VPN - Frequently Asked Questions
- Which wireless standard does McMaster use?
- Will the VPN interface work with my normal network connection?
- Is the VPN required to use the MacConnect Wireless network?
- What the VPN server does not replace.
- Split Tunnel
- VPN session timeouts
- Do I have to use the Cisco client software?
- Is there a charge for the Cisco client software?
- Do I require an account to use the MacConnect network?
- Home Firewall Issues
- What smartphones work with VPN?
- How do I connect to shared Windows directories from off-campus?
Windows-Specific
- AntiVirus Software Conflicts
- Windows XP & Multiple User Logon
- XP Firewall - connection dropping after a few minutes
AnyConnect Specific
- What level of rights is required for the AnyConnect client?
- Is a reboot required after AnyConnect is installed/upgraded?
- What platforms is Datagram Transport Layer Security (DTLS) supported on?
- Does DTLS support both 32-bit and 64-bit platforms?
- What is the difference between the SSL-Tunnel and DTLS-Tunnel? What type of traffic goes through each?
- Does AnyConnect standalone mode require the system to have Internet Explorer (IE) installed?
- Where are the Windows AnyConnect installation logs stored?
- Where are the Linux AnyConnect installation logs stored?
- What is the AnyConnect Reconnect Behavior?
- Does AnyConnect 2.x support both x86 (32-bit) and x64 (64-bit) Vista?
General
Which wireless standard does McMaster Wireless use?
The most common standards today are 802.11g and 802.11n (also known as "wireless G" and "wireless N", respectively). Wireless N is faster than wireless G, though routers that support wireless N are also more expensive. Most new devices—like smartphones and laptops—support the faster wireless N. McMaster wireless supports wireless G and N at some locations.
Will the VPN interface work with my normal network connection?
The VPN client is active only when you choose to start it. If the program is not running, then it will not affect your connection.
Is the VPN required to use the MacConnect Wireless network?
Although the VPN is optional, you should use the MacSecure wireless network to ensure your wireless traffic is encrypted over the airwaves. It is not necessary to use both MacSecure and the VPN.
What the VPN server does not replace
The VPN server provides secure ways for you to connect to campus and Internet resources. However, it is not a total security solution. The information is encrypted between the server and your machine; however, when the server relays your request to the campus or Internet resources, it is unencrypted.
Once the connection leaves the VPN server, it behaves just as a wired connection originating on the McMaster campus would behave. This means that encryption may or may not be provided, depending on the resources you access and the method you use to access them. Univmail access is encrypted between source and destination if you use the SSL connection (URL begins with https://). Other methods of email access are not automatically encrypted.
In order for the VPN service to behave as if you were located on campus, VPN traffic does not pass through the campus firewall, so any protective rules operating there are bypassed. This could be a problem if your home machine were infected with code that attacks other machines: where the firewall might have blocked that traffic, over the VPN you could infect the McMaster machines you connect to. Hence it is particularly important that the machine you use as a VPN client is up to date with the latest security patches and runs current antivirus software.
Split Tunnel
McMaster's distribution of the AnyConnect VPN client is configured in a split tunnel mode of operation. This means that traffic to a McMaster address (130.113.x.y) is encrypted and sent through the VPN. Traffic to other destinations is sent through your ISP as it normally would be and is unaffected by the VPN. This makes the VPN connection more efficient by encrypting only what is necessary and reduces wasted bandwidth.
VPN Session Time-outs
VPN sessions from a MacConnect network connection (wired and wireless) will time out after 30 minutes of inactivity, or 3 hours of continuous use. VPN sessions from off campus will time out after 30 minutes of inactivity or 24 hours of continuous use. If the VPN times out and your IPSec connection is terminated, click OK and bring up the VPN Dialer again. Important: power management modes differ from OS to OS, and from laptop to laptop. When your computer goes into sleep mode, the Network Interface Card (NIC) may lose power and drop your Internet connection without warning. You must stop and restart the VPN client in order to reconnect.
Do I have to use the Cisco AnyConnect software?
UTS supports the Cisco AnyConnect VPN client only. Other clients might work, but they are unsupported; use them at your own risk.
Is there a charge for the Cisco client software?
The Cisco client is freely available to McMaster community users of the VPN server. See VPN pages for a link to Download and Install Cisco AnyConnect software for more details.
Do I require an account to use the MacConnect network?
MAC ID is a unique, common identifier enabling single sign-on for a number of McMaster systems and applications. A valid MAC ID account is required for access to the VPN. Furthermore, access to some VPN profiles is restricted to authorized users only. An explanation of MAC ID can be found here.
Home Firewall Issues
Most home routers from manufacturers such as SMC, NetGear, Linksys, D-Link and Microsoft work with the VPN without modification. However, some firewall software, such as that found in the Linux operating system, may need to be modified. If you are running a firewall or a router for a home network, you must allow the following types of traffic to pass through: UDP port 500 (ISAKMP), IP protocol 50 (ESP), and UDP port 4500 (NAT-T, for users behind NAT). For PPTP, you must allow the following types of traffic to pass through your firewall: TCP/1723, TCP/139, UDP/NetBIOS-NS, UDP/NetBIOS-DGM, and IP protocol 47 (GRE).
What smartphones work with VPN?
Supported VPN devices are detailed on the main VPN page.
Connecting to shared Windows directories
Shared Windows directories are sometimes referred to as SMB (Server Message Block) or CIFS (Common Internet File System) shares. Many customers at McMaster currently connect to shares on the UTS Office Servers. You must install and use the Cisco VPN client in order to access these shared directories from home. Once you have established a VPN connection, you may follow these instructions in order to connect to Office Server shares:
- Windows 2000/XP: Linking to Office Server Shares (Instructions)
- For Mac OS X, or various versions of Linux and UNIX, you can use the smbclient command. For example, to link to the "Q" or "common" departmental drive, where "X" is 1, 2 or 3, and "DEPT" is the abbreviation for your department (discuss this with your UTS Client Services representative if you have any questions about this), use: smbclient //osX/DEPTcommon$ -U AP1/your_MAC_ID
AntiVirus Software Conflicts
It is recommended that you disable all AntiVirus software during the installation of either the IPSec or PPTP client software as some conflicts may occur.
Windows XP & Multiple User Logon
If there are other users logged in to a Windows XP machine (even if not running a program), Cisco VPN client stalls during authentication & never completes the connection. Fix: log off other users (it is suspected that the Cisco client establishes the VPN tunnel for the whole machine, not just a particular user's session).
XP Firewall - connection dropping after a few minutes
Those using the Cisco VPN Client, on a system running Windows XP, with the Firewall feature enabled, may experience timeout problems (your session may disconnect within 5 minutes) if the following type of traffic is not allowed to pass through the firewall: UDP port 500
Any customers using a home router or "NAT" (Network Address Translation) box* should not experience any problems whatsoever.
* Devices that are used to share Internet connections within the home - connecting to Cablemodem services (e.g. Cogeco) or High-Speed DSL services (e.g. Sympatico) - from manufacturers such as SMC, NetGear, Linksys, D-Link and Microsoft.
Changes required to avoid timeout issues:
- Start->Control Panel->Windows Firewall. Under the "General" tab, ensure that "Don't allow exceptions" is NOT checked (that is, you DO want to allow exceptions).
- Next, select the Exceptions Tab ...
- Select "Add Port"
- Specify a Name for this exception, in the "Name:" field (call it anything you like. Example: UDP500)
- Specify 500 as your Port number.
- Select UDP.
- Select OK.
- Select OK again, to close the Windows Firewall window.
AnyConnect Specific
What level of rights is required for the AnyConnect client?
For the first installation, you need administrative privileges. However, subsequent upgrades do not require the admin level privilege.
Is a reboot required after AnyConnect is installed/upgraded?
No. Unlike the IPsec VPN Client, a reboot is not required after the AnyConnect installation/upgrade.
What platforms is Datagram Transport Layer Security (DTLS) supported on?
DTLS is supported on WIN2K/XP/Vista/Win7/Mac OS and Linux.
Does DTLS support both 32-bit and 64-bit platforms?
Yes.
What is the difference between the SSL-Tunnel and DTLS-Tunnel? What type of traffic goes through each?
The SSL-Tunnel is the TCP tunnel that is first created to the ASA. When it is fully established, the client will then try to negotiate a UDP DTLS-Tunnel. While the DTLS-Tunnel is being established, data can pass over the SSL-Tunnel. When the DTLS-Tunnel is fully established, all data now moves to the DTLS-tunnel and the SSL-tunnel is only used for occasional control channel traffic. If something should happen to UDP, the DTLS-Tunnel will be torn down and all data will pass through the SSL-Tunnel again.
The decision of how to send the data is very dynamic. As each network-bound data packet is processed, there is a point in the code where the decision is made to use either the SSL connection or the DTLS connection. If the DTLS connection is healthy at that moment, the packet is sent via the DTLS connection. Otherwise it is sent via the SSL connection.
The SSL connection is established first and data is passed over this connection while attempting to establish a DTLS connection. Once the DTLS connection has been established, the decision point in the code described above just starts sending the packets via the DTLS connection instead of the SSL connection. Control packets, on the other hand, always go over the SSL connection.
The key point is whether the connection is considered healthy. If DTLS, an unreliable protocol, is in use and the DTLS connection has gone bad for whatever reason, the client does not know this until Dead Peer Detection (DPD) occurs. Therefore, data will be lost over the DTLS connection during that short period of time because the connection is still considered healthy. Once DPD occurs, data will immediately be sent via the SSL connection and a DTLS reconnect will happen.
The ASA will send data over the last connection it received data on. Therefore, if the client has determined that the DTLS connection is not healthy, and starts sending data over the SSL connection, the ASA will reply on the SSL connection. The ASA will resume use of the DTLS connection when data is received on the DTLS connection.
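The following is an added example, not Cisco's or McMaster's code: a small model of the client send path covering the split-tunnel decision from the Split Tunnel section and the DTLS/SSL selection, DPD fallback and ASA reply behaviour described above. The class names, the sample addresses and the explicit "link ok" flag (the ground truth the client cannot see until DPD fires) are assumptions of the model.

```python
import ipaddress

CAMPUS_NET = ipaddress.ip_network("130.113.0.0/16")  # the FAQ's "130.113.x.y"

class AnyConnectModel:
    """Client send path: split tunnel first, then DTLS-vs-SSL selection."""
    def __init__(self):
        self.dtls_believed_up = False  # client's view, set once DTLS negotiates
        self.dtls_link_ok = False      # ground truth of the UDP path (model assumption)
    def dtls_established(self):
        self.dtls_believed_up = self.dtls_link_ok = True
    def udp_breaks(self):
        self.dtls_link_ok = False  # UDP fails silently; client still believes DTLS is fine
    def dpd_timeout(self):
        self.dtls_believed_up = False  # DPD notices; data falls back to the SSL tunnel
    def send(self, dst_ip, control=False):
        """Return (path, delivered) for one outbound packet."""
        if ipaddress.ip_address(dst_ip) not in CAMPUS_NET:
            return ("isp", True)  # split tunnel: leaves unencrypted via the ISP
        if control or not self.dtls_believed_up:
            return ("ssl", True)  # control traffic and fallback use the TCP/SSL tunnel
        return ("dtls", self.dtls_link_ok)  # lost if UDP died but DPD has not fired

class AsaModel:
    """Head end replies on whichever tunnel it last received data on."""
    def __init__(self):
        self.last_rx = "ssl"
    def receive(self, path):
        if path in ("ssl", "dtls"):
            self.last_rx = path
        return self.last_rx  # tunnel the reply will use

def scenario():
    """Walk the FAQ's sequence; return the client results and the ASA reply paths."""
    client, asa = AnyConnectModel(), AsaModel()
    sent, replies = [], []
    def step(dst, control=False):
        path, delivered = client.send(dst, control)
        sent.append((path, delivered))  # packets the ASA never sees get no reply path
        replies.append(asa.receive(path) if delivered and path != "isp" else None)
    step("130.113.10.20")                # before DTLS is up: SSL
    client.dtls_established()
    step("130.113.10.20")                # data now moves to DTLS
    step("130.113.10.20", control=True)  # control packets stay on SSL
    step("8.8.8.8")                      # constructed non-campus address: via ISP
    client.udp_breaks()
    step("130.113.10.20")                # still "healthy" to the client: on DTLS, lost
    client.dpd_timeout()
    step("130.113.10.20")                # back on SSL; the ASA replies on SSL too
    return sent, replies
```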
Does AnyConnect standalone mode require the system to have Internet Explorer (IE) installed?
In brief testing, AnyConnect standalone mode appears to operate properly even after IE is removed from the system.
Where are the Windows AnyConnect installation logs stored?
There are two possible locations for the install logs on Windows:
- If this is a fresh install, then it will be in the USER's temp directory. This directory can be found by entering %TEMP% in the Start->Run menu in Windows XP or 2K (or the search box on Vista) and then clicking OK or pressing Enter.
- If this is an upgrade, then this file will be located in the SYSTEM's temp directory, which is typically %SYSTEMDRIVE%\temp or %SYSTEMROOT%\temp, but might be located elsewhere.
The file has a format of WinSetup-Release-2.0install-21333219012007.log, for example.
Where are the Linux AnyConnect installation logs stored?
These logs are stored in /opt/cisco/vpn.
What is the AnyConnect Reconnect Behavior?
AnyConnect will attempt to reconnect if the connection is disrupted. This is not configurable, but automatic. As long as the session on the ASA is still valid, if AnyConnect can re-establish the physical connection, the session will be resumed.
Does AnyConnect 2.x support both x86 (32-bit) and x64 (64-bit) versions of Windows, Linux, & Mac OS X?
Yes.