Iowa State University IT

Using a Virtual Private Network (VPN) with the Iowa State Network (Windows 2000, XP)

published by Information Technology Services

Handout WNG 334 - June 2006

Introduction

Virtual private networking (VPN) enables you to log into the Iowa State network in a safe and secure way. A VPN connection uses encryption and "tunnels" through most network restrictions. Once you have logged into the Iowa State VPN, your computer becomes a "virtual" campus computer with access to campus network services.

When you are logged in, the VPN client functions as a virtual network connection. All network traffic that is destined for Iowa State is routed over this virtual network connection. All other network traffic is routed through your usual network connection.

1 Installing the VPN Client

IT Services uses Cisco Systems, Inc. VPN equipment. To use the Iowa State VPN, you must install the Cisco VPN client. Scout, an installation program, is used to automatically download, install, and configure the VPN client for use at Iowa State. To install the VPN client:

  1. Start Scout.
  2. To display advanced Scout kits, click "Configure", then "Advanced", and then "Done".
  3. To install the VPN client, click the "VPN Client" button and then follow the instructions.
  4. To display current Scout kits, click "Configure", then "Current", and then "Done".
  5. Click "Exit" to close Scout.

To download a copy of Scout, go to: http://www.it.iastate.edu/downloads/. Then click on download Scout for XP Pro, 2000, and Vista.

2 Using VPN Certificates

The Iowa State VPN service uses certificates to secure the channel between you and the VPN server. To use the Iowa State VPN service, you must first get VPN certificates for each machine on which you have installed the VPN client. There are two certificates you need: the root certificate, which lets your client check that it is talking to the real Iowa State VPN server, and a certificate specific to your Iowa State Net-ID, which identifies your machine to that server.

2.1 Creating Certificates

Follow these steps for each machine where you use the VPN client.

  1. Go to http://asw.iastate.edu/ and log in.
  2. Click "Manage User" and then "Manage VPN Certificates". If you have never created a certificate before, you will see a button marked "Create My ITS VPN Certificate". Click it and then click "Next".
  3. Click "Get the Root ITS VPN CA Certificate". This will download a file called root.pem.
  4. Click "Fetch My ITS VPN Certificate". This will download a file called netid-import.crt, where netid is your Iowa State Net-ID.

2.2 Installing Certificates

Follow these steps on each machine where you use the VPN client.

  1. From the Start menu, click "Programs", then "Cisco Systems VPN Client", and finally "VPN Client".
  2. Select the Certificates tab and click the "Import" button.
  3. In the window that pops up, click "Browse" and navigate to where you downloaded the root.pem file (it will show up as "root"). Click "Open", then "Import". Click "OK" in the window that says the certificate was successfully imported.
  4. Click the "Import" button once again. In the window that pops up, click the "Browse" button and navigate to the file you downloaded called netid-import.crt (it will show up as netid-import, and in both cases netid will be your Iowa State Net-ID). Click "Open", then "Import". Click "OK" in the window that says the certificate was successfully imported.
  5. Select the Connection Entries tab. Highlight "Iowa State University VPN" and click "Modify". Under Authentication, choose Certificate Authentication and set "Name" to the certificate with your name on it. Do this even if your name is already shown: if you have replaced the certificate, the entry still refers to the old one and the connection will fail until you reselect it. Click "Save".

2.3 Revoking Certificates

Revoke certificates only if needed.

Revoke your certificate if you lose it, if a machine holding it is lost, stolen or compromised, or if you suspect someone else has a copy. The certificate does not contain your Net-ID password, but it is what identifies your machine to the VPN server, and it is stored and used without a password of its own (you leave the certificate password empty in sections 2.4 and 3.1), so anyone who can copy the file from your machine can present it in your place. That gives them a small chance of intercepting your login to the VPN server and getting your Net-ID password that way. To revoke the certificate, log on at http://asw.iastate.edu/, click "Manage User", then "Manage VPN Certificates", and then "Revoke My ITS VPN Certificate".

After revoking your certificate, you will have to create a new one and then download and install it on each of the machines where you use the VPN service. Instructions on doing this are in sections 2.1 and 2.2.

2.4 Removing Certificates

Remove certificates only if needed.

  1. In the VPN Client, click on the Certificates tab.
  2. Go under the Certificates menu and select "Show CA/RA Certificates".
  3. Highlight the certificate with your name on it and click "Delete". When it asks you for the certificate password, leave the box empty and click "OK". When it asks you to confirm the deletion, click "Delete". Do the same for the Solution Center certificate.

2.5 Certificate Expiration

Your user certificate will expire one year after it was created. Unfortunately, the VPN client does not report any usable error when your certificate expires; it just gives an error saying "the remote peer is no longer responding". If you see error messages like this, check when your certificate expires by opening the VPN client and selecting the Certificates tab. The Validity column will show the certificate as invalid.

If your certificate is invalid, follow the steps in section 2.4 to delete it, and then follow the steps in sections 2.1 and 2.2 to create and install a new certificate. If the certificate page on ASW goes straight to the download links instead of offering "Create My ITS VPN Certificate", the expired certificate is still on record (expired certificates are removed once a day, so one that expired earlier the same day is still listed). In that case revoke it by following the steps in section 2.3, then create and install a new one as described in sections 2.1 and 2.2.

Note that when your certificate expires, you will have to download and replace it on each machine where you use the VPN Client.

3 Using the VPN Client

3.1 Logging In

  1. From the Start menu, click "Programs", then "Cisco Systems VPN Client", and finally "VPN Client".
  2. Select "Iowa State University VPN".
  3. Click the "Connect" icon.
  4. When it asks for your Certificate Password, just click "OK".
  5. Enter your Iowa State Net-ID for Username and your password for Password. Click "OK".
  6. Dismiss any message windows.

3.2 Hints

3.3 Logging Out

Right-click the little yellow VPN icon in the system tray and click "Disconnect".

4 Questions and Answers

How does a VPN provide security?

The VPN software encrypts all network traffic that is destined for Iowa State University and sends it as a single stream of data to the Iowa State VPN server. The VPN server deciphers the data and places your network traffic onto the Iowa State network. The encrypted data can only be deciphered by the VPN server.

Why would I want to use the Iowa State VPN?

A VPN connection is desirable for several reasons:

What happens to my network traffic? Does all of it go through the VPN?

No. When you are connected to the VPN, the traffic is split. Traffic that is not destined for Iowa State travels over your regular network connection and is not encrypted. Only Iowa State network traffic uses the VPN.

Does my network setup change?

Yes, a second "virtual" network adapter is automatically added to your system. To your computer, it acts like a second network device has been added. This second virtual network adapter carries all of the VPN traffic. There is no need to modify the settings in this second network adapter.

Will my cable or DSL router work with VPN?

This is a connection-sharing issue. Whether VPN will work or not depends on the capabilities of your hardware.

Some popular cable or DSL routers are only capable of sustaining one IPSec connection at a time. Since the Iowa State VPN uses the IPSec protocol, this means that only one attached computer can use the VPN at a time. If you find that only one of your computers can use the VPN at a time, then it is likely that your cable or DSL router is in this class. Check the manufacturer's web support site for more information.

If you are buying a new cable or DSL router, look for a model that is designed specifically for VPN use and is capable of supporting multiple IPSec sessions. Most router companies offer equipment that can do this.

I live in an apartment complex that includes Internet access. Will the Iowa State VPN work from my apartment?

It depends on what router equipment has been installed in your apartment complex. Our testing indicated potential problems with computers that are sharing a network connection (NAT/PAT). Certain older routers will not allow multiple VPN connections to be made. The routers in your apartment complex would need to be upgraded to address that issue.

I am able to successfully use the Iowa State VPN but the next time I try to connect, the connection fails. What's going on?

The VPN assigns your computer a new IP address each time it connects, and the authentication process caches that address on the local computer. If a second VPN connection is started, the process sometimes picks up the cached information from the first connection, which causes a conflict. Logging out of SideCar (that is, destroying your Kerberos tickets) before starting a second connection clears this.

What does the error message "The Remote Peer is no longer responding" mean?

The VPN client does not report any usable error message when your certificate expires or is otherwise invalid. It just gives the error message above. If you see this error message, you can check when your certificate expires by opening the VPN client and selecting the Certificates tab. Under Validity, it will say the certificate is invalid.

To fix this, follow the steps in section 2.5 of this document. Note that when your certificate expires, you will have to download and replace it on each machine where you use the VPN client.
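Section 2.5 and this answer both have you read the expiry date by eye in the client's Certificates tab. As an added example (not part of the ITS handout or of the Cisco client), the shell function below checks a downloaded certificate file directly with OpenSSL, which it assumes is installed. The file names netid-import.crt and root.pem are the ones from section 2.1; the optional second argument is a window in seconds, so you can be warned ahead of the one-year expiry instead of after it.

```bash
# Added example (not from the ITS handout): check a VPN certificate's
# expiry with OpenSSL, because the Cisco client only reports "the remote
# peer is no longer responding" when the certificate has expired.
# Assumes OpenSSL is installed and the certificate is PEM encoded
# (root.pem is; if netid-import.crt turns out to be DER, add "-inform DER").

# vpn_cert_status CERT [SECONDS]
#   Prints the subject and the notAfter date, then returns
#     0 if the certificate is still valid SECONDS from now (default 0),
#     1 if it has expired or will expire within that window,
#     2 if the file cannot be parsed as a certificate.
vpn_cert_status() {
    cert="$1"
    window="${2:-0}"
    if ! openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null; then
        echo "not a readable certificate: $cert" >&2
        return 2
    fi
    # -checkend exits 0 when the certificate is still valid at now+window
    # and 1 when it expires before then (an already expired one included).
    if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "OK: valid for at least $window more seconds"
        return 0
    else
        echo "EXPIRED or expiring within $window seconds: revoke, recreate and reinstall (sections 2.3, 2.1, 2.2)"
        return 1
    fi
}

# Usage: warn 30 days (2592000 seconds) before the one-year expiry.
# vpn_cert_status netid-import.crt 2592000
```

Run it against netid-import.crt whenever you see the "remote peer" error, or once a month with the 30-day window to replace the certificate before it stops working; root.pem can be checked the same way.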

What ports are blocked to incoming traffic on the Iowa State campus network?

As of 18 November 2003, additional blocked ports include TCP 135-139, 445 and 593 (Windows RPC, NetBIOS and SMB file sharing) and TCP 4444 (the port the Blaster worm used for its remote shell).

Will this affect my ability to access my Iowa State email?

No, Iowa State email is directed through ports that are not blocked.

What port does the Iowa State VPN use?

The Iowa State VPN uses UDP port 10000 for communications (Cisco's IPsec-over-UDP encapsulation, which is what lets the tunnel pass through NAT/PAT routers). If you run a firewall you control, make sure outbound UDP to port 10000 is permitted.

What IP numbers does the Iowa State VPN use?

The IP numbers the Iowa State VPN uses are of the form 10.15.xxx.xxx. These are private (RFC 1918) addresses that are only meaningful inside the campus network.



Using a Virtual Private Network (VPN) with the Iowa State Network (Windows 2000, XP) was written by Wayne Hauber and Frank Poduska and updated by Thomas Kula.

For more assistance, contact the Solution Center by phone at 515.294.4000, on the web at http://www.it.iastate.edu/help/, by email at solution@iastate.edu, or in person at 195 Durham Center.