Many thanks to the 40 people who responded to our call for help testing new virtual private network (VPN) hardware and software. Based on the results of our evaluation, we have ordered equipment to update the campus VPN service. This announcement includes important information on the upcoming transition to this new equipment for people who use the campus VPN service or support others who do.
Preliminary transition schedule
We are planning a six-week transition period during which time both the old and new equipment will operate in parallel. We expect to begin this transition the first week of July, so that we may shut down the old hardware after the second week of August, prior to the start of the fall 2009 semester.
As soon as we have completed configuring the new hardware for production, we will begin an initial testing period. This testing period will last until the beginning of the transition period. If you would like to participate in pre-production testing, please subscribe to the vpn-eval list at https://calmail.berkeley.edu/manage/list/listinfo/vpn-eval@lists.berkeley.edu. We will send instructions to the vpn-eval list when the equipment is ready for testing. At this time, we cannot predict the duration of the initial testing period.
We will make additional announcements as we finalize this schedule.
Changes to the campus VPN service
The current VPN software client is no longer under active development by the vendor. As part of the upcoming transition, all users of the campus VPN service must install new client software. We are working to update our documentation for this new software. See the Knowledge Base article Getting started with the Cisco AnyConnect VPN Client for our current work. If you would like to download the software in advance for evaluation purposes, it is available from the Knowledge Base article. We expect to support these versions of software in production.
Host-based security software may need to be adjusted for the new VPN software client. For example, the campus-distributed Symantec Client Security software must be configured to trust the campus VPN concentrator; instructions for making this adjustment can be found in the Getting started with the Cisco AnyConnect VPN Client article.
As part of this transition, the IP address block out of which VPN clients are assigned addresses will change. We will also use different address blocks for full and split tunnels. For people who would like to update firewall rules and the like in advance, we will be using the following IPv4 blocks:
- full tunnel: 136.152.208.0/23
- split tunnel: 10.136.0.0/23
Note that the split tunnel uses RFC 1918 address space, which we will route on campus. For more information on our use of RFC 1918 address space on campus, see the document Use of RFC 1918 "Private Addresses" on the UC Berkeley Campus Network.
Since traffic sent via the split tunnel does not leave campus, we do not need to use globally routable IPv4 address space for split-tunnel clients. We are making this change to help conserve our allocation of globally routable IPv4 address space.
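For people updating firewall rules in advance, the following added example (not part of the original announcement) checks an existing IPv4 allowlist against the two new blocks and reports whether each is fully, partially, or not covered. The sample allowlist and the function names are constructed for illustration.

```python
import ipaddress

# IPv4 client blocks taken from the announcement above.
VPN_BLOCKS = {
    "full tunnel": ipaddress.ip_network("136.152.208.0/23"),
    "split tunnel": ipaddress.ip_network("10.136.0.0/23"),
}

# Constructed sample allowlist (an assumption, not a real campus rule set).
SAMPLE_ALLOWLIST = [
    "136.152.208.0/24",  # two adjacent /24s that together form the /23
    "136.152.209.0/24",
    "10.136.0.0/24",     # only the lower half of the split-tunnel block
    "192.0.2.0/24",      # unrelated documentation range
]

def tunnel_for(addr):
    """Return which VPN block a client address falls in, or None."""
    ip = ipaddress.ip_address(addr)
    for name, block in VPN_BLOCKS.items():
        if ip in block:
            return name
    return None

def coverage(allowlist):
    """Map each VPN block to 'full', 'partial' or 'none' for an IPv4 allowlist."""
    # Collapse first so adjacent or overlapping rules count as one network.
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr) for cidr in allowlist))
    report = {}
    for name, block in VPN_BLOCKS.items():
        if any(block.subnet_of(net) for net in allowed):
            report[name] = "full"      # some rule contains the whole block
        elif any(net.subnet_of(block) for net in allowed):
            report[name] = "partial"   # rules admit only part of the block
        else:
            report[name] = "none"
    return report

if __name__ == "__main__":
    for name, status in coverage(SAMPLE_ALLOWLIST).items():
        print(f"{name} ({VPN_BLOCKS[name]}): {status}")
    for addr in ("136.152.209.17", "10.136.1.200", "10.136.2.1"):
        print(addr, "->", tunnel_for(addr))
```

A "partial" result means some clients in that tunnel mode would be blocked depending on which address they are assigned.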
New features
Windows Vista running on 64-bit computers is supported by the new VPN client software.
VPN connections made via the new VPN client software will use the SSL protocol to carry tunneled traffic back to campus. Since this is the same protocol used to securely access websites, VPN connections made using SSL are more likely to work with networks that limit the protocols they carry.
The new VPN will support IPv6. You will be able to use the campus VPN to obtain IPv6 connectivity even when your local network (on campus or off) does not support IPv6. IPv6 will be an optional feature until the vendor resolves an issue we identified during our testing. We will announce IPv6 client address blocks in the future.
Updates, feedback, and questions
We will announce additional updates as we finalize our schedule and work on the transition. Feel free to send feedback, comments, and questions to the VPN update team,
