Configuring and Installing VPN software
Summary: This handout is a comprehensive
set of instructions to configure and install the UCI VPN software.
Download the Cisco AnyConnect Client for Linux
- Go to the OIT Licences
- Login with your UCInetID and password.
- Select the Linux 32-bit or Linux 64-bit client
- Click the "get the VPN client" button.
- The Linux Cisco client will download to your computer.
Getting Started with Cisco AnyConnect for Linux
To get started you will first untar the file and then run the setup file.
- As root, untar the gzip'd
tar file (tar xzvf). This will create a directory called ciscovpn.
- Go into the ciscovpn directory (cd ciscovpn) and type ./vpn_install.sh
- The vpn client will be installed on your system and the vpnagentd process
will be started. This process will be started each time your system
- To start the client type /opt/cisco/vpn/bin/vpnui in a terminal window.
If you are using gnome, you should be able to find the client in one of
your menus as well. On Fedora, look in Applications -> Internet.
- In the "Connect to:" box, type vpn.uci.edu and press
- In the "Group" menu that will appear, select
the tunnel you wish to use, usually "UCI" or "UCIFull".
(See the differences in the Tunnels below.)
- Enter your UCInetID and password in the appropriate boxes and click "Connect".
You should get a banner box, click "Accept" and
you are nowconnected.
You are now ready to use your VPN connection. If you have any problems, please
call the OIT Help Desk at 949-824-2222, Monday through Friday, 8:00 AM to 5:00
Possible Error Messages
If you get one of the following messages when you try to connect to the campus VPN service:
"Connection attempt has failed due to server certificate problem"
"AnyConnect cannot confirm it is connected to your secure gateway"
this means that the AnyConnect client cannot validate the certificate on the campus VPN service.
To remedy this, get a copy of the README and the setup-certs.tar.gz files from ftp://ftp.uci.edu/linux-anyconnect-cert-fix. Follow the directions in the README file to install the InCommon certificate files on your system.
If you are using Ubuntu Linux and are having problems using the VPN, Jeff Stern has instructions for making the AnyConnect VPN work on Ubuntu. See
http://www.socsci.uci.edu/~jstern/uci_vpn_ubuntu/ for more information.
VPN Connection Tunnels
- Split Tunnel (UCI)
The "split" tunnel only sends traffic destined for UCI over the VPN connection. All other traffic goes through your normal cable modem/dsl connection. Use the "split" tunnel for connections to and from UCI only. If you are using online Library resources, use the "full" tunnel. It allows you to talk directly to the Internet, but when your machine "talks" to UCI network addresses the traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address. This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives and other ports used by Microsoft Windows). Only traffic to/from UCI is sent through the VPN connection, so if you were to access Yahoo, it would go through your regular network connection (cable modem, dsl, etc).
- Full Tunnel (UCIFull)
The "full" tunnel sends all your internet traffic through the VPN connection, and then out to the internet through UCI's connection. The "full" tunnel is useful for people who need to access sites off-campus that need a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can't get to it with a split tunnel because it's off campus and your off-campus packets aren't network address translated to UCI addresses. By using the "full" tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI's internet connection. You should use the "full" tunnel VPN connection with care since heavy use can cause an increase in UCI's internet connection costs, and is likely slower than the split tunnel method.
Linux Openconnect Client
Note: Using the Linux openconnect software
is not supported by OIT. If you have problems using this, OIT will not
be able to help you. These
instructions are provided for you if you want to use something other than
the supported Cisco AnyConnect client on your Linux system.
Some Linux distributions include a VPN client called openconnect that
can be used with the the UCI VPN service. The instructions below are for
Fedora Linux. Other distributions may be similar.
- Make sure openconnect is installed. As root type "yum install
openconnect". This will install openconnect and anything it depends
on. You will need vpnc installed as well, in case installing openconnect
does not install it.
In a terminal window:
(give root password)
openconnect -s /etc/vpnc/vpnc-script -u xxxxxx -v vpn.uci.edu
(replace xxxxxx with your UCInetID)
You will be prompted for the Group to use. Pick one of the options, usually UCI or UCIFull.
You will be prompted for your password. After you give the client your
password you will be logged in. You can minimize the terminal window while
you do your work (don't close it or you will lose your VPN connection).
When you are done type ^C (control-c) to terminate openconnect and your
VPN session will be logged out.