Hi
Beginning July 13th a new Campus VPN service is available. All users
of the current VPN service will need to switch to the new service. The
current Campus VPN service will be disabled on August 12th. To use the
new Campus VPN service, users must remove the old
VPN client and install the new AnyConnect VPN client. System
administrators may need to adjust firewall rules to permit traffic
from the new VPN address pools 136.152.208.0/23 (full tunnel) and
10.136.0.0/23 (split tunnel). Information on the new service may be
found at http://net.berkeley.edu/vpn/. Instructions for installing the
new client may be found at https://kb.berkeley.edu/kb2665.
- Why do we need a new VPN service? -
The current VPN software client is no longer under active development
by the vendor and security patch service for the client will end in
the near future. The vendor will no longer support the current VPN
hardware within a year. Under minimum security standards, we may not
operate equipment and software without support for security fixes. The
current VPN client software does not support 64 bit versions of
Windows Vista.
- Switching to the new VPN service -
General information about the new VPN service is available at the
following URL.
Instructions for installing the new client may be found at the
following URL.
https://kb.berkeley.edu/kb2665
Host based security software may need to be adjusted for the new VPN
software client. For example, the campus distributed Symantec Client
Security software must be configured to trust the Campus VPN
concentrator; instructions for making this adjustment may be found at
the above URL.
The new service uses new IP address blocks for VPN client
addresses, with separate blocks for full and split tunnels. The new
blocks follow.
full tunnel: 136.152.208.0/23
split tunnel: 10.136.0.0/23
Note that the split tunnel uses RFC 1918 address space, which is
routed on campus. For more information on our use of RFC 1918 address
space on campus see the following document.
http://www.net.berkeley.edu/netinfo/ip/rfc1918.shtml
Since traffic sent via the split tunnel does not leave campus, we do
not need to use globally routable IPv4 address space for split tunnel
clients. We are making this change to help conserve our allocation of
globally routable IPv4 address space.
- New features -
Windows Vista running on 64 bit computers is supported by the new VPN
client software.
VPN connections made via the new VPN client software will use the SSL
protocol to carry tunneled traffic back to campus. Since this is the
same protocol used to securely access web sites, VPN connections made
using SSL are more likely to work with networks that limit the
protocols they carry. (The old client software uses the IPsec
protocol, and we've received some reports of problems of this nature.)
Experimental IPv6 support is available with the new service. You will
be able to use the new Campus VPN to obtain IPv6 connectivity even
when your local network (on campus or off) does not support
IPv6. Until the vendor resolves an issue we identified during our
testing, IPv6 is an optional feature. You may elect to use IPv6 by
selecting a group with IPv6 support.
- Shutting down the old service -
This coming Wednesday morning, we will configure a message displayed
after authentication on the old service informing users that they need
to switch to the new service by August 12th. This message will include
the same URLs included above.
We will disable the old service on August 12th. Users will be able to
connect to the old service, but the service will not pass any
traffic. Users will continue to see a message about the new
service. We will operate the old service in this configuration until
September 1st, or until the number of unique users connecting to the
old service is insignificant.
- Acknowledgements -
Thanks to Siegrid Rickenbach who handled hardware and network
configuration, support and documentation, Thomas Beale who handled
hardware install, Karl Grose and Allison Henry who handled client
configuration, support and documentation. Thanks also to the folks in
DOCS and Client Services who helped with client support and testing.
Thanks also go to EECS, the School of Law, RSSP and especially the
Library for their help with this transition.
Many thanks to the 65 folks who responded to my call on this list for
help testing new VPN hardware and software during our evaluation
period and pre production testing.
- Getting Support -
For help with the new VPN service, please contact the service desk
using the information at the following URL.
http://ist.berkeley.edu/support/service-desk
Thanks
Erik
for the vpn update team
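
For the firewall adjustment the announcement asks for, the following is an added example (not part of the original message or of any campus tooling): it reports which parts of the two new VPN pools an existing source-address allowlist fails to cover, and maps a client address to its tunnel type. The allowlist contents and the function names are assumptions made for illustration; only the two pool prefixes come from the message.

```python
import ipaddress

# New VPN client pools, as given in the announcement.
VPN_POOLS = {
    "full tunnel": ipaddress.ip_network("136.152.208.0/23"),
    "split tunnel": ipaddress.ip_network("10.136.0.0/23"),  # RFC 1918 space
}

# Constructed sample allowlist (hypothetical): it covers only half of the
# full-tunnel pool and has no RFC 1918 entry at all.
SAMPLE_ALLOWLIST = ["136.152.208.0/24", "192.0.2.0/24"]


def uncovered(pool, allowlist):
    """Return the subnets of `pool` that no allowlist entry covers."""
    remaining = [pool]
    for allowed in allowlist:
        next_remaining = []
        for net in remaining:
            if not allowed.overlaps(net):
                next_remaining.append(net)      # entry does not touch this part
            elif net.subnet_of(allowed):
                continue                        # this part is fully permitted
            else:
                # The entry lies strictly inside `net`: keep the leftover.
                next_remaining.extend(net.address_exclude(allowed))
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def audit(allowlist_cidrs):
    """Map each tunnel type to the CIDRs of its pool that are not permitted."""
    allowlist = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    return {name: [str(n) for n in uncovered(pool, allowlist)]
            for name, pool in VPN_POOLS.items()}


def tunnel_for(address):
    """Return the tunnel type whose pool contains `address`, or None."""
    ip = ipaddress.ip_address(address)
    for name, pool in VPN_POOLS.items():
        if ip in pool:
            return name
    return None


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_ALLOWLIST).items():
        print(f"{name}: not permitted -> {gaps or 'nothing'}")
```

An allowlist built only from globally routable campus prefixes will show the whole split-tunnel pool as uncovered, because that pool is RFC 1918 space.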
Received on Mon Jul 13 2009 - 14:34:00 PDT