Last revised: January 10, 2009
Technical inquiries: nsweb@berkeley.edu

Campus VPN Service

WHY USE VPN?

The Campus VPN (Virtual Private Network) service is designed to allow CalNet ID-authenticated users to connect to the UC Berkeley network from outside campus as if they were on campus, and it encrypts the information sent to the network.

When you use a VPN connection, systems on campus see you as being on campus: you have a UCB IP address instead of the one your home DSL or dial-up ISP assigns. The VPN gives authorized users a way to 'tunnel' into the campus network and reach UCB resources that are normally not available from home machines, bypassing any port blocking at the campus border. Note: traffic is encrypted from your workstation across the network to the VPN concentrator hardware at UCB, but at that point it is decrypted and sent out over the campus network in the clear. (If you are using software like ssh, your traffic on the campus network remains encrypted.)

If you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still only between your workstation and the VPN concentrator.

You may want to use a VPN connection if:

  • you need access to restricted services.
  • you use network protocols like NetBIOS to a host or service on campus. (Some ports are blocked at the campus border for security reasons.)
  • you mount a Windows disk share from your work computer on your home computer.

You don't need to use a VPN connection if you check your email via IMAP or POP. Downsides to using a VPN include:

  • slows down your connection
  • uses resources others could be using
  • adds an extra step to connect to UCB


'Split Tunnel' vs. 'Full Tunnel'

The campus VPN service currently offers a 'split tunnel' option as the recommended default. When a client establishes a connection to the VPN concentrator, it is assigned a UCB IP address. 'Split tunnel' means that only traffic destined for an IP address in the following ranges travels through the tunnel:

  • 128.32.0.0 - 128.32.255.255
  • 169.229.0.0 - 169.229.255.255
  • 136.152.0.0 - 136.152.255.255
  • 172.16.0.0 - 172.31.255.255
  • 10.16.0.0 - 10.255.255.255

Any other internet traffic travels normally over the client's off-campus connection, with the source IP address assigned by the client's ISP. The UCB IP address assigned to the VPN client is within the 136.152.208.0/22 subnet.

Some Library-subscribed database applications use the source IP address for authentication. If the authentication component of a database is hosted by a third party (not UCB), a split-tunnel VPN may not be an appropriate access solution, because requests to that third party leave through your ISP-assigned address rather than through the tunnel. Another option in these cases is the Library's proxy web server service, which provides access to patrons using non-campus IP addresses: http://www.lib.berkeley.edu/Help/connecting_off_campus.html.

There is now also a 'full tunnel' option available, for use when appropriate. With a full tunnel, *all* internet traffic traverses the VPN regardless of its destination, and all of your traffic appears to originate from a UCB IP address.

This option may be useful where the Library Proxy Service runs into limitations; for example, it can address the need to reach databases or applications that use non-web protocols such as Z39.50/EndNote. In these cases, reaching the desired application (a non-UCB IP address) depends on your traffic originating from a UCB IP address, so the full tunnel is helpful. A full tunnel also provides encryption where application-level encryption (such as SSL or SSH) is not possible, although, as described previously, if you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still only between your workstation and the VPN concentrator.

The full tunnel option should be used with care. Traffic to any destination will appear to originate from a UCB IP address and is therefore subject to the Campus Computer Use Policy: http://technology.berkeley.edu/policy/. Depending on the amount of traffic and its destination, it may also prove slower than the split tunnel.
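To make the split/full distinction concrete, here is an added example (not part of the original page or of the Cisco client) that classifies a destination against the ranges listed above and reports which source address a remote server would see. The 'ucbsplit'/'ucbfull' mode names, the five ranges and the 136.152.208.0/22 client pool come from the page; all sample addresses in comments and tests are constructed.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Split-tunnel destination ranges exactly as listed on the page (first, last).
SPLIT_TUNNEL_RANGES = [
    ("128.32.0.0", "128.32.255.255"),
    ("169.229.0.0", "169.229.255.255"),
    ("136.152.0.0", "136.152.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("10.16.0.0", "10.255.255.255"),
]

# Pool from which the concentrator assigns the client's UCB address (from the page).
VPN_CLIENT_POOL = ip_network("136.152.208.0/22")

# Expand each first/last pair into CIDR blocks once. A range that is not a single
# CIDR (10.16.0.0 - 10.255.255.255) becomes several blocks, which is why the
# page lists it as a range rather than a prefix.
SPLIT_TUNNEL_NETWORKS = [
    net
    for first, last in SPLIT_TUNNEL_RANGES
    for net in summarize_address_range(ip_address(first), ip_address(last))
]


def via_tunnel(destination, mode="ucbsplit"):
    """True if traffic to destination traverses the VPN tunnel.

    mode is the connection entry/group name: 'ucbsplit' tunnels only the listed
    ranges, 'ucbfull' tunnels everything.
    """
    if mode == "ucbfull":
        return True
    if mode != "ucbsplit":
        raise ValueError(f"unknown tunnel mode: {mode}")
    dst = ip_address(destination)
    return any(dst in net for net in SPLIT_TUNNEL_NETWORKS)


def apparent_source(destination, vpn_address, isp_address, mode="ucbsplit"):
    """Source address a server at destination sees for this client.

    vpn_address is checked against the 136.152.208.0/22 pool so that an address
    outside it is rejected instead of silently trusted.
    """
    if ip_address(vpn_address) not in VPN_CLIENT_POOL:
        raise ValueError(f"{vpn_address} is outside the VPN client pool {VPN_CLIENT_POOL}")
    return vpn_address if via_tunnel(destination, mode) else isp_address


def needs_full_tunnel(auth_host):
    """True when a service that authenticates by source IP (the Library database
    case) is hosted off-campus, so only 'ucbfull' makes it see a UCB address."""
    return not via_tunnel(auth_host, "ucbsplit")
```

Constructed example: with a third-party authentication host at 203.0.113.10, `apparent_source` returns the ISP address in 'ucbsplit' mode and the UCB address only in 'ucbfull' mode, which is the situation the Library proxy paragraph describes.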

Downloading the appropriate software for the VPN service is described in the next section. Note that the client software installer package available from the IST Software Central website (http://software-central.berkeley.edu/) now includes an additional profile that enables the 'full tunnel' option. Click on the 'Early Adopters' link under the link for the Cisco VPN.

DOWNLOAD SOFTWARE

  • Download an appropriate client for your workstation.
  • Install the client on your workstation.

The Cisco VPN Client software is available (free) to campus users for Windows 9x, XP, 2000, Mac OS X, Linux, and Solaris via the IST Software Central website: http://software-central.berkeley.edu/. VPN client software for other platforms may exist, but it is neither free nor UCB-supported.

Note: the Windows and Macintosh client software is bundled with the configuration parameters described in the 'Configure VPN Service' section of this document.

Client software for non-Windows platforms is also available, although you may need to configure the parameters described below manually.


CONFIGURE VPN SERVICE

The configuration parameters described below may already be bundled in the particular version of the software you download. It is easiest (and recommended) to follow the installer instructions. The packaged installer handles the basic steps below, but they are included here because manual configuration is possible.

  • Establish an internet connection through your DSL, or as you normally do.
  • Start the VPN client software.
    Windows example: click Start/Programs/Cisco Systems VPN Client/ (or create a shortcut on your desktop).

The first time you use the VPN client, you will need to create a 'connection entry' and set a few parameters. 'ucbsplit' is recommended unless you determine that you need a full tunnel ('ucbfull'):

connection entry:         ucbsplit (or ucbfull)
VPN device:               ucb-vpn.Berkeley.EDU (169.229.0.98)
Group name and password:  ucbsplit (or ucbfull)

Under the 'Transport' tab:
 - UNselect 'Enable Transparent Tunneling' **

** You may actually need to select 'Enable Transparent Tunneling' if you connect from behind a NAT-enabled cable/DSL router. If that is necessary, then:
 - select 'Enable Transparent Tunneling'
 - select 'IPSec over TCP'


USE THE VPN SERVICE

  • Start the VPN client software.
  • Click on the connection entry (ucbsplit).
  • When prompted for username/password, use your CalNetID to authenticate.
  • Disconnect your session when a tunnel connection is no longer needed. There is an automatic timeout of 3 hours for an idle session.

THIRD PARTY CLIENTS

IST does not recommend the use of VPN clients other than the officially distributed versions available via the IST Software Central website: http://software-central.berkeley.edu/. Anyone who uses an unsupported client must assume full responsibility for supporting its use.

IST plans and tests future changes to the campus VPN service with respect to officially distributed clients only. Future changes in the campus VPN service may cause unsupported clients to stop functioning properly; therefore, an unsupported client that works today may not work tomorrow.

IST may choose not to troubleshoot a campus VPN problem specific to an unsupported VPN client. IST reserves the right to not make custom changes to the campus VPN service to accommodate unsupported clients. You may use an unsupported client with the campus VPN service provided that you accept these conditions, the client meets minimum security standards, and the client does not cause operational problems for other users of the campus VPN service.

MORE INFO

For help and further information, check the links from the software download pages listed above. Some configuration issues were uncovered during the implementation of the PPS/OPTRS dedicated VPN; links to common configuration questions are available from those pages.

To report problems with the VPN service, please contact the IST Service Desk.