Frequently Asked Questions

General Questions

About the VPN Service

  • When and why should I use VPN?

Virtual Private Network (VPN) provides secure, authenticated remote access to campus networks and services. This means you can access servers and other systems that require some security while you are off campus anywhere in the world. While connected through VPN, your computer will appear as any other on-campus computer. All network traffic between your system and campus is encrypted to protect it from electronic eavesdropping. Use VPN when you need to connect to campus resources that would otherwise be unavailable on distant networks, such as file servers and print services. VPN provides an added layer of security for some services (FTP, Webmail, etc.). This is useful when you're working with a possibly untrustworthy network, for example, in hotels or airports. VPN transports any network service without special settings. File sharing, printing, remote desktop, SSH, FTP, telnet, and Web-based services have all been tested with VPN.

  • How does VPN work?

VPN authenticates your identity and affiliation with Cornell using your NetID and password, and then sends all your Cornell-related traffic through an encrypted "tunnel" to campus. Non-Cornell traffic follows your normal network path and does not enter the Cornell network. Campus resources will "see" your VPN-connected system as a computer on campus with an IP address in the range 128.84.32.0 to 128.84.35.255.

  • Who can use VPN?

Cornell faculty, staff, students, and affiliates with valid NetIDs can use VPN. If you need to use VPN and you don't fall into one of these categories (for example, you're a contractor), you may be eligible for a sponsored NetID. Contact the department you're working with for more information. Details about sponsored NetIDs are found on the NetID page.

  • Where can I use VPN?

You should be able to use VPN from any Internet-connected network, anywhere in the world. Notes: If you are on campus, you can only use VPN with RedRover. If you're on campus and get an error message, make sure you're using RedRover. VPN does not work with EZ-Remote.

  • What is the difference between VPN and VNC?

VPN stands for Virtual Private Network, and it's a means of securely connecting individual users at remote locations (at home, or while traveling) with resources on campus over public communication lines that might otherwise not be secure. VNC, or Virtual Network Computing, allows you to connect to and control a computer from a remote connection. For example, you could use VNC from your home computer to remotely control a desktop computer on campus.

About Departmental VPN

  • Does CIT intend to package the Cisco client with all of the available department VPN pools so that end users will not have to obtain the configuration file themselves?

This option has been discussed, and there are no plans to pursue it at this time. Although it offers some convenience for the end user, it is problematic for several other reasons. First, the list of departmental VPNs is always in flux as pools are created and retired. End-user lists would be out-of-date almost as soon as they were published. Also, as the number of departmental VPNs grows, end-user lists would also grow and very possibly become unwieldy in an institution of our size. Lastly, and perhaps most importantly, most departments seek to keep their security-related information private. As a result, there's general unease about making public to end users a list of all the departmental VPNs that exist across campus.

Technical Questions

  • What operating systems are supported?

      • Windows XP and 2000
      • Windows Vista (32-bit only)
      • Mac OSX, version 10.4 or higher

A 64-bit VPN client is not available from Cisco. CIT is exploring secure remote access alternatives for users of Windows 64-bit edition operating systems. We are sorry for the inconvenience. To download the software, see the Installing VPN page. 

  • What VPN software can I use?

To use VPN with Cornell campus networks and services, you must use the Cornell Cisco VPN software. Built-in Windows and Mac OSX software don't work. If you have used another VPN service, you must uninstall it before you install and use the Cornell Cisco VPN software. For more information or to download and install the software, see the Installing VPN page.

  • Can I use Linux VPN software?

Linux users can use VPN software, but the Linux client is not supported by CIT. If you want information about using a Linux VPN client, go to the Linux VPNC page.

  • Will the installation of the Cisco VPN client cause other clients on the same machine to fail?

We know of no conflicts with operating-system-shipped clients. That is, even if you have a preconfigured session entry for either the Mac or the Windows native clients, installation of the Cisco client should not cause any problems.

Installation of two third-party VPN clients on the same computer, on the other hand, almost always causes problems. The consequences of having more than one third-party VPN client installed range from neither client working to disruption of the operations of the computer itself. 

If you already have a Cisco client version 4.0 or higher, use our PCF, not a whole new installation. If you already have any other third-party VPN client installed, you will have to decide which one is more important to have: that one or ours. If you decide you want to install ours, you must uninstall the previous one first.

VPN Features and Behavior

  • Does VPN offer virus protection?

Not at present. While VPN provides considerable security against network eavesdropping, it does not offer security against other Internet threats. For information about protecting your computer from viruses and other attacks, see the CIT Security page.

  • How long can I stay connected with VPN?

VPN sessions are limited to 8 hours. After 8 hours, the connection closes automatically. To continue working, connect again. You'll need to enter your NetID and password again. There is no limit on how often you can connect through VPN. For connection instructions, see Connecting to Campus with VPN.

  • When I'm connected with VPN, everything is slower.

It's possible that you'll experience some system slowness when you're using VPN. If you think you're experiencing a serious speed issue (for example, your service is significantly worse than your regular internet service), contact your technical support provider. Please be able to provide your NetID, time you logged into VPN, your operating system, and your IP address. (To find your IP address, check http://myipaddress.com or http://www.whatismyipaddress.com.)

  • Why does connecting take such a long time?

Your client is negotiating an encrypted connection with the VPN concentrators. Agreeing on your identity, cipher, key material, and then pushing Cornell's network configuration to the client does take a perceptible length of time, but it's necessary for the service to work.

  • Why don't computers outside see my computer as part of the Cornell network when I'm connected to the VPN?

While you're connected through the VPN, only traffic to and from Cornell resources is routed through the VPN. Systems, sites and servers outside Cornell will continue to see your ISP's address, even when you're connected through the VPN. So if you're in a hotel room and connected to the VPN while you check your Cornell e-mail and place an order with an on-line retailer, you will appear to have a Cornell IP address when you check your mail and at the same time appear to have the hotel ISP's IP address to the people you are placing your order with.

This is a configuration called, variously, split tunneling or split horizon. In this mode, traffic destined for Cornell's networks is sent through the VPN tunnel. Traffic destined anywhere else is sent through your default Internet connection. Computers outside Cornell see you as part of that ISP network for this reason.

The rationale behind split tunneling is that it's inefficient to haul all your Internet traffic through the VPN, receive it at Cornell, then send the results back to you. Not only would that create bandwidth concerns, it would bring privacy concerns as well.
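The routing decision described above, and the address each side ends up seeing, as an added example (not CIT's or Cisco's code). Only the VPN pool range comes from this page; the tunneled prefix, the ISP address and the assigned tunnel address are constructed stand-ins.

```python
import ipaddress

# From the page: VPN clients receive an address in 128.84.32.0 - 128.84.35.255.
VPN_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("128.84.32.0"),
    ipaddress.ip_address("128.84.35.255"),
))  # collapses to a single CIDR block

# Constructed values (assumptions, not Cornell's real configuration).
TUNNELED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for campus networks
ISP_ADDRESS = ipaddress.ip_address("203.0.113.25")     # address given by the hotel or ISP
TUNNEL_ADDRESS = ipaddress.ip_address("128.84.33.17")  # address assigned from the VPN pool


def build_routes(tunneled_prefixes):
    """Client routing table: default route via the ISP plus one route per tunneled prefix."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "default")]
    routes += [(net, "tunnel") for net in tunneled_prefixes]
    return routes


def select_path(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, path) for net, path in routes if dest in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def apparent_source(dest, routes):
    """Source address the destination sees for this client."""
    return TUNNEL_ADDRESS if select_path(dest, routes) == "tunnel" else ISP_ADDRESS


def in_vpn_pool(addr):
    """Server-side check: does this client address come from the VPN pool?"""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in VPN_POOL)


if __name__ == "__main__":
    routes = build_routes(TUNNELED_PREFIXES)
    for dest in ("198.51.100.10", "192.0.2.80"):  # constructed campus and outside hosts
        src = apparent_source(dest, routes)
        print(dest, select_path(dest, routes), src, in_vpn_pool(src))
```

A campus service that restricts access by source address can use the same `in_vpn_pool` check to recognize VPN-connected clients in its logs.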

Issue-Related Questions

Connection Issues

  • I'm having trouble getting connected.

Please see Troubleshooting.

  • VPN isn't working with my satellite Internet service.

VPN is not supported on the lowest level package for some satellite Internet services, for example, Hughes. If you're using one of these services, you may have to upgrade to a higher package before you can use VPN. Contact your Internet Service Provider for more information.

  • Can I use VPN with EZ-Remote?  

VPN does not work with EZ-Remote. EZ-Remote uses an on-campus IP address, rendering VPN redundant.

  • Why can't I connect to the VPN from on-campus?

The VPN is intended to provide remote access to campus. As such, its understanding of the network consists of an "inside" and an "outside." When you try to use it from on-campus, it's seeing a client on the inside trying to reach the inside network. As such it doesn't understand how to route traffic to your client to make that connection work. For a few networks, like RedRover and RedRover-Secure, the VPN appliances have been configured to treat those networks as external to Cornell. You can use those services to connect to the VPN for the purposes of testing.

  • I am unable to access a particular journal, database, or library resource via VPN. I can usually get to it when I am on campus.

Due to licensing restrictions, people using VPN may need to authenticate themselves via CUWebLogin before accessing certain electronic resources provided by Cornell University Library. All links from the library website and catalog should automatically check for authentication and enable proxy access. If, while connected via VPN, you are unable to access licensed resources that are linked from the Library website or catalog, please contact Cornell Library via its Technical Problem Report Form.

Client-Related Issues

  • Why is there no Vista 64-bit VPN client?

A 64-bit VPN client is not available from Cisco. Cisco made a strategic decision to provide minimal development effort for the 64-bit clients in an effort to shift customers toward an SSL-based VPN and away from more traditional IPSec VPNs (like Cornell's). Given that decision, we simply don't have a source for a VPN client for 64-bit Windows platforms. CIT is exploring secure remote access alternatives for users of Windows 64-bit edition operating systems and hopes to introduce a solution in the next release of VPN.

Error Messages

  • I'm getting an error "Error 442 - Failed to enable virtual adapter."

1. Deinstall your VPN client.
2. Activate your Vista Administrator account:
   a. Right click on Computer and choose Manage.
   b. Select Computer Management (Local) > System Tools > Local Users and Groups > Users.
   c. Double click the Administrator user.
   d. Uncheck "Account is disabled."
   e. Right click on the Administrator user.
   f. Choose "Set password."
   g. Enter a password for the Administrator user.
3. Restart, then log into the administrator account.
4. Install the VPN file by right-clicking on it, then choosing "Run as Administrator."
5. After the installation finishes, restart again.

  • I'm getting an error message "412 Remote Peer is no longer responding."

The VPN concentrator dropped your connection. Many things can cause this, such as being on campus, having an unreliable Internet link, using a transparent tunneling protocol (TCP or UDP) that doesn't work well on your Internet link, and so on.

  • I'm getting an error message "Error 5 No host name for this connection entry. Unable to make VPN connection."

This error can sometimes be rectified by running Disk Utility, and then Repair Permissions.