Installing the VPN Client
- Download the Anyconnect VPN client for Linux 32-bit or Linux 64-bit.
- From the commandline, go to the directory where you downloaded the file.
- As root, untar the gzipped tar file by running the command [tar xzvf anyconnect-xxx]. NOTE: Leave off the brackets when entering the command, and make sure you enter the full file name, which includes a timestamp at the end of the name followed by .gz (e.g. anyconnect-predeploy-linux-64-4.3.05017-k9.tar 6.59.23 AM.gz); because such a name contains spaces, put it in quotes on the command line. This will create a directory called anyconnect-xxx (where ‘xxx’ is the current version number).
- Go to the anyconnect-xxx directory and then go to the vpn directory, and once you are there type [./vpn_install.sh]
- The VPN client will be installed on your system and the vpnagentd process will be started. This process will be started each time your system is booted.
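The steps above extract an archive and run its installer as root, so it is worth checking the archive's contents before unpacking it. The following shell script is an added example (not part of the OIT instructions or of Cisco's installer): it lists the tarball, refuses any entry with an absolute path or a ".." component, extracts into a chosen directory, and then runs vpn_install.sh from the vpn subdirectory as the page describes. The tarball it builds for the demo (directory name anyconnect-4.3.05017, an installer that only prints "installed") is constructed for illustration; the archive file name deliberately includes the spaces seen in the page's example to show the quoting that requires.

```shell
#!/bin/sh
# Added example, not from the OIT page: inspect an AnyConnect predeploy tarball
# before unpacking it and running vpn_install.sh as root.
# Assumes a tar that understands z (gzip) and -C.

# Reject archive entries that would land outside the extraction directory:
# absolute paths, or any ".." path component. Entry names arrive on stdin.
check_tar_entries() {
    while IFS= read -r entry; do
        case "$entry" in
            /*) echo "refusing absolute path: $entry" >&2; return 1 ;;
            ..|../*|*/..|*/../*) echo "refusing parent reference: $entry" >&2; return 1 ;;
        esac
    done
    return 0
}

# List, check, then extract $1 into $2 (default: current directory).
# Prints the top-level anyconnect-xxx directory name on success.
safe_extract_anyconnect() {
    archive=$1
    dest=${2:-.}
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 1; }
    # "$archive" is quoted throughout: downloaded copies can contain spaces.
    tar tzf "$archive" | check_tar_entries || return 1
    mkdir -p "$dest" || return 1
    tar xzf "$archive" -C "$dest" || return 1
    # First path component of the first entry is the anyconnect-xxx directory.
    tar tzf "$archive" | head -n 1 | cut -d/ -f1
}

# Constructed demo: build a stand-in tarball, extract it safely, run the
# installer. Prints the installer's output and returns its exit status.
demo_install() {
    work=$(mktemp -d) || return 1
    top=anyconnect-4.3.05017                      # constructed version directory
    mkdir -p "$work/$top/vpn" || return 1
    printf '#!/bin/sh\necho installed\n' > "$work/$top/vpn/vpn_install.sh"
    chmod 755 "$work/$top/vpn/vpn_install.sh"
    # Constructed name mirroring the page's example, spaces included.
    archive="$work/anyconnect-predeploy-linux-64-4.3.05017-k9.tar 6.59.23 AM.gz"
    (cd "$work" && tar czf "$archive" "$top") || return 1
    dir=$(safe_extract_anyconnect "$archive" "$work/out") || return 1
    # The page's next step: go to the vpn directory and run ./vpn_install.sh.
    # Invoking it through sh avoids depending on the execute bit of a temp dir.
    result=$(cd "$work/out/$dir/vpn" && sh ./vpn_install.sh)
    status=$?
    rm -rf "$work"
    echo "$result"
    return $status
}
```

Run `demo_install` to see the whole sequence on the constructed archive; for a real download, call `safe_extract_anyconnect "anyconnect-…gz"` as root and then run the installer from the printed directory's vpn subdirectory.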
Starting the VPN Client
- To start the client now, type [/opt/cisco/anyconnect/bin/vpnui]. Note: if you are not running a GUI, you can enter interactive mode by entering [/opt/cisco/anyconnect/bin/vpn].
- NOTE: If you are using a desktop environment, you should be able to find the client in one of your menus as well (e.g. in a RHEL environment, look in Applications -> Internet).
- In the “Connect to:” box, type vpn.uci.edu and press Return on your keyboard. Note: in interactive mode type [connect vpn.uci.edu]
- In the “Group” menu that will appear, select the tunnel you wish to use, usually “UCI” or “UCIFull”. (See the differences in the Tunnels below.)
- Enter your UCInetID and password in the appropriate boxes and click “Connect”.
- You should get a banner box. When you do, click “Accept” and you are now connected.
Possible Error Messages
If you get one of the following messages when you try to connect to the campus VPN service:
“Connection attempt has failed due to server certificate problem”
“AnyConnect cannot confirm it is connected to your secure gateway”
this means that the AnyConnect client cannot validate the certificate presented by the campus VPN service against the certificate authorities your system trusts.
To remedy this, get a copy of the README and the setup-certs.tar.gz files from ftp://ftp.uci.edu/linux-anyconnect-cert-fix. Follow the directions in the README file to install the InCommon certificate files on your system; once the issuing authority is trusted, the client can validate the service's certificate and the connection proceeds normally.
If you are using Ubuntu Linux and are having problems using the VPN, Jeff Stern has instructions for making the AnyConnect VPN work on Ubuntu. See
http://www.socsci.uci.edu/~jstern/uci_vpn_ubuntu/ for more information.
VPN Connection Tunnels
- Split Tunnel (UCI)
The “split” tunnel only sends traffic destined for UCI over the VPN connection. All other traffic goes through your normal cable modem/DSL connection, so if you were to access Yahoo, it would use your regular network connection rather than the VPN. When your machine talks to UCI network addresses, that traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address. This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives, and other ports used by Microsoft Windows). Use the “split” tunnel for connections to and from UCI only; if you are using online Library resources, use the “full” tunnel.
- Full Tunnel (UCIFull)
The “full” tunnel sends all your Internet traffic through the VPN connection, and then out to the Internet through UCI’s connection. The “full” tunnel is useful for people who need to access sites off campus that require a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can’t get to it with a split tunnel because it’s off campus and your off-campus packets aren’t network address translated to UCI addresses. By using the “full” tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI’s Internet connection. You should use the “full” tunnel VPN connection with care, since heavy use can increase UCI’s Internet connection costs, and it is likely slower than the split tunnel method.
Linux Openconnect Client
Note: Using the Linux openconnect software is not supported by OIT. If you have problems using this, OIT will not be able to help you. These instructions are provided for you if you want to use something other than the supported Cisco AnyConnect client on your Linux system.
Some Linux distributions include a VPN client called openconnect that can be used with the UCI VPN service. The instructions below are for Fedora Linux. Other distributions may be similar.
(Jeff Stern has a page on setting up Openconnect for Debian/Ubuntu users, at http://www.socsci.uci.edu/~jstern/uci_vpn_ubuntu/ubuntu-openconnect-uci-instructions.html .)
- Make sure openconnect is installed. As root type “yum install openconnect”. This will install openconnect and anything it depends on. You will need vpnc installed as well, in case installing openconnect does not install it.
- In a terminal window, become root and then start the client:
su root (give the root password)
openconnect -s /etc/vpnc/vpnc-script -u xxxxxx -v vpn.uci.edu
(replace xxxxxx with your UCInetID)
- You will be prompted for the Group to use. Pick one of the options, usually UCI or UCIFull.
You will be prompted for your password. After you give the client your password you will be logged in. You can minimize the terminal window while you do your work (don’t close it or you will lose your VPN connection). When you are done, type ^C (Control-C) to terminate openconnect, and your VPN session will be logged out.
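The openconnect steps above lend themselves to a small wrapper. The script below is an added example, not part of the OIT instructions or of the openconnect project: it checks the prerequisites the page names (root, the openconnect binary, the vpnc-script that comes with vpnc), accepts only the two tunnels documented here, and builds the same command line as above with openconnect's --authgroup option added so the Group prompt is answered up front. The password is still typed at openconnect's own prompt, so it never appears in the command line or in shell history. The vpnc-script path and the use of --authgroup and --servercert are openconnect options as I know them; the pin fingerprint in the comment is a placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example, not from the OIT page: wrapper for the openconnect command
# shown in the instructions. Assumes openconnect and vpnc (for vpnc-script)
# are installed, e.g. via "yum install openconnect vpnc" on Fedora.

VPN_HOST=vpn.uci.edu
VPNC_SCRIPT=/etc/vpnc/vpnc-script

# Build the command line for a UCInetID ($1) and tunnel ($2). Only the two
# tunnels documented on the page are accepted; anything else is refused.
uci_openconnect_cmd() {
    user=$1
    group=$2
    case "$group" in
        UCI|UCIFull) ;;
        *) echo "unknown tunnel: '$group' (use UCI or UCIFull)" >&2; return 1 ;;
    esac
    [ -n "$user" ] || { echo "UCInetID required" >&2; return 1; }
    # --authgroup pre-selects the Group so openconnect does not prompt for it.
    echo "openconnect -s $VPNC_SCRIPT --authgroup $group -u $user -v $VPN_HOST"
}

# Everything that must be in place before openconnect can bring up the tunnel.
uci_vpn_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (su root or sudo)" >&2; return 1; }
    command -v openconnect >/dev/null 2>&1 \
        || { echo "openconnect not installed (yum install openconnect)" >&2; return 1; }
    [ -f "$VPNC_SCRIPT" ] \
        || { echo "$VPNC_SCRIPT missing: install vpnc" >&2; return 1; }
}

# Connect with the page's settings. The password is entered interactively at
# openconnect's prompt, so it is never placed on the command line.
uci_vpn_connect() {
    uci_vpn_prereqs || return 1
    cmd=$(uci_openconnect_cmd "$1" "$2") || return 1
    # Optional hardening: pin the gateway certificate in addition to the normal
    # CA check. openconnect's --servercert takes the fingerprint; this value is
    # a placeholder and must be replaced with the gateway's real pin:
    #   cmd="$cmd --servercert pin-sha256:PLACEHOLDER_FINGERPRINT"
    exec $cmd
}

# Typical use, as root:  uci_vpn_connect yourUCInetID UCI
```

Stop the session with Control-C in the terminal, exactly as the instructions above describe; the wrapper replaces the shell with openconnect via exec, so there is no extra process to clean up.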