FCLA VPN Service

VPN Client Installation and Operation

(modified from net-services VPN site)

Background

The UF FCLA remote access VPN service now supports both the Cisco client and the built-in VPN clients on the Windows, Macintosh, and PocketPC platforms. It should work with most other L2TP over IPsec clients; however, those are not officially supported. The Cisco client is still the recommended way to access the VPN service, as it supports a wider feature set.


Cisco VPN Client (recommended client)

    Windows (98/ME/NT/2000/XP) Installation/Configuration

    1. The first step to installation is to download the client software from the "clients" section of this website.
    2. If you are using Windows XP, we strongly recommend that you install Service Pack 2 before installing the VPN client. A minimum of Service Pack 1 is required for the VPN client to work properly.
    3. If you are upgrading from a previous version of the Cisco VPN client, it will automatically be removed as a part of the install process. If the client is not un-installing properly, please see the Troubleshooting Guide.
    4. Run the application you just downloaded. If you are using Windows NT, 2000, or XP, you must have Administrator privileges to install the client. It will automatically extract the client and start the install process.
    5. After running the installation program, you will be asked to reboot.
    6. Once your system comes back up, you can launch the vpn client from the Start Menu. It should be under Programs->Cisco Systems Gatorlink VPN Client->Gatorlink VPN Dialer.

    Windows (98/ME/NT/2000/XP) Operation

    Starting a VPN session:

    1. The client comes pre-configured for a full gatorlink VPN tunnel. To start it, simply launch the Gatorlink VPN dialer. You will see a window similar to Figure 1:

      Figure 1

      Click the "Connect" button. You will get a User Authentication window shown in Figure 2:

      Figure 2

      Replace "username" with your gatorlink username (leaving the @ufl.edu/fcla in place), and type in your password. The username will be saved for future use, but the password will not.

    2. Once you successfully authenticate, the window will disappear, and you will see a lock icon in the system tray. This lets you know the VPN tunnel is up and active. Any traffic sent to any network other than the local subnet will take the tunnel. You can display the tunnel endpoint address, connected time, and traffic levels by double clicking on the lock and clicking on the down arrow on the lower right side of the VPN client window shown in Figure 3:

      Figure 3

      You can also get tunnel statistics including encryption levels and tunnel encapsulation (useful in troubleshooting VPN connection problems) from the VPN client by going to Status->Statistics shown in Figure 4:

      Figure 4

    3. If, after you type in your password, you keep getting the User Authentication window back, this means your password is not correct. Please try again. If you suspect your Gatorlink password has expired, please call the UF Computing Help Desk and have it reset.

    Shutting down a VPN session:

    1. To close a VPN session, simply right click on the "lock" and click "Disconnect". The lock will disappear. You may also click the "Disconnect" button from the VPN client window.

    Additional Windows Cisco VPN client configuration

    • Establish VPN before authentication to a Windows Domain/Directory

      If you would like to have your system authenticate to your Windows NT domain or to Windows 2k/XP Active Directory over the VPN, here is the procedure:

      Windows NT/2k/XP Domain

      1. Enable "Start VPN before logon" by going to Options -> Advanced Mode, then Options->Windows Logon Properties and checking "Enable start before logon". Note: This will disable Fast User Switching in Windows XP.
      2. Add your local WINS server to your network interface card configuration. The VPN will not overwrite this setting. You may have to reboot here.
      3. Start the VPN. This can be done either with the default tunnel or a campus only tunnel.
      4. Once the VPN is built, add your local machine to the domain the same way you would add any machine to the domain.
      5. Log out and reboot.
      6. When the machine restarts, you should get a VPN dialog asking you to authenticate. You will then be able to authenticate to the domain and access all your MS network resources over the VPN tunnel.

      Windows 2k/XP Active Directory

      1. Enable "Start VPN before logon" by going to Options -> Advanced Mode, then Options -> Windows Logon Properties and checking "Enable start before logon". Note: This will disable Fast User Switching in Windows XP.
      2. If your Active Directory exists within the UF Active Directory hierarchy, there should be no specific client configuration necessary. The Gatorlink VPN client automatically uses campus UFAD DNS servers. If this isn't the case, you will need to put your local DNS servers in the network interface configuration and use a campus-only tunnel. The default VPN tunnel will overwrite the DNS servers with the campus UFAD nameservers.
      3. Start the VPN.
      4. Add the machine to the Active Directory tree the same way you would normally add a machine to the tree.
      5. Log out and reboot.
      6. When the machine restarts, you should get a VPN dialog asking you to authenticate. You will then be able to authenticate to the active directory and access all your MS network resources over the VPN tunnel.
    • Firewalls and the Cisco VPN Client.

      Windows XP Firewall

      The Cisco VPN Client, as configured, works with the Windows XP firewall once you add a rule for it:

      1. From the main Windows desktop, Go to "Start Button->Settings->Control Panel"
      2. Double click on "Windows Firewall". A new window will pop up. Make sure the "Don't allow exceptions" checkbox is not checked.
      3. Click the "Exceptions" tab at the top of the screen.
      4. Click "Add Port" at the bottom of the screen. A new window will pop up.
      5. Under name, type "VPN IKE". Under Port number, enter 500 and select the "UDP" radio button just below the port field.

        Figure 5

      6. Click "OK". You should now see a new exception for "VPN IKE". Click OK to finish the process.

        Note: We have seen occasional problems with the Windows firewall dropping the keepalive traffic somewhat randomly and causing connections to disconnect. This is a problem with the windows firewall. If you see this behavior often you may need to switch to another firewall.

      ZoneAlarm

      • ZoneAlarm 6.0 is known to have problems with the Cisco VPN client (along with many other programs as well). These problems cause the VPN client not to be able to complete its authentication. As a result, 6.0 should not be used with the Cisco VPN client.
      • Zonealarm 5.5 is known to work with the Cisco VPN client. After installation there are three changes you will need to make to the Zonealarm client:
        1. When the machine reboots, you will get an alert that "cvpnd.exe" is trying to access the Internet. Click "Remember this setting" and then click the "Allow" button.
        2. When you start the VPN client, you will get the same warning about "vpngui.exe" Click "Remember this setting" and then click the "Allow" button.
        3. When the VPN client connects you will get a warning about "cvpnd.exe" trying to accept connections from the Internet. Click "Remember this setting" and then click the "Allow" button.

      If you already have Zonealarm 6.0 installed, please see the Troubleshooting guide for more info.

      Built in Cisco VPN Firewall

      The Cisco vpn client comes with a simple built in stateful firewall. It is not very flexible, but does work. Note that to enable it you must right click on the "lock" in your icon tray in the lower right hand corner of the screen and select "Stateful Firewall (always on)". Note that the firewall will be enabled even when the VPN client isn't in use.

    • Connection Types

      • As shipped the Gatorlink VPN client has two VPN profiles. The default is called ufl-vpn. This should be used by all users unless they have problems making a connection (see the Troubleshooting Guide for more information). It includes a new feature called "mutual group authentication". This means that in addition to the shared key, the VPN concentrator also must present a certificate to the client which is authenticated against a root certificate that is pre-installed into the Gatorlink VPN client. This provides further protection against man in the middle (MIM) style attacks.
      • There is also a "ufl-vpn-ska" profile which doesn't use mutual group authentication (MGA). This uses the same connection profile as the earlier 3.6.x clients.
    • Other Features

      • The Cisco client 3.6.1 or above comes with a new feature that is disabled by default. It is called "Automatic VPN Initiation". This feature will automatically start the VPN client if you are on the campus wired or wireless authentication network. To enable this feature, go to Options->Advanced Mode (if you are not already in advanced mode) and then Options -> Automatic VPN Initiation and check the "Enable" box. Additional networks can be added to this rule set by editing the vpnclient.ini file which is usually located in C:\Program Files\Cisco Systems\VPN Client\.

    Linux kernel 2.2/2.4/2.6 Installation/Configuration

    Note: The Linux client is known to work on Redhat 9.x, Redhat Enterprise 3.x and 4.x, Fedora Core 2-4, and SuSE 9.x. It has not been tested on other distributions. If you are using a non-distribution kernel, your mileage may vary.
    1. The first step to installation is to download the client software from the "clients" section of this website.
    2. You should uncompress the software and untar it with the command tar -xvzf filename.tar.gz (case sensitive, the filename can change depending on the version you choose).
    3. You should now have a directory called vpnclient. Enter this directory and type vpn_install
    4. You will be asked several questions that are specific to your installation of Linux and your preferences. You should choose "yes" to "start the vpn service at boot time."
    5. Reboot. This will ensure the vpn module is properly loaded.
      Note: While rebooting, you may see the following messages: Starting /usr/local/bin/vpnclient: Warning: loading cisco_ipsec will taint the kernel: no license. This is nothing to worry about. It simply means the module you are inserting into the kernel is not distributed under the GPL license. It will not affect the stability or performance of your system.
    6. If you are using ipchains or ipfilter (which is default on Redhat 7.2 and above installations) or another type of firewall on the Linux platform, you will need to open it up for the VPN connection. If you are using transparent tunneling, which is the default for the UF client, you will need to open the following ports to and from 128.227.166.116-118:
      • TCP port 32611
      • UDP port 32611
      • UDP port 4500
      • UDP port 500
      If you have disabled transparent tunneling, you will need to allow the following to 128.227.166.116-118:
      • IP protocol 50 (ESP)
      • UDP port 500
      Please see the ipchains/ipfilter documentation for your distribution on the correct way of making these changes. Alternatively, you may also allow all communication between your system and 128.227.166.116-118.
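      As an added example (not part of the original guide), the script below prints the firewall rules that correspond to the two port lists above, one rule pair per concentrator address, so the result can be reviewed before it is applied. It assumes iptables syntax in place of the ipchains/ipfilter tools the guide mentions.

```bash
#!/bin/sh
# Prints iptables rules that let the Cisco VPN client talk to the UF VPN
# concentrators (128.227.166.116-118) named in the guide. Added example:
# iptables is assumed in place of the ipchains/ipfilter tools the guide
# mentions, and rules are printed rather than applied so they can be reviewed.

CONCENTRATORS="128.227.166.116 128.227.166.117 128.227.166.118"

# Emit an outbound and an inbound ACCEPT rule for one protocol/port pair,
# restricted to a single concentrator address ($1 = host, $2 = tcp|udp, $3 = port).
port_rules() {
    printf 'iptables -A OUTPUT -p %s -d %s --dport %s -j ACCEPT\n' "$2" "$1" "$3"
    printf 'iptables -A INPUT  -p %s -s %s --sport %s -j ACCEPT\n' "$2" "$1" "$3"
}

# Emit the ESP (IP protocol 50) pair needed when transparent tunneling is off.
esp_rules() {
    printf 'iptables -A OUTPUT -p 50 -d %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT  -p 50 -s %s -j ACCEPT\n' "$1"
}

# vpn_rules transparent|native
#   transparent: the UF client default; IKE on UDP 500, NAT-T on UDP 4500,
#                and the encapsulated tunnel on TCP/UDP 32611.
#   native:      transparent tunneling disabled; IKE on UDP 500 plus raw ESP.
vpn_rules() {
    case "$1" in
        transparent|native) ;;
        *) echo "usage: vpn_rules transparent|native" >&2; return 1 ;;
    esac
    for host in $CONCENTRATORS; do
        if [ "$1" = transparent ]; then
            port_rules "$host" tcp 32611
            port_rules "$host" udp 32611
            port_rules "$host" udp 4500
            port_rules "$host" udp 500
        else
            port_rules "$host" udp 500
            esp_rules "$host"
        fi
    done
}

# Stand-alone use: print the rule set for the mode given on the command line
# (default transparent); review it, then pipe it to sh as root to apply.
vpn_rules "${1:-transparent}"
```

      Restricting each rule to the three concentrator addresses keeps the opening narrower than the "allow all communication" fallback mentioned above.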

    Linux kernel 2.2/2.4/2.6 Operation

    Starting a VPN session:

    1. To start a VPN session, you should type the command vpnclient connect ufl-vpn
    2. You will be asked for your username. Enter it in the form of "username@ufl.edu/fcla". It will be remembered for subsequent VPN attempts. You will also be asked for your password. This is your gatorlink password.
    3. If your authentication is successful, you will get a tunnel endpoint IP address notification. You will not get back a prompt. The vpnclient command will stay in the foreground. It is important that you not ctrl-c out of the vpnclient command, as that will kill your tunnel. If you would like to place the vpnclient command in the background, hit ctrl-z and then type bg.
    4. If you would like statistics on the tunnel, you can type vpnclient stat
    5. Note: The linux client also has the ufl-vpn-ska profile installed. For more information see the "Connection Types" section of the "Additional Windows Cisco VPN client configuration" topic above.

    Shutting down a VPN session:

    1. To shut down a tunnel session, just type vpnclient disconnect. You should get a message indicating the process was killed.

    Macintosh OS 10.X Installation/Configuration

    1. The first step to installation is to download the client software from the "clients" section of this website.
    2. It should automatically uncompress and create an application folder on the desktop called "CiscoVPNClient".
    3. Double click on the "CiscoVPNClient" desktop icon.
    4. A new window will now open. Double click on the "Cisco VPN Client.mpkg" icon.
    5. The installer will launch and ask you where to install. You should select the "Macintosh HD" or equivalent (not the CiscoVPNClient virtual drive).
    6. Once the installer finishes, the Cisco VPN client is installed and ready to be used.

    Macintosh OS 10.X Operation

    The Macintosh 10.X client is substantially similar to the Windows VPN client in its appearance and use. Please refer to the Windows section of this document for more information on using the client.

    Macintosh OS 8/9 Installation/Configuration

    Although Cisco does not make a VPN client for Macintosh OS 8 or 9, you may use the third party client from Apani. Here are some instructions we have compiled to use the Apani client with the UF VPN service.
    1. Install the Apani client per Apani instructions. Be sure to reboot once the installation is complete
    2. Install the client license code per Apani instructions.
    3. Download the ufl-vpn.hqx config file from the Client Software page. This will pre-configure your Apani client to use the UF VPN service.
    4. De-binhex and unstuff the config file. You will need the "unstuffit" application to perform this task. It is included with most recent versions of MacOS. The resulting file will be called "config.db".
    5. Place this file in System Folder -> Preferences -> Cisco Apani Client folder.
    6. Reboot

    Macintosh OS 8/9 Operation

    Starting a VPN session:

    1. Start the session by pulling down the menu from the Apani icon on the menu bar and selecting "Apani Cisco Client".
    2. A web browser will start. Click the "Connect" button.
    3. Type in your gatorlink username (in the form of username@ufl.edu/fcla) and gatorlink password.
    4. A tunnel will be established and you will be notified of your tunnel parameters (remote IP address, encryption level, etc).
    5. You may close the web browser window if you like.

    Shutting down a VPN session:

    1. To shut down the tunnel, pull down the menu from the Apani icon on the menu bar and select "Apani Cisco Client".
    2. Click the "Disconnect" button. You will receive a confirmation notification.

    Palm/PocketPC Installation/Configuration

    Cisco does not currently produce a VPN client for the Palm or PocketPC platforms, however, you may use the third-party Antha/MovianVPN client from AnthaVPN. Here are some instructions for configuring and using that client.
    1. Download and Install the AnthaVPN client for PocketPC or MovianVPN client for palm according to the vendor instructions.
    2. Reboot the Palm or PocketPC device. This will ensure the IPsec driver is properly installed.

    Movian Client

    1. Launch the MovianVPN client.
    2. Click the "New" button
    3. Please make the following settings in the "Policy" window:
      • The policy name should be something descriptive, such as "UFL VPN"
      • From the pull down list, select "Cisco VPN Concentrator 3000"
      • The gateway address is 128.227.166.116. Note: Because the MovianVPN client does not support load balancing, you must directly connect to one of the two redundant UF VPN concentrators. If the first concentrator is not available, you can reconfigure the MovianVPN client to connect to 128.227.166.117, but this will not be automatic.
    4. In the group and user configuration window, make the following settings:
      • Group Name: vpn-auth-ext
      • Group Password: Click here for current group password (Gatorlink authentication required).
      • Username: This should be your gatorlink username in the form of username@ufl.edu/fcla
    5. Click the "IKE Suite" button
    6. In the IKE Suite window, make the following settings:
      • Group: GRP2_DH-1024
      • Cipher: 3DES_CBC
      • Hash: SHA
    7. Click "Continue", then click "IPSec Suite"
    8. Change the Suite to ESPIP_3DES_SHA-96.
    9. Click "Continue", and then "Done".
    That should complete the MovianVPN configuration.

    AnthaVPN Client

    1. Launch the AnthaVPN client.
    2. Pull up the "Policy" menu and select "Policy Editor"
    3. Select one of the generic accounts and name it something descriptive like UFL VPN, then double-tap on it.
      • Under "Gateway" select "Cisco VPN Concentrator" for the Gateway type.
      • The gateway address is 128.227.166.116. Note: Because the AnthaVPN client does not support load balancing, you must directly connect to one of the two redundant UF VPN concentrators. If the first concentrator is not available, you can reconfigure the AnthaVPN client to connect to 128.227.166.117, but this will not be automatic.
    4. Under "Account" make the following settings:
      • Make sure "Xauth" is checked.
      • Xauth type = Username/Password
      • Group Name: vpn-auth-ext
      • Group Password: Click here for current group password (Gatorlink authentication required).
      • Username: This should be your gatorlink username in the form of username@ufl.edu/fcla
      • Password: Although you can enter your real password here, we recommend that you not do this, as it may be a security issue if you lose the device. You must enter something for the VPN client to continue.
    5. Under "IKE Proposals" make the following settings:
      • Group: Group2
      • Cipher: 3DES
      • Hash: SHA
    6. Under "IPSec Proposals" make the following settings:
      • Group: Group1
      • Cipher: 3Des
      • Hash: SHA
    7. Click "OK" in the upper right hand corner and select "Yes" when it asks you to apply changes.
    8. Under "Options" you must now choose the connection you are using. This is either a modem profile or an SSID if you are using wireless. If using wireless on campus, the SSID should be UFW. Refer to vendor docs for more information on this setting.

      Note: In testing we have had issues with this "feature" of the AnthaVPN client occasionally causing the wireless card not to associate to wireless networks after a VPN session was terminated. A soft reset was required to restore normal wireless function. This may be a byproduct of the platform we used for testing. Also note that SSIDs that are not broadcast do not appear to show up reliably under the wifi section of the connections menu.

    Palm/PocketPC Operation (Movian Client)

    Starting a VPN session:

    1. Once the Antha/MovianVPN client is running, select the Policy that was defined above. Click "Login".
    2. You will see a prompt to enter your password. Enter your gatorlink password.
    3. If authentication is successful, you will get a "Finished" message.
    4. Click "Ok" then "Exit". This will not close the client, only the login window. You should see a lock icon in the lower right hand corner of your screen.
    5. To see what your VPN IP address is, click on the lock, then choose "Tools->View IPsec Policy". The first line in the IPsec Policy window should read "xxx.xxx.xxx.xxx/32 <--> yyy.yyy.yyy.yyy/24". The yyy IP address is your VPN IP address. The xxx IP address is your local IP address.

    Shutting down a VPN session:

    1. Click on the lock icon in the lower right hand side of the screen, then click "Logout".

    Palm/PocketPC Operation (AnthaVPN Client)

    Starting a VPN session:

    1. Once the AnthaVPN client is running, select the Policy that was defined above from the Policy menu on the bottom right. Verify the correct policy is selected.
    2. Tap anywhere on the AnthaVPN client window; that will start the login process. If you are using wifi, you will de-associate and then re-associate with the SSID you defined above.
    3. You will see a prompt to enter your password. Enter your gatorlink password.
    4. If authentication is successful, you will get a "connected to UFL VPN" message at the bottom.
    5. To see what your VPN IP address is, open the client, then choose "Tools->Status". Your VPN address is listed as "Private IP".

    Shutting down a VPN session:

    1. Click anywhere on the AnthaVPN window and it will disconnect your client.

Using Built in L2TP/IPsec Clients

    Windows XP L2TP/IPsec Client Configuration

    Note: Only the Windows XP and greater L2TP/IPsec clients are supported and covered in this guide. Windows 2000 does have a built in client, but it is not designed for remote access connectivity without the presence of a full CA infrastructure.

    Windows XP L2TP client configuration

    1. Go to Start Button->Control Panel->Network and Internet Connections.
    2. Select "Create a connection to the network at your workplace". A new window will appear
    3. Select "Virtual Private Network" connection.
    4. Enter "Gatorlink VPN" for the Company Name. Click Next.
    5. Enter "l2tp.vpn.ufl.edu" for the hostname. Click Next. Note: The first letter in the hostname is an "elle", not a one.
    6. Click Finish.
    7. Go to Start Button->Connect To->Gatorlink VPN
    8. Click on the Properties Button.
    9. Click on the "Security" Tab.
    10. Click on "IPsec Settings" button
    11. Check "Use pre-shared key for authentication". Type the key found here.
    12. Click ok, then ok again. You are now ready to use the Windows XP L2TP/IPsec client with the UF Gatorlink VPN service.
    Note: Please do not store your password on the local client by typing it in at setup time. This is a security risk.

    Windows XP L2TP/IPsec Client Use

    1. Go to Start Button->Connect To->Gatorlink VPN. A new window will appear.
    2. Type your Gatorlink username without the @ufl.edu/fcla extension.
    3. Type your Gatorlink password.
    You should now be connected to the UF Gatorlink VPN service. To disconnect simply right click on the appropriate "double computer" icon in the lower right hand corner of the Windows desktop and select "Disconnect".

    Mac OSX 10.3-4 L2TP/IPsec Client Configuration

    Note: Only the VPN client built in to MacOSX 10.3 and 10.4 is compatible with the Gatorlink remote access VPN service.
    1. Open "Internet Connect". This is usually found in the Applications folder on the "Macintosh HD".
    2. Select "VPN"
    3. Under Configuration select "Edit Configuration"
    4. For the Description enter "Gatorlink VPN"
    5. For the Server Address enter "l2tp.vpn.ufl.edu" (that is an "elle", not a 1)
    6. For the Account Name enter your gatorlink username without the @ufl.edu/fcla.
    7. For the shared secret, enter the key found here.
    8. Click OK
    9. You are now ready to use the MacOS L2TP/IPsec client with the Gatorlink VPN remote access service.
    Note: Please do not store your password on the local client machine by typing it in at setup. This is a security risk.

    Mac OSX 10.3-4 L2TP/IPsec Client Use

    Connecting:

    1. Open the VPN client by going to the VPN icon in the upper right-hand part of the Apple menu bar and pulling the menu down.
    2. Select "Connect".
    3. You will be asked for your password.
    4. Once entered, it will take 5-10 seconds for the connection to complete.

    Disconnecting:

    1. Go to the VPN icon in the upper right-hand part of the Apple menu bar and pull the menu down.
    2. Select "Disconnect".

    PocketPC 2003 L2TP/IPsec Client Configuration

    PocketPC 2003 and above includes a built in L2TP/IPsec VPN client. Unfortunately, this is one of the worst VPN clients we have ever seen. This section provides some guidance on how to configure the client, but the actual steps may vary from client to client.

    1. Go to Start->Settings and pick the "Connections" tab.
    2. Click on the "Connections" Icon. A new screen will appear.
    3. Click on "Add a new VPN server connection"
    4. Change the name to "Gatorlink VPN" (optional)
    5. Type "l2tp.vpn.ufl.edu" for the hostname (that is an "elle" not a one) and click "Next"
    6. Select "A pre-shared key". Type in the key found here. Click Next.
    7. For username type your gatorlink username without the @ufl.edu/fcla. Do not fill in Password or Domain. Click finish.

      That was the easy part. Now we have to tell the client when to connect to the VPN client. This is where it gets very confusing. By default, the PPC2003 VPN client uses the VPN to get to all network resources without a fully qualified domain name (i.e. www rather than www.ufl.edu). It will not use the VPN client to access fully qualified resources such as www.ufl.edu. Here is how you change that behavior to make everything take the tunnel:

    1. From the "Connections" screen (which you should still be on from the setup), choose the "Advanced" tab and click on the "Select Networks" button.
    2. Make sure that The first pull down menu is configured for "My ISP" and the second is configured for "My Work Network".
    3. Click on the "Exceptions" button. A new screen will appear.
    4. Click on "Add new URL...".
    5. Type *.* and click OK. Click ok until you reach the top of the Connection Manager, then click X to close.
    6. All Internet Explorer traffic will now take the VPN. Forcing email down the VPN requires additional configuration (as do other applications).

      Forcing the PPC2003 email client to use VPN

    1. Open PPC2003 email client. Click on accounts menu and choose "accounts..." (an email account must already have been created).
    2. Click on the account name. A new window should appear.
    3. Click next 3 times. You should now see an "Options" button. Click on it.
    4. Under Connection: choose "Work". Click next 2 more times then Finish.
    5. Now your email will always use the VPN, but will disconnect when the email client is closed.

    In general the PPC2003 VPN client is difficult and confusing to use. We do not recommend its use. The Antha VPN works much better.

Links