Remote access to campus resources via coarse-grained VPN (i.e. all of your network traffic comes to campus) increases the accountability and security of campus services and as a result allows greater use of campus facilities from other locations. Funded in part by a Technology Fee Grant, the VPN service was initially targeted at students. It is intended that this service be available to the entire campus community.
The VPN service is based on technology from Cisco. It is implemented using a fail-over cluster of ASA 5500 series appliances in two geographically separated, redundant data centers. It is theoretically capable of servicing 5000-10000 simultaneous users although we've never approached that in reality.
For more details on the client behavior and best practices, take a look at the What to Expect page.
The VPN project pages are the working repository for the VPN service and have considerably more detailed technical and historical information. They also may be more outdated. You'll need your GT account login.
You'll find pointers to the Cisco documentation site in the Useful Links page.
Using Alternate VPN Clients
There are VPN client applications and versions other than the one installed automatically as described in Getting Started. To find the available installers, there are two places to look:
Log in to http://software.oit.gatech.edu and select your platform. Depending on what platform you select, you may find the following options in the software list:
VPN Client Software: Cisco AnyConnect VPN Client - this is the Cisco AnyConnect VPN Client. It is fully compatible with 32 and 64-bit versions of Windows XP, Vista, and 7, Mac OS X, and some versions of Linux. If you are just starting out, you will probably want to use this client. It is likely to work in more remote locations, although its top speed is a bit slower than the IPSEC client. Installation requires that you have administrator or root access on your machine. It rides on top of the SSL protocol that your web browser uses to access secure sites.
VPN Client Software: OIT IPSEC VPN Client - this is the original Cisco VPN Client. It is compatible with 32-bit versions of Windows 2000, XP; Mac OS X back to 10.4; and some versions of Unix and Linux. Installation requires that you have administrator or root access on your machine. However, we recommend that you use the newer AnyConnect client unless you have a specific need for this client. The client uses one of several protocols, including its default of IPSEC over UDP, but these are more easily blocked by network owners (such as some hotels) that believe they should restrict VPN use.
VPN Client Software: OS X 10.6 Integrated IPSEC VPN Client Profile - This is a profile to be used with the integrated Cisco IPSEC VPN Client found in Mac OS X 10.6.
There are other VPN clients available from within the VPN project pages. The VPN Client Software page has past, present, and future versions of Cisco VPN software. This is where you'll find some of the more obscure versions, such as the 64-bit IPSEC Windows client, as well as new versions that we're attempting to qualify for use on campus. To be clear, no versions downloaded from share-it are fully supported by OIT. They are considered development, beta, or otherwise experimental.
Protocol Information
When you are not successful in connecting with the VPN client because the network between you and Georgia Tech isn't allowing the VPN traffic to pass, there are a few setting changes that might be helpful. If you're feeling adventurous, you can experiment with these settings and also try both clients.
Cisco AnyConnect Client
The AnyConnect client is usually the most successful at getting through restrictive networks. It makes its traffic appear to be an SSL web connection to a secure web page (https:// to port 443 on the concentrator). If it can reach the concentrator on this port, it starts an SSL (https) connection, makes the security association, and then starts passing traffic. At that point, it attempts to negotiate a DTLS connection (which is really just SSL over UDP instead of TCP). If the network passes the UDP traffic and the negotiation is successful, it will switch from SSL to DTLS because DTLS is a bit more efficient. If DTLS can't be negotiated, the client continues to use SSL for the connection. There really aren't any dials or switches to change the AnyConnect client behavior.
Cisco VPN Client (IPSEC)
The older Cisco VPN Client is based on the IPSEC protocol and uses several variants to make the secure connection. It can provide a little bit higher performance, but it is more easily blocked by intermediate networks. Specifically, there are four variants of the IPSec protocol that we support for the Cisco VPN client to connect to the concentrators. Each variant requires slightly different support from the network between the VPN endpoints, so there are circumstances in which one variation may work while others fail to connect.
IPSec over UDP and NAT-T. The default choice, the one attempted by the default connection profile, is IPsec over UDP. This protocol wraps the IPSec packets, which may look strange to firewalls and other devices, in UDP packets and then sends them to port 4500 on the concentrator. This is usually the most satisfactory compromise because it doesn't require the network to carry ESP packets and it can self-configure to the NAT-T variant if the client is behind any form of NAT (network-address translation) device (e.g. a typical home firewall/router). IPSec over UDP is selected in the client when Enable Transparent Tunneling and IPSec over UDP are selected in the Transport tab of the Modify button.
IPSec over TCP. This protocol wraps the IPSec packets inside a TCP stream. We don't recommend this variant for general use, because it often doubles the TCP stream management overhead (i.e. the VPN tunnel incurs all the overhead of TCP stream management, but all the TCP connections inside the VPN tunnel are also doing their own redundant stream management). Still, it's useful for networks that block UDP traffic or otherwise have issues with UDP. IPSec over TCP is selected in the client when Enable Transparent Tunneling and IPSEC over TCP are selected in the Transport tab of the Modify button. You may also specify a port number other than 10000. Cisco uses the default port of 10000, but allows other ports to be used. We have enabled ports 110, 143, 993, 995, and 8080 as well as 10000 for IPSEC over TCP traffic. These are often ports that hotels and internet cafes allow through their firewalls, so it's possible that one of these ports can be used to pass through a restrictive firewall. If you use this protocol variant, remember to turn it off for general use or Duplicate, rename, and set IPSec over TCP for a connection profile that's not your default.
ESP. ESP is the original protocol used by IPSec. Its packets use a different protocol number (50) from TCP and UDP and as such permission for it to pass is often omitted from firewalls and routers simply because of its obscurity. The ESP protocol also requires your client to have a public IP address and a path for ESP from Georgia Tech to your client that isn't impeded by incoming firewalls. These restrictions make it much less likely that the VPN client will function on publicly available networks. However, there are locations, including on the GT-Atlanta campus, where ESP will be functional. ESP is the most efficient variant of the protocol in terms of overhead, since the packets are not redundantly encapsulated into UDP or TCP, but the improvement isn't very large. ESP is selected in the client by de-selecting the Enable Transparent Tunneling checkbox in the Transport tab of the Modify button.
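The transport requirements listed in the AnyConnect and IPSec sections above (443/tcp for SSL, 443/udp for DTLS, 4500/udp for IPSec over UDP and NAT-T, the enabled TCP ports for IPSec over TCP, and IP protocol 50 with a public address for ESP) can be checked against a network's egress policy before anyone sits in a hotel lobby trying one profile after another. The script below is an added example written for this page, not OIT's or Cisco's code. The Rule class, the first-match policy model, the behind-NAT flag and the two sample policies (HOTEL_RULES and HOME_RULES) are constructed assumptions; the port and protocol numbers are the ones the text gives.

```python
"""Which Georgia Tech VPN transports would a given egress policy let through?

Added example for this page (not OIT or Cisco code).  The firewall model is a
constructed, simplified first-match rule list; only the port and protocol
numbers come from the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transport requirements as described on the page: (ip protocol, port).
# ESP is IP protocol 50 and has no port, so it is recorded as ("esp", None).
VPN_TRANSPORTS: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "AnyConnect SSL": [("tcp", 443)],
    "AnyConnect DTLS": [("udp", 443)],
    "IPsec over UDP / NAT-T": [("udp", 4500)],
    "IPsec over TCP": [("tcp", p) for p in (10000, 110, 143, 993, 995, 8080)],
    "ESP": [("esp", None)],
}


@dataclass(frozen=True)
class Rule:
    """One line of a constructed first-match egress policy (assumption)."""
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "esp" or "any"
    port: Optional[int] = None  # None matches any port; ignored for esp

    def matches(self, proto: str, port: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def is_permitted(rules: List[Rule], proto: str, port: Optional[int],
                 default: str = "deny") -> bool:
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action == "allow"
    return default == "allow"


def evaluate_policy(rules: List[Rule], default: str = "deny",
                    behind_nat: bool = True) -> Dict[str, List]:
    """Map each VPN transport to the ports (or protocol, for ESP) that pass.

    ESP additionally needs a public client address (the page: "requires your
    client to have a public IP address"), so behind a NAT it never passes
    even when protocol 50 is permitted.
    """
    result: Dict[str, List] = {}
    for name, needs in VPN_TRANSPORTS.items():
        passing = []
        for proto, port in needs:
            if proto == "esp" and behind_nat:
                continue
            if is_permitted(rules, proto, port, default):
                passing.append(port if port is not None else proto)
        result[name] = passing
    return result


def usable_transports(rules: List[Rule], default: str = "deny",
                      behind_nat: bool = True) -> List[str]:
    """Transports with at least one permitted path, in page order."""
    return [name for name, paths in
            evaluate_policy(rules, default, behind_nat).items() if paths]


# Constructed sample: a hotel egress policy that allows web and encrypted
# mail over TCP only and drops everything else (so all UDP and ESP fail).
HOTEL_RULES = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 993),
    Rule("allow", "tcp", 995),
    Rule("deny", "any"),
]

# Constructed sample: a home router that lets any outbound TCP/UDP through
# but has no rule for ESP and NATs the client.
HOME_RULES = [
    Rule("allow", "tcp"),
    Rule("allow", "udp"),
]

if __name__ == "__main__":
    for label, rules in (("hotel", HOTEL_RULES), ("home", HOME_RULES)):
        print(label, evaluate_policy(rules))
        print(label, "usable:", usable_transports(rules))
```

For the hotel policy the evaluation shows why the text's advice works: AnyConnect still connects over 443/tcp (DTLS is blocked, so it stays on SSL), and the IPSec client only gets through by switching to IPSec over TCP on 993 or 995. For the home policy every UDP and TCP variant passes, but ESP does not, first because the client is behind NAT and second because protocol 50 is not in the allow list.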