Introduction
A Virtual Private Network (VPN) provides a secure connection between your computer and the resources available at your home institution. In the case of SLAC, we offer a VPN service that permits authorized users to gain visibility of SLAC network resources from outside of SLAC. This includes the SLAC Visitor Wireless network.
This page documents the use of the SLAC VPN service.
Implementation
SLAC utilizes Cisco's Remote Access VPN line of products and specifically requires the use of Cisco's AnyConnect software. This will be a replacement for the older VPN service. Comparisons of the two services and benefits of the new service can be found at https://confluence.slac.stanford.edu/display/NetMan/VPN+Infrastructure+Replacement
In order to connect to SLAC's VPN, a user must install the AnyConnect client. This allows SLAC to enforce certain access restrictions: the client checks that the user's computer is not running a keylogger and is not running an unsupported version of Windows (95, 98, ME), and it enforces an access control list (ACL) to limit access.
Requirements
- You must have a SLAC VPN account, and agree to the usage policies outlined
- The following operating systems are currently supported:
  - Windows XP SP3
  - Windows Vista
  - Windows 7 SP1
  - Mac OSX 10.6.7
  - Linux
This guide uses Windows Internet Explorer; however, the steps are the same for Mac and Linux with other internet browsers such as Safari, Firefox and Chrome.
Connecting to SLAC's VPN
The instructions below are for Windows.
Connecting to SLAC's VPN Using Linux
Open a Web Browser to our VPN Gateway
In order to connect to SLAC's VPN, you must have the AnyConnect software installed. By going to the following webpage, we can check to make sure you have the correct software installed and configured (and up to date), and provide an automated install if it is not.
- Go to: https://vpn.slac.stanford.edu
- Please note the https (not http)
Your web browser should come up with the following series of screens:
Allow Cisco Secure Desktop to Check Your System
The web page will instantiate a Java applet so that it may check your system for the presence of the AnyConnect software.
This may bring up a dialog box which will prompt you to run the application or not.
- If you do not wish to see this dialog again in the future, select 'Always trust content from this publisher'
- Click on 'Run' to allow the applet to scan your system
Log In
The following web page will be presented upon the initial system scan:
- Enter your provided VPN credentials.
- For an account, go to SLAC VPN Accounts
Agree to the Banner
Upon successful login, a banner will be shown on the webpage.
- Click Continue
Initiate the AnyConnect Client
A webpage that offers various methods to access the SLAC VPN services will be presented.
- Click on 'Start AnyConnect'
Install the AnyConnect Software (if required)
If you have problems installing the AnyConnect Client, please refer to the Troubleshooting section of this document.
If necessary (either because it is your first time accessing SLAC's VPN, or if there is a new version of the AnyConnect client), the web page will present that the AnyConnect software needs to be installed.
- If you do not wish to see this dialog again in the future, select 'Always trust content from this publisher'
- Click on 'Run' to install the AnyConnect Client onto your system.
Editing the hostname within the VPN client
- If the hostname does not appear in the VPN client, i.e. it appears as:
then you can manually enter one of the following hostnames:

Number | Hostname                 | Description
1      | fwvpn1.slac.stanford.edu | load-balanced main hostname
2      | fwvpn2.slac.stanford.edu | load-balanced secondary hostname
You have connected to SLAC's VPN Service
Upon successful VPN negotiation, you should get the following popup from AnyConnect showing that you have connected to SLAC's VPN service
- You may close this webpage.
Disconnecting from the SLAC VPN
The AnyConnect client exists as a tray icon; you can get to it from the System tray next to the clock in the bottom right of your screen.
- To disconnect click on 'Disconnect'
Troubleshooting
I Get an 'AnyConnect client install failed' Error
Depending on which operating system version you are using, a manual install of the AnyConnect client may be required. If you get the following error, you must manually install the AnyConnect client.
To manually install the client, do the following:
- Download the binary from the webpage
- Locate the binary file that has been downloaded; you can do this from the 'Open Folder' button on the download dialog.
- The AnyConnect client binary install will be a file named in the format anyconnect-win-*.exe
- Right click on the binary file to get the contextual menu up, and select 'Run as Administrator'. If you do not have administrative rights to your host, you will have to have your Departmental Admin install the software on your behalf.
- Follow the installation prompts, agreeing wherever it asks
- Refresh the webpage and the AnyConnect Client should automatically instantiate and connect you to SLAC's VPN. If this does not work then locate the client (e.g. on Windows go to the Start menu and search for Cisco AnyConnect) and start it.
I'm using Internet Explorer and I get an 'AnyConnect client install failed' Error
Under Windows 7, ActiveX controls enable Trusted Sites to assume Administrative access. If you get the following page upon logging into SLAC's VPN, then you need to do the following:
- Under IE's Tools menu, select Options -> Security -> Trusted Sites
- Add the following to the list
Refresh the webpage and the AnyConnect Client should automatically instantiate and connect you to SLAC's VPN.
I'm using Mac OSX and I get a 'System Extension /System/Library/Extensions/tun.kext' Error - what do I do?
We have had reports of issues with the kernel extensions when the AnyConnect Client installs; you may receive the following notice:
We believe this is related to a conflict with Mac OpenAFS.
The result may be that the AnyConnect Client connects you to VPN, but will not pass any traffic - as such, any network activity will fail (eg browsing the Internet, email etc). If this is the case, you should attempt a manual uninstall of the AnyConnect Client and try the install once again:
- You can uninstall the AnyConnect Client by using Finder, going to /Applications/Cisco/ and running Uninstall AnyConnect.app
- Go to https://vpn.slac.stanford.edu and repeat the install procedure.
I Still Can't Get Access to Resources Via VPN
- Without being connected to VPN, verify that you have 'normal' network connectivity, e.g. by using a web browser to verify that web pages can be loaded.
- Restart the AnyConnect Client
  - Windows: Quit the AnyConnect client (if it is running) by right-clicking on the icon in the system tray and selecting Quit. If the client doesn't quit the first time, you may need to right-click and select Quit a second time.
  - Mac: Quit the AnyConnect client (if it is running) from the icon in the menu at the top of the screen.
  - Restart the AnyConnect client, either by running the Client directly, or by going to https://vpn.slac.stanford.edu
- If you are having issues reconnecting, try restarting AnyConnect and selecting the other VPN server (if it says fwvpn1 then select fwvpn2 or vice versa).
- If none of these options work, some users have reported success rebooting then attempting to reconnect.
- Please submit any experiences to us at net-admin@slac.stanford.edu
The Cisco Secure Desktop denies Access
I get the message:
We have seen this when using the Chrome browser. First try with Microsoft Internet Explorer. If this fails in a similar fashion contact your Departmental Support Administrator and request that they scan your host for security concerns.
VPN says I am connected, however now I cannot connect to anything
Try disconnecting the VPN, then see if you can ping, say, www.slac.stanford.edu. If you can, then you have an Ethernet connection, so try connecting to the other VPN server (fwvpn1.slac.stanford.edu <-> fwvpn2.slac.stanford.edu).
I cannot connect to the VPN: the server name and Connect statement are greyed out in the AnyConnect window
Quit the AnyConnect Secure Mobility Client. Then restart it, make sure the server name is fully qualified (i.e. fwvpn1 needs to be specified as fwvpn1.slac.stanford.edu), and try connecting again.
Frequently Asked Questions (FAQs)
What are the timeouts on the VPN connection?
There is a fixed timeout of 8 hours after which your VPN connection is disconnected. There is also a non-activity timeout of 20 minutes.
I'm using Mac OSX, can I use SLAC's VPN Service?
Yes, please follow the instructions outlined above.
When installing the AnyConnect Client, the following prompt will come up asking for permission to install the software onto your Mac:
- Enter your username and password for your Mac and click 'OK'
- After a while, the AnyConnect software will be automatically installed and you will be connected to SLAC's VPN.
Can I Connect to SLAC's VPN with my *nix Machine?
Yes, please follow the instructions as outlined above.
In order to install the AnyConnect Client, you must have sudo or root access to your Linux machine. You must also manually download the AnyConnect Client.
You may need to install a Java VM in order for some of the checks to work. You may bypass the use of Java by doing the following:
- Go to https://vpn.slac.stanford.edu; it will complain that 'Cisco Secure Desktop' could not be installed
- Click on 'Login' under 'Login using the link below' (skip past the Secure Desktop install)
- Log into the web portal with your VPN credentials
- Click on Start AnyConnect
- The system will scan for Java - wait for the following screen to popup:
- After a while, the web portal will present the option to install the AnyConnect Client manually:
- Click on the link underneath 'Install using the link below'
- Locate the downloaded file vpnsetup.sh
- Run sudo vpnsetup.sh (or equivalent)
- You have now installed the AnyConnect Client; you can find it under Applications -> Internet -> Cisco AnyConnect Secure Mobility Client
- You can use this to connect directly to the SLAC VPN service in the future.
I want to connect my Smart Phone to SLAC's VPN
This is not yet supported, but iPhone connections (via IPSec) are planned in the near future. Android and Windows Mobile connectivity are on our roadmap.
Can I access the K: disk?
Currently you cannot access this disk. Once the service is better understood this will be reviewed.
Can I access PeopleSoft?
Access to PeopleSoft is not currently available via the new VPN. Once the service is better understood, this will be reviewed.
Can I access the license server?
The license server is very fragile. There are many failure modes, and most vendors have not upgraded to more recent flexlm versions that are more reliable, nor to support alternative license servers when one fails or needs to be restarted due to upgrades/patching/failure. Also, serving a license across a VPN may be a license violation (e.g. if the license is limited to a site). For more on this see VPN and license server. At the moment it appears to work, however there are no guarantees.
Can I use RDP
You should be able to access RDP. If not, please report this with details as a problem to net-admin@slac.stanford.edu.
Can I access Confluence?
You should be able to access Confluence. If not please report this with details as a problem to net-admin.
Does all traffic go via VPN or does SLAC traffic go direct?
Once connected to our VPN service, policy states that all traffic will go through SLAC. We do not use split tunneling.
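As an added example (not part of this page or of Cisco's software), here is a small POSIX shell check a Linux user can run to confirm that the no-split-tunnel policy actually took effect on their host: it parses `ip route` output and reports whether the default route leaves via the VPN tunnel interface. It assumes the AnyConnect tunnel interface on Linux is named cscotun* and uses constructed sample route tables with placeholder addresses.

```shell
#!/bin/sh
# Added example: verify a full-tunnel VPN session from the client side.
# Assumption: AnyConnect's Linux tunnel interface is named cscotun0 (cscotun*).

# Constructed sample `ip route` output for a full-tunnel session (all traffic
# leaves via the tunnel); 192.0.2.0/24 is a documentation placeholder range.
ROUTES_FULL_TUNNEL='default via 10.20.0.1 dev cscotun0
10.20.0.0/24 dev cscotun0 proto kernel scope link src 10.20.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.7
192.0.2.0/24 via 10.20.0.1 dev cscotun0'

# Constructed sample for a split tunnel: only one prefix goes via the VPN,
# the default route still leaves through the physical NIC.
ROUTES_SPLIT_TUNNEL='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.7
192.0.2.0/24 via 10.20.0.1 dev cscotun0'

# Print the interface that carries the default route in the given route table.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Exit 0 only when the default route goes through a VPN tunnel interface.
is_full_tunnel() {
    dev=$(default_route_dev "$1")
    case "$dev" in
        cscotun*|tun*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for a route table.
report_tunnel_mode() {
    if is_full_tunnel "$1"; then
        echo "full tunnel: default route via $(default_route_dev "$1")"
    else
        echo "WARNING: split tunnel or no VPN: default route via $(default_route_dev "$1")"
    fi
}

# Run against the live host with `sh check_tunnel.sh --live`; the constructed
# tables above exist so the logic can be exercised offline.
if [ "${1:-}" = "--live" ]; then
    report_tunnel_mode "$(ip route)"
fi
```

If the verdict is a warning while AnyConnect reports "connected", the client has not applied the full-tunnel policy and the session should be restarted before relying on it.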
I connected to the VPN and now many web pages are inaccessible
We have noticed this happening if you change your network connection (e.g. go from a wired to a wireless connection and soon after start the VPN). Try disconnecting the VPN and reconnecting it. Failing that try rebooting if it is a Windows host. Failing that try re-installing the Cisco AnyConnect client.
I could not ping vpn.slac.stanford.edu
You can't ping vpn (or fwvpn1 or fwvpn2) if you have established a VPN connection.