Cisco VPN Client

Note: If you are currently using Cisco VPN, the application will continue to work.
However, once your certificate expires, we recommend upgrading to Cisco AnyConnect VPN
(http://cms-staging.andrew.cmu.edu/computing/doc/network/vpn/vpn-anyconnect/index.html).

This document contains the following sections:

  •   Introduction
  •   Step 1: Download & Install
  •   Step 2: Register VPN Certificate
  •   Step 3: Import the VPN Certificate
      (http://www.cmu.edu/computing/doc/network/vpn/vpn-cisco/import.html)
  •   Step 4: Create Connection
  •   Step 5: UDP Connection
  •   Step 6: Firewall
  •   Step 7: Configure: Windows XP ONLY
  •   Step 8: Advanced Configuration: Windows ONLY
  •   Step 9: Establish a Connection

For information related to this topic refer to:

  • Virtual Private Networking Overview
    (http://www.cmu.edu/computing/doc/network/vpn/overview.html)
  • Cisco AnyConnect VPN
    (http://www.cmu.edu/computing/doc/network/vpn/vpn-anyconnect/index.html)
  • WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html)
  • Computing Off Campus [PDF]
    (http://www.cmu.edu/computing/doc/network/connect/remote.pdf)
  • Support Statement
    (http://www.cmu.edu/computing/doc/network/vpn/support-vpn.html)
  • Cisco VPN Client: Frequently Asked Questions
    (http://www.cmu.edu/computing/doc/network/vpn/faq-vpn.html)




                                             -1-
                                           vpn-cisco-pdf


Cisco VPN Introduction
Note: If you are considering installing Cisco VPN Client for the first time, we
recommend upgrading to Cisco AnyConnect VPN
(http://cms-staging.andrew.cmu.edu/computing/doc/network/vpn/vpn-anyconnect/index.html)
instead, as it does not require you to download certificates or register on NetReg.
The Cisco VPN Client is desktop software that secures traffic between your machine
and restricted services. With the Cisco VPN Client software running in the background,
all restricted traffic is automatically routed through an encrypted tunnel using the
Advanced Encryption Standard (AES) or Triple DES (3DES, the triple Data Encryption
Standard).
For most of the VPN networking we provide, communication to off-campus sites or
unrestricted campus services is routed directly through the public Internet, not tunneled
through the Cisco VPN Client. The software does not need to be started or stopped
as you move between restricted and unrestricted sites. This ensures that unrestricted
services are not slowed by the Cisco VPN Client software.
This service requires installation of the Cisco VPN Client software and registration for a
certificate through NetReg (http://netreg.net.cmu.edu).
Most of the VPN networks provide you with a Carnegie Mellon local IP address in the
172.31.*.* range. This allows you access to restricted services that are part of the
Carnegie Mellon network, however, it will not allow you access to services that are
outside the Carnegie Mellon network.
For external restricted sites, use the VPN-Library network when you register, or use
the WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html)
service.
Last Updated 06/23/10




Step 4: Create and Configure a TCP Connection
Follow this step if you will use the Cisco VPN Client from an off-campus location.
If you only use VPN with a wireless connection on-campus, skip to Step 5: UDP
Connection.

 1. From the Cisco VPN Client, select Connection Entries > New.
 2. The Create New VPN Connection dialog box displays.

 3. Complete the fields as follows:
    Connection Entry: Type a name for this VPN connection (e.g., Library_tcp or
    General_tcp). Do not include any spaces!
    Description: Type a description for this connection.
    Host: Type server.vpn.cmu.edu.
 4. On the Authentication tab, select the Certificate Authentication option.
 5. In the Name field, select the name of the certificate you imported earlier from the
    drop-down list.
 6. Select the Transport tab.
 7. Under Enable Transparent Tunneling, select IPSec over TCP.

 8. Click Save.
 9. Repeat this step for each subnet that you are registered under on the NetReg
    page (e.g., VPN - General Users, VPN - Library). When you are finished, you will
    have a "tcp" connection entry for each registered VPN subnet (e.g., General_tcp,
    Library_tcp).

Last Updated: 8/28/09




Step 5: Create and configure a UDP connection
Follow this step if you plan to use the Cisco VPN Client from an off-campus location
or with a wireless connection on campus. If you are using VPN from an off-campus
location, you should create and configure both a tcp and a udp connection entry
for EACH registered VPN subnet (e.g., General_tcp, General_udp, Library_tcp,
Library_udp).

 1. Select Connection Entries > New.
 2. The Create New VPN Connection dialog box displays.

 3. Complete the fields as follows:
    Connection Entry: Type a name for this VPN connection (e.g., General_udp,
    Library_udp). Do not include any spaces!
    Description: Type a description for this connection.
    Host: Type server.vpn.cmu.edu.
 4. On the Authentication tab, select the Certificate Authentication option.
 5. In the Name field, select the name of the certificate you imported earlier from the
    drop-down list.
 6. Select the Transport tab.
 7. Under Enable Transparent Tunneling, select IPSec over UDP (NAT/PAT).

 8. Click Save. The Connection Entries tab redisplays.
 9. Repeat this step for each subnet that you are registered under on the NetReg
    page (e.g., VPN - General Users, VPN - Library). When you are finished, you will
    have a "udp" connection entry for each registered VPN subnet (e.g., General_udp,
    Library_udp).
    Note: If you are using VPN from an off-campus location, you should now have
    both a tcp and a udp connection entry for each registered VPN subnet (e.g.,
    General_tcp, General_udp, Library_tcp, Library_udp).
    If you are using a Mac, your configuration process is complete. Continue
    with the steps to Establish a VPN connection.

Next: Windows users continue with Step 6: Configure Firewall; Mac users continue with
Step 9: Establish a Connection.
Last Updated: 1/29/09




Step 6: Configure Windows Firewall
This step MUST be completed for ALL Windows XP SP2 and Windows Vista connections.
If you are using a Mac, please skip this step!
 1. Select Start > Control Panel.
 2. Windows XP (category view)
      • Click Network and Internet Connections and then click Windows Firewall.
        The Windows Firewall dialog box displays.
    Windows Vista
      • Click Network and Internet and then click Windows Firewall. The Windows
        Firewall window displays.
      • On the left of the window, click Allow a program through Windows Firewall.
        Click Continue to grant Windows permission to continue.
 3. Select the Exceptions tab and click Add Program.

 4. Click Browse and locate the cvpnd.exe file.
       • By default, this file is located in the Program Files\Cisco Systems\VPN
         Client folder. If you chose to install the Cisco VPN Client in another directory,
         navigate to that location.
       • If your machine is not set up to display file extensions, the file name will display
         as cvpnd.
 5. Select the cvpnd.exe file and click Open.
 6. Click OK. The Exceptions tab redisplays with cvpnd listed under Programs and
    Services (Program or port for Windows Vista machines).

 7. Click OK to close the Windows Firewall window.
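For administrators who set up many machines, the same firewall exception can be added from a script instead of the Control Panel. The batch file below is an added example, not part of the CMU document or Cisco's own software; it assumes the default install path named in this step (change VPNDIR if the client was installed elsewhere) and that it is run from an administrator command prompt. It uses the legacy "netsh firewall" context on Windows XP SP2 and the "netsh advfirewall" context on Windows Vista, and then lists the resulting entry so the change can be verified.

```batch
@echo off
REM Added example (not part of the CMU document): scripted equivalent of Step 6.
REM Adds the Cisco VPN Client daemon (cvpnd.exe) as a Windows Firewall exception
REM scoped to the program rather than to a port, then shows the result.
REM Assumption: the default install folder from the document; adjust VPNDIR otherwise.
setlocal
set "VPNDIR=C:\Program Files\Cisco Systems\VPN Client"

if not exist "%VPNDIR%\cvpnd.exe" (
  echo cvpnd.exe not found in "%VPNDIR%" - set VPNDIR to your install folder.
  exit /b 1
)

REM Windows XP reports kernel version 5.1; Vista reports 6.0.
ver | find "5.1" >nul
if %errorlevel%==0 (
  REM Windows XP SP2: legacy firewall context
  netsh firewall add allowedprogram program="%VPNDIR%\cvpnd.exe" name="Cisco VPN Client" mode=ENABLE
  netsh firewall show allowedprogram
) else (
  REM Windows Vista: Windows Firewall with Advanced Security, inbound allow rule for the program
  netsh advfirewall firewall add rule name="Cisco VPN Client" dir=in action=allow program="%VPNDIR%\cvpnd.exe" enable=yes
  netsh advfirewall firewall show rule name="Cisco VPN Client"
)
endlocal
```

The exception is tied to the cvpnd.exe program, which is the same choice the GUI procedure makes on the Exceptions tab; a program-scoped exception only admits traffic for that process, whereas a port-based exception would stay open for any program listening on that port.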

Last Updated: 1/29/09




Step 7: Windows XP ONLY
Configure VPN Client to launch before Windows log on
If you are using Windows Vista or a Mac, please skip this step!
Some Windows XP machines that use Active Directory will need to connect to the VPN
server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using
folder redirection AND, you are using a VPN connection from OFF CAMPUS.

  • If you have a Windows machine and this scenario applies to you, follow the
    instructions to Configure Cisco VPN client to connect before logging into Windows.
    Note: If you're not sure whether you're using folder redirection, follow the steps to
    verify your configuration.
  • If you use a Mac or if this does NOT describe your connection usage, please
    continue with the steps to Establish a VPN Connection.

Last Updated: 1/29/09




Step 8: VPN Client Advanced Configuration - Windows Only
Configure the VPN Client to launch before Windows Log On
Some Windows XP machines that use Active Directory will need to connect to the VPN
server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using
folder redirection AND, you are using a VPN connection from OFF CAMPUS.

  • If this scenario applies to you, follow the instructions to Configure VPN client to
    connect before logging into Windows.
    Note: If you're not sure whether you're using folder redirection, follow the steps to
    verify your configuration.
  • If this does NOT describe your connection usage, please continue with the
    steps to Establish a VPN Connection.

Verify configuration for FOLDER REDIRECTION
 1. From the Start menu, right-click on My Documents.
 2. Select Properties.
 3. On the Target tab, look under Target folder location:
       • If the Target is C:\xxx, you are NOT using folder redirection and do NOT
         need to configure your VPN client to connect before Windows logon. Your
         configuration process is complete. Continue with the Establish a VPN
         Connection section.
       • If the Target is \\server name, you ARE using folder redirection. Complete the
         steps to Configure your client to connect before logging into Windows.
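The same check can be made without the Properties dialog by reading where Windows currently points My Documents. The batch file below is an added example, not from the CMU document; it assumes that folder redirection on Windows XP records the redirected target in the current user's User Shell Folders registry value named Personal, so a target beginning with \\ indicates a redirected (server-hosted) folder, matching the two cases in the step above.

```batch
@echo off
REM Added example (not part of the CMU document): scripted version of the
REM "Verify configuration for FOLDER REDIRECTION" check in Step 8.
REM Assumption: the My Documents target lives in the per-user registry value
REM HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal.
setlocal
set "DOCS="

REM reg query prints "Personal  REG_EXPAND_SZ  <target>"; token 2 is the type,
REM everything after it is the target path.
for /f "tokens=2,*" %%A in ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal ^| find /i "Personal"') do set "DOCS=%%B"

if not defined DOCS (
  echo Could not read the My Documents target - check the Target tab manually.
  exit /b 1
)
echo My Documents target: %DOCS%

REM A UNC target (\\server\share\...) means folder redirection is in use.
if "%DOCS:~0,2%"=="\\" (
  echo Folder redirection IS in use: configure the VPN client to connect before logon.
) else (
  echo Folder redirection is NOT in use: no before-logon configuration is needed.
)
endlocal
```

On an unredirected XP machine the value is normally the expandable string %USERPROFILE%\My Documents, which resolves to a local C:\ path and so falls into the second branch, just as the C:\xxx case does in the dialog.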


Configure VPN client to connect before logging into Windows XP
ONLY COMPLETE THE FOLLOWING STEPS IF:

  • You determined that you ARE using folder redirection
  • AND, you are using an off-campus connection.

This will allow you to connect to the VPN server before logging into Windows.
Otherwise, your machine will not have access to the Carnegie Mellon servers in order to
retrieve the contents of the redirected server folders.

 1. From the Cisco VPN Client, select Options > Windows Logon Properties.
 2. The Windows Login Properties dialog box displays.
      • Select the Enable start before logon option.
      • Deselect the option to Disconnect VPN connection when logging off.
        IMPORTANT! Your configuration for folder redirection requires that your
        machine writes back to files on the server when you log off. For this reason,
        your VPN connection must be maintained when you log out of Windows.
        After you have logged out, YOU MUST SHUTDOWN YOUR COMPUTER TO
        DISCONNECT THE VPN CONNECTION.
 3. Click OK to save the changes and close the Properties dialog box. Your
    configuration process is complete. Continue with the steps to Establish a VPN
    connection before Windows log in.

Establish a VPN Connection before Windows log in
for machines using folder redirection

  • You must first have an active INTERNET CONNECTION (i.e., DSL, cable modem).
  • Because you configured your machine to Enable start before logon, your login
    screen now contains a VPN connection dialog box.
    Note: As you boot your machine, you may see a warning message asking you to
    "wait for Windows networking to start". It may take a moment for the Cisco VPN
    client to load.

 1. Establish a VPN connection
       • Select the VPN connection entry from the Connection Entries drop-down list
         and click Connect.
       • You are asked to enter your Certificate Password before connecting to the
         service.
         Note: This is the "connection" password you created when you imported the
         certificate into the Cisco VPN Client. It is NOT the password you selected in
         NetReg.
           o If you created a connection password earlier when you imported your
              certificate, enter the password now.
           o If you DID NOT assign a connection password during the "Import
              Certificate" process, this dialog box still displays. Leave the password field
              blank and click OK to dismiss the dialog box.
       • The VPN connection is established and the VPN Client dialog box disappears.
 2. Log on to Windows
    Once the VPN connection is established, enter your Andrew password in the Log
    On to Windows dialog box. Click OK. You are now safe to start any applications
    that require the use of the VPN service
    IMPORTANT! Your configuration for folder redirection requires that your machine
    writes back to files on the server when you log off. For this reason, your VPN
    connection must be maintained when you log out of Windows. After you have
    logged out, YOU MUST SHUTDOWN YOUR COMPUTER TO DISCONNECT THE
    VPN CONNECTION.


Once you are able to establish a VPN connection, your configuration process
is complete. Please see the VPN Certificates: Understanding and Managing
(http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/manage.html) document
to better understand the VPN certificates and how to manage the certificates on your
machine.

Last updated: 1/29/09
Step 9: Establish a VPN Connection
In steps 4 and 5, you created and configured both a TCP and a UDP connection entry for
each VPN subnet that you will be using (i.e., VPN-General Users, VPN-Library). The
table below will help you to decide which connection entry to use. In general,

  • when using a wireless connection on-campus, always use a UDP connection.
  • when off-campus, try the TCP connection first and if you have a problem
    connecting try the UDP connection. If you are using VPN from home, you will soon
    determine which connection type works best with your Internet service provider
    and can then set it as your default connection. When travelling, the best connection
    type may vary from one location to the next.

Service               Off-campus: At home    Off-campus: On the road  On-campus: Wireless      On-campus: Wired
Library Licensed      VPN-Library /          VPN-Library /            VPN not needed           VPN not needed
Resources             TCP or UDP             TCP or UDP
Windows File Shares   VPN-General Users* /   VPN-General Users* /     VPN not needed           VPN not needed
                      TCP or UDP             TCP or UDP
ACIS Services (SIS,   VPN-General Users /    VPN-General Users /      VPN-General Users / UDP  VPN needed in
DecisionCast, HRIS)   TCP or UDP             TCP or UDP                                        some cases
*You may also use the VPN-Library subnet to access these services. However, the
Library subnet tunnels ALL Internet traffic through the VPN and may be slower than
the General subnet (the General subnet only uses the VPN tunnel to access campus
services).
You must connect using the Cisco VPN Client BEFORE you start an application
that requires the use of the VPN tunnel (i.e., those that require the added security
of encrypted networking).
Note for Windows machines: If you determined that your computer uses folder
redirection, follow the steps for connecting before Windows login.

 1. CONNECT TO THE INTERNET as you normally would (i.e., DSL, cable modem,
    dialup). You MUST have an Internet connection before you try to establish a VPN
    connection.
 2. Launch the Cisco VPN Client application.
    Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
    Mac: Applications > VPN Client
 3. Select the Connection Entries tab.
 4. You will see a TCP connection entry and a UDP connection entry (e.g.,
    General_tcp, General_udp, Library_tcp, Library_udp). Use the chart at the
    beginning of this section to determine which connection entry is suitable for your
    location and the service you plan to use. Select the appropriate connection entry
    and click Connect.
    Note: Once you determine which connection entry works best from your remote
    location (i.e., tcp or udp), make that entry the default (select Connection Entries >
    Set as Default Connection Entry).
 5. OPTIONAL: If you assigned a password to this connection entry, you are asked to
    enter your Certificate Password now before connecting to the service.
    Note: This is the optional "connection" password you created when you imported
    the certificate into the Cisco VPN Client. It is NOT the password you selected in
    NetReg.
       • If you created a connection password when you imported your certificate, enter
         the connection password now.
       • If you DID NOT assign a connection password during the "Import Certificate"
         process, this dialog box may still display on some operating systems. If so,
         leave the password field blank and click OK to dismiss the dialog box.
 6. A VPN connection is established. It is now safe to start any applications that require
    the use of the VPN service. If you are unable to connect, try the second connection
    type (e.g. if you connected using a tcp connection entry, try the udp entry).
    New VPN registrations normally take between 15 and 45 minutes from the
    time of creation to become fully active. If you experience connection problems
    with a newly registered connection, please wait 15 minutes and try again. If
    you still cannot connect after 45 minutes from the time of registration, please
    contact the Computing Services Help Center at x8-HELP(4357) or send email to
    advisor@andrew.cmu.edu (mailto:advisor@andrew.cmu.edu).
    Note: Although your Internet connection will not be interrupted when the VPN
    connection is initiated, you may lose your connection with services that are running
    (e.g., Outlook, Entourage, Andrew Calendar). These services may need to be
    relaunched.

      • Windows: A padlock icon appears in your status bar. This padlock is
        "open" when you are disconnected from the VPN service and "closed"
        when you are connected.
        [Icons: open padlock = VPN disconnected; closed padlock = VPN connected]
      • Mac: When connected, a padlock icon appears next to the Connection
        Entry name within the Cisco VPN Client window. There is no indicator
        when the service is disconnected.

Once you are able to establish a VPN connection, your configuration process is
complete. Please see the VPN Certificates: Understanding and Managing
(http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document
to better understand the VPN certificates and how to manage the certificates on your
machine.

While you are connected
For most of the VPN networks, communication to off-campus sites or unrestricted
campus services is routed directly through the public Internet, not tunneled through
the Cisco VPN Client. The software does not need to be started or stopped as you move
between restricted and unrestricted sites. This ensures that unrestricted services are
not slowed by the Cisco VPN Client software.
If you registered for the VPN-Library network, all of your Internet traffic will be tunneled
through the Cisco VPN Client. This allows you to access restricted databases that the
Libraries subscribe to, but which are not hosted on campus. Because the databases
are outside of the Carnegie Mellon network, all of your Internet traffic needs to go
through the VPN, so that it can be properly handled. However, this also means that your
unrestricted Internet communication may be slowed because it is routed through the
VPN. We recommend that you disconnect your connection with the Cisco VPN Client
when you do not need to access restricted Library services.
Last Updated: 6/9/09



