Cisco VPN Client

vpn-cisco-pdf

This document contains the following sections:
  • Introduction
  • Step 1: Download & Install
  • Step 2: Register VPN Certificate
  • Step 3: Import the VPN Certificate
  • Step 4: Create Connection
  • Step 5: UDP Connection
  • Step 6: Firewall
  • Step 7: Configure: Windows XP ONLY
  • Step 8: Advanced Configuration: Windows ONLY
  • Step 9: Establish a Connection

For information related to this topic refer to:
  • Virtual Private Networking Overview (http://www.cmu.edu/computing/doc/network/vpn/overview.html)
  • WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html)
  • Computing Off Campus [PDF] (http://www.cmu.edu/computing/doc/network/connect/remote.pdf)
  • Support Statement (http://www.cmu.edu/computing/doc/network/vpn/support-vpn.html)
  • Cisco VPN Client: Frequently Asked Questions (http://www.cmu.edu/computing/doc/network/vpn/faq-vpn.html)
Introduction

The Cisco VPN Client is desktop software that secures traffic between your machine and restricted services. With the Cisco VPN Client software running in the background, all restricted traffic is automatically routed through an encrypted tunnel using the Advanced Encryption Standard (AES) or Triple DES (3DES).

For most of the VPN networks we provide, communication to off-campus sites or unrestricted campus services is routed directly through the public Internet, not tunneled through the Cisco VPN Client. The software does not need to be started or stopped as you move between restricted and unrestricted sites. This ensures that unrestricted services are not slowed by the Cisco VPN Client software.

This service requires installation of the Cisco VPN Client software and registration for a certificate through NetReg (http://netreg.net.cmu.edu).

Most of the VPN networks provide you with a Carnegie Mellon local IP address in the 172.31.*.* range. This gives you access to restricted services that are part of the Carnegie Mellon network; it does not give you access to restricted services that are outside the Carnegie Mellon network. For external restricted sites, use the VPN-Library network when you register, or use the WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html) service.

Last Updated 6/9/09
Installation and Configuration Steps

Step 1: Download and Install the Cisco VPN Client

Installation notes:
  • Mac OS X 10.4+ requires Cisco VPN Client 4.9.
  • Windows XP machines should be updated with Service Pack 2.
  • The current VPN Client 5.0.6 is Windows 7, Windows Vista and Windows XP compatible.
  • You will temporarily lose your network connection. You must reboot the system to reconnect.

Instructions:
1. Be sure to uninstall any previous versions of VPN before you begin.
2. Download the Cisco VPN Client (http://www.cmu.edu/computing/software/all/cisco-vpn/index.html) from the Software page.
3. Windows (7, Vista and XP):
   • Save the file to your desktop or a local folder.
   • Navigate to the saved location and double-click the vpnclient-win-msi-5.0.05.0290-k9 file to unzip it. You will be prompted to specify the folder to place the extracted files in.
   • If the installation does not start automatically, select Start > My Computer (Vista: Start > Computer) and navigate to the folder with the extracted installation files (12 files).
   • Double-click the vpnclient_setup.msi file to launch the Cisco VPN Client installer. Note: The file extension (.msi) may or may not be displayed, depending on your Windows XP folder options.
   • Follow the installation instructions on your screen. Note: If you have an older version of the Cisco VPN Client installed, you will be prompted to uninstall it before running the new installation.
   Mac:
   • Double-click the CiscoVPNClient disk image mounted on your desktop.
   • Double-click the CiscoVPNClient.mpkg file to launch the installer.
   • Follow the installation instructions on your screen.
4. When the installation is complete, you must restart your machine.
Step 2: Register and Download VPN Certificate
Last Updated: 2/15/10

Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document for more information on how the VPN service uses certificates for authentication.

1. Go to http://netreg.net.cmu.edu/
2. Review the information provided on the Network Registration page and select Enter at the bottom of the screen.
   Note: You may get a "connection failed" screen as a result of an invalid security certificate. If this is the case, you should be provided a link to "add an exception" at the bottom of that message. Before you add the exception, check that the certificate your browser shows is for netreg.net.cmu.edu; if it is for a different hostname, do not add the exception and contact the Help Center instead. Otherwise select the link and follow those steps to gain access to the Network Registration page.
3. Log in on the WebISO screen using your Andrew userID and password. The Network Registration page displays any machines currently registered under your Andrew userID.
4. Click Register New Machine.
5. From the Select the Network drop-down list, select the appropriate VPN network (e.g., VPN-General Users, VPN-Library) and click Continue.
   -OR-
   From the Select the Subnet drop-down list, select the appropriate VPN subnet (e.g., VPN-General Users, VPN-Library) and click Continue.

   Which subnet do I need?
   If you need to access:                                                    Register in subnet:
     • Library licensed resources (ArtSTOR, NetLibrary ebooks, AP Photo Archive)   VPN - Library*
     • Windows file shares                                                   VPN - General Users
     • ACIS services (SIS, DecisionCast, HRIS)                               VPN - General Users

   *VPN-Library subnet: When you are connected using the VPN-Library network, ALL of your Internet traffic is tunneled through the VPN connection. This may reduce performance. If you need to use VPN to access Windows file shares and/or ACIS services, we recommend that you also register within the VPN-General Users subnet.

   Note: If you are not sure which subnet to register in, please check with your system administrator.
6. In the Hostname field, type a unique hostname for this "machine". We recommend the naming convention hostname followed by vpn (e.g., VPNHomeGeneral).
   Note: This hostname must be unique. You cannot use the same hostname that you assigned to a wired or wireless machine registration. Do not use any special characters or symbols.
7. Click Continue at the bottom of the page.
8. The Registered Machines page redisplays with the VPN registration that you JUST added highlighted at the top (xxx.user.vpn.cmu.local, or for the VPN-Library network xxx.library.vpn.cmu.edu). Click on the new registration name (e.g., vpnhomegeneral.user.vpn.cmu.local).
9. Under the Machine Information title bar, click the Manage Certificates link.
10. A message displays; click the Generate new certificate link preceding that message.
11. The Certificate Authority page displays with your connection hostname (e.g., smithhomevpn) and the number of days until expiration. This defaults to the maximum of 365 days. Click Issue Certificate.
12. Once the certificate is issued, information about it displays. Under the Download Certificate column, click the Download Certificate link.
13. Enter an "import" password to encrypt the certificate file. The downloaded file contains your private key as well as the certificate, and this password is what protects it while it sits on disk. You will be asked for this password when you import the certificate into the Cisco VPN Client. Do not use your Andrew password here.
14. Re-enter the password and then click Download Certificate.
15. The File Download dialog box displays. Click Save to save the file to your machine.
    Note: We recommend that you create a VPN Certificates directory to store your certificate downloads (e.g., from the Save As dialog box, click the Create New Folder icon).
16. Once your certificate has been downloaded, click Signoff at the top of the NetReg page to sign off and exit the NetReg system.

Note: New VPN registrations normally take between 15 and 45 minutes from the time of creation to become fully active. If you experience connection problems with a newly registered connection, please wait 15 minutes and try again. If you still cannot connect after 45 minutes from the time of registration, please contact the Computing Services Help Center at x8-HELP (4357) or send email to advisor@andrew.cmu.edu.
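The bundle you download in steps 12 to 15 is a password-protected PKCS#12 file holding both the certificate and its private key, and it expires after at most 365 days. The following script is an added example (it is not part of the CMU document or of the Cisco VPN Client) that checks a downloaded bundle before you import it: it opens the file with the import password, confirms the private key is present, compares the certificate name with the registration hostname, and reports how long the certificate has left. It assumes the openssl command-line tool is installed; the hostname, import password and 30-day renewal threshold are constructed for the demonstration, and the self-signed bundle it builds only stands in for the one NetReg issues.

```python
"""Check a downloaded NetReg VPN certificate bundle (.p12) before importing it.

Added example, not part of the CMU document or the Cisco VPN Client. Shells out
to the openssl CLI (assumed installed). For an offline run it first builds a
throwaway self-signed bundle that stands in for the file NetReg issues.
"""
import datetime as dt
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")      # None when the CLI is not installed
RENEW_WITHIN_DAYS = 30                 # warn this far ahead of expiry (assumed policy)


def _openssl(args, stdin=None):
    """Run one openssl subcommand and return its stdout; raises on a non-zero exit."""
    if OPENSSL is None:
        raise RuntimeError("openssl CLI not found")
    return subprocess.run([OPENSSL, *args], input=stdin,
                          capture_output=True, check=True).stdout


def make_demo_bundle(hostname, import_password, days=365):
    """Build a self-signed key+certificate and wrap them in a password-protected
    PKCS#12 file, imitating the NetReg download (365-day maximum). Returns its path."""
    workdir = tempfile.mkdtemp()
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "crt.pem")
    p12 = os.path.join(workdir, f"{hostname}.user.vpn.cmu.local.p12")
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
              "-out", crt, "-days", str(days), "-subj", f"/CN={hostname}"])
    _openssl(["pkcs12", "-export", "-inkey", key, "-in", crt, "-out", p12,
              "-passout", f"pass:{import_password}"])
    return p12


def inspect_bundle(path, import_password):
    """Open the bundle with its import password and return
    (subject CN, days until expiry, private key present?).
    A wrong import password fails the PKCS#12 integrity check and raises ValueError."""
    try:
        pem = _openssl(["pkcs12", "-in", path, "-nodes",
                        "-passin", f"pass:{import_password}"])
    except subprocess.CalledProcessError as err:
        raise ValueError("wrong import password or damaged bundle") from err
    has_key = b"PRIVATE KEY-----" in pem
    # x509 picks the first CERTIFICATE block and ignores the key and bag attributes
    info = _openssl(["x509", "-noout", "-subject", "-enddate",
                     "-nameopt", "RFC2253"], stdin=pem).decode()
    fields = dict(line.split("=", 1) for line in info.splitlines() if "=" in line)
    cn_parts = [p.strip() for p in fields["subject"].split(",") if p.strip().startswith("CN=")]
    cn = cn_parts[0][3:] if cn_parts else ""
    not_after = dt.datetime.strptime(fields["notAfter"].strip(),
                                     "%b %d %H:%M:%S %Y GMT").replace(tzinfo=dt.timezone.utc)
    days_left = (not_after - dt.datetime.now(dt.timezone.utc)).days
    return cn, days_left, has_key


def check_bundle(path, import_password, expected_hostname):
    """Return the problems to fix before importing (an empty list means the bundle is fine)."""
    cn, days_left, has_key = inspect_bundle(path, import_password)
    problems = []
    if not has_key:
        problems.append("bundle contains no private key; download it again from NetReg")
    if cn != expected_hostname:
        problems.append(f"certificate CN {cn!r} is not the registration hostname {expected_hostname!r}")
    if days_left < 0:
        problems.append("certificate has expired; generate a new one in NetReg")
    elif days_left < RENEW_WITHIN_DAYS:
        problems.append(f"certificate expires in {days_left} days; renew it soon")
    return problems


if __name__ == "__main__":
    bundle = make_demo_bundle("vpnhomegeneral", "import-pw-demo")    # constructed values
    print(inspect_bundle(bundle, "import-pw-demo"))
    print(check_bundle(bundle, "import-pw-demo", "vpnhomegeneral") or "bundle looks good")
```

Run check_bundle against the real download with the registration hostname from step 8 and the import password from step 13; if it reports a wrong password, re-enter it rather than retrying the download, since the file itself is intact.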
Step 3: Import the VPN Certificate
Last Updated: 1/28/09

Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document for more information on how the VPN service uses certificates for authentication.

1. Start the Cisco VPN Client.
   Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
   Mac: Applications > VPN Client
2. Select Certificates > Import.
   Note: The Import button may not give you access to all of the import options.
3. The Import Certificates dialog box displays.

   Windows:
   • Select Import from File and click Browse.
   • Navigate to the directory where you downloaded your certificate from the NetReg page. Select the certificate file (xxx.user.vpn.cmu.local, or for the VPN-Library network xxx.library.vpn.cmu.edu).
   • In the Import Password field, type the password that you assigned to the certificate in NetReg.
   • OPTIONAL CONNECTION PASSWORD:
     o If your computer is used in a "shared" environment (e.g., a shared workspace, or a machine shared with your children or spouse), type a "connection" password in the New Password field. Without it, anyone who can use your login on that machine can bring up the VPN with your certificate.
       Note: This password does not replace the NetReg certificate "import" password. The "connection" password will be requested each time you connect to the VPN service. Make a mental note of the password you select. You will need to contact the Help Center if you forget this password.
     o Retype the password in the Confirm Password field.
   • Click Import.
   • A Certificate successfully imported prompt should display. Click OK.

   Mac:
   • Click in the Import Path field and click Browse.
   • Navigate to the directory where you downloaded your certificate from the NetReg pages. Select the certificate file (xxx.user.vpn.cmu.local.p12, or for the VPN-Library network xxx.library.vpn.cmu.edu.p12).
   • In the Import Password field, type the password that you assigned to the certificate in NetReg.
   • OPTIONAL CONNECTION PASSWORD:
     o As for Windows above: if your computer is used in a "shared" environment, type a "connection" password in the New Password field and retype it in the Confirm Password field. It does not replace the NetReg "import" password, it will be requested each time you connect, and you will need to contact the Help Center if you forget it.
   • Click Import.
   • A Certificate successfully imported prompt should display. Click OK.

   • The certificate is now listed on the Certificates tab within the VPN Client window.

NOTE: If you are following the steps for renewing a certificate, your process is now complete. You do not need to create and configure a VPN connection again, as you have already done so in the past. All other users, please continue with Step 4.
Step 4: Create and Configure a TCP Connection
Last Updated: 1/29/09

Follow this step if you will use the Cisco VPN Client from an off-campus location. If you only use VPN with a wireless connection on campus, skip to Step 5: UDP Connection.

1. From the Cisco VPN Client, select Connection Entries > New.
2. The Create New VPN Connection dialog box displays.
3. Complete the fields as follows:
   Connection Entry: Type a name for this VPN connection (e.g., Library_tcp or General_tcp). Do not include any spaces!
   Description: Type a description for this connection.
   Host: Type server.vpn.cmu.edu.
4. On the Authentication tab, select the Certificate Authentication option.
5. In the Name field, select the name of the certificate you imported earlier from the drop-down list.
6. Select the Transport tab.
7. Under Enable Transparent Tunneling, select IPSec over TCP.
8. Click Save.
9. Repeat this step for each subnet that you are registered under on the NetReg page (e.g., VPN - General Users, VPN - Library). When you are finished, you will have a "tcp" connection entry for each registered VPN subnet (e.g., General_tcp, Library_tcp).
Step 5: Create and Configure a UDP Connection
Last Updated: 8/28/09

Follow this step if you plan to use the Cisco VPN Client from an off-campus location or with a wireless connection on campus. If you are using VPN from an off-campus location, you should create and configure both a tcp and a udp connection entry for EACH registered VPN subnet (e.g., General_tcp, General_udp, Library_tcp, Library_udp).

1. Select Connection Entries > New.
2. The Create New VPN Connection dialog box displays.
3. Complete the fields as follows:
   Connection Entry: Type a name for this VPN connection (e.g., General_udp, Library_udp). Do not include any spaces!
   Description: Type a description for this connection.
   Host: Type server.vpn.cmu.edu.
4. On the Authentication tab, select the Certificate Authentication option.
5. In the Name field, select the name of the certificate you imported earlier from the drop-down list.
6. Select the Transport tab.
7. Under Enable Transparent Tunneling, select IPSec over UDP (NAT/PAT).
8. Click Save. The Connection Entries tab redisplays.
9. Repeat this step for each subnet that you are registered under on the NetReg page (e.g., VPN - General Users, VPN - Library). When you are finished, you will have a "udp" connection entry for each registered VPN subnet (e.g., General_udp, Library_udp).

Note: If you are using VPN from an off-campus location, you should now have both a tcp and a udp connection entry for each registered VPN subnet (e.g., General_tcp, General_udp, Library_tcp, Library_udp).

If you are using a Mac, your configuration process is complete. Continue with Step 9: Establish a Connection.
Windows users: continue with Step 6: Configure Firewall.
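Steps 4 and 5 produce four near-identical entries that differ only in name and transport. The script below is an added example, not part of the CMU document or the Cisco VPN Client, that writes those entries as profile files so the settings the GUI hides (certificate authentication, TCP versus UDP transport, the TCP tunnelling port) are visible and reviewable. The Cisco VPN Client stores each connection entry as an INI-style .pcf file in its Profiles folder; the key names and values used here (AuthType=3 for certificate authentication, TunnelingMode=1 for IPSec over TCP on port 10000, TunnelingMode=0 for IPSec over UDP, CertStore=1 for the client's own certificate store) are my recollection of that format and are assumptions to compare against a profile the GUI has saved before relying on them. The host server.vpn.cmu.edu and the entry names General_tcp, General_udp, Library_tcp and Library_udp come from the document; the certificate names are constructed.

```python
"""Write the TCP and UDP connection entries from Steps 4 and 5 as .pcf profiles.

Added example, not part of the CMU document or the Cisco VPN Client. The .pcf
key names and values are assumptions about the client's profile format; verify
them against a profile the GUI wrote before using the output.
"""
import configparser
import os
import tempfile

HOST = "server.vpn.cmu.edu"                # from the document
SUBNETS = ("General", "Library")
TUNNELING_MODE = {"tcp": 1, "udp": 0}      # TunnelingMode values (assumption)


def build_profile(subnet, transport, cert_name):
    """Return (entry name, ordered key/value pairs) for one connection entry."""
    if transport not in TUNNELING_MODE:
        raise ValueError(f"transport must be tcp or udp, not {transport!r}")
    name = f"{subnet}_{transport}"
    if " " in name:                                 # the document forbids spaces in entry names
        raise ValueError("connection entry names must not contain spaces")
    fields = [
        ("Description", f"CMU VPN-{subnet} ({transport.upper()})"),
        ("Host", HOST),
        ("AuthType", "3"),                          # certificate authentication (assumption)
        ("CertStore", "1"),                         # Cisco certificate store (assumption)
        ("CertName", cert_name),                    # the certificate imported in Step 3
        ("TunnelingMode", str(TUNNELING_MODE[transport])),
        ("TcpTunnelingPort", "10000"),              # only used when TunnelingMode=1 (assumption)
        ("EnableNat", "1"),                         # transparent tunnelling on (assumption)
        ("SaveUserPassword", "0"),                  # never cache the connection password
    ]
    return name, fields


def write_profiles(directory, cert_names):
    """Write one .pcf per subnet and transport; cert_names maps subnet -> certificate name."""
    written = []
    for subnet in SUBNETS:
        for transport in TUNNELING_MODE:
            name, fields = build_profile(subnet, transport, cert_names[subnet])
            path = os.path.join(directory, name + ".pcf")
            with open(path, "w") as fh:
                fh.write("[main]\n")
                fh.writelines(f"{key}={value}\n" for key, value in fields)   # no spaces around '='
            written.append(path)
    return written


def read_profile(path):
    """Parse a .pcf back into a dict, keeping the keys' case."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read(path)
    return dict(cp["main"])


def demo():
    """Write the four entries into a scratch folder and return {entry name: settings}."""
    folder = tempfile.mkdtemp()
    paths = write_profiles(folder, {"General": "vpnhomegeneral",      # constructed names
                                    "Library": "vpnhomelibrary"})
    return {os.path.splitext(os.path.basename(p))[0]: read_profile(p) for p in paths}


if __name__ == "__main__":
    for entry, settings in demo().items():
        print(entry, settings["Host"], "AuthType", settings["AuthType"],
              "TunnelingMode", settings["TunnelingMode"])
```

Reading the generated files back through read_profile is the same check you would run on a profile the GUI saved: an entry with AuthType other than 3 is not using your certificate, and SaveUserPassword=1 means a connection password has been cached on disk.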
Step 6: Configure Windows Firewall
Last Updated: 1/29/09

This step MUST be completed for ALL Windows XP SP2 and Windows Vista connections. If you are using a Mac, please skip this step!

1. Select Start > Control Panel.
2. Windows XP (category view):
   • Click Network and Internet Connections and then click Windows Firewall. The Windows Firewall dialog box displays.
   Windows Vista:
   • Click Network and Internet and then click Windows Firewall. The Windows Firewall window displays.
   • On the left of the window, click Allow a program through Windows Firewall. Click Continue to grant Windows permission to continue.
3. Select the Exceptions tab and click Add Program.
4. Click Browse and locate the cvpnd.exe file.
   • By default, this file is located in the Program Files\Cisco Systems\VPN Client folder. If you chose to install the Cisco VPN Client in another directory, navigate to that location.
   • If your machine is not set up to display file extensions, the file name will display as cvpnd.
5. Select the cvpnd.exe file and click Open.
6. Click OK. The Exceptions tab redisplays with cvpnd listed under Programs and Services (Program or port on Windows Vista machines). This is a program exception, so only the VPN service itself is allowed through; no port is opened for other software.
7. Click OK to close the Windows Firewall window.
Step 7: Windows XP ONLY
Last Updated: 1/29/09

Configure the VPN Client to launch before Windows log on

If you are using Windows Vista or a Mac, please skip this step!

Some Windows XP machines that use Active Directory will need to connect to the VPN server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using folder redirection AND you are using a VPN connection from OFF CAMPUS.
  • If you have a Windows machine and this scenario applies to you, follow the instructions in Step 8 to configure the Cisco VPN Client to connect before logging into Windows.
    Note: If you're not sure whether you're using folder redirection, follow the steps in Step 8 to verify your configuration.
  • If you use a Mac or if this does NOT describe your connection usage, please continue with Step 9: Establish a VPN Connection.
Step 8: VPN Client Advanced Configuration - Windows Only
Last Updated: 1/29/09

Configure the VPN Client to launch before Windows log on

Some Windows XP machines that use Active Directory will need to connect to the VPN server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using folder redirection AND you are using a VPN connection from OFF CAMPUS.
  • If this scenario applies to you, follow the instructions below to configure the VPN client to connect before logging into Windows.
    Note: If you're not sure whether you're using folder redirection, follow the steps below to verify your configuration.
  • If this does NOT describe your connection usage, please continue with Step 9: Establish a VPN Connection.

Verify configuration for FOLDER REDIRECTION
1. From the Start menu, right-click on My Documents.
2. Select Properties.
3. On the Target tab, look under Target folder location:
   • If the Target is a local path such as C:\xxx, you are NOT using folder redirection and do NOT need to configure your VPN client to connect before Windows log in. Your configuration process is complete. Continue with the Establish a VPN Connection section.
   • If the Target is a network path on a server, you ARE using folder redirection. Complete the steps below to configure your client to connect before logging into Windows.

Configure the VPN client to connect before logging into Windows (XP ONLY)
COMPLETE THE FOLLOWING STEPS IF:
  • You determined that you ARE using folder redirection
  • AND you are using an off-campus connection.
This will allow you to connect to the VPN server before logging into Windows. Otherwise, your machine will not have access to the Carnegie Mellon servers in order to retrieve the contents of the redirected server folders.
1. From the Cisco VPN Client, select Options > Windows Logon Properties.
2. The Windows Logon Properties dialog box displays.
   • Select the Enable start before logon option.
   • Deselect the option to Disconnect VPN connection when logging off.
   IMPORTANT! Your configuration for folder redirection requires that your machine writes back to files on the server when you log off. For this reason, your VPN connection must be maintained when you log out of Windows. After you have logged out, YOU MUST SHUT DOWN YOUR COMPUTER TO DISCONNECT THE VPN CONNECTION. Until you do, the tunnel stays up at the logon screen, authenticated with your certificate.
3. Click OK to save the changes and close the Properties dialog box.
Your configuration process is complete. Continue with the steps to establish a VPN connection before Windows log in.

Establish a VPN Connection before Windows log in for machines using folder redirection
  • You must first have an active INTERNET CONNECTION (i.e., DSL, cable modem).
  • Because you configured your machine to Enable start before logon, your login screen now contains a VPN connection dialog box.
    Note: As you boot your machine, you may see a warning message asking you to "wait for Windows networking to start". It may take a moment for the Cisco VPN client to load.
1. Establish a VPN connection
   • Select the VPN connection entry from the Connection Entries drop-down list and click Connect.
   • You are asked to enter your Certificate Password before connecting to the service.
     Note: This is the "connection" password you created when you imported the certificate into the Cisco VPN Client. It is NOT the password you selected in NetReg.
     o If you created a connection password earlier when you imported your certificate, enter the password now.
     o If you DID NOT assign a connection password during the "Import Certificate" process, this dialog box still displays. Leave the password field blank and click OK to dismiss the dialog box.
   • The VPN connection is established and the VPN Client dialog box disappears.
2. Log on to Windows
   Once the VPN connection is established, enter your Andrew password in the Log On to Windows dialog box. Click OK. You are now safe to start any applications that require the use of the VPN service.

Once you are able to establish a VPN connection, your configuration process is complete. Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/manage.html) document to better understand the VPN certificates and how to manage the certificates on your machine.
Step 9: Establish a VPN Connection
Last Updated: 1/29/09

In Steps 4 and 5, you created and configured both a TCP and a UDP connection entry for each VPN subnet that you will be using (i.e., VPN-General Users, VPN-Library). The chart below will help you to decide which connection entry to use. In general:
  • when using a wireless connection on campus, always use a UDP connection.
  • when off campus, try the TCP connection first and if you have a problem connecting, try the UDP connection.
If you are using VPN from home, you will soon determine which connection type works best with your Internet service provider and can then set it as your default connection. When travelling, the best connection type may vary from one location to the next.

Which subnet and connection entry to use, by service and location:
  • Library Licensed Resources
      Off campus, at home or on the road: VPN-Library / TCP or UDP
      On campus, wireless or wired: VPN not needed
  • Windows File Shares
      Off campus, at home or on the road: VPN-General Users* / TCP or UDP
      On campus, wireless or wired: VPN not needed
  • ACIS Services (SIS, DecisionCast, HRIS)
      Off campus, at home or on the road: VPN-General Users / TCP or UDP
      On campus, wireless: VPN-General Users / UDP
      On campus, wired: VPN needed in some cases
*You may also use the VPN-Library subnet to access these services. However, the Library subnet tunnels ALL Internet traffic through the VPN and may be slower than the General subnet (the General subnet only uses the VPN tunnel to access campus services).

You must connect using the Cisco VPN Client BEFORE you start an application that requires the use of the VPN tunnel (i.e., those that require the added security of encrypted networking).
Note for Windows machines: If you determined that your computer uses folder redirection, follow the steps in Step 8 for connecting before Windows login.

1. CONNECT TO THE INTERNET as you normally would (i.e., DSL, cable modem, dialup). You MUST have an Internet connection before you try to establish a VPN connection.
2. Launch the Cisco VPN Client application.
   Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
   Mac: Applications > VPN Client
3. Select the Connection Entries tab.
4. You will see a TCP connection entry and a UDP connection entry (e.g., General_tcp, General_udp, Library_tcp, Library_udp). Use the chart at the beginning of this section to determine which connection entry is suitable for your location and the service you plan to use. Select the appropriate connection entry and click Connect.
   Note: Once you determine which connection entry works best from your remote location (i.e., tcp or udp), make that entry the default (select Connection Entries > Set as Default Connection Entry).
5. OPTIONAL: If you assigned a connection password to the certificate this entry uses, you are asked to enter your Certificate Password now, before connecting to the service.
   Note: This is the optional "connection" password you created when you imported the certificate into the Cisco VPN Client. It is NOT the password you selected in NetReg.
   • If you created a connection password when you imported your certificate, enter the connection password now.
   • If you DID NOT assign a connection password during the "Import Certificate" process, this dialog box may still display on some operating systems. If so, leave the password field blank and click OK to dismiss the dialog box.
6. A VPN connection is established. It is now safe to start any applications that require the use of the VPN service. If you are unable to connect, try the second connection type (e.g., if you connected using a tcp connection entry, try the udp entry).

New VPN registrations normally take between 15 and 45 minutes from the time of creation to become fully active; if a newly registered connection will not connect, follow the note at the end of Step 2 (wait and retry, then contact the Help Center).

Note: Although your Internet connection will not be interrupted when the VPN connection is initiated, you may lose your connection with services that are running (e.g., Outlook, Entourage, Andrew Calendar). These services may need to be relaunched.
  • Windows: A padlock icon appears in your status bar. This padlock is "open" when you are disconnected from the VPN service and "closed" when you are connected.
  • Mac: When connected, a padlock icon appears next to the Connection Entry name within the Cisco VPN Client window. There is no indicator when the service is disconnected.

Once you are able to establish a VPN connection, your configuration process is complete. Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document to better understand the VPN certificates and how to manage the certificates on your machine.

While you are connected

For most of the VPN networks, communication to off-campus sites or unrestricted campus services is routed directly through the public Internet, not tunneled through the Cisco VPN Client. The software does not need to be started or stopped as you move between restricted and unrestricted sites. This ensures that unrestricted services are not slowed by the Cisco VPN Client software.

If you registered for the VPN-Library network, all of your Internet traffic will be tunneled through the Cisco VPN Client. This allows you to access restricted databases that the Libraries subscribe to but which are not hosted on campus. Because the databases are outside of the Carnegie Mellon network, all of your Internet traffic needs to go through the VPN so that it can be properly handled. However, this also means that your unrestricted Internet communication may be slowed because it is routed through the VPN. We recommend that you disconnect from the Cisco VPN Client when you do not need to access restricted Library services.

Last Updated: 6/9/09
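The Introduction and the "While you are connected" section above both describe the same split-tunnel policy: the VPN-General Users network sends only restricted campus traffic through the tunnel and everything else straight to the Internet, while the VPN-Library network tunnels all traffic. The following script is an added example, not part of the CMU document or of the Cisco VPN Client, that models both policies as longest-prefix-match route tables and reports which destinations each one tunnels, which is the check to run when a connection feels slow or a campus service is unexpectedly unreachable. The route tables are constructed: the 172.31.0.0/16 pool comes from the document, and the additional 128.2.0.0/16 campus prefix on the General network is an assumption about which campus services count as restricted, not something the document states.

```python
"""Which destinations go through the tunnel on each CMU VPN network?

Added example, not part of the CMU document or the Cisco VPN Client. Models the
split-tunnel policy the document describes with longest-prefix-match route
tables. The 172.31.0.0/16 pool is from the document; the 128.2.0.0/16 campus
prefix on the General network is an assumption.
"""
import ipaddress

TUNNEL, DIRECT = "vpn-tunnel", "isp-direct"
VPN_ADDRESS_POOL = ipaddress.ip_network("172.31.0.0/16")     # from the document

# (prefix, egress) entries; the longest matching prefix wins, as in a kernel route table.
ROUTES = {
    "VPN-General Users": [
        ("0.0.0.0/0", DIRECT),          # everything not listed below bypasses the VPN
        ("172.31.0.0/16", TUNNEL),      # campus-local VPN addresses
        ("128.2.0.0/16", TUNNEL),       # assumed campus prefix for restricted services
    ],
    "VPN-Library": [
        ("0.0.0.0/0", TUNNEL),          # the Library network tunnels ALL traffic
    ],
}


def egress(network, destination):
    """Return the interface a packet to `destination` leaves on for the given VPN network."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in ROUTES[network]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {destination} on {network}")
    return best[1]


def tunneled_share(network, destinations):
    """Fraction of the given destinations that the network pushes through the tunnel.
    A high share on VPN-General Users means the split-tunnel policy is not in effect."""
    hits = sum(egress(network, d) == TUNNEL for d in destinations)
    return hits / len(destinations)


def is_vpn_address(assigned):
    """Check that the address handed to the tunnel adapter is in the 172.31.*.* pool."""
    return ipaddress.ip_address(assigned) in VPN_ADDRESS_POOL


if __name__ == "__main__":
    sample = ["172.31.20.5", "128.2.10.1", "8.8.8.8", "93.184.216.34"]   # constructed
    for net in ROUTES:
        print(net, {d: egress(net, d) for d in sample},
              f"{tunneled_share(net, sample):.0%} tunneled")
```

On a real machine the same comparison is made against the route table the client installs: with a General Users entry you should see only campus prefixes pointing at the VPN adapter, and with a Library entry the default route itself.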