Mac OS X Cisco VPN Client
Preliminary notes and warnings:
This document describes how to install the Cisco VPN client, which allows remote access to PARC via PARC's new VPN concentrators. The new VPN client/server arrangement significantly increases the probability that PARC users will be able to connect to PARC when traveling.
- Remote access logins to PARC require that each user have their own SecurID card.
- Please be sure that there is at least 20 MB of local disk space available.
- UNINSTALL NORTEL CLIENT: If you've been using PARC's legacy Nortel client, you must uninstall it before installing the Cisco client. CNS strongly recommends against having both VPN clients installed at the same time.
- DON'T UPGRADE ON THE ROAD: If you're presently using the legacy Nortel client and you're traveling, wait until you return to PARC to install the Cisco client. CNS recommends against trying to upgrade from the Nortel client to the Cisco client in the middle of a road trip.
- PARC COMPUTERS ONLY: Don't install the Cisco VPN client (or any VPN client) on non-PARC hardware such as an airport kiosk or a public/communal PC at a conference. Non-PARC hardware is not secure, even if you install a PARC VPN client on it: if you use non-PARC hardware to make a VPN connection to PARC, then your email, your files, and every keystroke that you type could be intercepted by persons unknown and potentially shared with the world.
- DISCONNECT WHEN YOU'RE NOT THERE: When you use the VPN client, be sure to disconnect when you physically walk away from your computer. A VPN connection to PARC is a live, fully-authorized connection to the internal PARC network. If you leave the VPN connection up when you step out of the room, anybody with physical access to your laptop has a full connection to the internals of PARC.
__________________________________________
- Installation
- Setup
Installation
- You will need to be logged in as an administrator, or otherwise have admin privileges, to do this.
- If the Nortel SWVPN client is already installed, remove it by running: /Library/Application Support/Netlock/uninstall.app
- Connect to the server afp://macserver/software/licensed/Ciscovpn using your UNIX user name and password.
- Copy the ciscovpn(version number).dmg to your desktop and double-click it.
- Double-click the "Cisco VPN Client.mpkg" file to begin installation.
- Select the system disk as the destination and "Upgrade" as the installation type. Accept the default answers to all other prompts.
- When the install has completed, open the VPN Client application in the Applications folder to start the Cisco VPN client.
- The preconfigured PARC profile will be installed automatically, but if you delete or corrupt the file you can download it again from afp://macserver/software/licensed/Ciscovpn; the file name is parcvpn.pcf.
Setup
- The Cisco VPN client you have installed is already configured to connect to the PARC VPN server. The connection process should work even from PARC "NEWNET" ports, so if you install the client while at PARC you can test it immediately. NOTE that this will NOT work from the PARC wireless network or from HOMENET (Ravlin or ISDN).
- Make sure that you can ping 13.3.160.104, the public IP of the concentrator.
- Get your SecurID key fob out.
- From the main VPN window, select the "parcvpn" connection entry.
- Click the "connect" icon in the upper left corner of the window.
- If all is working well, you should almost immediately get a large
text window that displays ongoing connect status, and a smaller user
authentication window.
- In the authentication window, enter your PARC username in the Username
field.
- In the password field, enter your SecurID PIN followed immediately by the number currently shown on your SecurID key fob. The two are concatenated, with nothing in between, into a single passcode.
- Click OK in the authentication window.
- If all goes well, the text display window should say "Contacting the
security gateway at 13.3.160.104" followed by "Negotiating security
policies" followed by "Connected to parcvpn"
- The usual timing constraints apply to SecurID one-time passcodes (the token code on the fob changes every 60 seconds). If you wait too long after typing the passcode before you click OK, the token-code portion of the passcode will have expired and your authentication will fail. If you make 3 failed login attempts in a row, PARC's SecurID server will disable your access, because it assumes that your key fob may have been stolen.
- The VPN connection should now be active.
- Tests:
- Try to ping 13.0.209.243, the inside (private) IP address of the
VPN concentrator.
- Try to ping 13.0.208.245, the HSRP IP address of the Cisco core
routers on the homenet VLAN.
- If these pings fail, the tunnel is not passing traffic; work through the testing and debugging appendix below.
- Try running PARC applications and browsing the web to internal
PARC web sites.
- About unexpected disconnects: The VPN client uses occasional keepalive packets to maintain its session with the VPN server. If there is an interruption in your internet connection for any reason, and that interruption lasts longer than a few seconds, the VPN client may tear down the IPsec connection. Interruptions in internet connectivity can be caused by hotels doing maintenance on their internet equipment, by disruptions in the "public" internet fabric between your location and PARC, by SBCIS maintenance windows that affect PARC's internet connectivity, and so on. As long as internet connectivity between your location and PARC stays stable, you should be able to keep the VPN connection running for hours.
__________________________________________
Appendix: Testing and debugging
The outside world can be hostile in terms of offering internet connectivity. Many hotels and wireless hotspots block common internet ports, transform packets as they cross the internet, or impose other barriers which can make it difficult or impossible to form an IPsec tunnel back to PARC. If you have VPN problems on the road or from home, here are some troubleshooting steps that you can take. The more of these steps that you can do in advance, the faster CNS will be able to help you solve your problem when you contact us via email or phone.
1. Tests prior to any VPN connection attempt
- From the Terminal application, make sure that you can ping vpn1.parc.xerox.com. This is the external interface of PARC's Cisco VPN concentrator (the 13.3.160.104 address used above). If you can't successfully ping this destination, there is very likely a problem with your local internet connection.
- From the Terminal application, run a traceroute to vpn1.parc.xerox.com. This test is similar to the ping test above, but it can offer hints about where along the path you lose reachability to the VPN concentrator at PARC.
2. Tests after the VPN client has negotiated a connection
- Make sure that, in addition to your regular ethernet interface, you have an additional interface assigned an IP address of the form 13.0.211.___, a subnet mask of 255.255.252.0, and a default gateway equal to the interface's own IP address. This is the virtual interface that the client brings up for the IPsec connection. If it isn't configured as described here, your VPN connection has probably failed in some way.
- Try to ping vpn1-int.parc.xerox.com, the inside (private) interface of the VPN concentrator (13.0.209.243 above).
- Try to ping 13.0.208.245. This is one of the redundant IP addresses of the Cisco core routers at PARC.
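As an added example (not part of the original page, and not a tool CNS distributes), the shell script below turns the tests in this appendix into a checklist you can run from the Terminal: saved as, say, vpncheck.sh (a name chosen here), run `sh vpncheck.sh pre` before connecting and `sh vpncheck.sh post` once the client reports "Connected to parcvpn". It assumes the Mac OS X output layouts of ifconfig and netstat -rn; the hostnames and addresses are the ones the page gives. The embedded ifconfig text is a constructed sample, not a capture, and its interface name "vpn0" is an assumption, since the page does not name the virtual interface.

```shell
#!/bin/sh
# Added example for this appendix; not part of the original page and not a
# CNS-supplied tool. Assumes Mac OS X ifconfig(8) and netstat(1) output
# formats. Hostnames and addresses are the ones the page gives.

VPN_GATEWAY_EXT="vpn1.parc.xerox.com"      # outside interface of the concentrator
VPN_GATEWAY_INT="vpn1-int.parc.xerox.com"  # inside interface of the concentrator
CORE_HSRP="13.0.208.245"                   # HSRP address of the core routers

# find_vpn_address: read ifconfig output on stdin; print "<iface> <ip>" for the
# first interface holding an address in 13.0.208.0/22 with a 255.255.252.0
# (0xfffffc00) netmask, which is how the page describes the tunnel interface.
# Exit status 1 when no such interface is present.
find_vpn_address() {
    awk '
        /^[A-Za-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $3 == "netmask" {
            split($2, o, ".")
            if (o[1] + 0 == 13 && o[2] + 0 == 0 &&
                o[3] + 0 >= 208 && o[3] + 0 <= 211 &&
                ($4 == "0xfffffc00" || $4 == "255.255.252.0")) {
                print iface, $2
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# default_route_gateway: read "netstat -rn" output on stdin and print the
# gateway of the IPv4 default route (BSD column layout: Destination Gateway ...).
default_route_gateway() {
    awk '$1 == "default" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; exit }'
}

# Step 1 of the appendix: reachability of the concentrator before connecting.
vpn_precheck() {
    if ping -c 3 "$VPN_GATEWAY_EXT"; then
        echo "ok: $VPN_GATEWAY_EXT answers ping"
    else
        echo "ping to $VPN_GATEWAY_EXT failed: probably a local connectivity problem"
    fi
    echo "traceroute shows where along the path reachability is lost:"
    traceroute "$VPN_GATEWAY_EXT"
}

# Step 2 of the appendix: checks once the client reports "Connected to parcvpn".
vpn_postcheck() {
    entry=$(ifconfig | find_vpn_address) || {
        echo "no interface in 13.0.208.0/22 with mask 255.255.252.0: the tunnel is not up"
        return 1
    }
    iface=${entry% *}
    addr=${entry#* }
    echo "tunnel interface $iface has address $addr"
    gw=$(netstat -rn | default_route_gateway)
    if [ "$gw" = "$addr" ]; then
        echo "ok: default gateway is the tunnel address, as the page describes"
    else
        echo "warning: default gateway is '$gw', expected $addr"
    fi
    ping -c 3 "$VPN_GATEWAY_INT" && ping -c 3 "$CORE_HSRP"
}

# Constructed sample of ifconfig output (not a real capture) in the shape the
# page describes: the regular interface plus the tunnel interface. The name
# "vpn0" is an assumption; the page does not name the interface.
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
vpn0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1400
        inet 13.0.211.42 netmask 0xfffffc00'

case "${1:-}" in
    pre)    vpn_precheck ;;
    post)   vpn_postcheck ;;
    sample) printf '%s\n' "$SAMPLE_IFCONFIG" | find_vpn_address ;;
esac
```

`sh vpncheck.sh sample` exercises only the interface parser on the embedded sample, without touching the network. The parser is deliberately strict: an address in 13.0.208.0/22 with any other netmask, or an address outside that block, is reported as "tunnel not up", which is the failure mode the appendix tells you to look for before calling CNS.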
Comments or Questions: csnsweb@parc.com