Revision 10 as of 2017-05-29 15:08:11

Clear message

Connecting to the UCC VPN allows you access to internal resources that are normally firewalled off.

There are two VPN methods - the new IPsec VPN and the old PPTP VPN. The latter is deprecated.

Connecting to the VPN

Windows 7

Follow the directions from the strongSwan wiki

  • Use secure.ucc.asn.au as the Internet address

  • No need to set any advanced settings (if you do, you want IKEv2 and authentication via EAP-MSCHAPv2) .

Android

Option 1 - preferred:

  • Install the strongSwan VPN client.

  • Start the newly-installed application.
  • Add VPN Profile.
  • Profile name is "UCC".
  • Gateway is secure.ucc.asn.au.

  • Type is the default "IKEv2 EAP (Username/password)"
  • Username and password are your UCC credentials.
  • Leave "CA certificate: Select automatically" checked.
  • Save the profile.

When you connect you will get a big warning about using a third-party VPN application; this is expected.

Option 2 - less preferred as there is no mutual authentication (I think) - this means it is much more trivial to MITM the connection.

  • Create a new VPN connection (Settings - More - VPN)
  • Name is "UCC"
  • Type is "IPsec Hybrid RSA"
  • Server address is secure.ucc.asn.au

  • IPsec CA certificate - leave as "don't verify" (WTF Android, you have to manually install a CA and you can't use a system one, this is a total pain)
  • IPsec server certificate - leave as "received from server"
  • Save the profile
  • Connect using your UCC username and password.

iPhone / iPad

  • Technically could work with a deployed profile
  • Only problem is that the profile has to contain the user name, thapple.
  • If anyone really cares you can make a script that does it, ask zanchey@ for a sample
  • Might be better in OS 9

OS X

  • Works in Mac OS X System 10.11
  • Go into Sys Prefs -> Network

  • Click +, Interface: VPN, VPN Type: IKEv2, Service Name: UCC or whatever, Click Create
  • Server address: secure.ucc.asn.au, Remote ID: secure.ucc.asn.au, Local ID: your username or something personal
  • Click Apply.
  • Click Connect and it should work.

Linux

  • There is a strongSwan plugin for NetworkMangler. I haven't been able to get it to work.

Arch

Installation

To get strongSwan working on Arch with networkManager requires building strongSwan from source. The easiest way to do this is by installing the following AUR packages: strongswan, networkmanager-strongswan. For help with installing aur packages check the AUR instructions on the arch wiki.

When installing strongSwan you will need to make some changes to the PKGBUILD of strongswan package as networkManager support is not enabled by default. In the PKGBUILD you will find the "depends" and "makedepends" lined and add 'libnm-glib' to the end of both lines so that it looks like this:

depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'pam' 'libnm-glib')
makedepends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'systemd' 'pam' 'libnm-glib')

You then need to edit the build() section of the PKGBUILD by appending the --enable-nm option so that the section looks like this:

 build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  ./configure --prefix=/usr \
        --sbindir=/usr/bin \
        --sysconfdir=/etc \
        --libexecdir=/usr/lib \
        --with-ipsecdir=/usr/lib/strongswan \
        --enable-sqlite \
        --enable-openssl --enable-curl \
        --enable-sql --enable-attr-sql \
        --enable-farp --enable-dhcp \
        --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
        --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
        --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
        --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
        --disable-mysql --disable-ldap --enable-cmd --enable-forecast --enable-connmark \
        --enable-aesni --enable-eap-ttls --enable-radattr --enable-xauth-pam --enable-xauth-noauth \
        --enable-eap-dynamic --enable-eap-peap --enable-eap-tls --enable-chapoly --enable-unity \
        --with-capabilities=libcap --enable-newhope --enable-ntru --enable-mgf1 --enable-sha3 \
        --enable-bliss \
        --enable-nm  # <-- this line added to enable networkManager support
#       --enable-ruby-gems --enable-python-eggs
  make
}

At this point you should be able to continue installing the package as per usual and then install networkmanager-strongswan.

Configuration

  • Use networkManager to create a new "IPsec/IKEv2 (strongswan)" connection
  • Authentication is "EAP"
  • Gateway address is secure.ucc.asn.au

  • Certificate - Select "COMODO_RSA_Certification_Authority.pem" (navigate to /etc/ssl/certs)
  • Username and password are your UCC username and password
  • Select the "request an inner IP address" option
  • Save the profile
  • connect to the profile using networkManager

Technical bits

IKE/IPsec setup is done by strongSwan on Murasoi. There are similar setups for IKEv1 (Android, iOS) and IKEv2 (Windows). Most of the difficulty is in getting the certificates right, see http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

The XAuth/EAP authentication (IKEv1 and v2 respectively) is passed to the RADIUS server, which also handles accounting. select username, sum(acctinputoctets), sum(acctoutputoctets) from radacct where nasporttype='Virtual' group by username; will give you a nice sum of traffic over the VPN.

Clients get a IPv4 and IPv6 address from the ranges in Network.