2factor VPN - Frequently Asked Questions
The 2factor VPN service uses the Cisco AnyConnect VPN Client to establish its tunnel. This document explains some frequently asked questions about the 2factor VPN.
If you have a question not addressed below, please contact Jeff Savoy and Linda Pruss.What networks are being routed over the SSL split-tunnel?
As of 11/07/2000, traffic being exchanged between the below hosts/networks will be routed over the SSL tunnel:
Why a split-tunnel and not a dedicated tunnel?
Initially, the VPN will be implemented with a split tunnel for performance considerations, eg avoid having a majority of non restricted network activity going through the VPN concentrator which is a bottle neck.
Can I add another network or host to be routed through the VPN concentrator?
Please send your request to Jeff Savoy and Linda Pruss.
Why are you only offering the AnyConnect SSL tunnel option?
For ease of support, we are initially only using the AnyConnect SSL client and not IPsec clients, etc.
Is there a fail-over equipment installed for this service?
A duplicate VPN concentrator is configured in active/passive mode with the primary concentrator.
Why are we not using the NetID password in the AnyConnect connection establishment dialog box?
The authentication for this service is being done via the installed user PKI certificate. Currently, the AnyConnect needs the NetID entered in the connection establishment dialog box for identification purposes. In addition, it requires a password text entered (if not cached) thus we chose to use the NetID in this field as well.
What if I want to establish VPN connections from multiple machines, eg multiple office machines, home, etc?
You will need your PKI certificate installed on multiple machines ("soft token") or install on multiple smart cards, eg eToken, etc. Each user is assigned one IP number, therefore only one machine at a time can be connected to the VPN. If you need more than one machine to connect to the VPN at the same time, please contact Linda Pruss and Jeff Savoy.
Can I run the WiscVPN IPsec client on the same desktop (operating system instance) as the AnyConnect client?
No. This will cause conflict and the AnyConnect may stop working. If so, you may need to fully quit both the WiscVPN IPsec client and AnyConnect client and restart just one of them.
Can I run the WiscVPN IPsec client on a virtual operating system
on my desktop and the AnyConnect client on the host operating system at
the same time?
Maybe. In testing, we were able to run the MacOSx AnyConnect client on the host at the same time that we had a WiscVPN IPsec client running on a Windows XP Parallels virtual machine (in NAT mode).
When should I establish the AnyConnect connection?
It depends. Some staff may consider establishing the connection first thing upon arriving at work and any subsequent accesses that they make to select restricted servers (as listed in Question 1 above) will automatically be routed though the VPN concentrator. Alternatively, staff can establish the AnyConnect connection upon needing to make a connection to a select restricted server.
Who can I call for VPN support?
For VPN support for AnyConnect client, you can contact the Help Desk, be sure to specify you are using the 2factor VPN service. Any questions about the WiscVPN service should also be sent to the DoIT help desk.
I have multiple AnyConnect vpn IP addresses, can I pick which one I receive?
In general, no. Staff with multiple IP addresses are assigned an IP address "pool", eg IP address A, B and C. When you login, you will be assigned A. If you logout and quickly login again, you will be assigned B, etc.