OIT VPN Services include a VPN (Virtual Private Network) service that uses the Microsoft Point-to-Point Tunneling Protocol (PPTP).
OIT PPTP VPN Service is available based upon OIT Windows accounts and passwords. To use the OIT PPTP VPN Service, you must have an OIT Windows account.
There is no charge for using OIT PPTP VPN Service.
The name of the OIT PPTP VPN server is vpn.princeton.edu. You will need to configure your VPN client to connect to this VPN server.
Your account name is your OIT netid; you may optionally precede it with "PRINCETON\".
Your password is your OIT Windows password.
The OIT Help Desk publishes instructions for configuring a number of operating systems to use OIT PPTP VPN Service. See their Virtual Private Networking (VPN): Frequently asked questions.
If your configuration is not covered by the Help Desk's documentation, you are on your own in obtaining appropriate client software and configuring it for use. You may need to consult Technical Specifications below to learn some of the parameters you will need.
These are among the most common difficulties clients may experience.
NAT routers (Network Address Translators) often interfere with VPN traffic. Problems caused by NATs are the ones most commonly experienced by VPN clients.
If your computer can connect to OIT PPTP VPN Service when it is not behind a NAT, but cannot (or sometimes cannot) when it is behind a NAT, it is very likely that the NAT is the cause of the problem.
NATs can interfere with a variety of traffic. PPTP traffic is often difficult for NATs to handle.
NATs that also perform Port Address Translation (e.g. sharing one IP address among a number of clients) often cannot support multiple clients simultaneously connecting to the same VPN server. Another common problem is that only the first VPN connection attempt works, and later attempts fail until some indeterminate time has passed (for the NAT to clean up its connection state) or the NAT is rebooted.
In all these cases, the solution is to remove the NAT. OIT does not support or recommend the use of NATs. We do not attempt to "fix" anything that doesn't work as a result of the use of a NAT.
The VPN server does not provide IPX (Novell Netware) service. If your VPN client is configured to require that IPX be available via the VPN connection, it will refuse to connect to the VPN server.
If you experience this difficulty, reconfigure your VPN client software so it does not require that IPX be available via the VPN connection.
When configured with a blank username or password, some VPN clients try connecting to the VPN server first with the blank value(s), figuring that if that fails, they can prompt you for your username and/or password and try again.
The VPN server permits only a single incorrect username/password combination before disconnecting you. When your client tries the blank value(s) and fails, the VPN server disconnects you; it does not give your VPN client a chance to prompt you for new values and retry.
The solution is to enter a username and password into your VPN client's connection window before telling it to connect to the VPN server. You should not need to save the password (it doesn't need to be stored on the client's disk); you need only enter it in the connection window before telling the client to connect.
Firewalls are sometimes configured to block VPN traffic.
If your computer can connect to OIT PPTP VPN Service from some locations (e.g. OIT networks on-campus), but not from other locations (e.g. a private network, or while connected to the Internet connection elsewhere), there may be a firewall in your path, configured to block VPN traffic.
To establish a connection between your VPN client and the OIT PPTP VPN Server, the path between your client and the server must allow the following traffic: TCP traffic between your client and the server's TCP port 1723 (the PPTP control connection), and GRE traffic (IP protocol 47) between your client and the server.
Some Internet Service Providers, schools, companies, and private networks choose to block PPTP VPN traffic. If you are connecting to the network from one of these sites, you may not be able to connect to the OIT PPTP VPN Service.
When you try to connect to the VPN server and specify a bad account name or password, the VPN server will (correctly) deny you access. If you attempted to authenticate using MS-CHAPv2, the error it returns to your VPN client is typically MS-CHAP error 691, a.k.a. "Authentication Failure."
However, in a few cases the error it returns to your VPN client may be MS-CHAP error 649, a.k.a. "No Dial-In Permissions." This simply means that the account you specified happens to be one that is not an OIT netid, but does happen to be one present in some other Princeton domain group (e.g. some departmental Windows domain). Although the specific error is a little different, the essential meaning is the same: the account/password combination you provided to the VPN server is not acceptable.
Below are technical specifications of OIT PPTP VPN Service. Although most people will not need these details, they may be helpful to those using the service from less common VPN clients.
There is a 4-hour idle session timeout. (Some clients may generate or receive traffic that prevents a session from appearing to be idle. Therefore you should disconnect yourself when you are done using the service, rather than assume the service will eventually disconnect you on its own.)
If a client becomes unreachable, the server will terminate the client's session in 60-120 seconds.
As one of the purposes of VPN service is to provide some degree of security for the data as it crosses a portion of the network, it would be a reasonable expectation on the part of customers that VPN is in fact secure.
In reality, the degree of security actually offered by PPTP-based VPN service may be less than some customers might expect.
Security researchers have reported that Microsoft PPTP has a number of weaknesses that could allow someone to compromise the very security it is intended to provide. These weaknesses could allow an attacker to discover the password you use to connect to the VPN server (your OIT Windows password), and to decrypt your traffic as it crosses the network between your VPN client and the VPN server.
Very technical descriptions of these weaknesses in Microsoft PPTP are available here and here.
Tools are freely available to exploit weaknesses in MS-CHAPv1. If you allow your PPTP VPN client to connect using MS-CHAPv1, attackers can use these tools to discover your password.
As of late 2004, at least one tool is freely available to exploit weaknesses in MS-CHAPv2. If you connect using MS-CHAPv2 and are using a weak password, attackers can use this tool to discover your password. As this tool relies on a dictionary search, it should be possible to defend against it by selecting an extremely strong OIT Windows password.
Taking the following actions can make it harder for an attacker to take advantage of these weaknesses:
Microsoft PPTP uses your Windows password for more than authenticating you at connection time; it also uses your Windows password to construct the encryption keys used to secure your data as it travels over the VPN connection. As one result, a poorly selected password seriously weakens PPTP's encryption.
MS-CHAPv1 has a number of very serious weaknesses that make it inadequate for use in an environment where security is important. OIT's PPTP VPN service continues to support it as an alternative to MS-CHAPv2 only to provide backward compatibility for customers who choose to use obsolete VPN clients.
Modern VPN clients that support MS-CHAPv2 typically continue to support MS-CHAPv1, and will fall back to using MS-CHAPv1 if they believe the VPN server is unable to support MS-CHAPv2. An attacker can take advantage of this behavior to force your VPN client to fall back to MS-CHAPv1, and then exploit the weaknesses in MS-CHAPv1. To protect yourself from this vulnerability, ensure your VPN client is configured so that it only authenticates with MS-CHAPv2, and will refuse to fall back to MS-CHAPv1.
Similarly, ensure your VPN client requires the VPN connection to use 128-bit encryption, and will refuse to fall back to 40-bit encryption.
Unfortunately, VPN client documentation usually does not show how to reconfigure the VPN client to refuse to use MS-CHAPv1 and 40-bit encryption. It's possible some VPN clients do not provide a way to perform this reconfiguration at all.
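The point above that the Windows password is the only secret behind the link encryption is easiest to see in the key derivation itself. Here is an added Python example (not OIT's code and not from the original page) of the RFC 3079 derivation of the 128-bit MPPE client send key from an MS-CHAPv2 exchange; the 24-byte NT-Response it consumes travels in the clear, so the password alone determines the key. The MD4 routine is included because NT hashes need it and many current OpenSSL builds no longer expose it; the sample password and NT-Response are constructed values.

```python
import hashlib
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT password hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [(F, list(range(16)), (3, 7, 11, 19), 0),
              (G, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
              (H, [int(f"{i:04b}"[::-1], 2) for i in range(16)], (3, 9, 11, 15), 0x6ED9EBA1)]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, ks, shifts, const in rounds:
            for i, k in enumerate(ks):
                v = (a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF
                s = shifts[i % 4]
                a, b, c, d = d, ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF, b, c
        state = [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

# Constants from RFC 3079 section 3 (MS-CHAPv2 -> MPPE keys).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
SHA_PAD1, SHA_PAD2 = b"\x00" * 40, b"\xf2" * 40

def nt_password_hash(password: str) -> bytes:
    """NT hash: MD4 over the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))

def mppe_send_key(password: str, nt_response: bytes) -> bytes:
    """128-bit client send key. Inputs: the password (secret) and the 24-byte
    NT-Response, which the client sends in clear text during the CHAP exchange."""
    hash_hash = md4(nt_password_hash(password))                      # PasswordHashHash
    master = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()[:16]  # GetMasterKey
    return hashlib.sha1(master + SHA_PAD1 + MAGIC2 + SHA_PAD2).digest()[:16]  # start key

if __name__ == "__main__":
    # Constructed sample: a weak password and a made-up NT-Response as it would appear on the wire.
    demo_response = bytes(range(24))
    print("MPPE send key:", mppe_send_key("Password1", demo_response).hex())
```

Anyone who recovers the password from a captured exchange can reproduce this computation and decrypt the session; a long random password is what keeps the dictionary attack described above from succeeding.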
There are also some security concerns you should be aware of that are not due to weaknesses in Microsoft PPTP itself, but in the way common VPN clients behave.
After a PPTP VPN connection has been established, some VPN clients that lose their connection to the VPN server do not alert you that the VPN connection is down. If your computer still has a network connection, your traffic may continue to flow over that connection directly (unencrypted), rather than through the encrypted tunnel to the VPN server. Because the VPN client failed to alert you to the change, you may not realize that your sensitive traffic is no longer protected by the VPN.
This is due to the way the VPN client convinces the operating system to use the VPN server; it's typically done by manipulating the client operating system's IP routing table. When the VPN client establishes a VPN connection, the VPN client typically modifies the operating system's IP routing table, to make the 'default' IP route point to the VPN server. As a result, the operating system uses the VPN connection for outgoing IP traffic when it has no better route to the IP destination. If the operating system has a better route for some IP destinations, it sends that traffic via the better route, instead of sending the traffic via the VPN connection.
Since the computer is directly attached to some IP network (subnet), it knows that its own physical network interface is a better route to destinations on that particular subnet. For example, if your computer knows it is directly attached to IP network 192.168.10.0 - 192.168.10.255, any traffic it wants to send to an IP address in that range will be sent directly, without using the VPN connection.
It is possible your computer will have additional routes "better than default" in its routing table, either because you manually inserted them, or because it has learned them via a dynamic routing protocol.
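The routing behaviour just described, as an added Python model that is not part of the original page: longest-prefix matching over a constructed routing table for a computer on the 192.168.10.0/24 subnet used in the example above, with the tunnel up and after it has silently dropped. The VPN server address 203.0.113.10 and the gateway 192.168.10.1 are placeholders, not real OIT values.

```python
import ipaddress

def best_route(routes, dest: str):
    """Longest-prefix match: the most specific route containing dest beats the default route."""
    dst = ipaddress.ip_address(dest)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def routing_table(vpn_up: bool):
    """Constructed (network, via) entries as a typical PPTP client leaves them."""
    lan = (ipaddress.ip_network("192.168.10.0/24"), "eth0 (local subnet, direct)")
    if vpn_up:
        # Default route now points at the tunnel; a host route to the VPN server itself stays on
        # the NIC so the encapsulated PPTP/GRE packets can still reach the server.
        return [lan,
                (ipaddress.ip_network("203.0.113.10/32"), "eth0 via 192.168.10.1 (tunnel carrier)"),
                (ipaddress.ip_network("0.0.0.0/0"), "ppp0 (PPTP tunnel, encrypted)")]
    # Tunnel dropped: the client quietly restored the original default route via the NIC.
    return [lan, (ipaddress.ip_network("0.0.0.0/0"), "eth0 via 192.168.10.1 (unencrypted)")]

def is_tunnelled(dest: str, vpn_up: bool) -> bool:
    """True only if traffic to dest would actually leave through the PPTP tunnel."""
    route = best_route(routing_table(vpn_up), dest)
    return route is not None and route[1].startswith("ppp0")

def tunnel_still_default(routes) -> bool:
    """The check a user (or a watchdog script) wants: is the default route still the tunnel?"""
    default = next((via for net, via in routes if net.prefixlen == 0), "")
    return default.startswith("ppp0")

if __name__ == "__main__":
    for dest in ("198.51.100.7", "192.168.10.55"):   # an Internet host, a local-subnet host
        for up in (True, False):
            print(f"{dest:14} vpn_up={up!s:5} -> {best_route(routing_table(up), dest)[1]}")
```

Local-subnet traffic bypasses the tunnel even while the VPN is up, and once the tunnel drops every destination goes out unencrypted; comparing the live default route against the tunnel interface is how a client (or you, with netstat -rn or route print) can notice.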
The use of peer-to-peer (P2P) software over the VPN connection is not supported. OIT blocks or limits the ability of P2P software to function over OIT PPTP VPN Service.