1. Virtual Private Networking in Windows Vista
This leaflet covers the installation, setup and troubleshooting of the components necessary to create a VPN connection to the University network (CUDN) over a modem, broadband, ADSL or remote ethernet connection. It is assumed for the purposes of this document that you already have a network connection established outside cam.ac.uk (ie outside the CUDN). This document is not about making the initial network connection.
Potential users of this service should note that, depending on the platform used and the means by which the remote computer is connected to the external ISP, the configuration of the remote computer, the client software and possible intermediate devices such as firewalls can be complex, requiring a substantial degree of technical competence.
Furthermore, because of the variety of remote computer types, operating systems and their configuration, network connections and ISPs, together with the fact that the installation is remote, the Computing Service does not undertake to provide support in configuring or sorting out problems relating to the remote end. In particular it should be noted that we are unable to provide any support in using PDAs or other mobile devices with the VPDN service and that anyone who attempts this should consider themselves to be entirely on their own.
1.1 What is a Virtual Private Network (VPN)?
A virtual private network is a network which uses encryption to provide a secure connection through an otherwise insecure network, typically the Internet. Or in other words "private data travelling over public IP infrastructure". This is not a new concept, but is becoming increasingly important as people need to access their IT resources when away from home, or when using external ISP providers. In this particular case, the connection is a VPDN (a virtual private dial-up connection).
1.2 Components necessary to establish a VPN connection
To use the VPDN service you must register by completing the online form at http://userforms.csx.cam.ac.uk/vpdn.
Windows Vista comes with the components needed to create a VPN connection to the CUDN. These include L2TP and IPSec, protocols which are needed to create this particular type of VPN. However, your machine will need to be configured to set the VPN up correctly.
You need to start by checking that the necessary Services are running on your Windows Vista computer. Go to Start>Control Panel. Choose the Classic View. Then select Administrative Tools>Services (or simply search for Services from the Start menu). Choose the Standard tab and check that IPSec Policy Agent is started (and not disabled).
If it is listed as Disabled you need to double-click on the IPSec Policy Agent line and change the Startup type from Disabled to Automatic.
You also need to check that the Base Filtering Engine service is running; if it is not, it needs to be changed in the same way as above. When you have done this, you will also need to check that the Remote Access Auto Connection Manager, the Remote Access Connection Manager and Telephony services are enabled (these can be set to Manual rather than Automatic since the computer will start them for you as necessary).
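The same check can be scripted instead of clicking through the Services console. This is an added example, not part of the leaflet; the service short names (PolicyAgent, BFE, RasAuto, RasMan, TapiSrv) are assumed from a standard Windows install, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the leaflet: check the services section 1.2 relies on.
# Run from an elevated (Run as Administrator) PowerShell prompt.
# Service short names are assumed from a standard Vista install:
#   PolicyAgent = IPsec Policy Agent, BFE = Base Filtering Engine,
#   RasAuto = Remote Access Auto Connection Manager,
#   RasMan  = Remote Access Connection Manager, TapiSrv = Telephony.
$required = @(
    @{ Name = 'PolicyAgent'; Wanted = 'Automatic'; MustRun = $true  },
    @{ Name = 'BFE';         Wanted = 'Automatic'; MustRun = $true  },
    @{ Name = 'RasAuto';     Wanted = 'Manual';    MustRun = $false },
    @{ Name = 'RasMan';      Wanted = 'Manual';    MustRun = $false },
    @{ Name = 'TapiSrv';     Wanted = 'Manual';    MustRun = $false }
)

foreach ($r in $required) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) on every PowerShell version
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($r.Name)'"
    if (-not $svc) {
        Write-Warning "Service $($r.Name) not found on this machine"
        continue
    }
    Write-Host ("{0,-12} StartMode={1,-8} State={2}" -f $svc.Name, $svc.StartMode, $svc.State)

    # The leaflet's fix: a Disabled service must be re-enabled (Automatic for the
    # IPsec and filtering services; Manual is enough for the RAS and Telephony ones).
    if ($svc.StartMode -eq 'Disabled') {
        Set-Service -Name $r.Name -StartupType $r.Wanted
        Write-Host "  -> startup type changed from Disabled to $($r.Wanted)"
    }

    # IPsec Policy Agent and Base Filtering Engine must actually be running.
    if ($r.MustRun -and $svc.State -ne 'Running') {
        Start-Service -Name $r.Name
        Write-Host "  -> started"
    }
}
```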
1.3 Setting Up the VPDN Network Connection
Assuming you still have the Classic View of the Control Panel go to the Control Panel>Network Connections>Network and Sharing Center and choose Set up a connection or network. Select Connect to a workplace (set up a dial-up or VPN connection to your workplace). Click Next.
Optional: You may then be asked if you want to Use my Internet connection (VPN) or Dial directly. Choose the former.
When prompted for the Internet Address enter vpdn-access.csx.cam.ac.uk. Unless you have another member of your family or occupant of your residence who is a member of the University, do not tick Allow other people to use this connection. Tick Don't connect now; just set it up so I can connect later. Call the Destination name something like Cambridge VPDN, so that you will remember it later.
Click Next. Enter your username (do not complete your password). Leave Domain (optional) blank. Click Create.
You will then see a screen telling you that The connection to your workplace is ready to use. Unfortunately, it is not. Click Close. You need to ensure that the properties of this connection are correct before proceeding any further.
1.4 Picking Up Your Pre-shared Key
There are two major ways to establish IPSec (IP Security) connections in Windows. One is to use certificates, and the second is to use a pre-shared key (a text string which is presented to the server as another level of proof that you are a valid user). To pick up the current pre-shared key you need to make an SSH (secure telnet) connection to vpdn-admin.csx.cam.ac.uk and pick it up from there. Unfortunately Windows Vista does not arrive with a native SSH client, so you will have to install one for yourself.
Note: The pre-shared key will probably change every so often for security reasons, so this will not be the only time you have to carry out this procedure.
The client which the Computing Service standardly uses is PuTTY which can be run from ftp://ftp.csx.cam.ac.uk/pub/pc/applications/ssh/putty.exe by double-clicking on the link. Enter vpdn-admin.csx.cam.ac.uk in the Host Name box, and ensure that the Protocol is set to SSH and the Port to 22.
You will then (if this is the first time you have connected to this server) be told that The server's host key is not cached in the registry. This is normal.
You should choose Yes to continue the connection. When prompted for a username enter vpdn and no password. You will then be prompted for your username and password.
You should then enter k (for pre-shared key) and the key will be presented to you on the screen. Copy it (Control-C).
Go to the Network and Sharing Center. Select Manage your network connections. Go to your Cambridge VPDN connection and right-click on it, selecting Properties.
Choose the Networking tab.
Choose the Type of VPN which will by default be set to Automatic and change it to L2TP IPsec VPN. Make sure that the IPv6 and File and Printer Sharing for Microsoft Networks are not ticked for security reasons.
Double-click on the IPSec Settings button. Tick Use pre-shared key for authentication and paste your pre-shared key into the dialog box.
Click OK and close the Properties box. You have now told IPSec about your pre-shared key.
1.5 Checking the VPDN Network Properties
Go back to the Network and Sharing Center. Choose Manage network connections. You will see the Cambridge VPDN connection listed. Right-click on the Cambridge VPDN icon and choose Properties.
You will see five tabs. Choose General.
Ensure that the address vpdn-access.csx.cam.ac.uk appears in the Host name box. Then select the Options tab.
Make sure that Include Windows logon domain is not ticked; the VPDN is not a Windows setup.
Now select the Security tab and then the Advanced (Custom Settings) radio button.
Make sure that only the Unencrypted password [PAP] box is ticked. Several of the other possibilities like MS-CHAP are Microsoft-only, and not suitable for our VPDN server. Make sure that Require encryption (disconnect if server declines) is selected under the Data encryption dropdown list. Click on OK; you may receive a warning message about unencrypted data. Just choose Yes and continue.
Now choose the Networking tab. Make sure that the Type of VPN is set to L2TP IPsec VPN. Under IPSec Settings make sure that Use pre-shared key for authentication is set. Click OK to close this window.
Note: The Shared tab should not be used to enable other people to use this connection unless another member of the family or household is also a member of the University.
1.6 Making the VPDN Connection
You are now ready to test your VPDN connection. Make sure that you are on-line using your usual ISP or external setup. Then double-click on your Cambridge VPDN icon.
You will be presented with the Cambridge VPDN dialog box.
Enter your username and password and click Connect. You should now be able to log into magpie via your new VPN connection.
If you now select the computer-to-computer icon in the bottom right-hand corner of the system tray and choose Details you should see something similar to the following:
You will now see a CUDN address (beginning 131.111...) as the Client IPv4 address and the address of the VPDN server (18.104.22.168) as the Server IPv4 address.
1.7 Checking that you are actually in cam.ac.uk
The simplest way to test this is to try to go to a site which is restricted to cam-only (Cambridge-only) access. The download of the anti-virus software VirusScan (licensed for all members of the University, including home use) has to be such a restricted site in order to comply with the vendor's licensing requirements. Try navigating to the PC Platform Downloads page and downloading the Windows Vista (8.5) version of VirusScan. If you can do this, then you are "in" Cambridge. Congratulations!
1.8 Shutting down your VPDN Connection
Since your VPDN connection relies on another connection being in place (ie broadband or an existing dialup connection) before it will work, setting the normal timeout limits will fail. The VPDN server and the client (your machine) exchange messages at least once a minute to make sure that the other is still there, which means that your machine is never "idle" (which most timeout mechanisms rely on to work). To close down the VPDN connection cleanly, double-click on the VPDN computer-to-computer icon in the system tray, and choose Disconnect.
There are such a variety of possible causes for the VPN connection not to work that the main ones are difficult to summarise. Under Windows Vista, the system may offer to diagnose the problem for you. This is probably a reasonable way of trying to address the problem. For example, you may be told that the DHCP service is not running, and there will be a suggestion that it is started. If this is your problem, let it happen. Other problems include a variety of spurious messages, for example one about missing or invalid certificates. If this happens, check that you have completed the configuration (including pasting in your pre-shared key) and that you worked through the tab settings in the precise order they are given in this leaflet. Otherwise you may well have problems.
A few of the other obvious problems are addressed below.
2.1 Checking if your route is set up correctly
If you can make a connection to the VPDN server but not download VirusScan, then there may be a slight problem with your routing. Sometimes Windows Vista needs a little extra help to "see" things properly. Go to Search on the Start menu and enter Command Prompt. Right-click on the result and choose Run as Administrator. At the command prompt enter
route add 22.214.171.124 <default gateway>. (If you don't know what your default gateway is, type
route print and you will see it displayed at the bottom of the screen.) Then type
You should see 126.96.36.199 listed under the Network Destination list.
2.2 If nothing seems to be happening
To check your connection, use the network command ping to see if you can "see" another computer on the network. Go to Search on the Start Menu and enter Command Prompt. At the prompt in the Command Prompt windows type the command
ping vpdn-access.csx.cam.ac.uk [Enter]. You should see output similar to the example given earlier in this document. If you do not see a response from vpdn-access.csx.cam.ac.uk, your machine is not managing to communicate with the VPN server at all. Check that the Windows Firewall or similar product is either off or properly configured (preferably the latter). If you are a ZoneAlarm user, the easiest way to do this is to add vpdn-access.csx.cam.ac.uk to the list of Trusted hosts.
2.3 If you cannot set up a VPN in the usual way
If you get to the point where you can see the option Virtual Private Network but it is greyed out, then it is almost certainly because you do not have some essential services running. Go back to 1.2 and make sure that you have the necessary services enabled.
2.4 If your VPDN connection window just hangs
If an icon with the message 'Error 792: The L2TP connection attempt failed because security negotiation timed out' appears and remains on your screen for about a minute, then there is almost certainly a security negotiation problem.
This could have a variety of causes, and is really beyond the scope of this leaflet. Clues can be obtained by pressing More Info listed above or by checking the logs in your Security event log (if it is turned on of course).
For example one error message given above includes No response from peer. This indicates that your computer is not getting any response from the VPDN server, and may well be because a firewall is not configured correctly (see 2.1).
See How to troubleshoot a Microsoft L2TP/IPSec virtual private network client connection for further diagnosis. If this does not help, then try emailing full details of the problem to the email@example.com
2.5 The Norton Security Suite and similar third-party products
If you have the Norton Internet Security Suite (which seems to be supplied by several OEMs with Vista) then you may get an 809 error when trying to connect.
Since there are a variety of Norton packages available and they change on a regular basis, it is not possible to produce a detailed troubleshooting guide. In general removal of this package and its replacement by VirusScan and the Windows Firewall will cure the problem whilst maintaining security. Users who do not wish to do this may wish to consult the relevant Symantec support pages for further information.
It is possible that you may get a similar error when using other Security Suites containing third-party firewalls eg ZoneAlarm, McAfee. In general you may be able to resolve this kind of problem by ensuring that the ports necessary to allow appropriate access are open. These are UDP Port 500 (IKE), UDP Port 4500 (NAT-T) and IP protocol number 50 (ESP).
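For the Windows Firewall case, the three allowances above can be created with netsh advfirewall, which ships with Vista. This is an added example rather than anything supplied by the Computing Service; it assumes an elevated PowerShell prompt, a working ISP connection (so the server name resolves), and rule names chosen arbitrarily here.

```powershell
# Added example, not from the leaflet: Windows Firewall rules for the three kinds of
# traffic section 2.5 names (IKE UDP 500, NAT-T UDP 4500, ESP IP protocol 50),
# scoped to the VPDN server only. Uses netsh advfirewall (present on Vista); run elevated.
$server = 'vpdn-access.csx.cam.ac.uk'

# Resolve the server once so the rules apply to it rather than to any host.
# This needs the ordinary ISP connection to be up, as the leaflet assumes.
$serverIp = [System.Net.Dns]::GetHostAddresses($server) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1
if (-not $serverIp) { throw "Could not resolve $server; is your Internet connection up?" }

# Rule names are arbitrary choices for this example (kept free of spaces for netsh).
$rules = @(
    @{ Name = 'CUDN-VPDN-IKE';   Protocol = 'UDP'; Port = 500  },
    @{ Name = 'CUDN-VPDN-NAT-T'; Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'CUDN-VPDN-ESP';   Protocol = '50';  Port = $null }   # ESP has no ports
)

foreach ($r in $rules) {
    foreach ($dir in 'in', 'out') {
        $netshArgs = @(
            'advfirewall', 'firewall', 'add', 'rule',
            "name=$($r.Name)-$dir",
            "dir=$dir", 'action=allow',
            "protocol=$($r.Protocol)",
            "remoteip=$serverIp"
        )
        if ($r.Port) {
            # IKE and NAT-T use the same UDP port at both ends of the tunnel
            if ($dir -eq 'in') { $netshArgs += "localport=$($r.Port)" }
            else               { $netshArgs += "remoteport=$($r.Port)" }
        }
        & netsh $netshArgs
    }
}

# List what was created so the result can be checked against section 2.5.
netsh advfirewall firewall show rule name=all | Select-String 'CUDN-VPDN'
```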
2.6 Further Information
Consult the following documentation for further information:
- Technet article 926282 How to configure verification of additional fields in peer certificates during IKE negotiation for L2TP/IPsec tunnel connections in Windows Vista
- Technet article 923944 List of Error Codes that you may receive when you try to make a dial-up connection or a VPN connection in Windows Vista
Microsoft Windows Vista is a registered trademark of Microsoft Corporation and screen shots are reprinted by their permission.
Document date: September 2012 Last checked: September 2012 Last updated: September 2012