Office of Information Technology
UCSB VPN Service Frequently Asked Questions


This FAQ answers commonly asked questions about the virtual private networking (VPN) service at UCSB.

Q: Why should I use a VPN?

By connecting to the VPN service when you are off campus, you ensure that the data you transmit is protected (encrypted) between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. The VPN also gives you access to resources that are restricted by source address: while you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network, and you can reach external resources from off campus (such as library resources) that grant access based on UCSB source addresses.

Q: What address will be assigned to my VPN connection?

The UCSB VPN Service assigns addresses in the range 169.231.64.1 to 169.231.65.254.

Q: How can I tell what address was assigned to me after establishing a VPN Client connection to a VPN Concentrator?

The VPN Client has an option that allows you to view statistics for your private network connection. On the Statistics screen, you can see the Client IP address and the Server IP address. Open the minimized VPN Client, if necessary, then select Status > Statistics... from the menu bar or type Ctrl+S (on Windows systems) or ⌘+S (on Mac OS X systems).

Q: Why do I lose my VPN connection after 1 hour?

While a computer is connected to the VPN server, it is logically connected to both the internal UCSB network and the Internet. For security reasons, each VPN user should disconnect from the VPN server when access to the UCSB network is no longer required. To facilitate this process, the maximum idle time for a VPN connection is 1 hour.

Q: Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?

Generally yes. SSH provides end-to-end encryption, whereas the VPN provides encryption only from your client to the VPN server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

Q: Can I use a personal firewall (such as ZoneAlarm, BlackICE, McAfee Firewall, etc.) with VPN?

Yes, but these types of software can sometimes cause intermittent connectivity issues with VPN. We recommend using the built-in firewall instead if you are running Windows XP SP2. If you run third-party personal firewall software, you must configure it to "trust" (allow access to) the VPN IP addresses (vpn.ucsb.edu). You cannot have Microsoft Internet Connection Sharing installed on Windows 98, 2000 or XP while you are running the VPN client. Make sure that TCP port 10000 is not blocked.

Q: Is it safe to use split tunneling?

With full tunneling, all network traffic is routed through the VPN tunnel. Split tunneling allows you the convenience of browsing the Internet directly while connected through the VPN tunnel. However, it does pose some risk to the UCSB network if the VPN user's computer is vulnerable to attacks, because that computer is then reachable from the Internet and the campus network at the same time. We recommend that such users run a personal firewall. The release notes for any given VPN Client version discuss interoperability with personal firewalls.

Q: My AOL dialup or broadband connection drops when I connect to the VPN, or doesn't connect at all. What can I do?

The VPN Client will not work with AOL dialup or AOL Broadband services. When connected to the VPN via AOL dialup service, the VPN client disconnects after a few seconds. This happens because of a "connection keep-alive" sent by AOL. When connected to the VPN, the AOL server doesn't recognize that the connection is now being sent through the VPN, and is led to believe that the machine is no longer connected to its network. Since it no longer sees the client, it disconnects the session. This is expected behavior for AOL-connected clients. AOL does not claim to provide any support for VPN on its infrastructure. Solution: Use a different ISP if you need to connect to the UCSB VPN.

Q: I accidentally erased the name of the VPN server I am supposed to connect to. What is it?

The name is vpn.ucsb.edu.

Q: How do I restore my VPN configuration if I delete the UCSB VPN connection or if the UCSB VPN connection entry is no longer available?

You can restore the UCSB VPN connection entry either by re-installing the software or by downloading the connection profiles from ftp.ucsb.edu/ucsb/software-depot/site_licenses/cisco_vpnclient/Profiles and placing them in your VPN profiles directory. With Netscape or Internet Explorer, the best way to download a profile is to right-click the desired profile file link (Windows or Mac OS X) and select "Save Target As..." or "Save Link Target As...". The correct location to save this file in Windows is usually c:\program files\cisco systems\vpn client\profiles.

Q: Can I have VPN Clients from other vendors installed simultaneously with the Cisco VPN Client?

Probably not. Each VPN vendor includes specific drivers for their VPN client which may overwrite files from previous VPN client installations.

Q: What is IPSec?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect data it generates locally, while tunnel mode is for a security gateway to provide IPSec service to other machines that lack IPSec capability. Transport mode protects only the upper-layer protocols of the IP payload (user data); tunnel mode protects the entire IP payload, including user data. There is no requirement that the IPSec hosts and the security gateway be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.
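The following is an added example (not part of the original FAQ or the Cisco client) that shows how the mode difference appears on the wire: an AH header carries its Next Header field in the clear, so a packet inspector can tell tunnel mode (next header 4, IP-in-IP) from transport mode (next header 6 or 17), while ESP hides that field inside its encrypted trailer. All addresses, SPIs and packets below are constructed placeholders, and the IPv4 checksum is left at zero because nothing here is sent on a network.

```python
import struct

AH, ESP = 51, 50           # IP protocol numbers of the two IPsec protocols
IPIP, TCP, UDP = 4, 6, 17  # Next Header values that may follow an AH header


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def classify_ipsec(packet: bytes) -> tuple:
    """Return (protocol, spi, mode) for an IPv4 packet carrying AH or ESP.

    AH sends its Next Header field in the clear, so the mode is visible:
    4 (IP-in-IP) means tunnel mode, a transport protocol means transport mode.
    ESP keeps the Next Header field inside the encrypted trailer, so the mode
    cannot be read from the wire; only SPI and sequence number are visible."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    body = packet[ihl:]
    if proto == AH:
        next_hdr = body[0]
        spi = struct.unpack("!I", body[4:8])[0]
        mode = "tunnel" if next_hdr == IPIP else "transport" if next_hdr in (TCP, UDP) else "unknown"
        return "AH", spi, mode
    if proto == ESP:
        spi = struct.unpack("!I", body[0:4])[0]
        return "ESP", spi, "undetermined"
    return "none", None, "not IPsec"


# Constructed samples (addresses and SPIs are placeholders, not UCSB values).
# AH header: Next Header, Payload Len, Reserved, SPI, Sequence, then a 12-byte ICV.
AH_TRANSPORT = ipv4_header("10.0.0.1", "10.0.0.2", AH, 24) + \
    struct.pack("!BBHII", TCP, 4, 0, 0x1001, 1) + bytes(12)
AH_TUNNEL = ipv4_header("10.0.0.1", "10.0.0.2", AH, 24) + \
    struct.pack("!BBHII", IPIP, 4, 0, 0x1002, 1) + bytes(12)
# ESP header: SPI, Sequence, then ciphertext (stand-in zero bytes here).
ESP_PACKET = ipv4_header("10.0.0.1", "10.0.0.2", ESP, 24) + \
    struct.pack("!II", 0x2001, 1) + bytes(16)

if __name__ == "__main__":
    for pkt in (AH_TRANSPORT, AH_TUNNEL, ESP_PACKET):
        print(classify_ipsec(pkt))
```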

Q: How strong is the encryption used in the UCSB VPN service?

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. AES was created by the National Institute of Standards and Technology (NIST) and is a Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and was developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: it offers a larger key size, while ensuring that the only known approach to decrypting a message is for an intruder to try every possible key. The service also uses a technique called Cipher Block Chaining (CBC), in which each plaintext block is XORed with the previous ciphertext block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of the encryption.
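The following is an added example (not code from the FAQ or from the VPN product) that demonstrates the CBC chaining described above: four identical plaintext blocks encrypt to one repeated ciphertext block without chaining (ECB) but to four different blocks with CBC, and the test also shows the caveat that a reused IV still leaks whether two messages start with the same block, which is why IPsec ESP carries a fresh IV in every packet. A small Feistel permutation stands in for AES so the block runs without any third-party library; the key, IV and message are constructed samples.

```python
import hashlib

BLOCK = 16  # AES block size in bytes; the stand-in cipher uses the same size

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: 4-round Feistel permutation of one 16-byte block. Not secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):          # undo the rounds in reverse order
        f = hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):                     # caller supplies whole blocks (no padding here)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:   # no chaining: equal in, equal out
    return b"".join(toy_block_encrypt(key, p) for p in blocks(plaintext))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv                       # each block is XORed with the previous ciphertext
    for p in blocks(plaintext):
        prev = toy_block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def distinct_blocks(data: bytes) -> int:     # how many unique ciphertext blocks appear
    return len(set(blocks(data)))

KEY = b"constructed-demo-key"                # sample key, not a real VPN key
IV = bytes(BLOCK)                            # fixed IV, used only to show the reuse caveat
MSG = b"ATTACK AT DAWN!!" * 4                # four identical 16-byte plaintext blocks
```

Run the functions on MSG: ECB yields a single repeated ciphertext block, CBC yields four distinct ones, and CBC with the same IV still produces identical first blocks for two messages that share their first plaintext block.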

Q: Where do I find more documentation?

ETA

  Copyright © 2003-2010 The Regents of the University of California, All Rights Reserved
Last modified: 10/19/2007