.236.0.0/16) and Campus Private (10.84.0.0/16, 10.253.0.0/16, 10.236.0.0/16).]

Scenario: campus private address space

[Diagram: Home/Remote Connectivity, no access to Private Servers (path marked X). Internet, Campus Public (128.84.0.0/16, 128.253.0.0/16, 132.236.0.0/16) and Campus Private (10.84.0.0/16, 10.253.0.0/16, 10.236.0.0/16).]

Scenario: campus private address space

[Diagram: Home/Remote Connectivity, VPN access to Private Servers through the VPN Server. Internet, Campus Public (128.84.0.0/16, 128.253.0.0/16, 132.236.0.0/16) and Campus Private (10.84.0.0/16, 10.253.0.0/16, 10.236.0.0/16).]

Scenario: encrypting non-encrypted services

[Diagram: Home/Remote Connectivity, encryption of Web and File Service through the VPN Server. Internet, Campus Public (128.84.0.0/16, 128.253.0.0/16, 132.236.0.0/16) and Campus Private (10.84.0.0/16, 10.253.0.0/16, 10.236.0.0/16).]

Initial Goals

Windows and OSX support.

Cisco VPN client software (IPSec).

Login with campus NetID.

Basic Login and Traffic accounting.

Network Quarantine support.

Dual, load-balancing servers.

On-campus testing through RedRover.

IPSec VPN Tunnels

IPSec requires Cisco VPN client. Native VPN clients not supported.

Split-tunnel routing. Tunnels campus-only traffic; all other remote traffic routes normally.

3rd-party client required to ensure split-tunneling and streamline support.
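The split-tunnel rule above can be checked against a client's route table. The following is an added example, not part of the original slides: it applies longest-prefix matching and flags routes that depart from campus-only tunneling. It assumes all six campus prefixes from the diagrams are in the tunnel list; the interface names vpn0 and eth0 and the route tables are constructed for illustration.

```python
import ipaddress

# Campus prefixes from the slides. Treating all six as the split-tunnel
# list is an assumption of this example.
CAMPUS = [ipaddress.ip_network(p) for p in (
    "128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
    "10.84.0.0/16", "10.253.0.0/16", "10.236.0.0/16")]

def parse_routes(text):
    """Parse 'prefix interface' lines into (network, interface) pairs."""
    return [(ipaddress.ip_network(p), i)
            for p, i in (ln.split() for ln in text.strip().splitlines())]

def egress(routes, dest):
    """Longest-prefix match: the interface that carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def audit(routes, tunnel="vpn0"):
    """List where a route table departs from campus-only tunneling."""
    findings = []
    for net, iface in routes:
        inside = any(net.subnet_of(c) for c in CAMPUS)
        if iface == tunnel and not inside:
            findings.append(f"{net}: non-campus traffic enters the tunnel")
        if iface != tunnel and inside:
            findings.append(f"{net}: campus traffic bypasses the tunnel")
    for c in CAMPUS:
        if not any(i == tunnel and c.subnet_of(n) for n, i in routes):
            findings.append(f"{c}: no tunnel route covers this prefix")
    return findings

# Constructed route tables; vpn0 and eth0 are hypothetical interface names.
SPLIT = parse_routes("0.0.0.0/0 eth0\n192.168.1.0/24 eth0\n"
                     + "".join(f"{c} vpn0\n" for c in CAMPUS))
FULL = parse_routes("0.0.0.0/0 vpn0\n192.168.1.0/24 eth0")
# Home LAN numbered inside a campus private range shadows the /16 route.
SHADOW = SPLIT + parse_routes("10.84.0.0/24 eth0")

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL), ("shadow", SHADOW)):
        print(name, egress(table, "10.84.0.20"), audit(table))
```

The shadow case shows why a home network numbered inside 10.84.0.0/16 matters: the more specific local route wins the longest-prefix match, so traffic for that part of the campus private range never reaches the tunnel.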

CU-VPN Pilot

Started December 2006.

Twelve participating departments.

Responses positive, particularly where no remote-access solution in place.

Wrap-up early-April for general availability.

Cisco VPN Client Screen

Service Timeline

General availability mid-April.

All members of the Cornell community have access.

Phase 2 feature development to begin June 1.