
Cisco VPN Client


This document contains the following sections:

• Introduction
• Step 1: Download & Install
• Step 2: Register VPN Certificate
• Step 3: Import the VPN Certificate
• Step 4: Create Connection
• Step 5: UDP Connection
• Step 6: Firewall
• Step 7: Configure: Windows XP ONLY
• Step 8: Advanced Configuration: Windows ONLY
• Step 9: Establish a Connection

For information related to this topic refer to:

• Virtual Private Networking Overview (http://www.cmu.edu/computing/doc/network/vpn/overview.html)
• WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html)
• Computing Off Campus [PDF] (http://www.cmu.edu/computing/doc/network/connect/remote.pdf)
• Support Statement (http://www.cmu.edu/computing/doc/network/vpn/support-vpn.html)
• Cisco VPN Client: Frequently Asked Questions (http://www.cmu.edu/computing/doc/network/vpn/faq-vpn.html)



Cisco VPN Introduction

The Cisco VPN Client is desktop software that secures traffic between your machine and restricted services. With the Cisco VPN Client software running in the background, all restricted traffic is automatically routed using the Advanced Encryption Standard (AES) or 3DES (Triple Data Encryption Standard).

For most of the VPN networks we provide, communication to off-campus sites or unrestricted campus services is routed directly through the public Internet, not tunneled through the Cisco VPN Client. The software does not need to be started or stopped as you move between restricted and unrestricted sites. This ensures that unrestricted services are not slowed by the Cisco VPN Client software.

This service requires installation of the Cisco VPN Client software and registration for a certificate through NetReg (http://netreg.net.cmu.edu).

Most of the VPN networks provide you with a Carnegie Mellon local IP address in the 172.31.*.* range. This allows you access to restricted services that are part of the Carnegie Mellon network; however, it will not allow you access to services that are outside the Carnegie Mellon network.

For external restricted sites, use the VPN-Library network when you register, or use the WebVPN (http://www.cmu.edu/computing/doc/network/vpn/vpn-web/index.html) service.

Last Updated 6/9/09


Installation and Configuration Steps

Step 1: Download and Install the Cisco VPN Client

Installation notes:

• Mac OS X 10.4+ requires Cisco VPN Client 4.9.
• Windows XP machines should be updated with Service Pack 2.
• The current VPN Client 5.0.6 is Windows 7, Windows Vista and Windows XP compatible.
• You will temporarily lose your network connection. You must reboot the system to



1. Be sure to uninstall any previous versions of VPN before you begin.
2. Download the Cisco VPN Client (http://www.cmu.edu/computing/software/all/cisco-vpn/index.html) from the Software page.
3. Windows (7, Vista and XP):
   • Save the file to your desktop or a local folder.
   • Navigate to the saved location and double-click on the vpnclient-win-msi- file to unzip it. You will be prompted to specify the folder to place the files into upon extraction.
   • If the installation does not start automatically, select Start > My Computer (Vista: Start > Computer) and navigate to the folder with the extracted installation files (12 files).
   • Double-click the vpnclient_setup.msi file to launch the Cisco VPN Client installer.
     Note: The file extension (.msi) may or may not be displayed depending on your Windows XP options.
   • Follow the installation instructions on your screen.
     Note: If you have an older version of the Cisco VPN Client installed, you will be prompted to uninstall the software before running the new installation.
   Mac:
   • Double-click the CiscoVPNClient drive image mounted on your desktop.
   • Double-click the CiscoVPNClient.mpkg file to launch the installer.
   • Follow the installation instructions on your screen.
4. When the installation is complete you must restart your machine.


Step 2: Register and Download VPN Certificate
Last Updated: 2/15/10

Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document for more information on how the VPN service uses certificates for authentication.

1. Go to http://netreg.net.cmu.edu/
2. Review the information provided on the Network Registration page and select Enter at the bottom of the screen.
   Note: You may get a "connection failed" screen as a result of an invalid security certificate. If this is the case, you should be provided a link to "add an exception" at the bottom of that message. Select it and follow those steps to gain access to the Network Registration page.
3. Log in on the WebISO screen using your Andrew userID and password. The Network Registration page displays any machines currently registered under your Andrew userID.
4. Click Register New Machine.
5. From the Select the Network drop-down list, select the appropriate VPN network (e.g., VPN-General Users, VPN-Library) and click Continue.
   -OR-
   From the Select the Subnet drop-down list, select the appropriate VPN subnet (e.g., VPN-General Users, VPN-Library) and click Continue.

   Which subnet do I need?

   If you need to access:                                                        | Register in subnet:
   Library licensed resources (ArtSTOR, NetLibrary ebooks, and AP Photo Archive) | VPN - Library*
   Windows file shares                                                           | VPN - General Users
   ACIS services (SIS, DecisionCast, HRIS)                                       | VPN - General Users

   *VPN-Library subnet: When you are connected using the VPN-Library network, ALL of your Internet traffic is tunneled through the VPN connection. This may reduce performance. If you need to use VPN to access Windows file shares and/or ACIS services, we recommend that you also register within the VPN-General Users subnet.


   Note: If you are not sure which subnet to register in, please check with your system administrator.
6. In the Hostname field, type a unique hostname for this "machine". We recommend the naming convention of hostnamevpn (e.g., VPNHomeGeneral).
   Note: This hostname must be unique. You cannot use the same hostname that you assigned to a wired or wireless machine registration. Do not use any special characters or symbols.
7. Click Continue at the bottom of the page.
8. The Registered Machines page will redisplay with the VPN registration that you JUST added highlighted at the top (xxx.user.vpn.cmu.local or, for the VPN-Library network, xxx.library.vpn.cmu.edu). Click on the new registration name (i.e., vpnhomegeneral.user.vpn.cmu.local).
9. Under the Machine Information title bar, click the Manage Certificates link.
10. The following message displays; click on the Generate new certificate link preceding this message.


11. The Certificate Authority page displays with your connection hostname (e.g., smithhomevpn) and the number of days until expiration. This defaults to the maximum of 365 days. Click Issue Certificate.
12. Once the certificate is issued, information about it displays. Under the Download Certificate column, click the Download Certificate link.
13. Enter an "import" password to encrypt the certificate. You will be asked to enter this password when you import the certificate into the Cisco VPN Client. Do not use your Andrew password here.
14. Re-enter the password and then click Download Certificate.
15. The File Download dialog box displays. Click Save to save the file to your machine.
    Note: We recommend that you create a VPN Certificates directory to store your certificate downloads (i.e., from the Save As dialog box, click the Create New Folder icon).
16. Once your certificate has been downloaded, click Signoff at the top of the NetReg page to sign off and exit the NetReg system.


Note: New VPN registrations normally take between 15 and 45 minutes from the time of creation to become fully active. If you experience connection problems with a newly registered connection, please wait 15 minutes and try again. If you still cannot connect after 45 minutes from the time of registration, please contact the Computing Services Help Center at x8-HELP (4357) or send email to [email protected].

Step 3: Import the VPN Certificate
Last Updated: 1/28/09

Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document for more information on how the VPN service uses certificates for authentication.

1. Start the Cisco VPN Client.
   Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
   Mac: Applications > VPN Client
2. Select Certificates > Import.
   Note: The Import button may not give you access to all of the import options.
3. The Import Certificates dialog box displays.
   Windows:
   • Select Import from File and click Browse.
   • Navigate to the directory where you downloaded your certificate from the NetReg page. Select the certificate file (xxx.user.vpn.cmu.local or, for the VPN-Library network, xxx.library.vpn.cmu.edu).
   • In the Import Password field, type the password that you assigned to the certificate in NetReg.
     OPTIONAL CONNECTION PASSWORD:
     o If your computer is used in a "shared" environment (e.g., a shared workspace, shared with your children or spouse, etc.), type a "connection" password in the New Password field.
       Note: This password does not replace the NetReg certificate "import" password. The "connection" password will be requested each time you connect to the VPN service. Make a mental note of the password you select. You will need to contact the Help Center if you forget this password.
     o Retype the password in the Confirm Password field.
   • Click Import.
   • A Certificate successfully imported prompt should display. Click OK.


   Mac:
   • Click in the Import Path field and click Browse.
   • Navigate to the directory where you downloaded your certificate from the NetReg pages. Select the certificate file (xxx.user.vpn.cmu.local.p12 or, for the VPN-Library network, xxx.library.vpn.cmu.edu.p12).
   • In the Import Password field, type the password that you assigned to the certificate in NetReg.
     OPTIONAL CONNECTION PASSWORD:
     o If your computer is used in a "shared" environment (e.g., a shared workspace, shared with your children or spouse, etc.), type a "connection" password in the New Password field.
     o Note: This password does not replace the NetReg certificate "import" password. The "connection" password will be requested each time you connect to the VPN service. Make a mental note of the password you select. You will need to contact the Help Center if you forget this password.
     o Retype the password in the Confirm Password field.
   • Click Import.
   • A Certificate successfully imported prompt should display. Click OK.


   • The certificate is now listed on the Certificate tab within the VPN Client window.

NOTE: If you are following the steps for renewing a certificate, your process is now complete. You do not need to continue to create and configure a VPN connection, as you have already done so in the past. All other users, please continue with Step 4.
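The following is an added example, not part of this guide or the Cisco VPN Client, that shows in Python (using the third-party cryptography library) what the "import" password from Step 2 does to the downloaded .p12 file and why the client asks for it in Step 3: the bundle holding your private key and certificate is encrypted with that password, a wrong password yields neither key nor certificate, and the certificate inside carries the expiration chosen in NetReg (365 days by default). The certificate here is self-signed in memory rather than issued by NetReg's certificate authority, the password is a constructed sample value, and the client's separate optional "connection" password is not modelled.

```python
"""Added example (not the CMU guide's or Cisco's code): PKCS#12 (.p12) bundle,
import password and 365-day validity, using the third-party `cryptography`
library. Hostname, password and lifetime below are constructed sample values."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def issue_vpn_bundle(hostname: str, import_password: bytes, days: int = 365) -> bytes:
    """Stand-in for NetReg's Issue Certificate + Download Certificate steps:
    generate a key, self-sign a certificate valid for `days`, and wrap key and
    certificate in a PKCS#12 blob encrypted with the import password.
    (NetReg's real CA signs with its own key; self-signing keeps this offline.)"""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=hostname.encode(),
        key=key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(import_password),
    )


def import_bundle(p12_bytes: bytes, import_password: bytes):
    """Stand-in for Certificates > Import in the client. Returns
    (hostname, days_until_expiry), or None when the import password is wrong:
    without the password the key never leaves the encrypted bundle, which is
    why the guide tells you to remember it."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, import_password)
    except ValueError:  # wrong password or corrupt file
        return None
    if key is None or cert is None:
        return None
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # older cryptography releases expose naive datetimes
        not_after = cert.not_valid_after.replace(tzinfo=UTC)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    remaining = (not_after - datetime.datetime.now(UTC)).days
    return cn, remaining


if __name__ == "__main__":
    # Hostname follows the registration-name pattern shown in Step 2; password is constructed.
    blob = issue_vpn_bundle("vpnhomegeneral.user.vpn.cmu.local", b"import-pw-example")
    print(import_bundle(blob, b"wrong-password"))     # None
    print(import_bundle(blob, b"import-pw-example"))  # ('vpnhomegeneral.user.vpn.cmu.local', 364)
```

Running the block once shows the two behaviours the guide describes: the same .p12 bytes give back the certificate only with the correct import password, and the days-until-expiry value is what NetReg's "number of days until expiration" field set when the certificate was issued.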

Step 4: Create and Configure a TCP Connection
Last Updated: 1/29/09

Follow this step if you will use the Cisco VPN Client from an off-campus location. If you only use VPN with a wireless connection on-campus, skip to Step 5: UDP Connection.

1. From the Cisco VPN Client, select Connection Entries > New.
2. The Create New VPN Connection dialog box displays.
3. Complete the fields as follows:
   Connection Entry: Type a name for this VPN connection (e.g., Library_tcp or General_tcp). Do not include any spaces!
   Description: Type a description for this connection.
   Host: Type server.vpn.cmu.edu.
4. On the Authentication tab, select the Certificate Authentication option.
5. In the Name field, select the name of the certificate you imported earlier from the drop-down list.
6. Select the Transport tab.
7. Under Enable Transparent Tunneling, select IPSec over TCP.


8. Click Save.
9. Repeat this step for each subnet that you are registered under on the NetReg page (e.g., VPN - General Users, VPN - Library). When you are finished, you will have a "tcp" connection entry for each registered VPN subnet (e.g., General_tcp, Library_tcp).

Step 5: Create and Configure a UDP Connection
Last Updated: 8/28/09

Follow this step if you plan to use the Cisco VPN Client from an off-campus location or with a wireless connection on campus. If you are using VPN from an off-campus location, you should create and configure both a tcp and a udp connection entry for EACH registered VPN subnet (e.g., General_tcp, General_udp, Library_tcp, Library_udp).

1. Select Connection Entries > New.
2. The Create New VPN Connection dialog box displays.
3. Complete the fields as follows:
   Connection Entry: Type a name for this VPN connection (e.g., General_udp, Library_udp). Do not include any spaces!
   Description: Type a description for this connection.
   Host: Type server.vpn.cmu.edu.
4. On the Authentication tab, select the Certificate Authentication option.
5. In the Name field, select the name of the certificate you imported earlier from the drop-down list.
6. Select the Transport tab.
7. Under Enable Transparent Tunneling, select IPSec over UDP (NAT/PAT).


8. Click Save. The Connection Entries tab redisplays.
9. Repeat this step for each subnet that you are registered under on the NetReg page (e.g., VPN - General Users, VPN - Library). When you are finished, you will have a "udp" connection entry for each registered VPN subnet (e.g., General_udp, Library_udp).
   Note: If you are using VPN from an off-campus location, you should now have both a tcp and a udp connection entry for each registered VPN subnet (e.g., General_tcp, General_udp, Library_tcp, Library_udp).
   If you are using a Mac, your configuration process is complete. Continue with the steps to Establish a VPN connection.

Windows - Step 6: Configure Firewall
Mac - Step 9: Establish a Connection

Last Updated: 1/29/09


Step 6: Configure Windows Firewall

This step MUST be completed for ALL Windows XP SP2 and Windows Vista connections. If you are using a Mac, please skip this step!

1. Select Start > Control Panel.
2. Windows XP (category view):
   • Click Network and Internet Connections and then click Windows Firewall. The Windows Firewall dialog box displays.
   Windows Vista:
   • Click Network and Internet and then click Windows Firewall. The Windows Firewall window displays.
   • On the left of the window, click Allow a program through Windows Firewall. Click Continue to grant Windows permission to continue.
3. Select the Exceptions tab and click Add Program.
4. Click Browse and locate the cvpnd.exe file.


   • By default, this file is located in the Program Files > Cisco Systems > VPN Client folder. If you chose to install the Cisco VPN Client in another directory, navigate to that location.
   • If your machine is not set up to display file extensions, the file name will display as cvpnd.
5. Select the cvpnd.exe file and click Open.
6. Click OK. The Exceptions tab redisplays with cvpnd listed under Programs and Services (Program or port for Windows Vista machines).
7. Click OK to close the Windows Firewall window.

Step 7: Windows XP ONLY
Last Updated: 1/29/09

Configure VPN Client to launch before Windows log on

If you are using Windows Vista or a Mac, please skip this step!

Some Windows XP machines that use Active Directory will need to connect to the VPN server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using folder redirection AND you are using a VPN connection from OFF CAMPUS.

• If you have a Windows machine and this scenario applies to you, follow the instructions to Configure Cisco VPN client to connect before logging into Windows.
  Note: If you're not sure whether you're using folder redirection, follow the steps to verify your configuration.
• If you use a Mac or if this does NOT describe your connection usage, please continue with the steps to Establish a VPN Connection.

Step 8: VPN Client Advanced Configuration - Windows Only
Last Updated: 1/29/09

Configure the VPN Client to launch before Windows Log On

Some Windows XP machines that use Active Directory will need to connect to the VPN server BEFORE logging into Windows. THIS IS THE CASE ONLY IF you are using folder redirection AND you are using a VPN connection from OFF CAMPUS.

• If this scenario applies to you, follow the instructions to Configure VPN client to connect before logging into Windows.
  Note: If you're not sure whether you're using folder redirection, follow the steps to verify your configuration.
• If this does NOT describe your connection usage, please continue with the steps to Establish a VPN Connection.

Verify configuration for FOLDER REDIRECTION

1. From the Start menu, right-click on My Documents.
2. Select Properties.
3. On the Target tab, look under Target folder location:
   • If the Target is C:\xxx, you are NOT using folder redirection and do NOT need to configure your VPN client to connect before Windows log in. Your configuration process is complete. Continue with the Establish a VPN Connection section.
   • If the Target is \\server name, you ARE using folder redirection. Complete the steps to Configure your client to connect before logging into Windows.


Configure VPN client to connect before logging into Windows XP

• You determined that you ARE using folder redirection
• AND you are using an off-campus connection.

This will allow you to connect to the VPN server before logging into Windows. Otherwise, your machine will not have access to the Carnegie Mellon servers in order to retrieve the contents of the redirected server folders.

1. From the Cisco VPN Client, select Options > Windows Logon Properties.
2. The Windows Login Properties dialog box displays.
   • Select the Enable start before logon option.
   • Deselect the option to Disconnect VPN connection when logging off.
   IMPORTANT! Your configuration for folder redirection requires that your machine writes back to files on the server when you log off. For this reason, your VPN connection must be maintained when you log out of Windows.

3. Click OK to save the changes and close the Properties dialog box. Your configuration process is complete. Continue with the steps to Establish a VPN connection before Windows log in.

Establish a VPN Connection before Windows log in for machines using folder redirection

• You must first have an active INTERNET CONNECTION (i.e., DSL, cable modem).
• Because you configured your machine to Enable start before logon, your login screen now contains a VPN connection dialog box.
  Note: As you boot your machine, you may see a warning message asking you to "wait for Windows networking to start". It may take a moment for the Cisco VPN client to load.

1. Establish a VPN connection
   • Select the VPN connection entry from the Connection Entries drop-down list and click Connect.
   • You are asked to enter your Certificate Password before connecting to the service.
     Note: This is the "connection" password you created when you imported the certificate into the Cisco VPN Client. It is NOT the password you selected in NetReg.
     o If you created a connection password earlier when you imported your certificate, enter the password now.
     o If you DID NOT assign a connection password during the "Import Certificate" process, this dialog box still displays. Leave the password field blank and click OK to dismiss the dialog box.
   • The VPN connection is established and the VPN Client dialog box disappears.
2. Log on to Windows
   Once the VPN connection is established, enter your Andrew password in the Log On to Windows dialog box. Click OK. It is now safe to start any applications that require the use of the VPN service.


IMPORTANT! Your configuration for folder redirection requires that your machine writes back to files on the server when you log off. For this reason, your VPN connection must be maintained when you log out of Windows. After you have logged out, YOU MUST SHUT DOWN YOUR COMPUTER TO DISCONNECT THE VPN CONNECTION.

Once you are able to establish a VPN connection, your configuration process is complete. Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/manage.html) document to better understand the VPN certificates and how to manage the certificates on your machine.

Step 9: Establish a VPN Connection
Last Updated: 1/29/09

In steps 4 and 5, you created and configured both a TCP and a UDP connection entry for each VPN subnet that you will be using (i.e., VPN-General Users, VPN-Library). The table below will help you to decide which connection entry to use. In general,

• when using a wireless connection on-campus, always use a UDP connection.
• when off-campus, try the TCP connection first and if you have a problem connecting try the UDP connection. If you are using VPN from home, you will soon determine which connection type works best with your Internet service provider and can then set it as your default connection. When travelling, the best connection type may vary from one location to the next.

Service                                 | Off-campus: At home             | Off-campus: On the road         | On-campus: Wireless     | On-campus: Wired
Library licensed resources              | VPN-Library / TCP or UDP        | VPN-Library / TCP or UDP        | VPN not needed          | VPN not needed
Windows file shares                     | VPN-General Users* / TCP or UDP | VPN-General Users* / TCP or UDP | VPN not needed          | VPN not needed
ACIS services (SIS, DecisionCast, HRIS) | VPN-General Users / TCP or UDP  | VPN-General Users / TCP or UDP  | VPN-General Users / UDP | VPN needed in some cases

*You may also use the VPN-Library subnet to access these services. However, the Library subnet tunnels ALL Internet traffic through the VPN and may be slower than the General subnet (the General subnet only uses the VPN tunnel to access campus services).

You must connect using the Cisco VPN Client BEFORE you start an application that requires the use of the VPN tunnel (i.e., those that require the added security of encrypted networking).

Note for Windows machines: If you determined that your computer uses folder redirection, follow the steps for connecting before Windows login.

1. CONNECT TO THE INTERNET as you normally would (i.e., DSL, cable modem, dialup). You MUST have an Internet connection before you try to establish a VPN connection.
2. Launch the Cisco VPN Client application.
   Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
   Mac: Applications > VPN Client
3. Select the Connection Entries tab.
4. You will see a TCP connection entry and a UDP connection entry (e.g., General_tcp, General_udp, Library_tcp, Library_udp). Use the chart at the beginning of this section to determine which connection entry is suitable for your location and the service you plan to use. Select the appropriate connection entry and click Connect.


   Note: Once you determine which connection entry works best from your remote location (i.e., tcp or udp), make that entry the default (select Connection Entries > Set as Default Connection Entry).
5. OPTIONAL: If you assigned a password to this connection entry, you are asked to enter your Certificate Password now before connecting to the service.
   Note: This is the optional "connection" password you created when you imported the certificate into the Cisco VPN Client. It is NOT the password you selected in NetReg.
   • If you created a connection password when you imported your certificate, enter the connection password now.
   • If you DID NOT assign a connection password during the "Import Certificate" process, this dialog box may still display on some operating systems. If so, leave the password field blank and click OK to dismiss the dialog box.
6. A VPN connection is established. It is now safe to start any applications that require the use of the VPN service. If you are unable to connect, try the second connection type (e.g., if you connected using a tcp connection entry, try the udp entry).
   New VPN registrations normally take between 15 and 45 minutes from the time of creation to become fully active. If you experience connection problems with a newly registered connection, please wait 15 minutes and try again. If you still cannot connect after 45 minutes from the time of registration, please contact the Computing Services Help Center at x8-HELP (4357) or send email to [email protected].
   Note: Although your Internet connection will not be interrupted when the VPN connection is initiated, you may lose your connection with services that are running (e.g., Outlook, Entourage, Andrew Calendar). These services may need to be relaunched.
   • Windows: A padlock icon appears in your status bar. This padlock is "open" when you are disconnected from the VPN service and "closed" when you are connected.


     (Padlock icons: VPN disconnected, VPN connected)
   • Mac: When connected, a padlock icon appears next to the Connection Entry name within the Cisco VPN Client window. There is no indicator when the service is disconnected.

Once you are able to establish a VPN connection, your configuration process is complete. Please see the VPN Certificates: Understanding and Managing (http://www.cmu.edu/computing/doc/network/vpn/vpn-certs/index.html) document to better understand the VPN certificates and how to manage the certificates on your machine.

While you are connected

For most of the VPN networks, communication to off-campus sites or unrestricted campus services is routed directly through the public Internet, not tunneled through the Cisco VPN Client. The software does not need to be started/stopped as you move between restricted and unrestricted sites. This ensures that unrestricted services are not slowed by the Cisco VPN Client software.

If you registered for the VPN-Library network, all of your Internet traffic will be tunneled through the Cisco VPN Client. This allows you to access restricted databases that the Libraries subscribe to, but which are not hosted on campus. Because the databases are outside of the Carnegie Mellon network, all of your Internet traffic needs to go through the VPN, so that it can be properly handled. However, this also means that your unrestricted Internet communication may be slowed because it is routed through the VPN. We recommend that you disconnect your connection with the Cisco VPN Client when you do not need to access restricted Library services.
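The following is an added example, not part of this guide or of the Cisco VPN Client, that models the two traffic policies described in the Introduction and in the section above: under the VPN-General Users subnet only restricted campus destinations go through the tunnel and everything else goes out directly (split tunnel), while under the VPN-Library subnet every destination goes through the tunnel (full tunnel), which is what makes off-campus library databases reachable and also what slows unrestricted traffic. It is written in Python; apart from the 172.31.*.* client range named in the guide, the "campus" prefixes are constructed RFC 5737 documentation addresses, not CMU's real address plan.

```python
"""Added example (not the CMU guide's or Cisco's code): split tunnel versus
full tunnel as described for the VPN-General Users and VPN-Library subnets.
Campus prefixes other than 172.31.0.0/16 are constructed placeholders."""
import ipaddress

# Constructed list of destinations that are "part of the Carnegie Mellon network"
# and therefore reachable only through the tunnel under a split-tunnel policy.
CAMPUS_RESTRICTED = [
    ipaddress.ip_network("172.31.0.0/16"),    # VPN client address range named in the guide
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder: Windows file-share servers
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: ACIS services
]

# Registered subnet -> tunnelling policy, as the guide describes each subnet.
POLICIES = {
    "VPN-General Users": "split",  # tunnel only campus-restricted destinations
    "VPN-Library": "full",         # tunnel ALL Internet traffic
}


def route_for(subnet: str, destination: str) -> str:
    """Return "tunnel" or "direct" for one destination under a registered subnet.
    Raises KeyError for an unknown subnet and ValueError for a bad address."""
    policy = POLICIES[subnet]
    dst = ipaddress.ip_address(destination)
    if policy == "full":
        return "tunnel"
    return "tunnel" if any(dst in net for net in CAMPUS_RESTRICTED) else "direct"


def reachable_as_campus(subnet: str, destination: str) -> bool:
    """True when the destination sees the connection arrive from the VPN, i.e.
    with the campus identity that restricted services check. Under the split
    policy an off-campus licensed database is NOT reached this way, which is
    why the guide says to use VPN-Library (or WebVPN) for external restricted sites."""
    return route_for(subnet, destination) == "tunnel"


def explain(subnet: str, destinations):
    """Map each destination to its path, making the performance trade-off
    visible: under VPN-Library even public sites take the slower tunnel."""
    return {d: route_for(subnet, d) for d in destinations}


if __name__ == "__main__":
    # Constructed sample: a campus host, a file-share server, an off-campus
    # licensed database and an ordinary public web site (all documentation addresses).
    sample = ["172.31.5.7", "192.0.2.10", "203.0.113.44", "203.0.113.99"]
    for subnet in POLICIES:
        print(subnet, explain(subnet, sample))
```

Comparing the two printed dictionaries reproduces the guide's advice: the split-tunnel subnet leaves public traffic untouched, so the client can stay running; the full-tunnel subnet carries all four destinations, so it is worth disconnecting when the library databases are not needed.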

Last Updated: 6/9/09