University of Florida VPN Service
VPN Client Installation and Operation
Important Note: This guide covers the older Cisco IPsec-based VPN client and the operating systems' built-in L2TP/IPsec clients. Neither is recommended for most users; please use the AnyConnect client instead.
Cisco VPN Client (preferred of the two legacy clients; see the note above)
Windows (98/ME/NT/2000/XP/Vista 32bit) Installation/Configuration
Important Note: Vista 64bit is not supported by the Cisco Client. You may use the built-in L2TP client to access the VPN from Vista 64bit.
- The first step to installation is to download the client software from the "clients" section of this website.
- If you are using Windows XP, we strongly recommend installing Service Pack 2 before installing the VPN client. Service Pack 1 is the minimum required for the VPN client to work properly.
- If you are upgrading from a previous version of the Cisco VPN client, it will automatically be removed as a part of the install process. If the client is not un-installing properly, please see the Troubleshooting Guide.
- Run the application you just downloaded. On Windows NT, 2000, or XP you must have Administrator privileges to install the client; the program extracts the client and starts the install process automatically. On Windows Vista, right-click the self-extracting .exe file and select "Run As Administrator"; otherwise the install fails with DLL error messages.
- After running the installation program, you will be asked to reboot.
- Once your system comes back up, you can launch the vpn client from the Start Menu. It should be under Programs->Cisco Systems Gatorlink VPN Client->Gatorlink VPN Dialer.
Windows (98/ME/NT/2000/XP/Vista 32bit) Operation
Starting a VPN session:
- The client comes pre-configured for a full Gatorlink VPN tunnel. To start it, simply launch the Gatorlink VPN Dialer. You will see a window similar to Figure 1.
Figure 1: Gatorlink VPN Dialer
- Click the "Connect" button. You will get the User Authentication window shown in Figure 2.
Figure 2: User Authentication window
- Replace username with your Gatorlink username (leaving the @ufl.edu in place) and type in your password. The username is saved for future use. Logging in this way gives you a "full" VPN tunnel: all network traffic, except traffic to the local subnet, goes over the tunnel. See Available VPN Tunnels below for the other tunnel options and descriptions of how they work.
- Once you authenticate successfully, the window disappears and a lock icon appears in the system tray. This tells you the VPN tunnel is up and active; any traffic sent to a network other than the local subnet takes the tunnel. To display the tunnel endpoint address, connected time, and traffic levels, double-click the lock and click the down arrow at the lower right of the VPN client window shown in Figure 3.
Figure 3: VPN client window
- You can also get tunnel statistics, including encryption levels and tunnel encapsulation (useful when troubleshooting VPN connection problems), from the VPN client via Status->Statistics, shown in Figure 4.
Figure 4: Status->Statistics window
- If the User Authentication window keeps coming back after you type your password, your password is not correct. Please try again. If you suspect your Gatorlink password has expired, call the UF Computing Help Desk and have it reset.
Shutting down a VPN session:
- To close a VPN session, simply right click on the "lock" and click "Disconnect". The lock will disappear. You may also click the "Disconnect" button from the VPN client window.
Additional Windows Cisco VPN client configuration
Establish the VPN before authenticating to a Windows domain or directory
If you would like your system to authenticate to a Windows NT domain or to Windows 2000/XP Active Directory over the VPN, use the procedure for your environment:
Windows NT/2k/XP Domain
- Enable "Start VPN before logon" by going to Options -> Advanced Mode, then Options->Windows Logon Properties and checking "Enable start before logon". Note: This will disable Fast User Switching in Windows XP.
- Add your local WINS server to your network interface card configuration; the VPN does not overwrite this setting. You may have to reboot here.
- Start the VPN. This can be done either with the default tunnel or a campus only tunnel.
- Once the VPN is built, add your local machine to the domain the same way you would add any machine to the domain.
- Logout, reboot
- When the machine restarts, you should get a VPN dialog asking you to authenticate. You will then be able to authenticate to the domain and access all your MS network resources over the VPN tunnel.
Windows 2k/XP Active Directory
- Enable "Start VPN before logon" by going to Options -> Advanced Mode, then Options -> Windows Logon Properties and checking "Enable start before logon". Note: This will disable Fast User Switching in Windows XP.
- If your active directory exists within the UF Active Directory hierarchy, there should be no specific client configuration necessary. The Gatorlink VPN client automatically uses campus UFAD DNS servers. If this isn't the case, you will need to put your local DNS servers in the network interface configuration and use a campus only tunnel. The default VPN tunnel will overwrite the DNS servers with the campus UFAD nameservers.
- Start the VPN.
- Add the machine to the Active Directory tree the same way you would normally add a machine to the tree.
- Logout, reboot
- When the machine restarts, you should get a VPN dialog asking you to authenticate. You will then be able to authenticate to the active directory and access all your MS network resources over the VPN tunnel.
Firewalls and the Cisco VPN Client
Windows XP Firewall
As configured, the Cisco VPN client is compatible with the Windows XP and Vista 32-bit firewall. If you switch to "TCP" encapsulation, you will need to add the following exception to the firewall:
- From the main Windows desktop, Go to "Start Button->Settings->Control Panel"
- Double-click "Windows Firewall". A new window will pop up. Make sure the "Don't allow exceptions" checkbox is not checked.
- Click the "Exceptions" tab at the top of the screen.
- Click "Add Port" at the bottom of the screen. A new window will pop up.
- Under name, type "VPN IKE". Under Port number, enter 500 and select the "UDP" radio button just below the port field.

Figure 5: Add a Port dialog
- Click "OK". You should now see a new exception named "VPN IKE". Click OK to finish the process.
Note: We have seen the Windows Firewall occasionally drop the VPN keepalive traffic, which causes the connection to drop. This is a problem with the Windows Firewall itself; if you see this behavior often you may need to switch to another firewall.
Built in Cisco VPN Firewall
The Cisco VPN client includes a simple built-in stateful firewall. It is not very flexible, but it works. To enable it, right-click the "lock" in the system tray at the lower right of the screen and select "Stateful Firewall (always on)". Note that once enabled, the firewall stays active even when the VPN client is not in use.
Connection Types
- As shipped, the Gatorlink VPN client has two VPN profiles. The default is called ufl-vpn and should be used by all users unless they have problems making a connection (see the Troubleshooting Guide for more information). It uses a feature called "mutual group authentication" (MGA): in addition to the shared key, the VPN concentrator must present a certificate, which the client validates against a root certificate pre-installed in the Gatorlink VPN client. Because the group key is shared by every client, it alone cannot prove that the far end is the real concentrator; the certificate check is what provides the further protection against man-in-the-middle (MITM) attacks.
- There is also a "ufl-vpn-ska" profile that does not use MGA. It uses the same connection settings as the earlier 3.6.x clients, so it relies on the shared key alone.
Other Features
- The Cisco client 3.6.1 or above comes with a new feature that is disabled by default. It is called "Automatic VPN Initiation". This feature will automatically start the VPN client if you are on the campus wired or wireless authentication network. To enable this feature, go to Options->Advanced Mode (if you are not already in advanced mode) and then Options -> Automatic VPN Initiation and check the "Enable" box. Additional networks can be added to this rule set by editing the vpnclient.ini file which is usually located in C:\Program Files\Cisco Systems\VPN Client\.
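An added illustration, not from the UF guide or the shipped client: the shape of the vpnclient.ini entries that drive Automatic VPN Initiation. The key names follow Cisco's documented format for the 4.x client as I recall it, so verify them against your installed vpnclient.ini before editing; the two network ranges below are placeholders (the UF client ships its own entries for the campus authentication networks), and ufl-vpn is the profile name given under Connection Types above.

```ini
[main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=CampusWired,CampusWireless

[CampusWired]
Network=10.10.0.0
Mask=255.255.0.0
ConnectionEntry=ufl-vpn

[CampusWireless]
Network=10.20.0.0
Mask=255.255.0.0
ConnectionEntry=ufl-vpn
```

Each section named in AutoInitiationList describes one network: when the client's interface address falls inside Network/Mask, the named connection entry is started. Keep the list restricted to networks you trust to carry your login; the client will prompt for credentials on any network that matches.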
Linux kernel 2.2/2.4/2.6 Installation/Configuration
Note: The Linux client is known to work on Red Hat 9.x, Red Hat Enterprise 3.x through 5.x, Fedora Core 5-10, Ubuntu 7-8 and SuSE 9-11. It has not been tested on other distributions, and if you are using a non-distribution kernel your mileage may vary.
- The first step to installation is to download the client software from the "clients" section of this website.
- Uncompress and untar the software with tar -xvzf filename.tar.gz (case sensitive; the filename depends on the version you chose).
- You should now have a directory called vpnclient. Change into it and run ./vpn_install as root.
- You will be asked several questions that are specific to your installation of Linux and your preferences. You should choose "yes" to "start the vpn service at boot time."
- Reboot. This will ensure the vpn module is properly loaded.
Note: While rebooting, you may see the message "Starting /usr/local/bin/vpnclient: Warning: loading cisco_ipsec will taint the kernel: no license". This is nothing to worry about: it simply means the module being inserted into the kernel is not distributed under the GPL. It does not affect the stability or performance of your system.
- If you are using ipchains or iptables (iptables is the default on Red Hat 7.2 and later) or another firewall on Linux, you will need to open it for the VPN connection. If you are using transparent tunneling, which is the default for the UF client, you will need to allow the following ports to and from 128.227.166.116-118:
- TCP port 32611
- UDP port 32611
- UDP port 4500
- UDP port 500
- If you have disabled transparent tunneling, you will instead need to allow the following to and from 128.227.166.116-118:
- IP protocol 50 (ESP)
- UDP port 500
- See the ipchains/iptables documentation for your distribution for the correct way to make these changes. Alternatively, you may allow all communication between your system and 128.227.166.116-118.
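The two firewall rule sets above, as an added example that is not part of the UF guide or the Cisco client: a POSIX shell function that prints the iptables commands for either mode, one line per concentrator address, so you can review them before running them as root. The addresses and ports are the ones listed above; the chain names, the function name and the decision to match reply traffic on the concentrator's source port are my choices.

```shell
#!/bin/sh
# Added example, not from the UF guide or the Cisco client: print the iptables
# rules that let the Cisco VPN client reach the Gatorlink concentrators.
# Review the output, then run it as root:  gatorlink_fw_rules transparent | sh

CONCENTRATORS="128.227.166.116 128.227.166.117 128.227.166.118"

# gatorlink_fw_rules transparent|native -> one iptables command per line
gatorlink_fw_rules() {
    mode="$1"
    case "$mode" in
        transparent|native) ;;
        *) echo "usage: gatorlink_fw_rules transparent|native" >&2; return 2 ;;
    esac
    for host in $CONCENTRATORS; do
        # IKE on UDP 500 is needed in both modes.
        echo "iptables -A OUTPUT -p udp -d $host --dport 500 -j ACCEPT"
        echo "iptables -A INPUT  -p udp -s $host --sport 500 -j ACCEPT"
        if [ "$mode" = transparent ]; then
            # Transparent tunneling (UF default): NAT-T on UDP 4500 plus the
            # UF encapsulation port 32611 over both TCP and UDP.
            echo "iptables -A OUTPUT -p udp -d $host --dport 4500 -j ACCEPT"
            echo "iptables -A INPUT  -p udp -s $host --sport 4500 -j ACCEPT"
            for proto in tcp udp; do
                echo "iptables -A OUTPUT -p $proto -d $host --dport 32611 -j ACCEPT"
                echo "iptables -A INPUT  -p $proto -s $host --sport 32611 -j ACCEPT"
            done
        else
            # Transparent tunneling disabled: raw ESP, IP protocol 50, no ports.
            echo "iptables -A OUTPUT -p 50 -d $host -j ACCEPT"
            echo "iptables -A INPUT  -p 50 -s $host -j ACCEPT"
        fi
    done
}
```

Reply traffic is matched by the concentrator's source port to keep the rules self-contained; on a host whose INPUT chain already accepts ESTABLISHED,RELATED traffic the INPUT lines can be dropped. Pinning the rules to the three concentrator addresses, rather than opening the ports to the world, is what keeps the exception narrow.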
Linux kernel 2.2/2.4/2.6 Operation
Starting a VPN session:
- To start a VPN session, you should type the command vpnclient connect ufl-vpn
- You will be asked for your username. Enter it in the form username@ufl.edu, where username is your Gatorlink ID; it is remembered for subsequent VPN attempts. You will also be asked for your Gatorlink password. Logging in this way gives you a "full" VPN tunnel: all network traffic, except traffic to the local subnet, goes over the tunnel. See Available VPN Tunnels below for the other tunnel options and descriptions of how they work.
- If authentication succeeds, you will get a tunnel endpoint IP address notification, but you will not get a prompt back: the vpnclient command stays in the foreground. It's important that you not Ctrl-C out of the vpnclient command, as that kills your tunnel. To put vpnclient in the background, press Ctrl-Z and then type bg.
- If you would like statistics on the tunnel, you can type vpnclient stat
- Note: The Linux client also has the ufl-vpn-ska profile installed. For more information see "Connection Types" under "Additional Windows Cisco VPN client configuration" above.
Shutting down a VPN session:
- To shut down a tunnel session, just type vpnclient disconnect. You should get a message indicating the process was killed.
Macintosh OS 10.X Installation/Configuration
- The first step to installation is to download the client software from the "clients" section of this website.
- It should automatically uncompress and create an application folder on the desktop called "CiscoVPNClient".
- Double click on the "CiscoVPNClient" desktop icon.
- A new window will now open. Double click on the "Cisco VPN Client.mpkg" icon.
- The installer will launch and ask you where to install. You should select the "Macintosh HD" or equivalent (not the CiscoVPNClient virtual drive).
- Once the installer finishes, the Cisco VPN client is installed and ready to be used.
Macintosh OS 10.X Operation
- The Macintosh 10.X client is substantially similar to the Windows VPN client in its appearance and use. Please refer to the Windows section of this document for more information on using the client.
Using Built in L2TP/IPsec Clients
Windows XP L2TP/IPsec Client Configuration
Note: Only the Windows XP and Vista (both 32 and 64bit) L2TP/IPsec clients are supported and covered in this guide. Windows 2000 does have a built in client, but it is not designed for remote access connectivity without the presence of a full CA infrastructure.
- Go to Start Button->Control Panel->Network and Internet Connections.
- Select "Create a connection to the network at your workplace". A new window will appear
- Select "Virtual Private Network" connection.
- Enter "Gatorlink VPN" for the Company Name. Click Next.
- Enter "l2tp.vpn.ufl.edu" for the hostname. Click Next. Note: The first character of the hostname is a lowercase "L", not the digit one.
- Click Finish.
- Go to Start Button->Connect To->Gatorlink VPN
- Click on the Properties Button.
- Click on the "Networking" Tab.
- Under Type of VPN, select "L2TP IPsec VPN".
- Click on the "Security" Tab.
- Click on "IPsec Settings" button
- Check "Use pre-shared key for authentication" and type the key found here.
- Click OK, then OK again. You are now ready to use the Windows XP L2TP/IPsec client with the UF Gatorlink VPN service.
Windows XP L2TP/IPsec Client Use
- Go to Start Button->Connect To->Gatorlink VPN. A new window will appear.
- Type your Gatorlink username in the form username@ufl.edu. This gives you a "full" VPN tunnel: all network traffic, except traffic to the local subnet, goes over the tunnel. See Available VPN Tunnels below for the other tunnel options and descriptions of how they work.
- Type your Gatorlink password.
- You should now be connected to the UF Gatorlink VPN service. To disconnect simply right click on the appropriate "double computer" icon in the lower right hand corner of the Windows desktop and select "Disconnect".
Windows Vista 32bit/64bit L2TP client configuration
- Go to Start Button->Control Panel
- Select "Set up a connection or network"
- Select "Connect to a workplace" and click Next.
- If prompted select "Create a new connection."
- Select "Use my Internet Connection (VPN)".
- If prompted select "I'll set up an Internet connection later."
- For Internet Address type l2tp.vpn.ufl.edu (the first character of the hostname is a lowercase "L", not the digit one).
- For Destination Name type Gatorlink VPN and check "Don't Connect Now".
- Click the "Create" button and then click the "Close" button.
- Go to the Start Button->Connect To and right click on "Gatorlink VPN" and click "Properties".
- Click on the "Networking" Tab.
- Under Type of VPN, select "L2TP IPsec VPN".
- Click on "IPsec Settings" button.
- Check "Use pre-shared key for authentication". Type the key found here
- Click "OK" to close the properties window. You are now ready to use the client.
Windows Vista 32bit/64bit L2TP/IPsec Client Use
- Go to Start Button->Connect To->Gatorlink VPN. Click connect.
- Type your Gatorlink username in the form username@ufl.edu. This gives you a "full" VPN tunnel: all network traffic, except traffic to the local subnet, goes over the tunnel. See Available VPN Tunnels below for the other tunnel options and descriptions of how they work.
- Type your Gatorlink password.
- You should now be connected to the UF Gatorlink VPN service. To disconnect simply click on the "double computer" icon in the lower right hand corner of the Windows desktop and select "Connect or disconnect," then choose Gatorlink VPN and click the disconnect button.
Mac OSX 10.4-5 L2TP/IPsec Client Configuration
Note: Only the VPN client built in to MacOSX 10.4 and 10.5 is compatible with the Gatorlink remote access VPN service.
- Goto Apple->System Preferences->Network.
- Click the + button at the bottom left of the window and select "VPN" as the Interface
- Leave the VPN type as "L2TP over IPsec"
- For the Service Name enter "Gatorlink VPN" and click "Create"
- For the Server Address enter "l2tp.vpn.ufl.edu" (the first character is a lowercase "L", not the digit one).
- For the Account Name enter your Gatorlink username in the form username@ufl.edu. This gives you a "full" VPN tunnel: all network traffic, except traffic to the local subnet, goes over the tunnel. See Available VPN Tunnels below for the other tunnel options and descriptions of how they work.
- Click on the "Authentication Settings" button
- Go to the Machine Authentication section, enter the key found here as the Shared Secret, and click OK.
- Click Apply
- You are now ready to use the MacOS L2TP/IPsec client with the Gatorlink VPN remote access service.
Mac OSX 10.4-5 L2TP/IPsec Client Use
Connecting:
- Open the VPN client by going to the VPN icon in the upper right hand part of the apple menu bar and pulling the menu down.
- Select "Connect Gatorlink VPN"
- You will be asked for your password.
- Once entered, it will take 5-10 seconds for the connection to complete.
Disconnecting:
- Go to the VPN icon in the upper right hand part of the apple menu bar and pull the menu down.
- Select "Disconnect".
PocketPC 2003/Windows Mobile L2TP/IPsec Client Configuration
PocketPC 2003 and above includes a built in L2TP/IPsec VPN client. Unfortunately, this is one of the worst VPN clients we have ever seen. As a result we can't directly support it, but we have provided a guide to help people get started.
This section provides some guidance on how to configure the client, but the actual steps may vary from client to client. Additionally, the AnthaSoft VPN client may also work for some devices including non windows devices. More info can be found here. Please make sure to download a trial version and verify it works for your client before purchasing.
- Go to Start->Settings and pick the "Connections" tab.
- Click on the "Connections" Icon. A new screen will appear.
- Click on "Add a new VPN server connection"
- Change the name to "Gatorlink VPN" (optional)
- Type "l2tp.vpn.ufl.edu" for the hostname (the first character is a lowercase "L", not the digit one) and click "Next".
- Select "A pre-shared key". Type in the key found here. Click Next
- For username type your gatorlink username without the @ufl.edu. Do not fill in Password or Domain. Click finish.
- That was the easy part. Now you have to tell the client when to use the VPN connection, and this is where it gets confusing. By default, the PPC2003 VPN client uses the VPN only to reach network resources named without a fully qualified domain name (i.e. www rather than www.ufl.edu); it will not use the VPN for fully qualified names such as www.ufl.edu. Here is how to change that behavior so that everything takes the tunnel:
- From the "Connections" screen (which you should still be on from the setup), choose the "Advanced" tab and click on the "Select Networks" button.
- Make sure that the first pull-down menu is set to "My ISP" and the second to "My Work Network".
- Click on the "Exceptions" button. A new screen will appear.
- Click on "Add new URL...".
- Type *.* and click OK. Click ok until you reach the top of the Connection Manager, then click X to close.
- All Internet Explorer traffic will now take the VPN. Forcing email down the VPN requires additional configuration (as do other applications).
Forcing the PPC2003 email client to use VPN
- Open PPC2003 email client. Click on accounts menu and choose "accounts..." (an email account must already have been created).
- Click on the account name. A new window should appear.
- Click next 3 times. You should now see an "Options" button. Click on it.
- Under Connection: choose "Work". Click next 2 more times then Finish.
- Now your email will always use the VPN, but will disconnect when the email client is closed.
Available VPN Tunnels
Different VPN tunnel configurations can be used to control what traffic will take the VPN tunnel. You can specify what kind of VPN tunnel you would like by simply changing the user ID that you use to log into the UF VPN service. Currently there are three tunnel configurations that are available:
1. Full VPN Tunnel
Using a full tunnel, all network traffic to and from the VPN client will be encrypted (including all private IP networks), with the exception of traffic to and from the "local network". The local network is based on the local IP address and subnet mask assigned to your computer's network interface. This is the default tunnel type, and is recommended in most instances. You will receive a full tunnel if you log into the UF VPN service with the username@ufl.edu style gatorlink ID.
2. Campus Only VPN Tunnel
Using a campus-only tunnel, only traffic sent to and from the UF network will be encrypted (including a select group of private IP networks). All other traffic will not take the tunnel. This is the recommended tunnel type for users working from home or traveling. Note that this tunnel type does not support access to library journals and other such off campus subscription services that require a UF IP address to access. The full tunnel does support this type of access. You will receive a campus-only tunnel configuration if you log into the UF VPN service with the username@ufl.edu/campus style gatorlink ID. This tunnel is not available to L2TP over IPsec clients.
3. Departmental Tunnels
At the request of a campus department or college of reasonable size, a specific tunnel will be created for use by the members of that department or college. Members of that vpn tunnel will be placed in a known private IP subnet that is dedicated to that tunnel and will receive a custom tunnel policy. Authorization to a departmental VPN tunnel is accomplished with a list of gatorlink IDs. Access to this tunnel is accomplished by using the username username@ufl.edu/[dept] where [dept] is the assigned name of the individual tunnel. This will result in a full tunnel as described above with a known private IP subnet assigned to the client. You may also use username@ufl.edu/[dept]-campus to get a Departmental Campus-Only tunnel (not available to L2TP over IPsec clients). To request a departmental VPN tunnel, please go to net-services.ufl.edu and fill out a request.
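The login-name-to-tunnel mapping described in this section, together with the full tunnel's "local network" exception, as an added example that is not part of the UF guide (POSIX shell). The function names and the policy labels printed are mine, not names the concentrator uses; the rules encoded are exactly the ones stated above, including the fact that campus-only policies are not offered to L2TP/IPsec clients.

```shell
#!/bin/sh
# Added example, not from the UF guide: derive the tunnel policy a Gatorlink
# login selects, and apply the full tunnel's "local network" exception.

# gatorlink_tunnel_type LOGIN [cisco|l2tp] -> prints full, campus-only,
# departmental-full or departmental-campus-only; non-zero status if the
# login is malformed (2) or the policy is not offered to that client (1).
gatorlink_tunnel_type() {
    login="$1"
    client="${2:-cisco}"
    case "$login" in
        *@ufl.edu)          policy="full" ;;
        *@ufl.edu/campus)   policy="campus-only" ;;
        *@ufl.edu/*-campus) policy="departmental-campus-only" ;;
        *@ufl.edu/?*)       policy="departmental-full" ;;
        *) echo "not a Gatorlink login: $login" >&2; return 2 ;;
    esac
    # Campus-only policies are only offered to the Cisco client.
    if [ "$client" = l2tp ]; then
        case "$policy" in
            *campus-only)
                echo "$policy is not available to L2TP/IPsec clients" >&2
                return 1 ;;
        esac
    fi
    echo "$policy"
}

# ip4_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# on_local_subnet DEST LOCAL_IP NETMASK -> status 0 if DEST shares the
# client's own subnet, i.e. traffic the full tunnel leaves untunneled.
on_local_subnet() {
    dest=$(ip4_to_int "$1")
    me=$(ip4_to_int "$2")
    mask=$(ip4_to_int "$3")
    [ $(( dest & mask )) -eq $(( me & mask )) ]
}

# full_tunnel_path DEST LOCAL_IP NETMASK -> "local" or "tunnel", the
# full-tunnel routing decision for a destination.
full_tunnel_path() {
    if on_local_subnet "$1" "$2" "$3"; then echo local; else echo tunnel; fi
}
```

The local-subnet exception is worth remembering when you use a full tunnel from a hotel or coffee-shop network: with a local address of 192.168.1.20/24, every other host on 192.168.1.0/24 still reaches your machine directly and unencrypted, which is one reason the built-in stateful firewall described above is useful on untrusted networks.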