All users of the current Campus VPN (virtual private network) service will need to switch to the new Campus VPN service, which became available July 13, 2009. The current Campus VPN service will be disabled August 12, 2009. To use the new Campus VPN service, users must remove the old VPN client and install the new AnyConnect VPN client. System administrators may need to adjust firewall rules to permit traffic from the new VPN address pools 136.152.208.0/23 (full tunnel) and 10.136.0.0/23 (split tunnel). Information about the new service may be found on the Campus VPN Service website. Instructions for installing the new client are available in the IST Knowledge Base article Getting started with the Cisco AnyConnect VPN Client.
Why do we need a new VPN service?
The current VPN software client is no longer under active development by the vendor, and security patches for the client will end in the near future. The vendor will also stop supporting the current VPN hardware within a year. Under the Minimum Security Standards for Networked Devices policy, we may not operate equipment and software that no longer receive security fixes. In addition, the current VPN client software does not support 64-bit versions of Windows Vista.
Switching to the new VPN service
General information about the new VPN service is available on the Campus VPN Service website.
Instructions for installing the new client may be found in the IST Knowledge Base article Getting started with the Cisco AnyConnect VPN Client.
Host-based security software may need to be adjusted for the new VPN software client. For example, the campus distributed Symantec Client Security software must be configured to trust the Campus VPN concentrator; instructions for making this adjustment are available in the Getting started with the Cisco AnyConnect VPN Client article.
The new service uses new IP address blocks for VPN client addresses, with separate blocks for full and split tunnels. The following are the new IP address blocks:
full tunnel: 136.152.208.0/23
split tunnel: 10.136.0.0/23
Note that the split tunnel uses RFC 1918 address space, which is routed on campus. (For more information on our use of RFC 1918 address space on campus, see the Use of RFC 1918 "Private Addresses" on the UC Berkeley Campus Network web page.)
Since traffic sent via the split tunnel does not leave campus, we do not need to use globally routable IPv4 address space for split tunnel clients. We are making this change to help conserve our allocation of globally routable IPv4 address space.
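For system administrators reviewing firewall rules or logs during the transition, the following added example (not part of the IST announcement or the VPN service) checks source addresses against the two new client pools and picks out dropped connections that came from a VPN client. The log lines and their format are constructed for the example.

```python
"""Check addresses and firewall log lines against the new Campus VPN client pools."""
import ipaddress
import re

# The two client address pools named in the announcement.
VPN_POOLS = {
    "full tunnel": ipaddress.ip_network("136.152.208.0/23"),
    "split tunnel": ipaddress.ip_network("10.136.0.0/23"),
}

def classify(addr):
    """Return the name of the VPN pool containing addr, or None if it is in neither."""
    ip = ipaddress.ip_address(addr)
    for name, net in VPN_POOLS.items():
        if ip in net:
            return name
    return None

# Constructed sample log lines in a netfilter-style format (hypothetical, for illustration).
# Destinations use the 198.51.100.0/24 documentation range, not a real campus host.
SAMPLE_LOG = """\
Jul 20 09:12:01 fw kernel: DROP IN=eth0 SRC=136.152.209.14 DST=198.51.100.5 PROTO=TCP DPT=22
Jul 20 09:12:05 fw kernel: DROP IN=eth0 SRC=10.136.1.200 DST=198.51.100.5 PROTO=TCP DPT=443
Jul 20 09:12:09 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=22
Jul 20 09:12:12 fw kernel: ACCEPT IN=eth0 SRC=136.152.208.9 DST=198.51.100.5 PROTO=TCP DPT=443
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def dropped_vpn_clients(log_text):
    """Return (source, pool) pairs for DROP lines whose source is in a new VPN pool.

    Each hit is a rule that still blocks the new address blocks and needs updating.
    """
    hits = []
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue
        match = SRC_RE.search(line)
        if match and (pool := classify(match.group(1))):
            hits.append((match.group(1), pool))
    return hits

if __name__ == "__main__":
    for src, pool in dropped_vpn_clients(SAMPLE_LOG):
        print(f"{src} ({pool}) was dropped; check firewall rules for the new pool")
```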
New features
Windows Vista running on 64-bit computers is supported by the new VPN client software.
VPN connections made via the new VPN client software will use the SSL protocol to carry tunneled traffic back to campus. Since this is the same protocol used to securely access websites, VPN connections made using SSL are more likely to work with networks that limit the protocols they carry.
Experimental IPv6 support is available with the new service. You will be able to use the new Campus VPN to obtain IPv6 connectivity even when your local network (on campus or off) does not support IPv6. Until the vendor resolves an issue we identified during our testing, IPv6 will remain an optional feature. You may elect to use IPv6 by selecting a group with IPv6 support.
Shutting down the old service
Effective July 16, a message displayed after authentication on the old service will inform users that they need to switch to the new service by August 12, 2009. This message will include links to the websites mentioned above.
IST will disable the old service on August 12. Users will be able to connect to the old service, but the service will not pass any traffic. Instead, users will continue to see a message about the new service. We will operate the old service in this configuration until September 1, or until the number of unique users connecting to the old service is insignificant.
Acknowledgements
Thanks to IST's Siegrid Rickenbach who handled hardware and network configuration, support, and documentation; Thomas Beale who handled hardware installation; and Karl Grose and Allison Henry who handled client configuration, support, and documentation. Thanks also to the folks in IST's DOCS unit and Client Services department who helped with client support and testing.
Thanks also to EECS, the School of Law, RSSP, and, especially, the Library for their help with this transition.
Many thanks to the 65 folks who responded to IST's call for help to test the new VPN hardware and software during the evaluation and pre-production testing periods.
Getting support
For help with the new VPN service, contact the IST Service Desk.
