Skip to navigation content (Press Enter).

University Technology Services

VPN - Frequently Asked Questions

General

Will the VPN interface work with my normal network connection?

The VPN client is active only when you choose to start it. If the program is not running, then it will not affect your connection.

What the VPN server does not replace.

The VPN server provides secure ways for you to connect to campus and Internet resources. However, it is not a total security solution. The information is encrypted between the server and your machine; however, when the server relays your request to the campus or Internet resources, it is unencrypted.

Once the connection leaves the VPN server, it behaves just as a wired connection originating on the McMaster campus would behave. This means that encryption may or may not be provided, depending on the resources you access and the method you use to access them. Univmail access is encrypted between source and destination if you use the SSL connection (URL begins with https://). Other methods of email access are not automatically encrypted.

In order for the VPN service to behave as if you were located on campus, traffic does not go through the campus firewall, bypassing any protective rules operating there. This could be a problem if your home machine were infected with code which attacked other machines. Whereas the firewall may have prevented this, using the VPN service you may infect McMaster machines to which you connect. Hence, it is particularly important to ensure that the machine you use as a VPN client is up to date with the latest security patches, and runs current antivirus software.

Split Tunnel

McMaster's distribution of the AnyConnect VPN client is configured in a split tunnel mode of operation. This means that traffic to a McMaster address (130.113.x.y) is encrypted and sent to the VPN. Traffic to other destinations is sent through your ISP as it normally would and unaffected by the VPN. This makes the VPN connection more efficient by only encrypting what is necessary and reduces bandwidth waste.

VPN session timeouts

VPN sessions from a MacSecure network connection will time out after 30 minutes of inactivity, or 3 hours of continuous use. VPN sessions from off campus will time out after 30 minutes of inactivity or 24 hours of continuous use. If the VPN times out and your IPSec connection is terminated, click OK and bring up the VPN Dialer again. Important: Power management modes differ from OS to OS, and from laptop to laptop. When your computer goes into sleep mode, the Network Interface Card (NIC) may lose power and drop your Internet connection without warning. You must stop and restart the VPN client in order to reconnect.

Do I have to use the Cisco client software?

UTS supports the Cisco AnyConnect vpn clients only. Other clients might work, but they are unsupported. Use them at your own risk.

Is there a charge for the Cisco client software?

The Cisco client is freely available to McMaster community users of the VPN server. See VPN pages for a link to Download and Install Cisco AnyConnect software for more details.

Do I require an account to use VPN?

MAC ID is a unique, common identifier enabling single sign-on for a number of McMaster systems and applications. A valid MAC ID account is required for access to VPN. Further more, access to some VPN profiles is restricted to only those authorized. An explanation of MAC ID can be found at Here.

Home Firewall Issues

Most home routers from manufacturers such as SMC, NetGear, Linksys, D-Link and Microsoft work with the VPN without modification. However, some firewall software such as that found in the Linux operating system may need to be modified.

If you are running a firewall or a router for a home network, you must allow the following types of traffic to pass through: UDP port 500 (ISAKMP), IP protocol 50 (ESP), and UDP port 4500 (for use with NAT-T, for users utilizing NAT).

For PPTP, you must allow the following types of traffic to pass through your firewall: TCP/1723, TCP/139UDP/Netbios-NS, UDP/Netbios-DGM, IP/47 GRE

What smartphones work with VPN?

Supported vpn devices are detailed on the main VPN Page.

How do I connect to network drive from off-campus?

Shared Windows directories are sometimes referred to as SMB or CIFS shares. SMB - Server Message Block, CIFS - Common Internet File SystemMany customers at McMaster currently connect to shares on the UTS Office Servers. You must install and use the Cisco VPN Client in order to access these shared directories from home. Once you have established a VPN connection, you may follow these instructions in order to connect to Office Server shares:

Windows: Linking to Office Server Shares (Instructions)

Mac OSX: Linking to Office Server Shares (Instructions)

AnyConnect Specific

AntiVirus Software Conflicts

It is recommended that you disable all AntiVirus software during the installation of either the IPSec or PPTP client software as some conflicts may occur.

Windows & Multiple User Logon

If there are other users logged in to a Windows machine (even if not running a program), Cisco VPN client stalls during authentication & never completes the connection. Fix: log off other users (it is suspected that the Cisco client establishes the VPN tunnel for the whole machine, not just a particular user's session).

Firewall - connection dropping after a few minutes

Those using the Cisco VPN Client, on a system running Windows, with the Firewall feature enabled, may experience timeout problems (your session may disconnect within 5 minutes) if the following type of traffic is not allowed to pass through the firewall: UDP port 500 Any customers using a home router or "NAT" (Network Address Translation) box* should not experience any problems whatsoever.

* Devices that are used to share Internet connections within the home - connecting to Cablemodem services (e.g. Cogeco) or High-Speed DSL services (e.g. Sympatico) - from manufacturers such as SMC, NetGear, Linksys, D-Link and Microsoft.

Changes required to avoid timeout issues: Start->Control Panel->Windows Firewall Under the "General" Options Tab, ensure that the "Don't allow exceptions" is NOT checked). That is, you DO want to allow exceptions ... Next, select the Exceptions Tab ... Select "Add Port" Specify a Name for this exception, in the "Name:" field (call it anything you like. Example: UDP500) Specify 500 as your Port number. Select UDP. Select OK. Select OK again, to close the Windows Firewall window.

Is a reboot required after AnyConnect is installed/upgraded

No. Unlike the IPsec VPN Client, a reboot is not required after the AnyConnect installation/upgrade.

What platforms is Datagram Transport Layer Security

(DTLS) supported on?

DTLS is supported on WINXP/Vista/Win7/Win8/Win10/Mac OS and Linux.

Does DTLS support both 32-bit and 64-bit platforms?

Yes.

What is the difference between the SSL-Tunnel and DTLS-Tunnel?

What type of traffic goes through each?

The SSL-Tunnel is the TCP tunnel that is first created to the ASA. When it is fully established, the client will then try to negotiate a UDP DTLS-Tunnel. While the DTLS-Tunnel is being established, data can pass over the SSL-Tunnel. When the DTLS-Tunnel is fully established, all data now moves to the DTLS-tunnel and the SSL-tunnel is only used for occasional control channel traffic. If something should happen to UDP, the DTLS-Tunnel will be torn down and all data will pass through the SSL-Tunnel again.

The decision of how to send the data is very dynamic. As each network bound data packet is processed there is a point in the code where the decision is made to use either the SSL connection or the DTLS connection. If the DTLS connection is heathly at that moment, the packet is sent via the DTLS connection. Otherwise it is sent via the SSL connection.

The SSL connection is established first and data is passed over this connection while attempting to establish a DTLS connection. Once the DTLS connection has been established, the decision point in the code described above just starts sending the packets via the DTLS connection instead of the SSL connection. Control packets, on the other hand, always go over the SSL connection.

The key point is if the connection is considered healthy. If DTLS, an unreliable protocol, is in use and the DTLS connection has gone bad for whatever reason, the client does not know this until Dead Peer Detection (DPD) occurs. Therefore, data will be lost over the DTLS connection during that short period of time because the connection is still considered healthy. Once DPD occurs, data will immediately be set via the SSL connection and a DTLS reconnect will happen.

The ASA will send data over the last connection it received data on. Therefore, if the client has determined that the DTLS connection is not healthy, and starts sending data over the SSL connection, the ASA will reply on the SSL connection. The ASA will resume use of the DTLS connection when data is received on the DTLS connection.

Where are the Windows AnyConnect installation logs stored?

There are two possible locations for the install logs on Windows:

If this is a fresh install, then it will be in the USER's temp directory. This directory can be found by entering %TEMP% from the Start->run menu in Windows XP or 2K (and the search window on Vista) and then clicking ok / enter.

If this is an upgrade, then this file will be located in the SYSTEM's temp directory which is typically %SYSTEMDRIVE%\temp or %SYSTEMROOT%\temp, but might be located elsewhere.

The file has a format of WinSetup-Release-4.xxx.log, for example.

Where are the Linux AnyConnect installation logs stored?

These logs are stored in /opt/cisco/vpn.

What is the AnyConnect Reconnect Behavior?

AnyConnect will attempt to reconnect if the connection is disrupted. This is not configurable, but automatic. As long as the session on the ASA is still valid, if AnyConnect can re-establish the physical connection, the session will be resumed.

How do I uninstall Cisco Anyconnect VPN Client on Mac OS X?

If the application is still installed do this:

From the Finder go to the Applications folder.
Look for the Cisco folder and open it
Then double click on Uninstall Anyconnect to start the uninstall process
Follow instructions to uninstall VPN program

Here's the procedure for manually uninstalling the AnyConnect client from a Mac OS X system.

As root, run the following shell script from the Terminal:

$ sudo /opt/cisco/vpn/bin/vpn_uninstall.sh
You will be prompted for your password. Once you enter it, just follow the steps

If you still having trouble and/or the new Cisco Anyconnect installation complains that you have a version installed, follow these steps:

Enter these commands to clean out the old Cisco VPN kernel extension and reboot the system.

sudo -s
rm -rf /System/Library/StartupItems/CiscoVPN
rm -rf /Library/StartupItems/CiscoVPN
rm -rf /System/Library/Extensions/CiscoVPN.kext
rm -rf /Library/Extensions/CiscoVPN.kext
rm -rf /Library/Receipts/vpnclient-kext.pkg
rm -rf /Library/Receipts/vpnclient-startup.pkg
reboot

If you installed the Cisco VPN for Mac version 4.x.x package, enter these commands to delete the misplaced files. The deletion of these files will not affect your system, since applications do not use these misplaced files in their current location.

sudo -s
rm -rf /Cisco\ VPN\ Client.mpkg
rm -rf /com.nexUmoja.Shimo.plist
rm -rf /Profiles
rm -rf /Shimo.app
exit

Enter these commands if you no longer need the old Cisco VPN Client or Shimo.

sudo -s
rm -rf /Library/Application\ Support/Shimo
rm -rf /Library/Frameworks/cisco-vpnclient.framework
rm -rf /Library/Extensions/tun.kext
rm -rf /Library/Extensions/tap.kext
rm -rf /private/opt/cisco-vpnclient
rm -rf /Applications/VPNClient.app
rm -rf /Applications/Shimo.apprm -rf /private/etc/opt/cisco-vpnclient
rm -rf /Library/Receipts/vpnclient-api.pkg
rm -rf /Library/Receipts/vpnclient-bin.pkg
rm -rf /Library/Receipts/vpnclient-gui.pkg
rm -rf /Library/Receipts/vpnclient-profiles.pkg
rm -rf ~/Library/Preferences/com.nexUmoja.Shimo.plist
rm -rf ~/Library/Application\ Support/Shimo
rm -rf ~/Library/Preferences/com.cisco.VPNClient.plist
rm -rf ~/Library/Application\ Support/SyncServices/Local/TFSM/com.
nexumoja.Shimo.Profiles
rm -rf ~/Library/Logs/Shimo*
rm -rf ~/Library/Application\ Support/Shimo
rm -rf ~/Library/Application\ Support/Growl/Tickets/Shimo.growlTicket
exit

Finally this.

sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn



Service Bulletins

  • MAC ID Password Expiry

    Beginning in May 2016, MAC ID passwords at McMaster expire annually. Learn more at www.mcmaster.ca/uts/macid

Service Desk

Hours: Monday - Friday
8:30 am - 4:30 pm
Phone: 905-525-9140 x24357 (2HELP)
Email: uts@mcmaster.ca
Location: Main Campus BSB Rm. 245
Service Catalogue:
http://www.mcmaster.ca/uts

Great Idea Site

Great Idea