Revision 4 as of 2015-07-10 13:55:14

Clear message

Connecting to the UCC VPN allows you access to internal resources that are normally firewalled off.

There are two VPN methods - the new IPsec VPN and the old PPTP VPN. The latter is deprecated.

Connecting to the VPN

Windows 7

Follow the directions from the strongSwan wiki

  • Use secure.ucc.asn.au as the Internet address

  • No need to set any advanced settings (if you do, you want IKEv2 and authentication via EAP-MSCHAPv2) .

Android

Option 1 - preferred:

  • Install the strongSwan VPN client.

  • Start the newly-installed application.
  • Add VPN Profile.
  • Profile name is "UCC".
  • Gateway is secure.ucc.asn.au.

  • Type is the default "IKEv2 EAP (Username/password)"
  • Username and password are your UCC credentials.
  • Leave "CA certificate: Select automatically" checked.
  • Save the profile.

When you connect you will get a big warning about using a third-party VPN application; this is expected.

Option 2 - less preferred as there is no mutual authentication (I think) - this means it is much more trivial to MITM the connection.

  • Create a new VPN connection (Settings - More - VPN)
  • Name is "UCC"
  • Type is "IPsec Hybrid RSA"
  • Server address is secure.ucc.asn.au

  • IPsec CA certificate - leave as "don't verify" (WTF Android, you have to manually install a CA and you can't use a system one, this is a total pain)
  • IPsec server certificate - leave as "received from server"
  • Save the profile
  • Connect using your UCC username and password.

iPhone / iPad

  • Technically could work with a deployed profile
  • Only problem is that the profile has to contain the user name, thapple.
  • If anyone really cares you can make a script that does it, ask [email protected] for a sample
  • Might be better in OS 9

OS X

  • Might work in El Captain My Captain (OS X 10.11)

Linux

  • There is a strongSwan plugin for NetworkMangler. I haven't been able to get it to work.

Technical bits

IKE/IPsec setup is done by strongSwan on Murasoi. There are similar setups for IKEv1 (Android, iOS) and IKEv2 (Windows). Most of the difficulty is in getting the certificates right, see http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

The XAuth/EAP authentication (IKEv1 and v2 respectively) is passed to the RADIUS server, which also handles accounting. select username, sum(acctinputoctets), sum(acctoutputoctets) from radacct where nasporttype='Virtual' group by username; will give you a nice sum of traffic over the VPN.

Clients get a IPv4 and IPv6 address from the ranges in Network.