NCI-Frederick Networking

Virtual Private Networking (VPN) - Frequently Asked Questions



General Questions

What is "VPN"?

A virtual private network (VPN), otherwise known as a client tunnel, is an encrypted path through the Internet between two endpoints. The endpoints of the tunnel are a host running a VPN service and a client running an appropriate client software package for that service. The resulting link provides a secure communications channel for computer traffic between the two endpoints. For more information about Virtual Private Networking, please see our VPN Introduction. When connected to the VPN, treat the system that is making the connection as US Government property and as if it were physically located on the NCI-Frederick campus. Therefore, access to sites normally restricted by NCI-Frederick is also restricted while connected to the VPN. Likewise, your system will be subject to monitoring of traffic. This means that adult-content, gambling, and other non-work related site access should be avoided, as accessing such sites is considered a violation of the laws governing use of Government equipment.

How do I obtain a VPN account?

If you would like to take advantage of VPN capabilities, you will need IPSec Client software. In addition to the client software, you must also possess an NIH Active Directory user account and password. In order to obtain a user account, please visit the Remote Access Services Account Application page. If you already have an NIH Active Directory account, you may download the VPN client software and profiles for your operating system from the VPN Clients web site. Please note that this web site is accessible from outside of the NCI-Frederick campus, but you will need your user account and password in order to obtain the necessary profiles that permit access to the system. If you already possess an NIH e-mail account (name@mail.nih.gov), an ITAS account, or any other NIH service-oriented account, that account is the same as your NIH Active Directory account.

I have an NIH E-Mail account. Do I need to submit an application for a VPN account as well?

No. The NIH e-mail and NIH Active Directory account systems are the same. You may use those account credentials to access and download the VPN client software and profiles. Application requests for users that already possess such an account will be denied. Only a single account and remote sign-on per user is permitted.

I had a dial-up or VPN account before September 18, 2007 but cannot log on. How do I access the VPN?

All pre-existing NCI-Frederick dial-up and VPN users were e-mailed their NIH account user credentials and passwords over the past few months. They were asked to log into the NIH account password system and change their passwords as well as to set up password remediation. However, if you did not receive such an e-mail or if you cannot locate it or remember your account credentials, please contact the NCI-Frederick LAN office help desk (301-846-5555) for assistance.

I already have an NIH VPN account. Do I need another account to access the NCI-Frederick VPN?

No. However, you will need to download the NCI-Frederick VPN profiles and install them into your Cisco Systems VPN Client "Profiles" directory. These profiles will grant you access to the NCI-Frederick campus network using the same account and password as your current NIH-Bethesda VPN user account. In order to obtain the required profiles, return to the home page and select the operating system appropriate for your computer.

What do I do if I forget my password? How do I change my password?

NIH Active Directory users can self-remediate their own passwords. However, in order to do this, the user must first configure self-remediation. Both processes may be done by pointing your web browser to the NIH password remediation web site. You may change your own password (if you know the current one) by pointing your web browser to the NIH central E-Mail web site. If you do not know your password and have not set up self-remediation, please contact one of the help desks to have your password reset:

301-846-5555 (NCI-Frederick LAN Office Help Desk)

301-846-5115 (NCI-Frederick CSS Help Desk)

301-496-4357 (6-HELP) (CIT 24-hour Hotline)
866-319-4357 (Toll free)
301-496-8294 (TTY)

I have high speed Internet access via a satellite link. Can I use the VPN client?

No. At this time, neither the NIH nor the NCI supports VPN connectivity over satellite services. VPN and satellite Internet technologies were not designed to work together. There are two technical limitations of satellite Internet that greatly affect the performance of a VPN and thus make the two technologies incompatible with each other. These two limitations are:

  • Virtual private networks require a high-bandwidth (high speed), low-latency (delays, if they occur, have a short length) network to function efficiently. Satellite Internet services, on the other hand, normally suffer very high latencies due to the long distance satellite signals must travel.
  • Satellite Internet also tends to support low upstream (upload) bandwidth. Specifically, satellite bandwidth for uploads is comparable to that of dial-up Internet services. VPNs demand high bandwidth for both uploads and downloads.

Unfortunately, because of these limitations in the way that a satellite Internet connection works, a satellite Internet connection is incompatible with the VPN Client. There is currently no work-around for this situation.

Installation Questions

I'm having trouble downloading the profiles. I enter the correct user name and password but get prompted again and again for them. What's happening and how do I fix this?

You should only see two boxes displayed when you are prompted for your user name and password. The first is the user name. In this box you should enter "NIH\" followed immediately by your user account name (no spaces). In the second box, you are asked to enter your password. The password is case-sensitive. There should not be any other boxes displayed. If you see a third box with the name "Domain", your system is configured for someone else's network. In such a case, enter NIH in the Domain box (type it in all capital letters as shown here). If you still have problems obtaining the profiles, contact the LAN office help desk (301-846-5555) for assistance - your account may have been locked out or you may be entering a bad password.

When I try to download the VPN profiles, I get a dialog box asking me for a user name and password. But when I type in my VPN user account name and password it doesn't work. What's wrong and how do I fix this?

As of September 18, 2007, you must use your NIH Active Directory user account and password. If you have never set your password since receiving your account credentials, or if you have not used your account in over 60 days, your account may be locked out or disabled. If your computer is not part of the NIH or NCI domains, your account may be in need of a password change. This must be done every 60 days. However, only those that log into the NIH Active Directory from their computer receive notification that the password is due to be changed. All other users must be pro-active in changing their passwords on a regular basis. In order to change your password, point your web browser to the NIH central E-Mail web site. For further assistance, contact the NIH help desk.

301-496-4357 (6-HELP) (Local)
866-319-4357 (Toll free)
301-496-8294 (TTY)

I have the VPN client. I import the PCF files however there is no host entry. Only the name comes over and no configuration information. Why is this happening?

The PCF file that you are importing is most likely corrupted, either during the download or because you opened it in a program that altered the file. Download a new copy of the profiles from the VPN Client web site. Save the files to a temporary location on your hard drive. Launch the VPN client software and import the profiles from the temporary location. Accept the overwrite if you are prompted. Verify that the profiles imported correctly by modifying the profile. You should see a host name that cannot be changed, and the password field should be full of asterisks ("*"). If this is NOT the case, your import failed and you will need to contact the help desk for a manual configuration.

I have a Macintosh computer with an Intel processor chip, which VPN client should I use?

Macintosh computers that use the Intel processor chip set must also run Macintosh OS/X operating system version 10.4.xx in order to use the Cisco VPN client. Use version 4.9.xx of the Universal Macintosh VPN client with this type of system. For all other Macintosh OS/X computers, you will need to use the standard PowerPC (PPC) version of the Macintosh VPN client. The PPC version of the client requires OS/X version 10.1 or above. There is no version of the VPN client that is compatible with Macintosh computers running operating systems older than OS/X version 10.1; in such a case you will need to upgrade your operating system in order to use the VPN.

Connection Problems

I am receiving a message telling me that I may not connect to the VPN because the remote peer is not responding and I am getting an error message #412. The VPN client worked fine from my current location until recently. What happened?

We periodically update the VPN client software on these pages in order to correct security holes and client issues. When you make a connection to the VPN concentrator, it checks to see what version of the client you are running. If a new version of the code is available, you are prompted to download that version by using the "launch" button on the notice page that pops up when you connect. You should do this within a few days of receiving the notice. After the new code has been active for a while, the older version of the code will no longer be permitted to make the connection to the concentrator (receiving the #412 error message) and you will have to download and install the latest VPN client from the web site in order to correct your problem. Keeping your software up to date at the time you are initially notified that it needs to be updated will prevent this. Please note that keeping your profiles up to date is also important. Profile changes will be made to coincide with software changes and are periodically necessary in order to maintain network security. Profile changes affect the encryption keys exchanged while the VPN client is active. If you see a notice about updated profiles while you are updating your client software, please update the profile immediately by deleting the old profiles and replacing them with the new profiles. If your profile is out of date, you will not be able to establish a VPN connection.

I am receiving a message telling me that I may not connect to the VPN because the remote peer is not responding. My VPN client works fine from home, but I am using my VPN client from a hotel or at a wireless hotspot. What can I do to connect to the VPN?

The problem with hotels and wireless hotspots is that the company that operates these systems usually locks down the use of their systems to restrict the types of traffic that can be used across them. If you are using the primary VPN profile, your profile has worked at home or elsewhere, and you are not able to make a connection, try the Alternate profile first. If that also fails, try the Worst-Case profile (see the appropriate VPN client for your system for the proper profiles to use). If none of the profiles work at your current location but they work elsewhere, there is nothing that the NCI-Frederick LAN office can do to correct the problem, as the issue has to do with the network from which you are attempting to make the connection.

I am entering my user name into the VPN client and using copy-paste to enter the password so that I do not make a mistake. Yet the system prompts me again and again for my password as if it's invalid. How can the password be wrong when I've used copy and paste?

Using the standard copy and paste functions on a Windows-based computer (and possibly on other operating systems) will not only grab an extra "space" character, but will also embed hidden characters into the password. Since passwords are character-sensitive, and extra spaces and unprintable characters are considered part of the password entered into the password prompt field, the password you entered does NOT actually match your user name's password and the system rejects it. Likewise, entering your user name incorrectly will cause the user name to fail to authenticate. Be sure to only enter your user name and password. If you normally connect to another domain, you may need to use the "NIH\" prefix on your user account name in order for the system to accept the entry.

I have been using the VPN system for some time, but my saved password fails to connect. What's wrong?

All of the VPN client user accounts were disabled on September 18, 2007 and replaced with NIH Active Directory accounts. In order to continue using the NCI-Frederick VPN and Dial-up services, you will need to clear your stored password and use your NIH Active Directory user account and password. To do this, open the VPN Client and select (but do not double-click) the VPN profile. Click the "Modify" button at the top of the page. On the next screen, click the "Erase User Password" button located at the bottom-left, then click "Save". This will clear your stored password and allow you to enter a new user name and password upon your next connection attempt. DO NOT ENTER YOUR USER NAME OR PASSWORD INTO THE GROUP AUTHENTICATION FIELDS. Doing so will prevent you from making the connection to the NCI-Frederick VPN system. The group authentication name, password, and confirm password fields are NOT for user information. If you have changed the group authentication name or password for any reason, you will have to delete your profiles and download replacement profiles from the appropriate VPN client page.

Additionally, the NIH Active Directory passwords automatically expire every 60 days (in accordance with HHS password policies). If you log into your computer onto the NIH domain, or if you possess an NIH E-mail account that you are actively using periodically, you will be notified of the password change. However, if you do not use either of these two services, you will not receive any kind of notification of the password expiring. If your password expires, your account becomes locked until you change the password. This also prevents you from using all remote access services (VPN and dial-up included). To change your password utilize NIH's password web site.

I have an NIH ITAS account and am using that user name and password to try and connect to the VPN. The ITAS account logs into ITAS just fine, but won't connect me to the VPN system. Why is this happening?

The NIH Active Directory System and the NIH ITAS system are interconnected. They use the same user name and password. However, the ITAS system receives a copy of the user credentials every time that the user changes their password. Unlike ITAS, the NCI-Frederick VPN and dial-up system authenticate directly against the NIH Active Directory system, requesting user validation for each request and does not cache these credentials. Should the NIH Active Directory password expire, the ITAS system will continue to work because of the cached credentials. However, the NCI-Frederick VPN and dial-up system will not authenticate the account because of expired passwords. To solve this problem, change your password every 60 days via the NIH Change password system located at http://password.nih.gov. This will keep the VPN and dial-up system up to date as well as your NIH ITAS password. NIH policy mandates that all NIH passwords be changed every 60 days. This mandate includes the NIH Active Directory account that operates ITAS, NIH login, NIH e-mail, and the NCI-Frederick remote access systems (VPN and dial-up).


Usage Problems

I can connect to the Internet just fine without the VPN client and I can connect to the VPN system as well. However, after connecting, I cannot seem to do anything. What's wrong?

This problem happens most often when your computer is behind a firewall or a router instead of a pure cable or DSL modem. It may also occur if you are using security software on your computer that prevents the normal flow of traffic (such as the Norton or McAfee protection suites, ZoneAlarm, or Black Ice). To determine if this is the cause, connect with the VPN client and attempt to browse to the http://www.ncifcrf.gov web site. If you cannot connect to the site, select the "Status" menu bar item and choose "Statistics". Click on the "Tunnel Details" tab at the top of the window and look at the "Bytes" section. If you see a zero (0) in the "received" field, your connection is experiencing this problem and you need to configure your software and/or firewall to permit the VPN traffic to flow.

In order to correct this problem, your security software must permit the VPN software full access to the Internet. If you are using a firewall or router, it must permit ALL of the following types of traffic:

  • Protocol 6 (TCP) - port 10000
  • Protocol 17 (UDP) - port 500
  • Protocol 50 (ESP) - all ports
  • Protocol 51 (AH) - all ports

Check your owner's manual for your security software, firewall or router for information on how to make these changes. Note that Protocol 50 (ESP) and 51 (AH) are synonymous with the term "IPSec". If your router or security software specifically has an option to permit IPSec VPN traffic to pass, you must enable this option in order for the VPN client to work. This is especially true of wireless connections using Linksys brand hardware, but may also apply to other brands of security software, firewalls and wireless routers.
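The two checks above (a profile import that "loses" its host, and a firewall that must pass the four protocol/port entries) can be made before touching the client. The script below is an added example written for this page, not code from NCI-Frederick or Cisco. It assumes the INI-style key names of the Cisco VPN Client 4.x .pcf format (Host, GroupName, enc_GroupPwd/GroupPwd, SaveUserPassword, TunnelingMode, TcpTunnelingPort) and that TunnelingMode=1 selects IPSec over TCP while 0 selects the UDP/ESP/AH path; both sample profiles are constructed placeholders.

```python
"""Sanity-check a Cisco VPN Client .pcf profile before importing it.

Added example, not from the NCI-Frederick page. Assumed: Cisco 4.x
.pcf key names, and TunnelingMode=1 meaning IPSec over TCP (the TCP
port 10000 entry), TunnelingMode=0 meaning IKE on UDP 500 plus ESP/AH.
"""
import configparser
from typing import Dict, List

# Constructed sample of a healthy profile. Real profiles carry an opaque
# enc_GroupPwd blob; the value here is a placeholder, not a real secret.
GOOD_PCF = """\
[main]
Description=NCI-Frederick primary (constructed sample)
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
enc_GroupPwd=0000PLACEHOLDER0000
SaveUserPassword=0
EnableNat=1
TunnelingMode=0
"""

# Constructed sample of a profile damaged in download: only the name
# survives, which is the "no host entry" symptom described in the FAQ.
CORRUPT_PCF = """\
[main]
Description=NCI-Frederick primary (constructed sample)
"""


def parse_pcf(text: str) -> Dict[str, str]:
    """Parse the [main] section of a .pcf file into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)  # blobs may contain '%'
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return dict(cp["main"]) if "main" in cp else {}


def check_pcf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the profile looks intact."""
    p = parse_pcf(text)
    problems: List[str] = []
    if not p.get("Host", "").strip():
        problems.append("missing Host: profile is corrupt, download a fresh copy")
    if not p.get("GroupName"):
        problems.append("missing GroupName: group authentication cannot succeed")
    if not (p.get("enc_GroupPwd") or p.get("GroupPwd")):
        problems.append("missing group password: the client will show an empty field")
    if p.get("SaveUserPassword", "0") != "0":
        # The FAQ recommends clearing stored passwords after the account cut-over.
        problems.append("SaveUserPassword enabled: a stale stored password will be rejected")
    return problems


def required_firewall_rules(text: str) -> List[str]:
    """Map the profile's transport to the entries the FAQ says a home firewall must pass."""
    p = parse_pcf(text)
    if p.get("TunnelingMode", "0") == "1":  # assumption: 1 = IPSec over TCP
        return [f"TCP (protocol 6) port {p.get('TcpTunnelingPort', '10000')}"]
    return ["UDP (protocol 17) port 500", "ESP (protocol 50)", "AH (protocol 51)"]


if __name__ == "__main__":
    for label, pcf in (("good", GOOD_PCF), ("corrupt", CORRUPT_PCF)):
        print(label, "->", check_pcf(pcf) or "OK", "| needs:", required_firewall_rules(pcf))
```

Run it against a downloaded .pcf (read the file and pass its text to check_pcf) before importing; an empty problem list plus a host name that the client shows as read-only is the same confirmation the FAQ describes.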

Windows users should properly configure their Windows Firewall by selecting their "Start" menu and choosing the "Control Panel" option. Then select the "Exceptions" tab and add the "Cisco VPN Client" to the "programs list" as well as the above ports to the "Ports" list.

Please be aware that security updates installed by Windows Update or any updates that affect installed security software (McAfee, ZoneAlarm, Norton, etc.) may change your existing settings to the point of preventing the VPN from being used. If your system was connecting just fine to the VPN and you've installed one of these updates, check your security settings. You may need to re-configure them in order for the VPN to work properly.

Additionally, it has been discovered that not all wireless device drivers are compatible with the VPN client. This is especially true of the DELL drivers for wireless radios. To ensure proper connection and use of the VPN client software, be absolutely sure that your network adapter or wireless radio adapter drivers are up to date. To do this, go to the vendor's web site that is associated with the adapter and make sure that you have the most up to date drivers and BIOS software installed. If you've recently re-installed your computer to factory settings and the VPN no longer works, the driver is the most likely culprit and must be updated prior to contacting the help desk for assistance.

I have two computers at home and want to VPN with them both at the same time, from a home broadband connection (cable or DSL modem). However, whenever one is using the VPN and the second computer's connection is made, the first computer loses the VPN connection. What is happening and why can I not make two VPN connections at the same time?

When you order a high speed connection for your house, your Internet Service Provider (ISP) only grants you a single connection to the Internet at a time. Under normal use, your computer is connected to the ISP through a cable (or DSL) modem that attaches directly to the ISP source and your computer without any ability to connect additional devices.

By purchasing a router or wireless router for your system, you configure your connection with the ISP to share the single address with all systems in your household. For most applications (such as web and e-mail), this does not pose a problem. However, the VPN client uses a special, dedicated, connection type to communicate with the VPN concentrator. Most routers that you purchase for home use simply cannot handle more than one IPSec VPN connection at the same time. This is a limitation of the router hardware.

There are two options to correct the problem. The first is to use the Alternate profile on BOTH of the VPN connections. This may or may not work depending upon your hardware. The second option is to pay your ISP for a business class Internet connection. A business class connection gives you more Internet addresses from your ISP. In such a case, you have two (or more) Cable (or DSL) modems and no router. Each modem receives its own Internet address and your VPN software can be used on both at the same time. Note that this usually requires you to pay more money to your ISP. It is therefore recommended to try the alternate and worst-case profiles BEFORE you spend the extra money on additional high speed lines.

Why does putting my computer to sleep (hibernate mode) lock-up my system when I am running the VPN client? Shouldn't the client resume when I wake the computer up?

To make an analogy, consider the VPN tunnel to be a drawbridge crossing a large river (the firewall that protects our systems from the Internet is the river, and the client is the bridge that allows you to cross that river). When you want to cross the river (our firewall), you lower the drawbridge (activate the VPN client) and allow traffic to pass (bypassing the firewall to our network). When you are finished, you raise the drawbridge (disconnect from VPN) and no traffic passes (the firewall blocks it). When you put the computer to sleep or enter hibernate mode, you effectively drive an oil tanker smack into the middle of the drawbridge. While this has the effect of raising the drawbridge (breaking the VPN tunnel connection) as expected, the bridge is broken and needs to be repaired (in this case, the computer needs to be rebooted and there is the potential that your account needs to be reset).

The only solution is to prevent the problem by disconnecting from the tunnel prior to putting the system to sleep or entering hibernate mode. You do NOT have to shut down the VPN software to do this. For Windows based systems, simply double-click on the open VPN client (it should appear in the right-hand area of your quick-action bar at the bottom of your screen), then click the "Disconnect" button at the top of the VPN client panel. For Macintosh based systems, simply click the "Disconnect" button. For Unix based systems, issue the appropriate command (see the VPN Client user's manual for details). This will gracefully sever your link. Then, proceed as usual with putting your system to sleep. Upon waking your system, re-activate the VPN connection as usual to continue your session.

I have the Windows VPN client and I am being told that my VPN client software is out of date. Yet when I download and install the updated client, it is the same version as the current version that I am running. I then get into an infinite loop of being told that I need to download the client. What's wrong?

One possibility is that, although you downloaded the new client, when you launch the update your system needs to run the old client un-installer first. This will have the appearance of installing the old client software instead of the new. The old client version will show up to perform an un-install. After that version has completed its un-install, you will be prompted to reboot your computer. Upon restarting, the new client will automatically launch and begin its installation. Allow this to complete and you will be prompted to reboot a second time. After the second reboot, your new VPN client is ready to use. However, if you do not allow this process to complete entirely, you will be prompted again and again until you complete the process. This will have the appearance of entering an infinite loop.

A second possibility is that you have downloaded the correct client but still have an older client installer on your system and instead of launching the new installer, you are in fact launching the old installer. Check this by verifying that you are using the correct installation version by opening the README.TXT file in the installation folder. Compare this version number to the version number on the web site. If they do not match, you are in the wrong installation directory. Delete this directory, download the new client into a location that you write down, and open the new client directory and installer.

All pages Copyright © 1998-2005 NCI-Frederick Communications.
All material and graphics copyrighted to their respective owners.