Frequently Asked Questions About Virtual Private Network (VPN) Troubleshooting
General
Will the VPN interface work with my normal network connection?
The VPN client is active only when you choose to start it. If the program is not running, it will not affect your connection.
Do I have to use the Cisco or Movian client software?
For non-palmtop operating systems (Windows, Macintosh, or Unix), the Cisco client is the only client supported by MCCCD.
If you have a palmtop system (Windows CE or PalmOS), you will need to install the Movian client from Certicom. Certicom is also responsible for Movian client support. We will make all reasonable efforts to ensure that our VPN systems are accessible by Movian clients.
Note: Certicom no longer sells single licenses; the smallest available unit is 25 licenses. However, they may soon have resellers that will sell single licenses. Watch their website for more information.
Is there a charge for the Cisco or Movian client software?
For non-palmtop operating systems (Windows, Macintosh, or Unix), the Cisco client is freely available to end-users. See "Downloading and Installing Cisco VPN client software" for more details.
If you have a palmtop system (Windows CE or Palm OS), you will need to purchase Movian client software from Certicom. See the purchase section of their website for the latest pricing information.
Is there PalmOS or Windows CE support?
A third-party client from Certicom, called MovianVPN, is available for these platforms.
Note: Certicom no longer sells single licenses; the smallest available unit is 25 licenses. However, they may soon have resellers that will sell single licenses. Watch their website for more information.
Is there Windows XP support?
The latest version of the Windows 2000 client also works with Windows XP. See "Downloading and installing Cisco VPN Software" for more information.
Windows-specific:
Uninstall or disable "Internet Connection Sharing".
Windows 95
Uninstall or disable "Internet Connection Sharing" before installing this software.
Users must also have the Winsock2 and Dial Up Networking 1.3 software installed. You may download them in a combined installer from Microsoft. Read the instructions on the System Requirements link on the download page before starting the download.
http://www.microsoft.com/ntserver/nts/downloads/recommended/dun13win95/default.asp
Windows 98
Uninstall or disable "Internet Connection Sharing" before installing this software.
To disable ICS, use any of the following methods:
- If the ICS icon appears on the taskbar, right-click the icon and then click Disable Internet Connection Sharing. This method disables ICS without restarting the computer.
- If the ICS icon does not appear on the taskbar, click Start, point to Settings, click Control Panel, double-click Internet, click the Connection tab, click the Sharing tab, select the Disable Internet Connection Sharing check box, click OK, and then click OK. This method also disables ICS without restarting the computer.
- To permanently disable ICS, use the Ics.adm policy file located in the Tools\Mtsutil\ICS folder on the Windows 98 Second Edition CD-ROM. Loading the Disable Internet Connection Sharing option disables the ability to route requests to the Internet and to hand out IP addresses on any computer that loads this profile.
Windows ME
Uninstall or disable "Internet Connection Sharing" before installing this software.
1. Open Network Connections.
2. Click the dial-up, local area network, PPPoE, or VPN connection you want to share, and then, under Network Tasks, click Change settings of this connection.
3. On the Advanced tab, clear the Allow other network users to connect through this computer's Internet connection check box.
Windows NT, 2000 and XP systems
There are three ways to disable ICS: through the Desktop, through the Control Panel, or through the Registry. We will only cover the first two, Desktop and Control Panel.
Desktop
To disable ICS through the Desktop, use the following steps. Right-click on My Computer and select Manage > Services and Applications > Services. Right-click Windows Firewall/Internet Connection Sharing (ICS), change the startup type to Disabled, and stop the service. IPSec can be disabled in the same fashion.
Control Panel
To disable ICS through the Control Panel, use the following steps. Go to Start > Settings > Control Panel > Administrative Tools > Services. Right-click Windows Firewall/Internet Connection Sharing (ICS), change the startup type to Disabled, and stop the service. IPSec can be disabled in the same fashion.
Why can't I browse Network Neighborhood?
The instructions given in "Downloading and installing Cisco VPN client software" concentrate on using the VPN server with Internet networking protocols (TCP/IP). To access networked resources through the Windows Network Neighborhood you will need the following:
Windows 95/98/ME
If you are running Windows 95, you will need to update your winsock and dial up networking.
If you are running a personal firewall, you may have to decrease your security settings in order to connect to the VPN network.
First you will need to verify your network settings.
- Click Start, then go to “Settings”, then “Control Panel”.
- Double click on the "Network" icon.
- In the Network window, double click “Client for Microsoft Networks”. It is recommended to have “Windows Logon” as your Primary Network Logon. Next click the “Identification” tab and change the “Work Group” to DO.
- In the “Client for Microsoft Networks Properties” window, be sure to check “Log on to Windows NT domain”. Then enter DO as the “Windows NT domain:”.
- Once you have made these changes, you will need to reboot your computer before you can go any further. After your computer has rebooted, you may connect to the VPN to verify that your changes are correct.
- Once you have successfully logged on to the VPN concentrator, you will be required to log on to the DO domain. In this window enter your DO username and password again. Be sure DO is entered as the Domain. Then click “OK”.
Windows XP/2000
- First, make sure that your VPN client is already correctly handling the TCP/IP-based communications. If you cannot connect to the VPN concentrator or to an MCCCD internal web site while the tunnel connection is up, you should resolve those issues before configuring the VPN client for the Network Neighborhood.
- To verify that you have received the correct DNS and WINS IP addresses, open a DOS shell and run "ipconfig /all" after the VPN connection has been established. You should see the following entries:
DNS Servers . . . . . . . . . . . : 140.198.8.15 and 104.198.8.14
Primary WINS Server . . . . . . . : 140.198.8.4
Secondary WINS Server . . . . . . : 140.198.8.5
- Depending on your ISP and your configuration, you may or may not correctly receive the WINS IP addresses needed to connect to the Windows Network Neighborhood area of the MCCCD network. If Network Neighborhood is not properly populated, you need to tell your machine how to find the district WINS servers, located at 140.198.8.4 and 140.198.8.5.
- If you want to be prompted to connect to the VPN before you log onto your computer, you can modify the settings of the VPN client. Double click on the VPN dialer, click on "Options", then select "Windows Logon Properties" and make sure the settings are as shown.
- Now when you press Ctrl-Alt-Delete to log on to Windows you will be prompted to connect to the VPN. After you have established a VPN connection you can complete the Windows logon. This will enable you to log directly onto the DO domain. Remember to use your DO username and password to log onto Windows or you will not be authenticated.
- Remember, if you are running a personal firewall, you may have to decrease your security settings in order to connect to the VPN network.
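The "ipconfig /all" check above is easy to get wrong by eye when the output is long, so here is an added example (not part of the original page or of the Cisco client) that parses that output and reports whether the DNS and WINS entries listed above are present. The sample outputs embedded in it are constructed, and the function names (parse_ipconfig, check_vpn_addresses) are the example's own. Run it as-is to see both the good and the missing-WINS case, or save the real output of "ipconfig /all" to a file and pass the file name as the first argument.

```python
import re
import sys

# Addresses the VPN connection should hand out, as listed on this page.
EXPECTED = {
    "DNS Servers": {"140.198.8.15", "104.198.8.14"},
    "Primary WINS Server": {"140.198.8.4"},
    "Secondary WINS Server": {"140.198.8.5"},
}

# Constructed sample of 'ipconfig /all' output with the VPN tunnel up.
GOOD_OUTPUT = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 140.198.8.15
                                            104.198.8.14
        Primary WINS Server . . . . . . . : 140.198.8.4
        Secondary WINS Server . . . . . . : 140.198.8.5
"""

# Constructed sample where the ISP/router path dropped the WINS addresses,
# the failure mode described in the "Depending on your ISP" item above.
NO_WINS_OUTPUT = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 140.198.8.15
                                            104.198.8.14
"""

# Field lines look like 'DNS Servers . . . : 1.2.3.4'; extra values for the
# same field follow on indented lines that contain no colon.
FIELD_RE = re.compile(r"\s+(.*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from 'ipconfig /all' output."""
    adapters = {}
    current = None
    last_field = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" ") and line.endswith(":"):
            # Adapter header, e.g. 'Ethernet adapter Local Area Connection:'
            current = line[:-1]
            adapters[current] = {}
            last_field = None
            continue
        if current is None:
            continue  # lines under 'Windows IP Configuration' (host name etc.)
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(field, [])
            if value:
                adapters[current][field].append(value)
            last_field = field
        elif last_field is not None:
            adapters[current][last_field].append(line.strip())
    return adapters


def check_vpn_addresses(text, expected=EXPECTED):
    """Map each expected field to 'ok', 'missing' or 'unexpected: <values>'.

    Values are collected across all adapters because the name of the
    adapter the VPN client creates differs between client versions."""
    seen = {}
    for fields in parse_ipconfig(text).values():
        for field, values in fields.items():
            seen.setdefault(field, set()).update(values)
    result = {}
    for field, want in expected.items():
        got = seen.get(field, set())
        if not got:
            result[field] = "missing"
        elif got == want:
            result[field] = "ok"
        else:
            result[field] = "unexpected: " + ", ".join(sorted(got))
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"good sample": GOOD_OUTPUT, "no-WINS sample": NO_WINS_OUTPUT}
    for name, text in samples.items():
        print(name)
        for field, status in check_vpn_addresses(text).items():
            print(f"  {field}: {status}")
```

A "missing" result for the two WINS fields is the case the next item describes: the tunnel is up and DNS is fine, but Network Neighborhood stays empty until the machine is told where the district WINS servers are.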
How do I map a network share?
There are two ways to do this. First:
1. Right-click on Network Neighborhood (NT) or My Network Places (2000).
2. Select the Map Network Drive option.
3. On the Map Network Drive window, a drive letter will be assigned; if you wish to change the drive letter you may do so by clicking on the down arrow for Drive: and selecting one of the available letters.
4. On the Path: line, type \\do-admin3\foldername$. Replace foldername with the name of the folder to which you want to map. Please use lowercase and don’t forget the $.
5. Be sure to check the “Reconnect at Logon” box if it does not already have a checkmark.
6. Click OK/Finish.
7. To verify that the drive was mapped correctly, open My Computer.
8. Left-click on View and select List.
9. Review the list and verify that foldername$ on ‘do-admin3’ (drive letter) is listed.
Second:
1. Click on Start and select Run. Type in \\do-admin3\foldername$, then press OK.
2. You should now be in the shared directory you listed above.
3. Drag either of the two icons circled in red into Network Neighborhood or onto your desktop. This creates a shortcut rather than a mapped drive; it does not use a drive letter or try to connect to the share at logon.
Using software-based firewalls with the VPN server
In order for the VPN server to work through any software-based firewall you may have installed on your Windows computer, you will need to tell your firewall that traffic from the VPN server (140.198.253.251) is allowed in. Each software firewall has different controls; as an example, we've documented how to configure the free edition of ZoneAlarm. (This is not a product endorsement, just an example.)
To configure the free edition of ZoneAlarm to work with the MCCCD VPN server:
- Open ZoneAlarm.
- Select the Security tab.
- Verify that the Local security setting is set to medium.
- Click Advanced, then Add, then IP Address.
- Enter "MCCCD VPN" in the Description box.
- Enter the IP address of the VPN Concentrator (140.198.253.251).
- Click OK twice.
Some firewalls will have a more complex configuration procedure than this. For more information on configuring firewalls to pass data on specific ports, see "Firewall Ports" later on this page.
Problems after installing service packs
Installing some service packs (notably Windows 2000 Service Pack 3 or the Internet Explorer 6 service packs) can overwrite some libraries that the VPN client needs to operate correctly.
If you are having problems after installing a service pack, uninstall the VPN client (under Control Panel > Add/Remove Programs) and then reinstall it. The VPN client should work correctly after reinstallation.
Windows XP hangs
This problem is caused by the interaction of the VPN client (even when not active) and the Microsoft QoS feature. Since the QoS feature is not required for networking, we recommend that you disable it as follows:
- From the Start menu, select Control Panel. When the Control Panel window opens, double-click Network Connections.
- Right-click on one of the network connections shown, and choose Properties. In the resulting window, click on the "QoS Packet Scheduler" item; it will be highlighted and its description will appear.
- With the QoS Packet Scheduler highlighted, click the Uninstall button.
- You will be presented with a screen that warns you that this will remove the QoS Packet Scheduler from all connections. Click Yes.
After the QoS Packet Scheduler is uninstalled, we recommend rebooting the system. From this point on, you should be able to use the VPN and your modem correctly.
It has been reported, but not confirmed, that this bug may appear on Windows 2000 machines as well. If anyone has encountered it on Windows 2000, please contact the MCCCD Help Desk so that we can add the relevant information to this page.
Macintosh-specific:
Occasional error messages when upgrading to OS X ver. 10.2
Some users have reported error messages when running some versions of the Cisco VPN client on Macintosh OS X version 10.2.
Native IPSEC support in OS X ver 10.2
We do not have sufficient information to determine whether the built-in IPSEC capability in 10.2 will work with our VPN concentrator.
The Cisco client has been tested and is the supported client for connecting to the MCCCD VPN. The native IPSEC capability of the OS is at this point untested and unsupported.
Troubleshooting:
Screen savers, hibernation/sleep mode, and the VPN software
On several operating systems, the Cisco VPN client will have problems when the system engages a screen saver, goes into hibernation, or goes into sleep mode. This is because the VPN client expects to have constant communication with the concentrator. When the system goes into a state of lower activity, some hardware devices can also be put into standby, including wireless and Ethernet cards. If this is done, it interrupts the network connection the VPN client is using to communicate with the server.
On Macintosh versions 7.5 to 9.x, putting the Macintosh into sleep mode while the VPN client software is running can freeze the Macintosh. You should always log out of the VPN client software and exit it before putting your pre-OS X Macintosh into sleep mode.
On Windows, some network cards are put into standby when a screen saver engages or hibernation starts. While there have not been reports of Windows machines freezing, the VPN client often becomes unable to communicate with the server even after the screen saver or hibernation has ended and normal network card activity resumes. Stopping and restarting the client will not solve the problem; you will need to reboot the system in order to be able to connect correctly again. As with a Macintosh, you should always log out of the VPN client software and exit it before letting your system go into screen saver or hibernation mode.
This has not been reported as an issue for Unix or Mac OS X users.
I can't seem to connect. What do I do?
- Can you connect without the VPN to your usual Internet Service Provider? If you can't connect to your ISP even when you're not trying to use the VPN, the problem is related to the ISP rather than the VPN system specifically. Contact your ISP's technical support department for assistance.
- For cable modem and DSL users only: there are several factors that may affect users who connect via cable modem or DSL that dialup users may not experience.
One common device that many cable modem users have attached to their home network is a cable modem router. Most cable modem routers act as firewalls and Network Address Translation (NAT) devices. Both the firewall rules and the NAT may affect their ability to connect via VPN.
The Cisco client has a check box for NAT transparency. The first suggested course of action for these users is to try to connect with that box unchecked. If that doesn't work, try again with it checked. (See "About NAT Transparency" below for how to know if the NAT transparency check box affects you.)
Firewall ports
It is also imperative that the firewall rules allow the VPN traffic to pass. Many of these devices are not configured to pass such traffic by default; you may need to reconfigure them yourself in order to permit the VPN connection. Configuration of these devices is beyond the scope of this document. However, the ports that are required for VPN traffic are:
| Service | Protocol number | Source port | Destination port |
| PPTP Control Connection | 6 (TCP) | 1023 | 1723 |
| PPTP Tunnel Encapsulation | 47 (GRE) | N/A | N/A |
| ISAKMP/IPSEC Key Management | 17 (UDP) | 500 | 500 |
| IPSEC Tunnel Encapsulation | 50 (ESP) | N/A | N/A |
| IPSEC NAT Transparency | 17 (UDP) | 10000 (default) | 10000 (default) |
If none of the above steps have helped:
For further assistance, contact the Help Desk at (480) 731-8632 or helpdesk@domail.maricopa.edu.
I can connect, and the VPN works for a while, but then it stops working. What do I do?
- Your computer goes into screen saver/hibernation/standby mode, or powers down the network card to save energy. This is further explained in the hibernation item above.
About NAT Transparency:
Checking the NAT Transparency box when it is not needed may prevent the client from working properly. When attempting to connect from a new location, follow this test sequence:
- First, try connecting without NAT Transparency (leave the box unchecked).
- If that does not work, then try checking the box and selecting "Allow IPSEC over UDP".
- If that does not work, try selecting "Use IPSEC over TCP".
- If none of those options work for you, contact the Help Desk at (480) 731-8632 or helpdesk@domail.maricopa.edu.
Here's why you should try troubleshooting NAT in this order:
The NAT Transparency box is needed if a user is behind a NAT device that is doing PAT (Port Address Translation) rather than a 1-to-1 NAT. This is common when there are a limited number of routable IP addresses available and many non-routable IP addresses are being mapped to one routable IP address. Some ISPs and some cable/DSL routers may use PAT for this purpose.
If you can connect and authenticate to the VPN server, but are not able to pass traffic, more than likely you will need to turn on the NAT Transparency check box in the VPN client. If you are not able to authenticate to the VPN server, the NAT Transparency box may not by itself fix the problem.
If the VPN client can specify a port for NAT Transparency, there are two ports that the client can try. The VPN server is configured for NAT Transparency on port 80 and port 10000. (Port 80 is the new default for the client and server software; port 10000 is provided as an alternate port in case you are behind a firewall or other device that may interfere with port 80 traffic.) You can configure either of these ports in your client if prompted for a port when the NAT Transparency box is checked.
If the VPN client cannot specify a port for NAT Transparency, it will use port 80 when the NAT box is checked. If you are using both NAT behind a device that blocks port 80 traffic and a VPN client that cannot specify the alternate port 10000, you may not be able to use the VPN server unless you can work without either the block on port 80 or the NAT device.
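The "Firewall ports" table and the NAT Transparency reasoning above combine into a single decision: which required flows does the device in front of you let through, and which client option follows from that. Here is an added example (not part of the original page or of the Cisco client) that models a home router as a list of outbound allow rules plus a PAT flag, checks every flow from the table against it, and then lists the connection options to try in the order this page recommends. The Rule and Device classes, the sample HOME_ROUTER, and the function names are the example's own assumptions; the protocol numbers, ports, and the order of options come from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IP protocol numbers from the table

# Flows the VPN needs, from the "Firewall ports" table on this page.
# A port of None means the protocol has no port (GRE, ESP).
REQUIRED_FLOWS = [
    ("PPTP Control Connection", TCP, 1723),
    ("PPTP Tunnel Encapsulation", GRE, None),
    ("ISAKMP/IPSEC Key Management", UDP, 500),
    ("IPSEC Tunnel Encapsulation", ESP, None),
    ("IPSEC NAT Transparency", UDP, 10000),
]

# Ports the VPN server accepts NAT Transparency on, per the text above:
# 80 is the client default, 10000 the alternate.
NAT_T_PORTS = (80, 10000)


@dataclass
class Rule:
    """One outbound allow rule on a home router (constructed model, not any
    vendor's configuration format)."""
    protocol: int
    dst_port: Optional[int] = None  # None: any port, or protocol has none


@dataclass
class Device:
    """The router between the client and the Internet."""
    rules: List[Rule]
    does_pat: bool  # PAT: many private hosts share one routable address


def flow_allowed(device, protocol, dst_port):
    """True if some rule permits this protocol/port combination."""
    return any(
        r.protocol == protocol and (r.dst_port is None or r.dst_port == dst_port)
        for r in device.rules
    )


def missing_flows(device):
    """Names of required flows from the table that the device does not pass."""
    return [name for name, proto, port in REQUIRED_FLOWS
            if not flow_allowed(device, proto, port)]


def nat_transparency_plan(device, client_can_set_port):
    """Options to try, in the order this page recommends, keeping only those
    the device's rules could let through.

    UDP 500 (IKE) is needed in every case: without it the client cannot
    authenticate, which the text says NAT Transparency alone will not fix."""
    if not flow_allowed(device, UDP, 500):
        return ["UDP 500 is blocked: fix the firewall before anything else"]
    steps = []
    # 1. Plain IPSEC (ESP) works through a 1-to-1 NAT but not through PAT.
    if not device.does_pat and flow_allowed(device, ESP, None):
        steps.append("connect with NAT Transparency unchecked")
    # 2. IPSEC over UDP: port 80 by default; 10000 only if the client can
    #    be told to use the alternate port.
    candidate_ports = NAT_T_PORTS if client_can_set_port else (80,)
    for port in candidate_ports:
        if flow_allowed(device, UDP, port):
            steps.append(f"check NAT Transparency, Allow IPSEC over UDP, port {port}")
    # 3. IPSEC over TCP is the last client-side option the page lists.
    steps.append("check NAT Transparency, Use IPSEC over TCP")
    steps.append("if still failing, contact the Help Desk")
    return steps


# Constructed example: a cable modem router doing PAT that passes IKE, UDP
# 10000 and all TCP, but drops ESP, GRE and UDP 80.
HOME_ROUTER = Device(
    rules=[Rule(UDP, 500), Rule(UDP, 10000), Rule(TCP)],
    does_pat=True,
)

if __name__ == "__main__":
    print("Required flows not passed:", missing_flows(HOME_ROUTER))
    for can_set in (True, False):
        print(f"Client can set NAT-T port: {can_set}")
        for step in nat_transparency_plan(HOME_ROUTER, can_set):
            print("  -", step)
```

With HOME_ROUTER the report shows GRE and ESP blocked, so PPTP and plain IPSEC cannot work; a client that can select port 10000 gets "Allow IPSEC over UDP, port 10000" as its first option, while a client stuck on port 80 is left with "Use IPSEC over TCP", which is exactly the port-80 corner case the last paragraph above describes.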