The VPN stuff works by coming into the Altiga box, 12.44.168.66 for San Jose (our former address was 205.243.24.68) and 12.158.6.2 for Lisle. The VPN uses the Windows Domain Controller (is this the right term?) on digital (also replicated on tiger) to do its authentication.

The Delphion-internal side of the Altiga box is sjvpn=10.224.88.239, which is what you point a web browser to in order to administer it. The userid/password you need to get in is admin/1adapter.

=========================================================================

For info on getting VPN to work under/with Windows ME, see
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

The installer is MSL2TP.EXE

=========================================================================

To change one's VPN password, get a "Terminal Services" window open to either digital or tiger, and launch "Active Directory Users and Computers", which you can find either on the desktop or under "Programs", "Administrative Tools", "Active Directory Users and Computers".

Expand "sanjose.delphion.com" in the left-hand window if need be, and click on "Users". Scroll down to find your person and right-click, "Reset Password..."

=========================================================================

You have the alternative of using Lisle's VPN instead of San Jose's by creating another VPN connection and pointing it at Lisle's VPN server. The authentication is replicated between Lisle and San Jose, so all userids and passwords should stay in synch.

=========================================================================

The VPN logs are kept on loon via the syslog daemon. You can check the /etc/syslog.cnf file for certain, but the log is at /var/tmp/vpnsys.log. This is useful for watching VPN authentication traffic.
=========================================================================

To approve a Pending Certificate, get a "Terminal Services" window open to digital (password = adapter) and launch the "Certification Authority" program that's on the desktop. Under the "Pending Requests" tab, you should see the pending request you want to approve. Move the mouse to it and right-click it to see "All Tasks", and from there, you can "Issue" (i.e. approve) it.

=========================================================================

When following the "How to Configure & Install VPN" directions from w3, you get into trouble when installing the Delphion certificate and marking it as a trusted root certificate. The problem is, the Delphion certificate is not in that list of 132 or so Trusted Root CA certificates.

Mike said there are 4 solutions to this. (#1 is best, #3 is second best)

1) Don't use encryption/certificates at all. A lot of folks are doing this 'cause they can't do encryption from home 'cause it's NAT'd.

2) Use MMC. Follow the write-up in that w3 page to "Add the Snap-In", then you should see your certificate under
      "Certificates (Local Computer)" "Personal" "Certificates"
   Somehow, Mike said you can "find" your cert and "move" it to
      "Certificates (Local Computer)" "Trusted Root Certification Authorities" "Certificates"
   But when Sander tried this, he couldn't get it to work. Not sure why.

3) Export the Delphion certificate, either from the digital "Certification Authority" program, or (what I did) from another machine that has this already installed (that is, under MMC, right-click on
      "Certificates (Local Computer)" "Trusted Root Certification Authorities" "Certificates" "Delphion Certificate Authority")
   Now you get it to, and install it on, the target machine, e.g. ftp in binary mode from /afs/d/u/jasper/aixnotes/vpn.Delphion.cert. To import it, again under MMC, right-click the "Trusted Root Certification Authorities" folder, select "All Tasks", select "Import..."
4) Copy an existing, working, installed certificate to the new machine (I didn't know you could do this). Under MMC, export both your personal certificate and Delphion's trusted root certificate. Get it to the target machine, and under MMC, import both.

=========================================================================

Those w3 instructions presume you're requesting & installing a certificate from within the San Jose office, thus having access to digital (10.224.88.249). If you're trying to do this from home or the Internet, you won't be able to resolve digital, much less connect to it.

The solution to this problem is to use 12.44.168.72 instead of digital in your web browser. Mike set this up specially for this purpose. Incoming https requests to this port get forwarded to digital.
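
=========================================================================

Solutions 3 and 4 above move the Delphion root certificate between machines by hand (e.g. ftp in binary mode). The following is an added example, not part of the original notes: it checks the transferred file against a fingerprint taken on the exporting machine before the file is imported as a trusted root, and shows what an ASCII-mode transfer does to a binary export. The SHA-256 choice, the function names and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for an exported DER file (NOT a real certificate).
# It deliberately contains 0x0A and 0x0D bytes, as real DER usually does.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))


def to_pem(der: bytes) -> bytes:
    """Base64 ("PEM") form of the same bytes, as a Base64 export produces."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def ascii_mode(raw: bytes) -> bytes:
    """Simulate an ftp ASCII-mode transfer that rewrites LF as CRLF."""
    return raw.replace(b"\n", b"\r\n")


def fingerprint(raw: bytes) -> str:
    """SHA-256 of the DER encoding, whether the file is PEM or binary DER."""
    m = PEM_RE.search(raw)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else raw
    return hashlib.sha256(der).hexdigest()


def safe_to_import(raw: bytes, reference: str) -> bool:
    """True only if the file matches the fingerprint read from the source."""
    wanted = reference.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(raw), wanted)


if __name__ == "__main__":
    ref = fingerprint(SAMPLE_DER)  # taken on the exporting machine
    print("binary DER  :", safe_to_import(SAMPLE_DER, ref))
    print("ASCII DER   :", safe_to_import(ascii_mode(SAMPLE_DER), ref))
    print("ASCII Base64:", safe_to_import(ascii_mode(to_pem(SAMPLE_DER)), ref))
```

A binary export damaged by an ASCII-mode transfer fails the check, while a Base64 export survives the line-ending change because whitespace is dropped before decoding.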