VPN Requests
General Information
The IPsec termination point is named 'vpn.state.vt.us' [170.222.128.10].
We currently support the following IPsec transforms (in all sensible combinations): AH and ESP (or both), DES and 3DES, and MD5-HMAC and SHA1-HMAC.
We do not support L2F, L2TP or PPTP.
We currently support IKE (ISAKMP) negotiation using pre-shared keys with DH group 2, 3DES and SHA1; if necessary, we can also support DH group 1, DES-CBC and MD5. We will support any security association lifetime up to 4,608,000 KB (10 Mbit/sec for one hour) and 28,800 seconds (eight hours). We are not yet able to support perfect forward secrecy (PFS), but we are working on it.
If you have very specific data encryption, authentication, anti-replay or other security requirements, it is your responsibility to configure your systems to negotiate transforms that satisfy those requirements.
Policy currently prevents us from using certificate-based authentication.
Requesting Application Configuration and User Accounts
Using the concept of an application group greatly simplifies administration of VPN access, since members can be added to an existing group simply by creating individual accounts. Users with existing VPN accounts can be given access to additional application groups simply by providing them with the group name and its shared secret key. (The downside of this scheme, until we receive permission to use certificates, is that removing a member from any group requires that the shared secret of that group be changed, since the departing member still knows it.)
Note that each user will use both an individual id and password and an application group name and shared key for authentication.
The application group name will be used to identify the set of services in the agency/department that members of the group may access. Examples of reasonable application group names are 'CIT_mvs1_ftp-tn' and 'Tax_act60_ftp'. Note that the Cisco systems that we are using impose a 16-character limit on group names.
Application group destinations may overlap, and individuals may belong to multiple application groups, but it is not possible for an individual to simultaneously connect to multiple groups. Please plan your application groups carefully, based on the access required by your users.
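The supported IKE and IPsec parameters listed under General Information, together with the 16-character group-name limit and the "powers of 2 are nice" hint, can be written down as a pre-submission check that a remote end runs against its own proposed configuration before sending a request. The script below is an added example, not Govnet's or Cisco's code; the `Proposal` field names, the function names and the binary-unit reading of "10 Mbit/sec for one hour" (1 Mbit = 2^20 bits, 1 KB = 1024 bytes, which yields exactly 4,608,000 KB) are this example's own assumptions. It does not talk to the concentrator; it only compares a proposal to the policy as stated on this page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constraints transcribed from the "General Information" section of this page.
IKE_ENCRYPTION = {"3des", "des"}         # 3DES preferred; DES-CBC only if necessary
IKE_HASH = {"sha1", "md5"}               # SHA1 preferred; MD5 only if necessary
IKE_DH_GROUPS = {2, 1}                   # group 2 preferred; group 1 only if necessary
IKE_AUTH_METHODS = {"psk"}               # certificate authentication not permitted
IPSEC_PROTOCOLS = {"ah", "esp", "ah+esp"}
IPSEC_ENCRYPTION = {"des", "3des"}
IPSEC_INTEGRITY = {"hmac-md5", "hmac-sha1"}
MAX_LIFETIME_KB = 4_608_000              # 10 Mbit/sec for one hour
MAX_LIFETIME_SECONDS = 28_800            # eight hours
PFS_SUPPORTED = False                    # not yet supported by the termination point
GROUP_NAME_MAX_LEN = 16                  # limit imposed by the Cisco systems


@dataclass
class Proposal:
    """IKE phase-1 and IPsec phase-2 parameters a remote end would offer
    (field names are this example's own, not Cisco or Govnet terms)."""
    ike_encryption: str
    ike_hash: str
    dh_group: int
    ike_auth: str = "psk"
    ipsec_protocol: str = "esp"
    ipsec_encryption: Optional[str] = "3des"   # None: no encryption (AH only)
    ipsec_integrity: str = "hmac-sha1"
    lifetime_kb: int = MAX_LIFETIME_KB
    lifetime_seconds: int = MAX_LIFETIME_SECONDS
    pfs: bool = False


def check_proposal(p: Proposal) -> List[str]:
    """Return the reasons the termination point would reject this proposal;
    an empty list means it fits the stated policy."""
    problems: List[str] = []
    if p.ike_encryption not in IKE_ENCRYPTION:
        problems.append(f"IKE encryption {p.ike_encryption!r} not offered (3DES or DES-CBC)")
    if p.ike_hash not in IKE_HASH:
        problems.append(f"IKE hash {p.ike_hash!r} not offered (SHA1 or MD5)")
    if p.dh_group not in IKE_DH_GROUPS:
        problems.append(f"DH group {p.dh_group} not offered (2, or 1 if necessary)")
    if p.ike_auth not in IKE_AUTH_METHODS:
        problems.append("only pre-shared key authentication is permitted")
    if p.ipsec_protocol not in IPSEC_PROTOCOLS:
        problems.append(f"IPsec protocol {p.ipsec_protocol!r} not offered (AH, ESP or both)")
    # AH provides integrity only, so DES/3DES is meaningful only when ESP is present.
    elif p.ipsec_protocol == "ah" and p.ipsec_encryption is not None:
        problems.append("AH alone cannot encrypt; use ESP or AH+ESP for DES/3DES")
    elif p.ipsec_protocol != "ah" and p.ipsec_encryption not in IPSEC_ENCRYPTION:
        problems.append(f"ESP encryption {p.ipsec_encryption!r} not offered (DES or 3DES)")
    if p.ipsec_integrity not in IPSEC_INTEGRITY:
        problems.append(f"integrity {p.ipsec_integrity!r} not offered (MD5-HMAC or SHA1-HMAC)")
    if p.lifetime_kb > MAX_LIFETIME_KB:
        problems.append(f"SA lifetime {p.lifetime_kb} KB exceeds {MAX_LIFETIME_KB} KB")
    if p.lifetime_seconds > MAX_LIFETIME_SECONDS:
        problems.append(f"SA lifetime {p.lifetime_seconds} s exceeds {MAX_LIFETIME_SECONDS} s")
    if p.pfs and not PFS_SUPPORTED:
        problems.append("perfect forward secrecy is not yet supported; disable PFS")
    return problems


def lifetime_kb_for(rate_mbit_per_s: int, seconds: int) -> int:
    """Kilobytes carried at a given rate, in the binary units (1 Mbit = 2**20 bits,
    1 KB = 1024 bytes) under which 10 Mbit/s for one hour is exactly the
    4,608,000 KB quoted on the page. Assumption: that is the intended reading."""
    return rate_mbit_per_s * 2 ** 20 * seconds // 8 // 1024


def check_group_request(name: str, max_connections: int) -> List[str]:
    """Apply the group-name length limit and the 'powers of 2 are nice' hint."""
    problems: List[str] = []
    if len(name) > GROUP_NAME_MAX_LEN:
        problems.append(f"group name {name!r} is {len(name)} characters; limit is {GROUP_NAME_MAX_LEN}")
    if max_connections < 1:
        problems.append("maximum simultaneous connections must be at least 1")
    elif max_connections & (max_connections - 1):
        problems.append(f"{max_connections} is not a power of 2 (not required, but preferred)")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's own example group, offered with the preferred IKE set.
    preferred = Proposal("3des", "sha1", 2)
    print("preferred proposal:", check_proposal(preferred) or "accepted")
    print("with PFS:", check_proposal(Proposal("3des", "sha1", 2, pfs=True)))
    print("group request:", check_group_request("CIT_mvs1_ftp-tn", 16) or "accepted")
```

The AH check is the one worth noting: AH authenticates but never encrypts, so a proposal that pairs AH alone with DES or 3DES is not one of the "sensible combinations" and is reported as such rather than silently passed.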
VPN Request Process
VPN requests should be sent to security@govnet.state.vt.us.
Please provide the following information for each application group:
- Security plan for the remote end(s), submitted to DII-Network Engineering (Govnet) (see Format for submitting security plan to GOVnet);
- Desired name for the application group;
- Destination specification, for each destination in the group:
  - IP address;
  - for each application at that destination:
    - transport layer protocol [usually tcp or udp];
    - application layer protocol(s) or IP port(s);
- whether you wish users to have simultaneous access to their local networks;
- maximum number of simultaneous connections (users) in the application group [powers of 2 are nice];
- name of each user in the application group, if a Govnet authentication account is needed.
Users with existing Govnet State or NGO dial-in accounts may use their existing credentials; they do not need a separate VPN account. If a user does not have, and does not otherwise need, a dial-in account, please contact account-request@govnet.state.vt.us and request a VPN-only account.
An example of a reasonable request is:
- [on file]
- CIT_mvs1_ftp-tn
- 159.105.21.130 using tcp for ftp and telnet
- no local LAN access
- 16
- none needed (all users have existing Govnet dial-in accounts)
- Windows and Linux software needed
When we receive your request, we will create a shared secret key for the application group and configure our VPN endpoint to provide access to that application group's services. If you request simultaneous LAN access for the group, we will configure split tunneling. We will also create any individual user accounts that you request.
You will be notified when the application group has been created, and you will be given its shared secret key. (Note: if you cannot receive PGP-encrypted email, you will have to arrange another way to receive the application group's shared secret key.) You will also be notified when each user account has been created and given its user id and password. You are responsible for key distribution and/or pre-configuration of the client software.
The Cisco VPN "client" software can be downloaded here.
Documentation for the Cisco VPN Client is available here.
You can add users at any time by requesting individual VPN accounts. You give users access to an application group by providing them with the group name and its shared secret key, or by providing them with pre-configured VPN software.