CHE VPN

From Chesupportwiki


VPN Overview

The idea behind the VPN is that you can connect to department services securely from anywhere. We are going to retire our current VPN appliance and move to the campus Cisco VPN concentrator.

Requirements

  • You must have a valid uNID and password.
  • You must notify support@che.utah.edu that you want to be added to the CHE space. Please send your name and uNID.
  • This typically takes a couple of hours but could take as long as 48; this is a university service and is not maintained directly at the department or college level.
  • An active internet connection.
  • The Cisco VPN does not work with the department's NetScreen VPN client installed. If you have installed the NetScreen VPN client from the CHE website, please uninstall it first.

Other Notes

  • Please be aware that to connect to the campus Cisco VPN service you must use your university-assigned uNID and password.
  • Please be aware that to connect to department services (for example the fileserver humboldt.chemeng.utah.edu) you will need to use your department username/password.
  • Please note that there are two separate ways to connect to the campus VPN system.
  • Once connected you will also be able to access other university services, e.g. the library.


HowTo Connect (2 options)

STEP ONE: REMOVE ALL OTHER VPN SOFTWARE

  • VPN clients tend to conflict with each other. I know that the following software will conflict with this version of the Cisco VPN client:
    • NetScreen VPN Client
    • Cisco VPN Client 4.6. It is recommended to use the uninstaller, which can be found under "Control Panel --> Add/Remove Programs", but we have had reports that this can fail; if it does, manual removal instructions are located here.


Option #1 (it would be a good idea to read all the instructions first)

  • I have only tested this using Windows XP Service Pack 2.
  • Download the preconfigured Cisco VPN client from UofU OIT.
  • It is a straightforward install; you will be prompted to reboot. If you have the NetScreen VPN installed, the installer will either fail or prompt you to uninstall it. It is a good idea to have uninstalled it first.
  • Launch the Cisco VPN client; you do not need to modify any settings. You will see a line under the "Connection Entries" tab:
          UOFU    vpnaccess.utah.edu
  • Highlight that and click Connect. You will be prompted for your username/password; this is your campus uNID/password (if you have PeopleSoft access it may be a different password):
          To connect you need to enter it in this format:
             u0000000@che.utah.edu  <--- The "che.utah.edu" is important: you will be able to connect without it but you will NOT be able to use Dept services.
             <CIS Password>
  • If you do not add the domain che.utah.edu you will still be able to connect, but you will *not* be able to reach the department network. The che.utah.edu domain string tells the system to put you in the correct IP space.
  • If you connect you will receive a banner screen that looks like:


Option #2

  • Go to this URL:
             https://vpnaccess.utah.edu/webvpn.html
             Type in your CIS username/password:
                  u0000000@che.utah.edu
                  <CIS Password>
  • It will wrap your IP session in a Java VPN; you will be prompted to install some Java/ActiveX controls depending on which browser you are using. Accept them all.
  • You will get errors that the site's SSL cert is bad. This is because it is not signed by a recognized CA (e.g. VeriSign or Verizon); the connection is still encrypted, the university just did not purchase an SSL cert from a third party. Don't worry about the errors.
  • If you connect you will see a gold key in the bottom right corner.

(TODO) Need a pic of a successful connection


Ok so I am connected now what??

  • Here is a script that I wrote that will prompt for your department ID/password and automatically map the network shares.
    • It will prompt for your username in this form:
          CHEMENG\00000000 <---- Make sure to leave the "CHEMENG\" in the field
  • You can grab the script from here.


  • Or you can map them manually
          \\humboldt.chemeng.utah.edu\faculty
          \\humboldt.chemeng.utah.edu\<deptID>
          \\humboldt.chemeng.utah.edu\staff
       

You can map these manually by opening My Computer --> Tools --> Map Network Drive.

Under "Folder" type in the share you want to connect to, then click "different user name". Remember it is your department username/password, and you have to specify the domain. For example:

Username: CHEMENG\00000000 Password: Dept Password
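The following PowerShell script is an added example, not the script the wiki links to above. It prompts for department credentials with the CHEMENG\ prefix already filled in, checks that the prefix was kept, and maps the three humboldt shares listed above without putting the password on a command line (New-PSDrive -Persist needs PowerShell 3.0 or later). The drive letters are my own choice, and I assume, as the share list suggests, that your personal share is named after your department ID.

```powershell
# Added example, not the script the wiki links to. Maps the three humboldt shares
# from the list above using department credentials, without putting the password
# on a command line (New-PSDrive -Persist needs PowerShell 3.0 or later).
# Assumptions of mine: the drive letters, and that the home share is named after the dept ID.
$Server = 'humboldt.chemeng.utah.edu'

function Get-DeptCredential {
    # Prompt with the domain prefilled so the CHEMENG\ prefix is not dropped.
    $cred = Get-Credential -Credential 'CHEMENG\'
    if (-not $cred -or $cred.UserName -notmatch '^CHEMENG\\[^\\]+$') {
        throw 'Username must be entered as CHEMENG\<deptID>, e.g. CHEMENG\00000000'
    }
    return $cred
}

function Mount-DeptShares {
    param([System.Management.Automation.PSCredential]$Credential)
    $deptId = $Credential.UserName.Split('\')[1]
    # Drive letter -> share name; the letters are my choice, the shares are from the page.
    $shares = @{ 'F' = 'faculty'; 'H' = $deptId; 'S' = 'staff' }
    foreach ($letter in $shares.Keys) {
        $root = "\\$Server\$($shares[$letter])"
        if (Test-Path "${letter}:") {
            Write-Warning "Drive ${letter}: is already in use, skipping $root"
            continue
        }
        try {
            New-PSDrive -Name $letter -PSProvider FileSystem -Root $root `
                -Credential $Credential -Persist -Scope Global | Out-Null
            Write-Host "Mapped ${letter}: -> $root"
        } catch {
            # Typical causes: VPN not up, or connected without the @che.utah.edu suffix.
            Write-Warning "Could not map ${root}: $($_.Exception.Message)"
        }
    }
}

Mount-DeptShares -Credential (Get-DeptCredential)
```

Run it after the VPN is connected; the mapped drives persist across reboots, so run it once per machine rather than at every login.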

(TODO) Need pics of this


Troubleshooting

Home Network issues

Disclaimer: There are literally thousands of combinations of NICs, home routers, ISPs and WAPs; this is meant to be a general guide. If you make a change to your home router/switch, please either make a backup or note what the settings were, so that you can switch back if you need to. Warning: with routers/firewalls, do not make changes unless you are absolutely sure what they mean.

  • In order to check or change settings on most home routers, you need to navigate to http://192.168.1.1 from inside your home network.


Step #1 Make sure you have the latest Cisco VPN client for your platform

  • You can download the latest here.


Step #2 If you can connect, what is your IP address?

  • After you have connected to the VPN:
  • From the Cisco VPN client interface click "Status" --> Statistics --> under Address Information, what is the IP address to the right of "Client"?
  • It should be between 155.101.243.192 and 155.101.243.223.
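As an added example (not part of the wiki page), this PowerShell script does the same check from the command line: it walks every network adapter and reports the one whose IPv4 address falls inside the pool above, 155.101.243.192 - 155.101.243.223 (a /27). The pool bounds come from the page; the function names are mine, and it deliberately uses the .NET interface API so it also works on older PowerShell without the Get-NetIPAddress cmdlets.

```powershell
# Added example, not from the wiki: after connecting, find the adapter whose IPv4
# address falls in the CHE pool 155.101.243.192 - 155.101.243.223 (a /27).
# The pool bounds are from the page; the function names are mine.
function ConvertTo-IpNumber {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # 4 bytes, most significant first
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-InCheVpnPool {
    param([string]$Address)
    # Compare as integers so the range test is exact (string comparison would not be).
    $n = ConvertTo-IpNumber $Address
    return ($n -ge (ConvertTo-IpNumber '155.101.243.192')) -and ($n -le (ConvertTo-IpNumber '155.101.243.223'))
}

function Get-CheVpnAddress {
    # Uses the .NET interface API, so it works on XP-era PowerShell without Get-NetIPAddress.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($u in $nic.GetIPProperties().UnicastAddresses) {
            $addr = $u.Address
            if ($addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and
                (Test-InCheVpnPool $addr.ToString())) {
                return New-Object PSObject -Property @{ Adapter = $nic.Name; Address = $addr.ToString() }
            }
        }
    }
    return $null
}

$vpn = Get-CheVpnAddress
if ($vpn) {
    "VPN address $($vpn.Address) on '$($vpn.Adapter)' is inside the CHE pool."
} else {
    "No address in 155.101.243.192-223 found. Are you connected, and did you log in as u0000000@che.utah.edu?"
}
```

If the VPN is up but no address in the pool is found, the usual cause is logging in without the @che.utah.edu suffix, which lands you in a different IP space (see Option #1).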


Step #3 Open Ports

  • If you are having issues with some aspect of the VPN, check that the following ports/protocols are open (inbound/outbound) on your router/firewall:
         * UDP port 500 (IKE, Internet Key Exchange)
         * IP Protocol 50 (ESP)
         * IP Protocol 51 (AH)
         * UDP port 10000 (IPSec encapsulated in UDP)
         * TCP port 10000 (IPSec encapsulated in TCP)
         * TCP port 443 (SSL/IPSec encapsulated in TCP)
  • Note: some home routers/firewalls won't allow you to open ports. On most Linksys routers I have used, it is located in the Applications/Gaming or Port Forwarding section of the router interface.

Now try to connect. If all is working you are done; do not continue.


Step #4 NAT

  • If you are behind a device that uses NAT (Network Address Translation), you will need to be sure it handles the IKE packets correctly (it should know not to change the source port on IKE packets). On Linksys routers you do this by checking the "IPSec Passthrough" option; most other firewalls know this protocol as well.


Step #5 Encapsulation (Change using the Cisco VPN client interface)

  • To change the encapsulation, open the Cisco VPN client --> highlight the connection entry --> click Modify --> click the middle tab, Transport --> the box "Enable Transparent Tunneling" is where you set your encapsulation. Below is a guide on when and how to change the encapsulation settings; remember it may change based on which network your machine is connected to. So if you have a laptop that works great on the UConnect wireless network, you may need to change these settings when connecting from your home network.
        * If you are at home and behind a router or firewall doing NAT, enable UDP encapsulation.
        * If you are behind a corporate or remote firewall (such as at a conference/hotel), use TCP encapsulation, as it will run the VPN on a standard port, allowing you to pass through the firewall.
        * If you are on the wireless network, do not enable any encapsulation.
  • If one of these combinations does not work, it is safe to try another combination; you will just need to disconnect the VPN, make the change, and then reconnect with the new settings. The default is: check mark in "Enable Transparent Tunneling", radio button "IPSec over UDP (NAT/PAT)" selected.
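As an added troubleshooting example (not part of the wiki page) that covers both Step #3 and Step #5: this PowerShell script checks which of the TCP ports in the Step #3 list (443 and 10000) can be reached on vpnaccess.utah.edu from the network you are on right now, which tells you whether the TCP encapsulation option is worth trying. UDP 500/10000 and IP protocols 50/51 cannot be confirmed with a plain connection test, so a failure here says nothing about the UDP or no-encapsulation settings. The host name comes from the page; the function names and the timeout are my own.

```powershell
# Added example, not from the wiki: test which TCP encapsulation ports from the
# Step #3 list (443 and 10000) are reachable on the campus concentrator from the
# current network. UDP 500/10000 and IP protocols 50/51 need the VPN client itself
# to test, so this only informs the TCP choice in Step #5. Host name is from the page.
$VpnHost = 'vpnaccess.utah.edu'

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        # WaitOne returns $false on timeout (port filtered or packets silently dropped).
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused or DNS failed
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-EncapsulationOptions {
    param([string]$Server = $VpnHost)
    $results = @()
    foreach ($port in 443, 10000) {
        $results += New-Object PSObject -Property @{
            Port      = $port
            Reachable = (Test-TcpPort -Server $Server -Port $port)
        }
    }
    return $results
}

$results = Get-EncapsulationOptions
$results | Format-Table Port, Reachable -AutoSize
if (@($results | Where-Object { $_.Reachable }).Count -eq 0) {
    "Neither TCP port is reachable: check the router/firewall rules in Step #3."
}
```

Run it once from home and once from the conference or hotel network; if only port 443 shows as reachable, TCP encapsulation on the standard port is the setting to choose in Step #5.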