University of Florida VPN Service
Frequently Asked Questions (FAQ)
General Information
- What is a VPN?
VPN stands for Virtual Private Network. It is a set of technologies that allow you to build secure "virtual" paths between hosts on insecure networks. The particular type of VPN that Network Services is deploying is commonly known as a remote-access or tunnel-mode VPN. This acts very much like a classical dialup service, except that you are using a data network rather than a voice network to make your "calls". Rather than dialing into a modem on the far end, you are making a connection to a VPN concentrator and creating a secure tunnel from your machine to that concentrator, which is located on the UF network. Thus, everything you send to and receive from the UF network is encrypted. Additionally, your machine will appear as if it were on the UF network (i.e., you get an IP address on the remote network).
- What technologies are used in UF's VPN system?
UF's latest VPN service is based on Secure Sockets Layer (SSL) transport, which is the same technology used to secure websites. Datagram Transport Layer Security (DTLS) is also used.
- Why should I use a VPN?
By connecting to the VPN service, you ensure that the data you transmit will be secure between your host and the UF core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN concentrator, you appear to other hosts at UF as if you were on the UF network. This also allows you to gain access from off campus to external resources (such as library databases) that are restricted to UF source addresses.
- How strong is the encryption used in the UF VPN service?
The UF VPN service uses primarily AES-128. AES is the current state-of-the-art in high grade encryption technology and is the recommended method of encryption. AES-128 was chosen to provide strong encryption along with high performance for all operating environments.
- Should I also use SSH and other "higher layer" encrypted services even if I am using the VPN tunnel?
Generally yes. SSH provides end-to-end encryption, whereas the VPN concentrator only provides encryption from your client up to the concentrator hardware itself, which is located on the UF core network. Once the traffic is on the UF core network, it is decrypted and sent to the UF host in the clear.
- What traffic will take the VPN?
By default, using the "username@ufl.edu" style of login, all traffic except for local subnet (whatever network your network card is on) traffic and DHCP will take the VPN tunnel. This is known as a full tunnel. If you are not on the UF network and are connected to the VPN, all traffic will first come to UF and then take the appropriate route (either local, Internet or Internet2). This makes it appear to the world that you are on UF's network. This is the recommended configuration if you are on the campus wireless network, using an ISP with a direct connection to the University (such as GRU or Cox), or are trying to use Internet resources that require a UF IP address (such as a Library Database). There are other tunnel types as well. For more info, please see the Available Tunnel Types section of the Operations Guide.
- Should I use the VPN service if I am on campus?
Yes! On campus, all wireless transmissions are in the clear (not encrypted) unless you are visiting a secure website or using an encrypted application, such as SSH. By using the VPN with a full tunnel, all network traffic over the wireless will be encrypted.
- Is the VPN service a firewall?
No. The purpose of the VPN service is to transport your traffic to the UF campus in a secure manner. It also has the side benefit of giving you a UF IP address, which can be used in combination with network ACLs or host-based filters to identify a user as a VPN user and give them access to University resources. In its standard configuration, it does not provide mechanisms to secure the VPN client machine from attacks over the network. While you are connected to the VPN concentrator, your machine is reachable from campus using the IP address that is assigned to your client at connect time. By default, the UF VPN service uses a private IP address for the client, so your VPN client is reachable from networks off the UF campus only when it is using NAT to reach off-campus systems (for example, while browsing web pages on the Internet). Using the "campus only" VPN tunnel, your VPN client will never be reachable via the VPN tunnel from off-campus systems (see FAQ question 6). A host-based firewall is a reasonable step to prevent such attacks. Keep in mind that even if you have a home broadband firewall, because your VPN traffic is tunneled, your firewall will not provide protection for your computer while it is connected to the VPN concentrator.
- When I type my password, is it encrypted, or sent over the network in clear-text?
The password is encrypted using the same strength encryption as the VPN tunnel uses. In the case of the UF VPN, that is AES-128. Your password is never sent in the clear!
- Is there a listserv that deals with the VPN service at UF?
Yes, it's called "vpn-l". You can subscribe to the list by sending an email to "listserv@lists.ufl.edu" with the body: subscribe vpn-l
- I have a home network. What IP addresses should I assign my machines at home so as not to conflict with the VPN service?
The UF network uses some RFC 1918 reserved (a.k.a. "private IP") address space. This use falls into three major categories:
- 10.0.0.0/255.0.0.0 (10/8): Assigned to systems throughout the network. Is reachable via the default and campus-only tunnels. May access external systems via NAT.
- 172.16.0.0/255.240.0.0 (172.16/12): Assigned to systems throughout the network. Is not reachable via the default and campus-only tunnels. May not access external systems via NAT.
- 192.168.0.0/255.255.0.0 (192.168/16): Not routed on campus. May be used on layer 2 networks, but not centrally managed. Not reachable via VPN and may not access external systems via NAT.
We recommend using IP addresses in the 192.168/16 range. This is the default for most broadband routers. Do not use IP addresses in the 10/8 range or you will not be able to access those on-campus networks via the VPN.
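The following Python is an added illustration (not UF's or Cisco's code) of the address guidance above together with the full-tunnel rule from "What traffic will take the VPN?": it shows why a home LAN inside 10/8 shadows campus addresses, because packets for those hosts match the local-subnet route and never enter the tunnel. The ranges and their status are taken from this FAQ; the sample LAN prefixes and the treatment of DHCP as limited-broadcast traffic are constructed assumptions.

```python
import ipaddress

# RFC 1918 space as the FAQ describes its use at UF. The data and functions
# here are an added illustration, not UF or Cisco tooling.
UF_PRIVATE_RANGES = {
    ipaddress.ip_network("10.0.0.0/8"): "assigned on campus; reachable via the default and campus-only tunnels",
    ipaddress.ip_network("172.16.0.0/12"): "assigned on campus; not reachable via the tunnels",
    ipaddress.ip_network("192.168.0.0/16"): "not routed on campus; not reachable via the VPN",
}
RECOMMENDED_HOME_RANGE = ipaddress.ip_network("192.168.0.0/16")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")  # DHCP discovery (assumed local)

def overlapping_uf_range(home_cidr):
    """Return (uf_range, status) for the UF private range a home LAN overlaps, else None."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    for uf_net, status in UF_PRIVATE_RANGES.items():
        if home.overlaps(uf_net):
            return str(uf_net), status
    return None

def full_tunnel_route(dst_ip, home_cidr):
    """Apply the FAQ's full-tunnel rule: only local-subnet and DHCP traffic bypass the tunnel."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst in home or dst == LIMITED_BROADCAST:
        return "local"
    return "tunnel"

def home_lan_verdict(home_cidr):
    """Explain whether a home LAN prefix is safe or will shadow campus addresses."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    if home.subnet_of(RECOMMENDED_HOME_RANGE):
        return "recommended"
    overlap = overlapping_uf_range(home_cidr)
    if overlap is None:
        return "no overlap with UF private space"
    uf_range, status = overlap
    if uf_range == "10.0.0.0/8":
        # Packets for campus hosts inside the home prefix match the local route
        # and never enter the tunnel: exactly the conflict the FAQ warns about.
        return f"avoid: campus hosts in {home} would be routed locally, not via the VPN"
    return f"overlaps {uf_range} ({status})"

if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "10.1.2.0/24", "172.20.0.0/16"):  # constructed samples
        print(lan, "->", home_lan_verdict(lan))
    print(full_tunnel_route("10.1.2.5", "10.1.2.0/24"))  # local: campus host shadowed
```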
- What is a Departmental VPN tunnel? How do I get one?
A Departmental VPN tunnel is a service offered by CNS to departments with 16 or more VPN users. CNS will assign the department a subnet within the range 10.228/16 and a tunnel name. The department/division/college will provide CNS a list of Gatorlink users to map, or the name of a UF Active Directory group which contains the users. When those users log in to the VPN with username@ufl.edu/[dept name], they will receive a VPN address in the agreed-upon range. This is useful to limit departmental resources to specific users rather than the entire VPN user community. To have a Departmental VPN tunnel created, the subnet manager should open a CNS ticket by going to the Network Services website.
- How is the Departmental VPN membership managed?
There are currently two modes in which the membership may be managed:
- Manually by opening requests with CNS and having specific GLIDs added or removed from the group.
- Automatically by providing CNS the name of between 1 and 8 groups which contain the user population to be mapped to the tunnel. As changes are made to UFAD, the VPN membership is instantly updated.
General Client FAQ
- Why should I use the Cisco Anyconnect SSL VPN client over the legacy Cisco IPsec VPN client or the built-in L2TP/IPsec client?
The Cisco SSL client supports the following features not found with the legacy Cisco IPsec client:
- More reliable network transport (SSL, DTLS) which is more likely to work in a variety of network environments, including heavily firewalled networks.
- Tolerant of short network disruptions such as the network card going to sleep, or roaming between Wi-Fi areas.
- 64-bit client support.
- Automatic software updates.
- Lightweight client.
The Cisco SSL client supports the following features not found with the L2TP/IPsec client:
- More reliable network transport (SSL, DTLS) which is more likely to work in a variety of network environments, including heavily firewalled networks.
- Tolerant of short network disruptions such as the network card going to sleep, or roaming between Wi-Fi areas.
- Campus only tunnels (Gatorlink or Departmental).
- Certificate-based server authentication (prevents a man-in-the-middle attack).
- More advanced signaling to the VPN concentrator which helps in problem resolution.
- Local client logging.
- Automatic tunnel initiation.
- AES-256 encryption.
- Can I still use the legacy Cisco VPN client or the built-in L2TP VPN client?
Yes, both will continue to function; however, all new development effort is going toward the SSL-based client. All users are encouraged to use the newer client if possible.
- I am having problems getting my client to work, what should I do?
Contact the UF Computing Help Desk during their hours of operation by calling (352) 392-4357(HELP) or via email at helpdesk@ufl.edu.
- I accidentally erased the name of the VPN concentrator I am supposed to connect to. What is it?
The name is vpn.ufl.edu. Make sure your client is always set to this name or certain redundancy and load balancing features will not work.
- What IP address will my VPN connection get?
On campus, you will have a 10.228.0.0/16 address. Once the traffic leaves campus, it will be translated into an address in the UF NAT pool. Departmental VPN tunnels will get an address in a pre-arranged subnet, but it will still start with 10.228.
Windows
- What platforms are supported under Windows?
Windows 7 (32 and 64 bit), Windows Vista (32 and 64 bit), Windows XP (32 bit only).
Macintosh
- What platforms are supported for the Macintosh?
The Cisco client supports Mac OS X 10.5 and 10.6 for Intel (32 and 64 bit) and 10.5 for PowerPC.
Linux
- What platforms are supported under Linux?
Both Ubuntu 10.x and Fedora 11-13 are known to work. Ubuntu provides the most trouble-free installation and is the only distribution supported by our vendor. As a result, only Ubuntu Linux can be officially supported; however, feel free to install Anyconnect on whatever distribution you like. Most distributions will require the manual install method mentioned in the Installation guide.
Mobile Clients
- Does the iPhone work with the Gatorlink VPN system?
Yes, but you must first download the Cisco Anyconnect client from the Apple App Store.
- Are Windows Mobile or Android Supported?
Windows Mobile will be supported shortly. Android is much further off. This is due in large part to the way the Android operating system is managed by each wireless provider and the need for "root" level access on a phone to perform VPN functions. Cisco must work with each wireless vendor to deploy a version of the Anyconnect client. We are receiving regular updates from Cisco on this issue.