VPN Frequently Asked Questions
Upgrade FAQs
How do I know which VPN system I'm using?
Old (Cisco) version
You're using the old (Cisco) VPN if your software uses icons that look like this:
The old (Cisco) VPN interface looks like this image.
Current (CITES / Nortel) version
You're using the current (CITES / Nortel) VPN if your software uses icons that look like this:

If you need to contact the CITES Help Desk, it'll be helpful to tell them which VPN system you're using.
How do I upgrade from the old Cisco VPN system to the new VPN system?
It's easy! You don't need to uninstall the Cisco VPN software first. Just don't use the Cisco software anymore. (If it helps you remember, you can delete the Cisco icon, but you don't need to uninstall the entire program.)
To configure your computer to access the new VPN server, visit the Download and Installation page to find the correct installer for your operating system.
How long will the old Cisco VPN server be available?
Cisco's support contract expires in December 2007. CITES may be able to offer the old VPN server for longer than that, but if a problem occurs that CITES can't fix by itself, the old Cisco server will need to be retired at that point.
Do you still have the documentation for the old Cisco system?
Our previous Cisco VPN documentation will continue to be available for a while in the VPN Archive.
With the old VPN system, I used to be able to connect to the VPN server from a certain coffeehouse, but with the new one I can't. What's changed?
The new Nortel VPN system uses different ports for connecting than the previous Cisco VPN system did.
First, make sure that you can connect to the new VPN server over the UIUCnet Wireless network.
If you can connect from on campus, then your configuration is working correctly and the other network's firewall rules are a likely source of the connection problems. (If you can't connect from on campus either, check the other FAQs and troubleshooting items for further suggestions.)
Once you've determined that your configuration is correct, you may need your coffeehouse wireless administrator's assistance to be able to connect. Ask the wireless administrator if he or she can configure their firewall to permit PPTP, L2TP, and IPSEC ports through the firewall. (These ports are listed in the Firewall Ports Used for VPN Connections page.)
I used to be able to connect to the Library's online resources from off campus by using the VPN. Now I need to log in through their web interface even with the VPN active. What's changed?
Because of the licensing agreements required by the providers of the Library's online resources, and because guest accounts can now be created by anyone at the University, the Library needs to use NetIDs rather than VPN login ability as the indicator of whether you are an individual who's authorized to use the Library resources. The Library's licenses do not allow campus guests to use their online resources.
If you have a NetID, you will be able to receive off-campus access to Library resources by logging in to the Library's web site when prompted. Guests will not be able to use their VPN identities to log in to the NetID-protected Library web sites.
Make sure that you search for materials through the Library Gateway in order to receive full access.
General FAQs
- Power management / energy saving modes
- Busy wireless network or distance from access point
- Jumping from access point to access point (Windows systems)
Will the VPN connection work with my normal network connection?
Yes. In addition, the VPN client is active only when you choose to start it. If the client is not running, then it will not affect your connection.
Do I have to use the VPN software to use UIUCnet Wireless?
You can connect to the Internet without using the VPN system by using UIUCnet QuickConnect, a simple browser-based way to authenticate yourself and access many of the most commonly used networking resources, including email and the Web.
However, if you use software that doesn't encrypt its traffic with QuickConnect and send sensitive data such as passwords, anyone else on UIUCnet Wireless can capture that information from the air.
For more information, see Why wireless users need to use VPN.
Is there a charge for client software?
In most cases, there is no charge because a suitable VPN client is already available and built into your operating system.
For most current operating systems (Windows 2000, XP, and Vista, Macintosh OS X, Linux, and Unix), you can use the VPN client that comes built in to your operating system to connect to the campus VPN server. See Downloading and installing VPN client software for more information.
If you have an older or less frequently used operating system (Windows 95, 98, ME, NT, Macintosh 9 or earlier), you may or may not be able to find software to allow your system to connect. The third-party client software that was formerly available for older Macintosh and palmtop users worked with different protocols on the old Cisco VPN server; the Nortel VPN server is using different protocols.
Note that CITES maintains a list of Help Desk-supported software and operating systems. If your operating system isn't mentioned on this list, the CITES Help Desk cannot assist you with acquiring and installing a VPN client.
However, if you can find a PPTP-compatible VPN client for your operating system, you can try to create your own connection configuration. See VPN Clients for Other Systems for more information.
Is there handheld device (PalmOS or Windows CE) support?
At this time, CITES does not have the resources to offer specific help for handheld users wishing to connect to the VPN system, because of the range of handheld devices and VPN software clients available.
If you've already purchased the Movian or Antha software for use with the old Cisco VPN server, you can continue to use that software while the Cisco VPN server remains in service. For installation and configuration details, see Movian / Antha VPN Client Software.
If your handheld device's VPN client software offers PPTP support, you should be able to connect to the new VPN server, but CITES will not be able to assist you with the configuration process. See VPN Clients for Other Systems for more information.
Can I use a Nortel, Apani, Movian, Antha, or other third-party VPN software client?
The Nortel VPN client will not work with the CITES VPN server.
Other third-party VPN clients may or may not work with the CITES VPN server; however, the CITES Help Desk can only provide support for the CITES-released VPN client. If you have difficulty using a third-party VPN client, you'll need to work with the VPN client's author to resolve any issues you have.
Similarly, some campus network administrators have released VPN clients for members of their department. If you have difficulty using a department-released VPN client, contact your department's IT professional staff for assistance.
If you've already purchased the Movian or Antha software for use with the old Cisco VPN server, you can continue to use that software while the Cisco VPN server remains in service. For installation and configuration details, see Movian / Antha VPN Client Software.
How do I configure my computer's firewall to allow the VPN to connect?
Some firewall programs, like the Windows XP and Vista native firewalls, will be automatically reconfigured to permit the VPN traffic when the VPN client configuration is added to your computer's networking systems. You won't need to manually change the configuration for these firewalls.
On the other hand, some third-party firewalls are not automatically reconfigured when the VPN client is installed. ZoneAlarm is one commonly used example of a firewall you will need to reconfigure yourself in order to allow VPN connections.
Guidelines for reconfiguring a firewall that offers program-based access control (like ZoneAlarm) and for reconfiguring a firewall that offers port-based access control (like many Unix firewalls) are given on the Firewall Ports page.
How long can I stay connected to the VPN server?
The total maximum connection time is 24 hours (1440 minutes).
If your network connection is not being used, the connection times out in 90 minutes.
Note: Many laptops' power-saving features will put network cards to sleep sooner than our idle timeouts will. If you want to stay connected even when you aren't actively using your laptop/mobile device, you will probably need to disable the power-saving features of the laptop or mobile device. You may also need to disable power-saving features on the network card itself.
I get disconnected from the VPN frequently. How can I stay connected?
This problem has several possible causes.
If you're using a wireless connection and your laptop is unplugged, your computer may be turning off your wireless network card during times of low activity. Since your computer's VPN client needs to maintain a constant connection to the VPN server, it won't be able to communicate without the wireless card.
To correct this, adjust your computer's power management or energy saving controls. (Look in the Control Panel on Windows systems, or in System Preferences on Macintosh systems. Some Windows users may also be affected by the Intel 3945 driver issue.)
Your computer may lose its connection to the VPN server briefly. This can happen when the signal strength of a wireless access point fluctuates or when the wired network connection you are using is too busy to permit the VPN client to maintain its connection with the VPN server.
If the wireless network is saturated, there's little you can do to prevent disconnections. However, if you're too far from an access point, try moving to an area where the wireless signal is stronger.
In areas that contain both UIUCnet Wireless signals and other wireless signals, Windows may change back and forth between networks by homing in on whichever signal is stronger at a given moment. Unfortunately, people moving around in hallways may change which signal is stronger.
To correct this, see the "Frequent changes in access point" item in the Windows-specific wireless troubleshooting page.
For more information, see Troubleshooting Intermittent Disconnections.
I have an active wired or off-campus network connection and VPN client. I've installed the VPN, but I can't connect to the campus VPN server. What do I do?
Windows-specific FAQs
- If you see this error every time you try to connect from any location, you may need to adjust your own computer's firewall.
- If you see this error when you try to connect from a new location, ask the network administrator to adjust the location's firewall.
Why won't the CITES VPN installer from the WebStore work on my Windows system?
For Windows Vista users:
The CITES VPN installer is not compatible with Windows Vista. CITES hopes to offer a Vista-compatible installer in the future.
For Windows XP users:
Changes made by a Microsoft patch released in March 2008 caused the CITES VPN package to be unable to install correctly on a few systems.
Option 1: Use the other XP instructions (recommended for most users)
If you have one or two computers with this problem, you can use the 64-bit Windows XP instructions. (These are essentially the same as the guest instructions, but they use your NetID and Active Directory password rather than a guest user name and password.)
Option 2: Patch your operating system (recommended for IT pros)
IT pros who have labs with many identically-configured machines can use this optional Microsoft patch to correct the issue:
http://support.microsoft.com/kb/925876
After you've installed the patch, you'll also need to check whether the Remote Access Connection Manager service is enabled. To check this:
- Right-click on My Computer and select Manage.
- In the Computer Management window that appears, expand the Services and Applications node at the bottom of the left-hand pane and choose Services.
- In the list of services that appear in the right pane, scroll down until you locate the Remote Access Connection Manager item. Check the Status column for its current state.
Is there Windows 95, 98, or ME support?
Windows 95, 98, and ME are not supported by either Nortel or the CITES Help Desk. In addition, CITES Security strongly recommends that these older Windows systems should no longer be active on the campus network.
Is there Windows NT or 2003 Server support?
Since a VPN client is intended for use on an individual person's computer, and since the campus VPN configuration doesn't allow a connection to be established for more than 24 hours, CITES does not recommend the use of the VPN system on servers.
This doesn't mean that it's technically impossible to run a VPN client on a Windows server. However, if you encounter problems when trying to run a VPN client on Windows server systems, you will need to troubleshoot it by yourself.
Using third-party firewalls (ZoneAlarm, etc.) with the VPN server
When the Windows VPN client is used with the Windows firewall, the operating system will adjust the firewall settings to allow the VPN client to communicate. Since third-party firewalls are not built into the operating system in the same way, they may need to have their configuration adjusted in order to allow proper two-way communication.
In order for the VPN server to work through any third-party firewalls you may have installed on your Windows computer, you will need to configure your firewall so that information from the VPN server (IP address 192.17.44.3) can be allowed to both come in to your computer and leave it.
For some firewall programs, you may need to configure access by port rather than by IP address.
For the specific information that your firewall will need in order to communicate with the VPN server, see Firewall Ports that the VPN System Uses.
How do I uninstall the CITES VPN configuration settings on a Windows computer?
In the Control Panel, go to Add/Remove Programs, then select CITES VPN from the list of installed programs.
Click the Change/Remove button that appears beneath the selected CITES VPN entry and follow the computer's prompts to remove the CITES VPN configuration settings.
Windows-specific error messages:
Error 678: There was no answer from the VPN server
The most common cause of this error is a network configuration problem on the network you're using. It's typically related to a firewall's settings.
If you're using the built-in Windows firewall, the VPN configuration process automatically adjusts settings as needed.
However, if you're using a third-party firewall such as ZoneAlarm, you'll need to adjust your computer's firewall settings. See Firewall Ports Used for VPN Connections for more information.
Many hotels, coffeehouses, and similar short-term access locations don't forward all the information that the VPN needs for a successful connection. If you've been able to successfully use the VPN from other locations in the past, the error is likely related to this particular site.
Ask the site's system administrator to look at the information in the Firewall Ports Used for VPN Connections page and adjust their firewall accordingly.
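One way to tell a firewall block from a configuration problem when Error 678 appears, as an added example that is not part of the original CITES documentation: probe the VPN server's PPTP control port and classify the result. It assumes the server accepts PPTP on the standard TCP port 1723; the function names are illustrative.

```python
import errno
import socket

VPN_SERVER = "192.17.44.3"  # VPN server address given on this page
PPTP_PORT = 1723            # assumption: standard PPTP control port (TCP)

ADVICE = {
    "open": "TCP 1723 answers. If Error 678 persists, the PPTP data channel "
            "(GRE, IP protocol 47) may still be blocked; this probe cannot test it.",
    "filtered": "No reply before the timeout: a firewall on this computer or "
                "network is probably dropping the traffic.",
    "refused": "The connection was actively rejected: a firewall is resetting "
               "it or nothing is listening on that port.",
    "unreachable": "No route to the server: check that the underlying network "
                   "connection works before troubleshooting the VPN.",
    "error": "Unexpected socket error; retry and note the exact message.",
}


def probe_tcp(host, port, timeout=5.0):
    """Classify one TCP connection attempt without sending any data."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def diagnose(host=VPN_SERVER, port=PPTP_PORT, timeout=5.0):
    """Return (state, advice) for the VPN server's PPTP control port."""
    state = probe_tcp(host, port, timeout)
    return state, ADVICE[state]


if __name__ == "__main__":
    print("%s: %s" % diagnose())
```

Run it once from a network where the VPN works and once from the problem location; a result that changes from open to filtered points at that location's firewall rather than at your own configuration.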
Error 691: Access was denied because the username and/or password was invalid on the domain
This error usually means that you've mistyped either your username or your password.
Username: Use your NetID. If your campus email address is myname@illinois.edu, then your NetID is myname.
Password: Use your Active Directory password. (For more information about your Active Directory password, please contact the CITES Help Desk.)
If retyping your username and Active Directory password carefully doesn't correct the problem, contact the CITES Help Desk.
Error 800: Unable to establish the VPN connection.
This error usually means that you don't have an active network connection. Make sure that you've successfully connected to your network as described in step 1.
If you're seeing Error 800 and can use the network, but can't use the VPN, contact the CITES Help Desk at consult@illinois.edu or 244-7000.
Mac-specific FAQs
Is there Macintosh 7.5-9.x support?
Macintosh systems older than OS X are not supported by either Nortel or the CITES Help Desk. In addition, CITES Security strongly recommends that these older Macintosh systems should no longer be active on the campus network.
Related FAQs
For more information on topics related to the CITES VPN system, such as UIUCnet Wireless, QuickConnect, or guest accounts accessing these services, visit the Wireless, VPN, and QuickConnect FAQs and Troubleshooting page.