22.5. Virtual Private Networking
After reading the previous pages, you might assume that it's a piece of cake for business
people to connect to their corporate networks across the Internet from wherever they
happen to be: their homes, hotel rooms, or local Starbucks. But even though the steps on
the preceding pages work fine if you're dialing into your home machine, they'll probably
fail miserably when you want to connect to a corporate network. There's one enormous
obstacle in your way: Internet security.
The typical corporate network is guarded by a team of steely-eyed administrators for
whom Job Number One is preventing access by unauthorized visitors. They perform this
job primarily with the aid of a super-secure firewall that seals off the company's network
from the Internet.
So how can you tap into the network from the road? One solution is to create a hole in the
firewall for each authorized user — software that permits incoming Internet traffic only
from specified IP addresses like your Mac's. Unfortunately, this setup isn't bulletproof,
security-wise. It's also a pain for administrators to manage.
Another solution: You could dial directly into the corporate network, modem-to-modem.
That's plenty secure, but it bypasses the Internet, and therefore winds up being expensive.
(Want proof? Try this simple test: Make a call from the Tokyo Hilton to the
Poughkeepsie Sheet Metal home office. Have a look at your hotel bill when you check
out.)
Fortunately, there's a third solution that's both secure and cheap: the Virtual Private
Network, or VPN. Running a VPN allows you to create a super-secure "tunnel" from
your Mac, across the Internet, and straight into your corporate network. All data passing
through this tunnel is heavily encrypted; to the Internet eavesdropper, it looks like so
much undecipherable gobbledygook.
And it's cheap—whether you're accessing the Internet via your home DSL, a local ISP
number from a hotel, or wirelessly from your stool at Starbucks.
Remember, though, that VPN is a corporate tool, run by corporate nerds. You can't use
this feature without these pieces in place:

A VPN server. This is a big deal. If your tech department tells you they don't have
one, then that's that—no tunneling for you.
If they do have one, then you'll need to know the type of server it is. Mac OS X's
VPN software can connect to VPN servers that speak PPTP (Point to Point
Tunneling Protocol) and L2TP/IPsec (Layer 2 Tunneling Protocol over the IP
Security Protocol), both relatives of the PPP language spoken by modems. Most
corporate VPN servers work with at least one of these protocols.
You'll also need to know the Internet address of your VPN server (for example, ).

An account on the remote network that allows VPN access. Your remote network
can be set up in many different ways, but in every case, you'll still need to confirm
with your network administrator that your account on it allows VPN access.

All necessary account information. Make sure you have all the scraps of
connection information you'll need to dial in. That would include your user
(account) name, at the very least. You may also need an NT Domain name; VPN
servers are often part of Microsoft Windows NT networks, which won't let you in
until you know this domain name.
Some networks also may require that you type in the currently displayed password
on an RSA SecurID card, which your administrator will provide. This James
Bondish, credit card–like thing displays a password that changes every few
seconds, making it rather difficult for hackers to learn "the" password. (If your
network doesn't require a SecurID card, you'll need a standard password instead.)
Finally, if your office offers L2TP connections, you'll need yet another password
called a Shared Secret to ensure that the server you're connecting to is really the
server that you intend to connect to.
22.5.1. Setting Up the VPN Connection
If you're lucky, your company's network geek has provided you with a VPN settings file,
a little double-clickable icon that automatically opens the Network pane of System
Preferences and fills in the blanks for you. If not, you can do all that manually:
1. Open System Preferences. Click Network. Click the + button below the list of
connections at the left side.
The "Select an interface" sheet appears.
2. From the pop-up menu, choose VPN.
Now a new pop-up menu appears, called VPN Type; you're supposed to choose
either L2TP (Layer 2 Tunneling Protocol) or PPTP (Point to Point Tunneling
Protocol). Find out which system your company's network uses.

Tip: Leopard doesn't work with the third popular type, called IPSec (IP Security).
If your company uses that type, though, you can download Cisco's free IPSec
connection program for Mac OS X from cisco.com.

3. Choose the type of VPN from the VPN Type pop-up menu. Type a name for this
connection (it can be anything you want). Click Create.
You return to the main Network pane, where the settings boxes for your VPN are
waiting (Figure 22-5).
4. Fill in the server address and account name. Click Authentication Settings to
specify your password and other security settings.
Here, for example, is where you indicate that you have one of those SecurID
cards.
5. Click OK. Turn on "Show VPN Status in menu bar."
That checkbox makes the VPN menulet appear; it's your ticket to getting
connected (Figure 22-5, top).

Tip: If you always connect to the same VPN, you can turn on the new Leopard feature
called VPN on Demand. It autoconnects you to your corporate VPN every time you
direct your Web browser to a Web site, file server, or resource that requires the VPN
connection, saving you some steps. To set this up, click Advanced. (You can see this
button in the figure below.) Click VPN on Demand; click +. Enter the corporate VPN
domain. You're good to go—as long as you've got your network geek's permission.
(Some of them get antsy about VPN on Demand, since it could be a security risk if your
laptop is stolen.)

Figure 22-5. You're on your way to joining the corporate network—from thousands
of miles away. Virtual private networking is ideal for the paranoid (because it's very
secure) and the cheap (because you're using the Internet as a giant wire connecting
you to your home).
Close System Preferences. You're ready to connect.
22.5.2. Connecting to a VPN
Connect the way you normally do—via cable modem, DSL, office network, modem,
AirPort, or whatever. Once you're online, choose your VPN's name from the VPN
menulet. You'll be asked for your credentials: your password, for example, or the code
that's displayed on your SecurID card.
If all goes well, several status messages go by. The last one says, "Connected To" and
gives the IP address of the network equipment you've reached out and touched.
At this point, you're connected to the corporate network. You can perform the same
network-related tasks you could if you were actually in that office: check your email,
view internal corporate Web pages, access internal FTP servers, make printouts on laser
printers thousands of miles away, and so on.
You generally can't browse things, though. That is, depending on your network, you
might not be able to use your Sidebar to view a list of the other computers on the office
network, or see a list of networked printers.
In this case, to access these services, you must know their IP addresses. For example, to
connect to a shared folder on another computer, choose Go → Connect to Server, type
its network address, and press Enter.


Tip: To connect to a shared folder on a Windows machine, the address looks like this:
smb://111.222.33.4/sales-docs. Of course, you'd substitute the correct IP address for the
dummy one shown here, and insert the actual name of the shared folder. (You can also
use its DNS name instead of the IP address, if you know it, like this:
smb://big-blue-server.ferret-lan.com/sales-docs.)

When you're finished accessing the remote network, choose Disconnect from the VPN
menulet. (Accessing other Web sites can be slow while you're on a VPN.)
22.5.3. The Fine Points of VPN
For all the wonders of VPN, here are some possible complications:

If you're using a router at home (a little box that shares one cable modem or DSL
box with several computers), it might not be able to handle the tunneling protocols,
or it might not have that feature turned on. Check the router's manual, or ask its
manufacturer for more information. For example, the first-generation (silver)
AirPort base stations can't handle VPNs at all.

If the corporate network doesn't seem to like your name and password, you might
need to add your NT domain name and a backwards slash to the beginning of your
account name (like this: dom01\msmith) before trying again.
If you're able to make the connection, but experiencing trouble reaching services
by their DNS names (for example, big-blue-server.com), your Mac could be
having difficulty finding the right DNS server. Working with your network
administrator, open the Network pane of System Preferences. Click VPN, then
click Advanced, and then DNS; enter the desired DNS server addresses in the
DNS Servers box. Click OK, then Apply, and then try the VPN connection again.

If you're still having problems using the VPN, look at the logs (automatically kept
technical records) for clues to share with your network administrator. To view
these records, open the Console program (in Applications → Utilities). Click
Show Log List, expand the /var/log section, and click ppp.log.
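As an added example (not from the book), here is a small Python script that splits a ppp.log excerpt into connection attempts and matches each one against the symptoms listed above. The log lines are constructed samples, and the keyword patterns in RULES are assumptions about what pppd writes, not an official catalogue of its messages.

```python
# Added example: triage a Leopard ppp.log excerpt against the VPN troubleshooting list.
# Assumption: pppd writes "<date> : <message>" lines; the RULES patterns are guesses.
import re

# Constructed sample log: first attempt fails authentication, second one succeeds.
SAMPLE_LOG = """\
Mon Mar  3 09:12:01 2008 : L2TP connecting to server 'vpn.example.com' (192.0.2.10)...
Mon Mar  3 09:12:04 2008 : L2TP connection established.
Mon Mar  3 09:12:05 2008 : CHAP authentication failed
Mon Mar  3 09:12:05 2008 : Connection terminated.
Mon Mar  3 09:13:10 2008 : L2TP connecting to server 'vpn.example.com' (192.0.2.10)...
Mon Mar  3 09:13:13 2008 : L2TP connection established.
Mon Mar  3 09:13:14 2008 : CHAP authentication succeeded
Mon Mar  3 09:13:14 2008 : local  IP address 10.8.0.23
Mon Mar  3 09:13:14 2008 : remote IP address 10.8.0.1
"""

LINE_RE = re.compile(r"^.+?\d{4} : (?P<msg>.*)$")  # strip the leading timestamp

# Checked in priority order; each hint points at an item in "The Fine Points of VPN".
RULES = [
    (r"authentication failed", "auth_failed",
     "bad password/SecurID code, or NT domain prefix (dom01\\msmith) missing"),
    (r"IPSec phase 1 .*failed|shared secret", "ipsec_failed",
     "check the Shared Secret and that the server speaks L2TP/IPsec"),
    (r"no answer|timed out|unreachable", "no_server",
     "server never answered: check its address and home-router tunnel support"),
    (r"remote IP address", "connected", "tunnel is up"),
]

def parse_attempts(log):
    """Group messages into attempts; each starts at a 'connecting to server' line."""
    attempts = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        msg = m.group("msg")
        if "connecting to server" in msg:
            attempts.append([])
        if attempts:  # ignore lines before the first attempt
            attempts[-1].append(msg)
    return attempts

def diagnose(messages):
    """Return (verdict, hint) for one attempt; the first matching rule wins."""
    for pattern, verdict, hint in RULES:
        if any(re.search(pattern, msg, re.IGNORECASE) for msg in messages):
            return verdict, hint
    return "unknown", "no recognised marker; share the whole attempt with your admin"

def triage(log):
    return [diagnose(a)[0] for a in parse_attempts(log)]
```

Run `triage(open("/var/log/ppp.log").read())` on a real Leopard machine to get one verdict per attempt, oldest first.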