Fermilab Site VPN Frequently Asked Questions: Last Updated 9/15/2003 D.T
General:
1. What is a Fermilab Site VPN Account? What benefit do I get from this account?
2. I use Network Address Translation (NAT) between my home system(s) and my ISP. Will the VPN work with NAT?
3. I have read that some ISPs block VPN. Is this likely to be a problem?
4. Does Kerberos work with VPN-connected systems?
5. I have a local network at home. Is it OK to forward traffic from my other home systems through my VPN-connected system, using NAT?
6. Do I need firewall or Anti-Virus software?
7. Can I set up multiple VPN connections simultaneously?
8. Does Fermilab Site VPN support Split Tunnel?
9. What is the difference between the tunnel default gateway and the default gateway?
10. What authentication mechanisms does Fermilab's Cisco VPN 3000 Concentrator support for client PCs?
Registration:
1. Who can request a Fermilab Site VPN account?
2. How do I register for a Fermilab Site VPN account, and what steps are required?
3. Why don't my username and password work for the VPN Client download page?
4. What is my VPN username, and what are the password restrictions?
Software:
1. Where do I download the VPN Client software?
2. What is the purpose of the Profile file I downloaded, and what do I do with it?
3. Why can't I mount Fermilab file shares after connecting to the VPN? I keep getting a user failure.
4. Can I start the VPN Client before logging on to the FERMI Domain?
5. Why does my VPN session disconnect unexpectedly with the message "Remote peer has terminated connection"?
6. Why does the VPN Server keep prompting me for username/password when I am sure they are correct?
7. What support is available for VPN issues?
8. Can I change my VPN password via the VPN Client without calling the Helpdesk?
Cisco VPN Client:
1. Will Cisco VPN Client v4.0 coexist with another installed VPN client?
2. How can I tell what address was assigned to me after establishing a VPN Client connection?
3. What operating system versions support the Cisco VPN Client?
4. Is Windows 95 OSR2+ supported in Cisco VPN Client v4.0?
5. Do I need to be an Administrator on Windows NT/2000/XP to install the client?
6. Can the Cisco VPN Client work with Microsoft Internet Connection Sharing (ICS) on the same machine?
7. When installing the VPN Client on Windows XP and Windows 2000, is the multi-user interface disabled?
8. My VPN Client seems to only connect to certain addresses. I am running Windows XP. What should I do?
9. What does "Error msg: failed to find the uninstall file..." mean when uninstalling the VPN Client, and how do I complete the uninstallation?
10. What operating systems are supported by non-Cisco commercial vendors?
11. How can I make the VPN Client for Linux move to the background after execution?
12. Can I use NetMeeting and other H.323 or internal instant-messaging applications with Cisco VPN Client v4?
13. Is Cisco VPN Client v4.0 "digitally signed" by Microsoft?
General:
Q. What is a Fermilab Site VPN Account? What benefit do I get from this account?
A. A Fermilab Site VPN (Virtual Private Network) account gives users several advantages. It provides an encrypted tunnel into the lab, so traffic crossing the Internet cannot easily be sniffed. It gives your home system a Fermilab address (131.225.x.x) and node name, so you can reach services or systems that are restricted to Fermilab addresses. The VPN tunnel also bypasses some of the site/service border router blocks, including those for NetBIOS, web servers, RPC, and remote printing. The flip side is that a VPN-connected home system is treated like an on-site system, so the firewall, anti-virus and traffic-forwarding rules below apply to it.
Q. I use Network Address Translation (NAT) between my home system(s) and my ISP. Will the VPN work with NAT?
A. Yes, the VPN tunnel will work properly from home system(s) that use NAT addresses.
Q. I have read that some ISPs block VPN. Is this likely to be a problem?
A. No. ISPs that block VPNs typically block the IP protocols ESP (50) and AH (51). The Cisco VPN implementation encapsulates the tunnel in UDP rather than sending ESP or AH packets directly, so those blocks do not affect it. During a lengthy and extensive VPN Pilot Project, no problems with ISP-blocked VPNs were encountered.
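As an added illustration (not part of this FAQ and not Cisco's code), the following Python snippet parses a minimal IPv4 header and applies the kind of filter such an ISP uses: packets carrying IP protocol 50 (ESP) or 51 (AH) are dropped, while the same payload wrapped in UDP passes. The UDP ports 500 (IKE), 4500 (NAT-T) and 10000 (Cisco's IPsec-over-UDP default), the addresses, and the packets themselves are constructed for the example and are not values taken from the FAQ.

```python
import struct

# IANA IP protocol numbers
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51

# UDP ports the tunnel may use. Assumed values for the example, not from the FAQ:
# 500 = IKE, 4500 = IPsec NAT-Traversal, 10000 = Cisco "IPSec over UDP" default.
TUNNEL_UDP_PORTS = {500, 4500, 10000}


def build_ipv4(proto, payload, src="192.168.1.10", dst="131.225.0.1"):
    """Build a minimal IPv4 header (no options, zero checksum) in front of payload.
    Addresses are constructed for the example (home NAT host -> a lab address)."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """Minimal UDP header (zero checksum) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from raw IPv4 bytes; raise on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total < ihl:
        raise ValueError("bad header length")
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), pkt[ihl:total]


def isp_filter(pkt):
    """Model of an ISP that drops native IPsec (ESP/AH) but passes UDP.
    Returns ('drop' | 'pass', reason)."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto in (PROTO_ESP, PROTO_AH):
        return "drop", f"native IPsec protocol {proto}"
    if proto == PROTO_UDP:
        if len(payload) < 8:
            return "drop", "truncated UDP header"
        _sport, dport = struct.unpack("!HH", payload[:4])
        if dport in TUNNEL_UDP_PORTS:
            return "pass", f"UDP-encapsulated tunnel traffic to port {dport}"
        return "pass", f"UDP to port {dport}"
    return "pass", f"protocol {proto}"


if __name__ == "__main__":
    inner = b"\x00" * 32  # stand-in for an ESP packet body
    for name, pkt in [("native ESP", build_ipv4(PROTO_ESP, inner)),
                      ("native AH", build_ipv4(PROTO_AH, inner)),
                      ("ESP in UDP", build_ipv4(PROTO_UDP, build_udp(4500, 10000, inner)))]:
        print(f"{name:11s} -> {isp_filter(pkt)}")
```

The filter looks only at the IP protocol field, which is exactly why UDP encapsulation slips past it; an ISP that also blocked the UDP ports would stop the tunnel, but that was not observed in the pilot.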
Q. Does Kerberos work with VPN-connected systems?
A. Yes. WRQ Reflection versions 8.0 through 10.0 work with Fermilab's VPN, but v10.0 is required if your home system uses a NAT address. Please see your System Administrator for a WRQ Reflection license. The NAT restriction is a Kerberos one: a ticket normally carries the client's IP address, and the service rejects it when the address it sees (the NAT or tunnel address) does not match. On Linux you can obtain an addressless ticket with the command "kinit -n" (on a stock MIT Kerberos kinit the equivalent flag is -A).
Q. I have a local network at home. Is it OK to forward traffic from my other home systems through my VPN-connected system, using NAT?
A. Definitely not. Your VPN-connected system is logically part of the Fermilab network. Using NAT to forward packets from other systems through it is a violation of the Laboratory's Policy on Computing. If you have multiple systems at home requiring VPN access to the Laboratory, you must set up a VPN connection from each system.
Q. Do I need firewall or Anti-Virus software?
A. The Cisco VPN Client has a built-in "Stateful Firewall". Anti-Virus software is highly recommended, because while the tunnel is up your VPN-connected home system is effectively an on-site system. Please see your System Administrator for licenses.
Q. Can I set up multiple VPN connections simultaneously?
A. No. Multiple VPN accounts are not allowed, and an account is limited to one active session at a time (see the "Maximum Session Limit" question under Software).
Q. Does Fermilab Site VPN support Split Tunnel?
A. Yes. Fermilab Site VPN supports split tunneling: all traffic between your home system and the laboratory (131.225.x.x) is sent through the encrypted tunnel, while all other Internet traffic is routed through your usual path. Because your system is then reachable from the Internet and the lab network at the same time, the firewall and anti-virus advice above and the prohibition on forwarding traffic from other home systems apply.
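As an added example (not from the FAQ and not the Cisco client's code), here is the route-selection logic behind split tunneling, written in Python with longest-prefix matching: the lab prefix 131.225.0.0/16 is sent to the tunnel interface, a home LAN stays local, and everything else goes out the ISP default route. A full-tunnel table is shown beside it for contrast. The home LAN 192.168.1.0/24, the interface names, and the destination addresses are assumptions made up for the example.

```python
import ipaddress

# The only prefix taken from the FAQ is the lab's 131.225.0.0/16.
FERMILAB = ipaddress.ip_network("131.225.0.0/16")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN
ANY = ipaddress.ip_network("0.0.0.0/0")             # default route


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, interface) pairs.
    Returns the interface that traffic to dst would leave through."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def split_tunnel_routes():
    """Split tunnel: only lab destinations enter the tunnel; the home LAN and the
    rest of the Internet keep their usual paths."""
    return [(FERMILAB, "vpn"), (HOME_LAN, "eth0"), (ANY, "isp")]


def full_tunnel_routes():
    """Full tunnel: everything except the local LAN is forced through the tunnel."""
    return [(HOME_LAN, "eth0"), (ANY, "vpn")]


def classify(routes, destinations):
    """Map each destination to its egress interface under the given table."""
    return {d: lookup(routes, d) for d in destinations}


if __name__ == "__main__":
    # Constructed destinations: a lab host, a home-LAN host, an arbitrary Internet host.
    dsts = ["131.225.10.20", "192.168.1.5", "198.51.100.7"]
    print("split tunnel:", classify(split_tunnel_routes(), dsts))
    print("full tunnel: ", classify(full_tunnel_routes(), dsts))
```

The split-tunnel table is what makes the forwarding prohibition above matter: the VPN-connected host holds a route into the lab and a route onto the home LAN at the same time, so enabling IP forwarding or NAT on it would bridge the two networks.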
Q. What is the difference between the tunnel default gateway and the default gateway?
A. The VPN 3000 Concentrator uses the tunnel default gateway to route the tunneled users within the private network (usually the inside router). The VPN Concentrator uses the default gateway to route packets to the Internet (usually the outside router).
Q. What authentication mechanisms does Fermilab's Cisco VPN 3000 Concentrator support for client PCs?
A. Currently users are authenticated via a RADIUS server. In the future, Windows Domain, RSA SecurID (SDI), or digital certificate authentication may be supported.
Registration:
Q. Who can request a Fermilab Site VPN account?
A. Any Fermilab employee, scientific user, or contractor with a valid Fermilab ID and a valid e-mail account is eligible for a Fermilab Site VPN account. The e-mail account requirement ensures the user has agreed to the "Proper Computing Usage Policy" and the "Fermilab Policy on Computing".
Q. How do I register for a Fermilab Site VPN account? And what steps are required?
A. The VPN registration process works as follows:
1. Point your browser to the link below, and fill out the form in its entirety.
https://www-dcn.fnal.gov/vpn/vpn_reg.cgi
2. You will receive an email with information on where to obtain the VPN client software.
3. Download both the Cisco Client and the Profile, and install the client onto your home system.
4. Contact the HELPDESK at (630)840-2345 during normal business hours to activate your account. There is a two-hour delay between registration and when the account can be activated. Verify your VPN account username with the HELPDESK; it should be in the format <firstname.lastname>.
Q. Why don't my username and password work for the VPN Client download page?
A. The username and password for the Client download page are shared credentials that are regenerated weekly (12:30am Monday). If the password has expired, contact the HELPDESK for the current one.
Q. What is my VPN username, and what are the password restrictions?
A. Your username is your full name as it appears in CNAS, in the form <firstname.lastname>; it is not case sensitive. You can verify your username with the HELPDESK after filling out the VPN account Registration Form. The password must be either 8 or 9 characters long and must contain both letters and digits. Some special characters may be used.
Software:
Q. Where do I download the VPN Client software?
A. After a successful VPN account registration you will receive an e-mail with a link to the VPN client download page. The download page is protected by a Group username and password, separate from your personal VPN account, which you must request from the Helpdesk at (630)840-2345 during business hours (it changes weekly). Enter the Group username and password, select the VPN Client OS type, and download both the Client and the Profile to a local directory. The download instructions are at https://fndcg0.fnal.gov/vpn/vpnsign.cgi.
Q. What is the purpose of the Profile file that I have downloaded onto my system? And what do I do with it?
A. The Profile file contains parameters specific to the Fermilab Site VPN, such as the VPN Concentrator's server IP address and the encrypted password used to establish the encrypted tunnel. There are several ways to give the Profile to the Cisco VPN Client. If the Profile file is in the same directory as the expanded installer files, it is copied into the correct directory automatically during the VPN Client install.
Or, after the Client install, use the Import function and point the application to where the Profile is located.
Or, on Microsoft Windows, simply move the Profile file to c:\Program Files\Cisco Systems\VPN Client\Profiles.
Do not edit this file; a modified Profile is likely to make your VPN authentication fail. Because it carries a password, handle it like a credential rather than a public configuration file.
Q. Why can't I mount Fermilab file shares after connecting to the VPN? I keep getting a user failure.
A. Make sure NTLMv2 is enabled on your system: set the DWORD value LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 3 (send NTLMv2 responses only).
Q. Can I start the VPN Client before logging on to the FERMI Domain?
A. Yes. Start the VPN Client, open Options > Windows Logon Properties..., put a check mark next to "Enable start before logon", and click OK.
Q. Why does my VPN session disconnect unexpectedly with the message "Remote peer has terminated connection"?
A. There are two kinds of time-out on a user session. The Idle Timeout is 30 minutes: a session with no traffic for that long is disconnected. The Maximum Session Timeout is 12 hours: a session is disconnected once it has been up for 12 hours, regardless of activity. Either expiry produces this message; reconnect to continue working.
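The following Python model, added here as an illustration and not part of the FAQ or the concentrator's software, reproduces the two time-outs: it records when a session came up and when it last carried traffic, and reports which limit fires first. The 30-minute and 12-hour values are the ones stated above; the event lists are constructed for the example.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60        # seconds, from the FAQ
MAX_SESSION = 12 * 60 * 60    # seconds, from the FAQ


@dataclass
class Session:
    started: float        # time the tunnel came up
    last_activity: float  # time of the last packet seen on the tunnel


def check_session(s, now, idle=IDLE_TIMEOUT, maximum=MAX_SESSION):
    """Return None if the session may continue, else the reason it is dropped.
    The maximum session limit applies even to a user who is actively sending."""
    if now - s.started >= maximum:
        return "max-session-timeout"
    if now - s.last_activity >= idle:
        return "idle-timeout"
    return None


def expiry(s, idle=IDLE_TIMEOUT, maximum=MAX_SESSION):
    """Earliest moment the concentrator will drop the session, with the reason."""
    idle_at = s.last_activity + idle
    max_at = s.started + maximum
    return (max_at, "max-session-timeout") if max_at <= idle_at else (idle_at, "idle-timeout")


def simulate(events, idle=IDLE_TIMEOUT, maximum=MAX_SESSION):
    """Replay (time, kind) events, kind being 'up' (tunnel established) or 'pkt'
    (traffic seen). Returns (time, reason) of the first disconnect; if no event
    reaches it, returns the projected expiry of the session still up."""
    s = None
    for t, kind in sorted(events):
        if s is not None:
            when, reason = expiry(s, idle, maximum)
            if t >= when:
                return when, reason
        if kind == "up":
            s = Session(started=t, last_activity=t)
        elif kind == "pkt" and s is not None:
            s.last_activity = t
    return expiry(s, idle, maximum) if s is not None else None


if __name__ == "__main__":
    # Constructed timelines (seconds): a user who walks away, and one who stays busy.
    idle_user = [(0, "up"), (600, "pkt"), (3000, "pkt")]
    busy_user = [(0, "up")] + [(t, "pkt") for t in range(1200, 13 * 3600, 1200)]
    print("idle user:", simulate(idle_user))   # dropped 30 min after last packet
    print("busy user:", simulate(busy_user))   # dropped at the 12 hour mark
```

A practical consequence: a client that sends periodic traffic never hits the idle limit but will still be cut at 12 hours, and a session that dropped without a logout keeps counting against the account until its own idle timer expires, which is the "Maximum Session Limit" symptom described next.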
Q. Why does the VPN Server keep prompting me for username/password when I am sure they are correct?
A. If the username/password is correct, you are probably exceeding your "Maximum Session Limit": a previous session that was not logged out is still counted against your account until it times out. Always log out of your VPN session when you have finished with it.
Q. What support is available for VPN issues?
A. For VPN Server problems, contact the Computing Division Helpdesk at helpdesk@fnal.gov or x2345. For Client issues, contact your Local Support Administrators, or use the VPN users mailing list, vpn-users@fnal.gov.
Q. Can I change my VPN password via the VPN Client without calling the Helpdesk?
A. No. The Cisco VPN Client currently does not support changing the user password. Contact the Helpdesk at (630)840-2345 during business hours to change your password.
Cisco VPN Client:
Q. Will Cisco VPN Client v4.0 coexist with another installed VPN client?
A. The Cisco VPN Client v4.0 has introduced some architectural changes that allow it to coexist better with other VPN clients on the system. System interoperability has been verified with the Microsoft Windows Layer 2 Tunneling Protocol (L2TP) IPsec VPN client and the Nortel VPN client. Other VPN clients may now coexist, but would not be formally supported by Cisco.
Q. How can I tell what address was assigned to me after establishing a VPN Client connection to a VPN Concentrator?
A. The VPN Client icon on the taskbar lets you view the status of your private network connection. Right-click the icon and select Status from the pop-up menu. On the Status screen, you can see the Client IP address and the Server IP address.
Q. What operating system versions support the Cisco VPN Client?
A. Supported and Tested...
* Microsoft Windows 98, 98 SE, ME, NT 4.0, 2000, and XP (Windows 95 is no longer supported; see the next question)
* Solaris 2.6
* Linux 2.2.12 and 2.2.14
* Mac OS 10.0 (Mac OS X), 10.1, and later
Q. Is Windows 95 OSR2+ supported in Cisco VPN Client v4.0?
A. No. Windows 95 pre-OSR2 has not been supported since v2.5, and version 4.0 no longer supports Windows 95 OSR2 either.
Q. Do I need to be an Administrator on Windows NT/2000 or Windows XP machines in order to load the client?
A. Yes. You must have Administrator privileges to install the VPN Client on Windows NT, 2000 and XP, because these operating systems require Administrator privileges to bind to existing network drivers or to install new ones. The VPN Client is networking software, so Administrator privileges are required to install it.
Q. Can the Cisco VPN Client work with Microsoft Internet Connection Sharing (ICS) installed on the same machine?
A. No. The Cisco VPN Client is not compatible with Microsoft ICS on the same machine. ICS must be uninstalled before the VPN Client can be installed.
Q. When installing the VPN Client on Windows XP and on Windows 2000, is the multi-user interface disabled?
A. The installation disables the welcome screen and the fast user switching.
Q. My VPN Client seems to only connect to certain addresses. I am running Windows XP. What should I do?
A. Verify that the built-in Windows XP firewall (Internet Connection Firewall) is disabled. The VPN Client's own stateful firewall, mentioned above, is separate from it and remains in place.
Q. What does it mean when I get "Error msg: failed to find the uninstall file..." while trying to uninstall VPN Client? Also, what needs to be done to successfully complete uninstallation?
A. Check the Network Control Panel to ensure that the Deterministic NDIS Extender (DNE) was not installed. Then look at the uninstall information in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall: delete the key {5624C000-B109-11D4-9DB4-00E0290FCAC5} (a registry key, not a file) and retry the uninstallation.
Q. What operating systems are supported by non-Cisco commercial vendors?
A. The following are supported by third-party commercial vendors; the Data Communications and Network Group provides no support or testing for them.
* Mac OS 8 and 9: supported by Netlock (www.netlock.com)
* Palm PDA/Palm OS 3.5: supported by MovianVPN V3.x (www.certicom.com)
* Handheld or Pocket PC/Windows CE: supported by MovianVPN V3.x (www.certicom.com)
* Microsoft native PPTP, V5.2+: supported by Microsoft
* Microsoft native L2TP/IPSec, V6.0+: supported by Microsoft
Q. How can I make the VPN Client for Linux move to the background after execution? If I initiate a connection such as vpnclient connect foo, I get in, but the shell is not returned.
A. After signing on, type the following to suspend the client and then resume it in the background:
^Z
bg
Q. Can I use NetMeeting and other H.323 applications or internal instant-messaging applications with Cisco VPN Client v4?
A. Yes, version 4.0 introduces a VPN Interface Adapter (Virtual Adapter) for Windows 2000 and XP, which allows these and other applications that may not have operated previously, to now operate properly.
Q. Is Cisco VPN Client v4.0 "digitally signed" by Microsoft?
A. When v4.0 first shipped, the new VPN Interface Adapter driver could not be signed in time. Microsoft has since signed the network interface driver; the signed driver is included in Cisco VPN Client v3.6.4 patch releases and later, including current v4.0 releases.