
VPN Service Frequently Asked Questions

 

This FAQ answers commonly asked questions about the virtual private networking (VPN) service at UCSB.

  1. Why should I use a VPN?
  2. What address will be assigned to my VPN connection?
  3. How can I tell what address was assigned to me after establishing a VPN Client connection to a VPN Concentrator?
  4. Why does the "IP Address Check" page report that I am using a non-UCSB IP address?
  5. Why does Tunnelblick have trouble connecting or frequently drops my connection?
  6. Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
  7. Can I use a personal firewall (such as ZoneAlarm, Black ICE, McAfee Firewall, etc.) with VPN?
  8. My AOL dialup or broadband connection drops when I connect to the VPN, or doesn't connect at all. What can I do?
  9. What is IPSec?
  10. How strong is the encryption used in the UCSB VPN service?
  11. Why am I unable to connect from ResNet?
  12. Can I connect to the UCSB VPN with an Android or Apple iOS device?
  13. Where do I find more documentation?
  14. Can I use the VPN from China?

1. Why should I use a VPN?

By connecting to the VPN service when you are off campus, you ensure that the data you transmit is secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. The VPN also lets you access resources that are restricted based on source address: while you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to gain access to external resources from off campus (such as library resources) that are based on UCSB source addresses.

2. What address will be assigned to my VPN connection?

The UCSB VPN Service assigns addresses between 128.111.61.1 and 128.111.61.254.

3. How can I tell what address was assigned to me after establishing a VPN Client connection to a VPN Concentrator?

Visit our IP Address Check page.

4. Why does the "IP Address Check" page report that I am using a non-UCSB IP address?

This is a problem that we have noticed when the OpenVPN GUI program for Windows is not run as a user with administrative rights. To solve this on Windows XP, always right-click on the OpenVPN GUI icon and select the "Run as" option, then choose a user with administrative rights. To solve this on Windows Vista and 7, right-click on the OpenVPN GUI icon, select Properties > Compatibility, check "Run this program as an administrator," then click OK.

5. Why does Tunnelblick have trouble connecting or frequently drops my connection?

We have only seen this behavior when the "Monitor connection" option is on. To turn it off, click on the Tunnelblick icon near the top-right corner of the desktop and select "Details...." Then make sure the check box next to "Monitor connection" is unchecked.

6. Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?

Generally yes. SSH provides end-to-end encryption whereas the VPN server only provides encryption from your client up to the server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

7. Can I use a personal firewall (such as ZoneAlarm, Black ICE, McAfee Firewall, etc.) with VPN?

Yes, but these types of software can sometimes cause intermittent connectivity issues with VPN. We recommend using the built-in firewall instead if you are running Windows XP SP2. If you run personal firewall software from a third party, you must configure it to "trust" (allow access to) the VPN IP addresses (vpn.ucsb.edu). You cannot have Microsoft Internet Connection Sharing installed on Windows 98, Windows 2000 or XP while you are running the VPN client.

8. My AOL dialup or broadband connection drops when I connect to the VPN, or doesn't connect at all. What can I do?

The VPN Client will not work with AOL dialup or AOL Broadband services. When connected to the VPN via AOL dialup service, the VPN client disconnects after a few seconds. This happens because of a "connection keep-alive" sent by AOL. When connected to the VPN, the AOL server doesn't recognize that the connection is now being sent through the VPN, and is led to believe that the machine is no longer connected to its network. Since it no longer sees the client, it disconnects the session. This is expected behavior from AOL-connected clients. AOL does not claim to provide any support for VPN on their infrastructure. Solution: Use a different ISP if you need to connect to the UCSB VPN.

9. What is IPSec?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway to provide IPSec service for other machines that lack IPSec capability. In this case, transport mode only protects the upper-layer protocols of the IP payload (user data). Tunnel mode protects the entire IP payload, including user data. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.

10. How strong is the encryption used in the UCSB VPN service?

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) has created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cipher Block Chaining (CBC), in which each plaintext block is XORed with the previous ciphertext block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of encryption.
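The chaining described above, as an added example (not UCSB's code): it encrypts four identical plaintext blocks with and without chaining and counts repeated ciphertext blocks, which are what a dictionary-style attack relies on. A 4-round Feistel network built from HMAC-SHA256 stands in for AES so the script needs only the Python standard library; the key, IV and plaintext are constructed values, and inputs are assumed to be whole 16-byte blocks.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; same block size as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, i, half):
    # Feistel round function: keyed hash of one 8-byte half-block
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key, block):
    # Stand-in 128-bit block cipher (4-round Feistel); this is NOT AES
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # No chaining: every block is encrypted independently
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # XOR each plaintext block with the previous ciphertext block
    # (the IV for the first block) before encrypting it
    prev, out = iv, []
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed sample values (not taken from the UCSB service)
KEY = bytes(range(32))         # 256-bit key
IV = bytes(range(100, 116))    # fixed here for repeatability; random per message in practice
PT = b"LOGIN user=alice" * 4   # four identical 16-byte plaintext blocks

if __name__ == "__main__":
    print("repeats without chaining:", repeated_blocks(ecb_encrypt(KEY, PT)))
    print("repeats with CBC:        ", repeated_blocks(cbc_encrypt(KEY, IV, PT)))
```

Without chaining, the three repeats reveal that the same message was sent four times even though the key is unknown; with CBC every ciphertext block differs, and a different IV changes the whole ciphertext.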

11. Why am I unable to connect from ResNet?

Connections from the UCSB residential networks (ResNet) are not allowed in order to ensure adherence to ResNet management policies.

12. Can I connect to the UCSB VPN with an Android or Apple iOS device?

No. Although there are VPN clients available for Android and iOS, none of them are compatible with our current VPN server configuration. We do not know when this incompatibility will be resolved, but we will update this document once we do.

13. Where do I find more documentation?

14. Can I use the VPN from China?

Our VPN customers are currently experiencing trouble reaching our server from China. We suspect that connections to our VPN server are being blocked by the Chinese government's firewall. We are investigating this issue, but we do not have a solution to the problem at this time.

  Copyright 2003-2014 The Regents of the University of California, All Rights Reserved
Last modified: 7/1/2013