Some of the more common issues that may be encountered are covered below.
- Unable to connect to Engineering hosts without specifying their Fully Qualified Domain Name (FQDN)
- Installing a missing QuoVadis Root CA 2 G3 certificate on Windows
- IKE authentication credentials are unacceptable when trying to connect to the VPN on Windows
- Unable to connect to the VPN when at Engineering
- Other troubleshooting resources
- Technical/generic information for making connections
Unable to connect to Engineering hosts without specifying their Fully Qualified Domain Name (FQDN)
To communicate with hosts on the Engineering network when connected to the Managed VPN Service you will need to refer to them using their Fully Qualified Domain Name (FQDN) instead of the unqualified name, for example mypc.eng.cam.ac.uk as opposed to simply mypc.
This is a known limitation of the StrongSwan implementation used by the UIS Managed VPN service: it is not possible to pass attributes relating to the connection-specific DNS suffix or search domain name to the client during the negotiation that takes place between the client and the VPN server when the VPN connection is established. While proprietary attributes exist for the IKEv1 protocol, and were used with Engineering’s previous Cisco VPN implementation, these are not supported by the UIS service. There is no standard provision for similar attributes in StrongSwan using IKEv2, which is now the default for Windows clients and is likely to be the preferred choice for other clients in the future.
Installing a missing QuoVadis Root CA 2 G3 certificate on Windows
There may be issues establishing a connection that are caused by the QuoVadis Root CA 2 G3 certificate being missing from the list of Trusted Root Certification Authorities on Windows. The following procedures describe how to install the required certificate.
Basic certificate installation:
The following procedure is the preferred installation process and should work for most scenarios:
- Download a copy of the QuoVadis Root CA 2 G3 certificate file from here and copy it to the machine where the certificate is to be installed.
- Double click on the certificate file to open it and click Install Certificate….
- The Certificate Import Wizard should start, click Next to continue.
- Ensure that Automatically select the certificate store based on the type of certificate is selected and then click Next to continue.
- A summary screen will be displayed, click Finish to proceed with the certificate installation.
- You should see a notification that The import was successful.
- Click OK to finish.
Advanced certificate installation:
Unfortunately Windows does not report when the installation of a certificate into the Trusted Root Certification Authorities store has failed during the import process; instead it often silently stores the certificate in the list of Intermediate Certification Authorities, where it cannot be used as intended. In this situation the following procedure should be used to install the required certificate:
- Download a copy of the QuoVadis Root CA 2 G3 certificate file from here and copy it to the machine where the certificate is to be installed.
- Right click the Internet Explorer icon and select Run as administrator. You may need to click Allow and/or provide the administrator password at this point.
Note: Running Internet Explorer when logged in as an administrator is not the same as right clicking the Internet Explorer icon and selecting Run as administrator. If this option is not available you may have to use either the Internet Explorer shortcut in the Quick Launch toolbar next to the Start Menu or the shortcut in the Start Menu itself.
- From the Tools menu select Internet Options.
- Select the Content tab and then select Certificates in the certificate section.
- Select Import to start the certificate import wizard.
- Click Next and then Browse to locate and select the certificate file downloaded in step 1, followed by Open and Next.
- Select Place all certificates in the following store and then click Browse.
- Select the Show physical stores option, expand the Trusted Root Certification Authorities section and then select Local Computer.
- Click OK followed by Next and then Finish. You should see a confirmation dialogue telling you that The import was successful.
- Verify the certificate has now been installed by selecting the Trusted Root Certification Authorities tab and checking that QuoVadis Root CA 2 G3 now appears in the list.
- Click Close to return to the Internet Options dialogue.
- Click OK and then exit Internet Explorer.
IKE authentication credentials are unacceptable when trying to connect to the VPN on Windows
If you receive an error when verifying user name and password during a connection attempt on Windows stating ‘IKE authentication credentials are unacceptable’ or ‘Error 13801: IKE authentication credentials are unacceptable’, the most likely cause is a missing QuoVadis Root CA 2 G3 certificate. See the guidance above on installing the required certificate.
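The check behind both the advanced installation procedure and the Error 13801 guidance above, as an added PowerShell example (not part of the original page): it reports which certificate stores hold QuoVadis Root CA 2 G3 and, if the Local Computer Trusted Root store lacks it, imports the downloaded file there. The file path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: find out where Windows actually stored the certificate and
# import it into the Local Computer trusted root store if it is not there.
$CertFile = 'C:\Temp\quovadis-root-ca-2-g3.cer'   # assumption: where the download was saved
$Name     = 'QuoVadis Root CA 2 G3'

# Root = Trusted Root Certification Authorities
# CA   = Intermediate Certification Authorities (where a silent mis-import ends up)
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

function Find-VpnRootCert {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*CN=$Name*" } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

$found = @(Find-VpnRootCert)
$found | Format-Table -AutoSize

if ($found.Store -contains 'Cert:\LocalMachine\Root') {
    Write-Host "$Name is present in the Local Computer trusted root store."
} else {
    if ($found.Store -contains 'Cert:\LocalMachine\CA' -or
        $found.Store -contains 'Cert:\CurrentUser\CA') {
        Write-Host "$Name was found only in an Intermediate store, where the VPN client cannot use it."
    }
    # Show the file's thumbprint so it can be compared with the value published
    # by the issuing CA before the certificate is trusted machine-wide.
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    Write-Host "Certificate file subject: $($fileCert.Subject)"
    Write-Host "SHA-1 thumbprint:         $($fileCert.Thumbprint)"
    if ((Read-Host 'Import into Local Computer trusted roots? (y/n)') -eq 'y') {
        Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root'
        Find-VpnRootCert | Format-Table -AutoSize   # confirm the new location
    }
}
```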
Unable to connect to the VPN when at Engineering
If you are already connected to the network at Engineering, either via a wired connection or via wireless to the CUED wireless network, then you will be unable to connect to the VPN Service. This behaviour is to be expected. As you are already connected to the internal Engineering network you should not require a VPN connection to access internal network resources.
Other troubleshooting resources
The University Information Services have a troubleshooting section relating to the Managed VPN Service that can be found at the following location:
Technical/generic information for making connections
The University Information Services have a section relating to technical aspects of the Managed VPN Service that can be found at the following location: