Step 9: Establish a VPN Connection
In steps 4 and 5, you created and configured both a TCP and a UDP connection entry for each VPN subnet that you will be using (e.g., VPN-General Users, VPN-Library). The table below will help you decide which connection entry to use. In general:
- When using a wireless connection on-campus, always use a UDP connection.
- When off-campus, try the TCP connection first and, if you have a problem connecting, try the UDP connection. If you are using VPN from home, you will soon determine which connection type works best with your Internet service provider and can then set it as your default connection. When travelling, the best connection type may vary from one location to the next.
| Service | Off-campus: At home | Off-campus: On the Road | On-campus: Wireless | On-campus: Wired |
|---|---|---|---|---|
| Library Licensed Resources | VPN-Library / TCP or UDP | VPN-Library / TCP or UDP | VPN not needed | VPN not needed |
| Windows File Shares | VPN-General Users* / TCP or UDP | VPN-General Users* / TCP or UDP | VPN not needed | VPN not needed |
| ACIS Services (SIS, DecisionCast, HRIS) | VPN-General Users / TCP or UDP | VPN-General Users / TCP or UDP | VPN-General Users / UDP | VPN not needed |

*You may also use the VPN-Library subnet to access these services. However, the Library subnet tunnels ALL Internet traffic through the VPN and may be slower than the General subnet (the General subnet only uses the VPN tunnel to access campus services).
You must connect using the Cisco VPN Client BEFORE you start an application that requires the use of the VPN tunnel (i.e., those that require the added security of encrypted networking).
Note for Windows machines: If you determined that your computer uses folder redirection, follow the steps for connecting before Windows login.
- CONNECT TO THE INTERNET as you normally would (i.e., DSL, cable modem, dialup). You MUST have an Internet connection before you try to establish a VPN connection.
- Launch the Cisco VPN Client application.
Windows: Start > All Programs > Cisco Systems VPN Client > VPN Client
Mac: Applications > VPN Client
- Select the Connection Entries tab.
- You will see a TCP connection entry and a UDP connection entry (e.g., General_tcp, General_udp, Library_tcp, Library_udp). Use the chart at the beginning of this section to determine which connection entry is suitable for your location and the service you plan to use. Select the appropriate connection entry and click Connect.

Note: Once you determine which connection entry works best from your remote location (i.e., tcp or udp), make that entry the default (select Connection Entries > Set as Default Connection Entry).
- OPTIONAL: If you assigned a password to this connection entry, you are asked to enter your Certificate Password now before connecting to the service.
Note: This is the optional "connection" password you created when you imported the certificate into the Cisco VPN Client. It is NOT the password you selected in NetReg.
- If you created a connection password earlier when you imported your certificate, enter the connection password now.
- If you DID NOT assign a connection password during the "Import Certificate" process, this dialog box may still display on some operating systems. If so, leave the password field blank and click OK to dismiss the dialog box.
- A VPN connection is established. You are now safe to start any applications that require the use of the VPN service. If you are unable to connect, try the second connection type (e.g. if you connected using a tcp connection entry, try the udp entry).
New VPN registrations normally take between 15 and 45 minutes from the time of creation to become fully active. If you experience connection problems with a newly registered connection, please wait 15 minutes and try again. If you still cannot connect after 45 minutes from the time of registration, please contact the Computing Services Help Center at x8-HELP(4357) or send email to advisor@andrew.cmu.edu.
Note: Although your Internet connection will not be interrupted when the VPN connection is initiated, you may lose your connection with services that are running (e.g., Outlook, Entourage, Andrew Calendar). These services may need to be relaunched.
- Windows: A padlock icon appears in your status bar. This padlock is "open" when you are disconnected from the VPN service and "closed" when you are connected.
[Images: padlock icon for "VPN disconnected" and padlock icon for "VPN connected"]
- Mac: When connected, a padlock icon appears next to the Connection Entry name within the Cisco VPN Client window. There is no indicator when the service is disconnected.

Once you are able to establish a VPN connection, your configuration process is complete. Please see the VPN Certificates: Understanding and Managing document to better understand the VPN certificates and how to manage the certificates on your machine.
While you are connected
For most of the VPN networks, communication to off-campus sites or unrestricted campus services is routed directly through the public Internet, not tunneled through the Cisco VPN Client. The software does not need to be started/stopped as you move between restricted and unrestricted sites. This ensures that unrestricted services are not slowed by the Cisco VPN Client software.
If you registered for the VPN-Library network, all of your Internet traffic will be tunneled through the Cisco VPN Client. This allows you to access restricted databases that the Libraries subscribe to, but which are not hosted on campus. Because the databases are outside of the Carnegie Mellon network, all of your Internet traffic needs to go through the VPN, so that it can be properly handled. However, this also means that your unrestricted Internet communication may be slowed because it is routed through the VPN. We recommend that you disconnect your connection with the Cisco VPN Client when you do not need to access restricted Library services.
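The difference between the two tunnel behaviours described above comes down to which routes point at the VPN adapter. The following is an added example, not part of the original documentation or the Cisco VPN Client: it applies longest-prefix matching to two constructed routing tables to show which destinations would be tunneled. The interface names (`vpn0`, `eth0`), the address ranges and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing tables: (destination prefix, outgoing interface).
# Assumptions: "vpn0" is the tunnel adapter, "eth0" the ordinary Internet link,
# 198.51.100.0/24 stands in for campus networks, 192.0.2.1 for the VPN gateway.
GENERAL_ROUTES = [            # split tunnel: only campus prefixes use the VPN
    ("0.0.0.0/0", "eth0"),
    ("198.51.100.0/24", "vpn0"),
]
LIBRARY_ROUTES = [            # full tunnel: default route points into the VPN
    ("0.0.0.0/0", "vpn0"),
    ("192.0.2.1/32", "eth0"),  # encrypted packets to the gateway still leave directly
]


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match for destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def is_tunneled(routes, destination, tunnel_iface="vpn0"):
    """True when traffic to destination would enter the VPN tunnel."""
    return egress_interface(routes, destination) == tunnel_iface


def tunnel_mode(routes, tunnel_iface="vpn0"):
    """Classify a table as 'full', 'split' or 'none' from its tunnel routes."""
    tunnel_nets = [ipaddress.ip_network(p) for p, i in routes if i == tunnel_iface]
    if any(n.prefixlen == 0 for n in tunnel_nets):
        return "full"
    return "split" if tunnel_nets else "none"


if __name__ == "__main__":
    for name, table in (("General", GENERAL_ROUTES), ("Library", LIBRARY_ROUTES)):
        print(name, tunnel_mode(table),
              "campus via VPN:", is_tunneled(table, "198.51.100.25"),
              "off-campus via VPN:", is_tunneled(table, "203.0.113.10"))
```

Some VPN clients implement a full tunnel with two /1 routes rather than a default route; `tunnel_mode` as written would report that layout as split.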
Last Updated: 02/20/08