The following is a list of frequently-asked questions about Virtual Private Networks (VPN). Also refer to Best Practices for Using the Campus VPN for more detailed security information.
What is a VPN?
A Virtual Private Network (VPN) provides an encrypted connection (secure tunnel) from outside networks or Internet Service Providers (ISPs) to the UNC-Chapel Hill internal network. UNC has installed a Cisco VPN concentrator that allows authorized users to access network resources from off campus using an ISP dial-in, DSL or cable modem service with Onyen authentication. You can work securely, just as if you were physically on campus.
Why should I use the VPN?
Some services require the user to have an on-campus IP address/unc.edu domain name to work correctly. Connecting to campus via an Internet Service Provider does not give your computer a campus address. However, after you establish the VPN tunnel, your computer is assigned a campus IP address with a .unc.edu host name. You then have access to the same services that you can otherwise use only on campus.
How do I obtain and install the VPN?
First, you must fill out the agreement form with your Onyen and password. Before downloading the VPN client, please see the following documents for installation instructions specific to your operating system:
- Installing the VPN Client on Windows Vista/Windows 7/Windows 8
- Installing the VPN Client on Windows XP
- The built-in VPN Client on Mac
- Installing the VPN on Linux
How do I upgrade the VPN Client?
You must uninstall your current version of the client before installing the new version. On Windows, you must do this through Add/Remove Programs and not by using the Cisco client uninstaller. Once the current version has been removed, then you can install the new version.
Go to the UNC Shareware Software Page for links to updates for the VPN Client.
Who should use the VPN?
You should use the VPN if you are off-campus and need to access departmental servers and/or services that require a campus IP address. If you are off-campus and want to connect to a computer on-campus by using the Remote Desktop Protocol (RDP), security controls require that you use the VPN. Another example of when you would want to use the VPN is if you are connecting from off-campus to virtual machines on campus, such as those available at the Virtual Computing Lab or the Virtual Lab. You should also use the VPN if you need to comply with federal regulations regarding data confidentiality.
Can I use the VPN on campus?
No. The VPN will not work on campus.
Can I get a static IP address?
The VPN concentrator assigns campus IP addresses from pools, just like DHCP. There is currently no way to assign a static address to a connection on the VPN concentrator.
How does a VPN work with my computer?
The VPN client software is installed on your home computer or laptop. After you connect to the on-campus VPN Concentrator, the software client creates a secure tunnel. UNC uses Cisco Unified VPN Clients which can be used on Windows, Mac OS X, Solaris, and Linux. You will be required to authenticate with your Onyen and password.
Can I still connect to sites outside of UNC-Chapel Hill’s network with the VPN?
Currently only the Cisco IPSec client supports the split tunneling feature, which sends only the communications that go directly to campus through the tunnel and lets other traffic go directly to its destination. You will still be able to connect to sites outside of UNC, though that traffic will not be protected by the strongly encrypted tunnel.
Why isn’t the VPN Client on the CCI load?
Because of the client’s strong encryption, U.S. law requires the distribution to be highly restricted and does not allow us to add the client to the CCI load.
Will the VPN Client work on my Operating System?
The Cisco VPN client will work on Windows, Linux, Solaris, and Mac OS X.
There is a fundamental problem with using the Cisco VPN client on Windows XP. We recommend that you install at least Service Pack 1 before installing the VPN client. Please refer to Microsoft’s Announcement for more information.
Some individuals have also noticed that the Cisco VPN client that ITS currently supplies via shareware.unc.edu will not build against newer 2.6-based Linux kernels.
Will the VPN work with my router?
The VPN technology allows only a single tunnel from a remote IP address to campus. This means that only one computer at a time can connect to the VPN through a router. Please see the additional information about Linksys routers and the VPN.
Can I use an alternative to the Cisco VPN Client?
Unfortunately, only clients that support split tunneling and the encryption protocol used by the Cisco VPN client will work. This means that most available alternatives, like the Microsoft VPN Client, are ineffective. Currently we only provide support for the Cisco VPN client.
Will I notice a difference in my network connection?
No, the split tunneling feature allows seamless connections to both on and off campus resources. The VPN Dialer software will minimize to your system tray after you successfully authenticate.
Can I use two VPN Clients at the same time?
No. If you have two Cisco clients installed and try to open a second instance, you will simply see the connection window. You can only have one IPSec connection at a time. Beginning a second instance of the client for Linux or Solaris will yield the following error message: A connection already exists. You will need to disconnect before making a new connection.
Where is the Cisco documentation for the VPN Client?
The Cisco documentation for version 3.6.1 can be found here.
I changed my Onyen password and now I can no longer log into the VPN Client. What do I do?
To eliminate a saved password, you need to modify the connection entry profile; use the following procedure:
1. Select a connection entry in the display underneath the Connection Entries tab.
2. To modify the selected connection entry, do one of the following actions:
- Display the menu and choose Modify.
- Click the Modify icon on the toolbar above the Connection Entries tab.
- Right-click the selected entry and choose Modify from the menu.
3. Click Erase User Password.
4. To save your changes, click Save, or to cancel your changes, click Cancel.
With Erase User Password in effect, the next time you connect, the authentication dialog box prompts you to enter your password.
I’m getting a “not available” error message.
You may encounter the following error message: “The necessary VPN sub-system is not available. You will not be able to make a connection to the remote IPSec server.” It is likely that the Cisco VPN service did not start. Please reboot your computer, and if the problem does not clear up, go to Control Panel > Administrative Tools > Services. Look for the Cisco Systems, Inc. VPN Service and confirm that the service has started. Please also confirm that the Deterministic Network Enhancer protocol (DNE), which was installed at the same time as the VPN client, is still installed.
Why is the VPN trying to initiate a dial-up connection when I have DSL/cable modem?
Choose Properties for the connection. Under the Connections tab, make sure that the checkbox for Connect to the Internet via dial-up is unchecked if you connect to the Internet with a cable modem or DSL.
I am getting an installation error that the VPN Client is not Windows Certified. What do I do?
The warning will not affect the installation. It is OK to proceed with the installation without making any additional changes.
Why am I having problems connecting?
If you are still having problems connecting, look under Properties for your VPN connection and select the General tab. Make sure that Enable Transparent Tunneling is checked, and choose to Allow IPSec over UDP. Note that if you are connecting through a router and are experiencing intermittent connectivity, you may need to uncheck Enable Transparent Tunneling.
Why am I unable to connect to my Windows domain on campus using the VPN?
From the VPN Dialer Startup window, select Options > Windows Logon Properties > Enable start before logon. Under Properties for your network connection, choose Advanced and select the WINS tab. Enable NetBIOS over TCP/IP in order to permit Windows networking to campus.
Why am I having trouble uninstalling my VPN Client running on Windows XP?
Please see the Cisco VPN 3000 Concentrator FAQs for more details on removing the VPN client if the uninstall fails for some reason.
When I install the VPN Client on Windows XP, I see a dialog box warning me that the driver is not signed. What should I do?
The dialog box should be asking you to stop or continue. Press Continue to complete the installation. Occasionally, you will have to press Continue for two or three additional dialog boxes with the same message before the installation continues. This is just a result of Windows not updating their environment and it will NOT interfere with the remainder of the installation.
If you are using a Linksys router/firewall with your broadband connection, you must enable Block WAN Request, IPSec Pass Through and PPTP Pass Through. If you are having difficulties, try upgrading your Linksys firmware to the latest version. Note that a Linksys router will only allow one VPN session at a time. For more information about this firmware upgrade, please see Cisco’s release notes.