Summary: If you need to connect to UCInet from off campus, Virtual Private Network (VPN) may be the solution for you. VPN allows you to connect to on campus-only resources like the Library and encrypts the information you are sending over the network, protecting your data.
Peer-to-peer file sharing services and other high-bandwidth applications should not be used while using the VPN service. You may be automatically blocked from using the VPN if your bandwidth exceeds the maximum bandwidth limit.
3 Ways to Access the VPN
2. VPN Software
- Download the VPN Software (Login Required)
- How to install and configure the VPN Software
VPN Software Versions
|Windows Vista-10 AnyConnect 32/64 bit||3.1.11004||October 2, 2015|
|Mac OS 10.8, 10.9, 10.11 - AnyConnect 32/64 bit||3.1.11004||October 2. 2015|
|Mac OS 10.6 - 10.7 AnyConnect Intel 32/64 Bit||3.1.05182||October 21, 2014|
|Linux AnyConnect 32/64 bit||3.1.11004||October 2, 2015|
3. iOS and Android VPN
Network Traffic Encryption
When you connect to another site using a VPN, your traffic is encrypted so that if anyone intercepts the traffic, they cannot see what you are doing unless they can break the encryption. Your traffic is encrypted from your computer through the network to the VPN concentrator hardware at UCI. At that point the traffic is un-encrypted and sent out over the campus network. If you are using software like ssh, your traffic on the campus network is still encrypted because ssh encrypts its traffic.
Access UCI Resources
When you are using a VPN connection, it will appear to systems on campus that you are also on campus – you will have a UCI IP address instead of the one you have at home. This allows you to connect to resources that you would not be able to from home, and bypass any port blocking at the campus border router.
Windows File Shares
The VPN offers a way for authorized users to mount Microsoft Windows file shares from off campus. As of November 5th, 2002, aVPN is required to use “shares” from outside of UCInet because of special port blockades.
You need VPN if:
- You mount a Windows disk share from your work computer on your home computer.
- You need to access restricted services.
- You use network protocols like NetBIOS to a host or service on campus.
- You are using a public network, (for example, in a hotel, coffee shop, or airport), especially if it is a wireless network.
You don’t need VPN if:
- You check your UCI e-mail via IMAP with SSL/STARTTLS encryption.
Downsides to using VPN if it is not needed.
- Slows down your connection
- Uses resources others could be using
- Adds a step to connect to UCI
VPN service can be connected from any off-campus Internet location or UCInet Mobile Access (wireless) network. It will not work from the campus dial-in modems or any host on campus.
UCI has two types of VPN tunnels, a “split” tunnel and a “full” tunnel.
The “split” tunnel only sends traffic destined for UCI over the VPN connection. All other traffic goes through your normal cable modem/dsl connection. Use the “split” tunnel for connections to and from UCI only. If you are using online Library resources, use the “full” tunnel.
It allows you to talk directly to the Internet, but when your machine “talks” to UCI network addresses the traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address.
This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives and other ports used by Microsoft Windows). Only traffic to/from UCI is sent through the VPN connection, so if you were to access Yahoo, it would go through your regular network connection (cable modem, dsl, etc).
The “full” tunnel sends all your internet traffic through the VPN connection, and then out to the internet through UCI’s connection.
The “full” tunnel is useful for people who need to access sites off-campus that need a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can’t get to it with a split tunnel because it’s off campus and your off-campus packets aren’t network address translated to UCI addresses. By using the “full” tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI’s internet connection.
You should use the “full” tunnel VPN connection with care since heavy use can cause an increase in UCI’s internet connection costs, and is likely slower than the split tunnel method.
Once you bring up your VPN client and initiate a connection, you will remain connected as long as you’re actively using it. If the connection is idle for one hour, it will “timeout”. If you are not going to use your computer, it is best to take down the connection yourself, to free-up a tunnel for someone else to use. In either case, when you later come back to your computer you will need to re-initiate a connection if you still need to use the VPN.
There is a limit of 2 VPN tunnels which may be simultaneously established under one UCInetID.
The campus VPN provides off-campus users access to university resources not normally available to remote users and is thus a critical resource. The VPN appliance handles connections for all users through the same 100 Mb interface. Users of bandwidth-intensive applications that are not related to the University’s academic mission can detrimentally impact other users on the VPN.
For this reason, Gnutella, Kazaa, Bit Torrent, E-Donkey, and other peer to peer (p2p) file sharing programs (as well as internet gaming and other recreational, high-bandwidth applications) are not allowed on the VPN.
For those of you who would like to allow or restrict access from VPN users, here are the possible address ranges that VPN users will be using.
220.127.116.11 - 18.104.22.168
When accessing Web sites, this is the recommended tool. The “Application Access” function is not enabled. If you need to access restricted UCI resources other than Web pages, please use the Software VPN provided by OIT.
A few web sites do not work with the WebVPN. If you cannot access a site via the WebVPN, please use Software VPN.
Before You Begin
The WebVPN service is a clientless, Web-based version of VPN, built to be compatible with as many different computers as possible. However, there are a few basic requirements:
- A connection to the Internet
- Cookies enabled on browser
- A WebVPN supported Web browser. Most recent browsers should work.
Do not use the WebVPN service to connect to banking, financial, or other Web pages where you have to enter personal information (name, address, social security number, banking login and password, etc). The WebVPN service intercepts any certificates from the Web site, which prevents your browser from checking the certificates for validity.
- Using your Web browser, go to https://vpn.nacs.uci.edu
- Login with your UCInetID and password. Click Login.
- In the WebVPN window, you may choose a Library resource from the Web Bookmarks list or type in an address in the Address field.
( This will connect through UCI’s VPN allowing you to access UCI restricted resources and encrypting the network traffic. )
Note: Only Web pages browsed from the UCI Library Online Resources link or entered in the provided “Enter Web Address” fields use the WebVPN.
- If you clicked the UCI Library Online Resources link, you will see the following page. Browse to the resource you need or use the Search feature. If you need help, you can use the “Ask a Librarian” feature.
Note: The Library Web page is being passed through the WebVPN, as shown in the address bar. The browser toolbar will be in the right top corner. See more information on the Browser toolbar below.
- If you typed in a Web address, the Web site you requested will appear in your browser window. If you look at the address bar in your browser, you will notice that the address is being passed through UCI’s VPN.
The browser toolbar will also appear in the right corner of the browser window.
- To visit another restricted site, click the Go To Address button in the browser toolbar. If you type in a Web address directly in the browsers’s address field you will be logged out of the WebVPN.
- When you are done using the WebVPN, click the Exit icon [ X ] to log out.
These instructions should work for Windows 7, 8, Vista
Download and then Launch the VPN software install by clicking on anyconnect-win-3.0.x.msi file
- Click Run on the Open File – Security Warning dialog box.
- Click Next in the Cisco AnyConnect Secure Mobility Client Setup dialog box.
- Click on the radio button next to I accept the terms in the License Agreement and then click on Next button to continue.
- Click on the Install button in the Install Software dialog box.
- Click on the Finish button in the dialog box to complete the installation and exit the install.
Launching the VPN Client Connection
- Locate the program launch icon in Start-Programs-Cisco-Cisco AnyConnect Secure Mobility Client to launch the program.
- In the VPN: Ready to connect dialog box if not already present either select from the drop down menu or type in vpn.uci.edu then click on the Connect button to launch the username and password login screen.
- Select the Group that you want to connect through from the drop down menu, enter your UCInetID and Password then click on the OK button.
- Click on the Accept button
You should now be connected to the VPN. You can verify that by looking for the connection icon in the bottom right of your screen and by mousing over the icon you should get the pop up tool tip reporting that you are connected.
Installing the VPN Client
- Download the Anyconnect VPN client if you have not done so already. (Login required)
Locate the downloaded file. By default, Mac OS X puts files downloaded via web browser on the desktop.
Double click on the .dmg file to get the disk image mounted. An icon will appear on the desktop called AnyConnect 3. A separate window will open
- Double-click on AnyConnect.mpkg to open it and start the installer.
- Note: This applies to Mac OSX 10.8 Mountain Lion Users only.
- If you are having trouble opening the .pkg file and are getting an error message, please follow these steps:
- Open System Preferences
- Click on Security & Privacy
- On the General tab, click on the Anywhere option underneath the Allow applications downloaded from:heading.
- Note: This applies to Mac OSX 10.8 Mountain Lion Users only.
- Authenticate as a machine Administrator if necessary and click Next (as necessary) to proceed through the installer.
Starting the VPN Client
- Go to the Cisco folder in Applications and double-click the Cisco AnyConnect Secure Mobility Client.
- Enter vpn.uci.edu in the Ready to Connect to field.
- Press the Connect button.
- Select your desired connection profile from the Group drop-down menu:
- UCI – Route only campus traffic through the UCI VPN. All other traffic goes through your normal Internet provider.
- UCIFULL – Route all traffic through the UCI VPN.
- Use UCIFULLwhen accessing Library resources.
- Enter your UCInetID and password.
- Click OK.
- When you are finished using the VPN remember to Disconnect
- Click the AnyConnect client icon located near the top right corner of your screen.
- Select Quit.
Download the Cisco AnyConnect Client for Linux
- Go to the OIT Licences database.
- Login with your UCInetID and password.
- Select the Linux 32-bit or Linux 64-bit client
- Click the “get the VPN client” button.
- The Linux Cisco client will download to your computer.
Getting Started with Cisco AnyConnect for Linux
To get started you will first untar the file and then run the setup file. Note: Commands below are between brackets [ ]. When you enter them, leave off the brackets.
- As root, untar the gzip’d tar file [tar xzvf anyconnect-xxx]. This will create a directory called anyconnect-xxx (where ‘xxx’ equals the current version number e.g. 3.1.11004).
- Go to the anyconnect-xxx directory and then go to the vpn directory, and once you are there type [./vpn_install.sh]
- The vpn client will be installed on your system and the vpnagentd process will be started. This process will be started each time your system is booted.
- To start the client type [/opt/cisco/anyconnect/bin/vpnui] in a terminal window. Note: if you are not running a GUI, you can enter interactive mode by entering [/opt/cisco/anyconnect/bin/vpn]
If you are using a desktop environment, you should be able to find the client in one of your menus as well (e.g. in a RHEL environment, look in Applications -> Internet).
- In the “Connect to:” box, type vpn.uci.edu and press Return on your keyboard. Note: in interactive mode type [connect vpn.uci.edu]
- In the “Group” menu that will appear, select the tunnel you wish to use, usually “UCI” or “UCIFull”. (See the differences in the Tunnels below.)
- Enter your UCInetID and password in the appropriate boxes and click “Connect”.
- You should get a banner box. When you do, click “Accept” and you are now connected.
You are now ready to use your VPN connection. If you have any problems, please call the OIT Help Desk at 949-824-2222.
Possible Error Messages
If you get one of the following messages when you try to connect to the campus VPN service:
“Connection attempt has failed due to server certificate problem”
“AnyConnect cannot confirm it is connected to your secure gateway”
this means that the AnyConnect client cannot validate the certificate on the campus VPN service.
To remedy this, get a copy of the README and the setup-certs.tar.gz files from ftp://ftp.uci.edu/linux-anyconnect-cert-fix. Follow the directions in the README file to install the InCommon certificate files on your system.
If you are using Ubuntu Linux and are having problems using the VPN, Jeff Stern has instructions for making the AnyConnect VPN work on Ubuntu. See
http://www.socsci.uci.edu/~jstern/uci_vpn_ubuntu/ for more information.
VPN Connection Tunnels
- Split Tunnel (UCI)
The “split” tunnel only sends traffic destined for UCI over the VPN connection. All other traffic goes through your normal cable modem/dsl connection. Use the “split” tunnel for connections to and from UCI only. If you are using online Library resources, use the “full” tunnel. It allows you to talk directly to the Internet, but when your machine “talks” to UCI network addresses the traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address. This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives and other ports used by Microsoft Windows). Only traffic to/from UCI is sent through the VPN connection, so if you were to access Yahoo, it would go through your regular network connection (cable modem, dsl, etc).
- Full Tunnel (UCIFull)
The “full” tunnel sends all your internet traffic through the VPN connection, and then out to the internet through UCI’s connection. The “full” tunnel is useful for people who need to access sites off-campus that need a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can’t get to it with a split tunnel because it’s off campus and your off-campus packets aren’t network address translated to UCI addresses. By using the “full” tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI’s internet connection. You should use the “full” tunnel VPN connection with care since heavy use can cause an increase in UCI’s internet connection costs, and is likely slower than the split tunnel method.
Linux Openconnect Client
Note: Using the Linux openconnect software is not supported by OIT. If you have problems using this, OIT will not be able to help you. These instructions are provided for you if you want to use something other than the supported Cisco AnyConnect client on your Linux system.
Some Linux distributions include a VPN client called openconnect that can be used with the the UCI VPN service. The instructions below are for Fedora Linux. Other distributions may be similar.
(Jeff Stern has a page on setting up Openconnect for Debian/Ubuntu users, at http://www.socsci.uci.edu/~jstern/uci_vpn_ubuntu/ubuntu-openconnect-uci-instructions.html .)
- Make sure openconnect is installed. As root type “yum install openconnect”. This will install openconnect and anything it depends on. You will need vpnc installed as well, in case installing openconnect does not install it.
- In a terminal window:
123su root(give root password)openconnect -s /etc/vpnc/vpnc-script -u xxxxxx -v vpn.uci.edu
- You will be prompted for the Group to use. Pick one of the options, usually UCI or UCIFull.
You will be prompted for your password. After you give the client your password you will be logged in. You can minimize the terminal window while you do your work (don’t close it or you will lose your VPN connection). When you are done type ^C (control-c) to terminate openconnect and your VPN session will be logged out.
Download and Configure Cisco AnyConnect
- From your iOS device, download and install the Cisco AnyConnect App from the iTunes Store.
- Open the App
- Tap OK to allow the Cisco AnyConnect software to run.
- Tap the Add VPN Connection
- Type in UCI in the description field
- Type in vpn.uci.edu in the Server Address field
- Tap Save
Using the Cisco AnyConnect Software
- Toggle the AnyConnect VPN switch to ON
- Select a Group if needed
- Type in your UCInetID in the Username field
- Type in your UCInetID password in the Password field
- Tap Connect
- You should now be connected.
- Remember to switch to OFF when you are done.
- Open the AnyConnect App
- Select Add VPN Connection
- Description: UCI
- Server Address: vpn.uci.edu
- Select Done or Save
- Select the UCI connection from the “Choose a connection” area
- Choose the UCIFull or UCI group and enter your UCInetID and password
- You may also need to choose to Trust the application the first time you connect
- Remember to disconnect when you are finished.