Virtual private network (VPN)

Warning: Internet traffic goes through University servers

While using the VPN all your internet traffic will route through the University.  You are therefore bound by our IT Rules and Regulations until you close the connection.

 

 

Some web pages and online resources can only be accessed by computers directly connected to the Oxford University campus network.  Access to these restricted resources from outside the campus network is provided via the IT Services VPN Service.

Using an application such as the Cisco AnyConnect VPN client, the VPN service provides your device with a virtual connection to the campus network so it behaves exactly as it would when on campus.


The following is required to access the IT Services VPN service:

The Cisco AnyConnect VPN client is available for a number of operating systems.

Install Cisco AnyConnect

  1. Download the appropriate AnyConnect VPN client from our Software downloads page.
  2. Launch the installer and complete the installation.
  3. Start the Cisco AnyConnect application.
  4. Enter vpn.ox.ac.uk into the dropdown box.
  5. Select Connect
  6. When prompted, provide your Oxford username (in the format abcd1234@OX.AC.UK) and your Remote Access password.

Cisco AnyConnect for Linux

The Cisco AnyConnect Secure Mobility Client 4.10 is available for:

  • Linux Red Hat 7 and 8
  • Ubuntu 16.04, 18.04 and 20.04 (all x64)

Other Linux distributions that may fulfil the requirements are detailed in the Release Notes.

Install Cisco AnyConnect

  1. Download the appropriate AnyConnect VPN client from our Software downloads page
  2. If not extracted automatically, unpack the downloaded file using an archive manager or type tar -xzvf filename from a terminal window (replacing filename with the file's name)
  3. In a terminal window, navigate to the newly created directory beginning 'anyconnect', then to the vpn directory
  4. Start the installation by typing sudo ./vpn_install.sh
  5. Following the installation, start the Cisco AnyConnect Secure Mobility Client program from the Applications menu or command line by typing vpnui in the installation directory (for Ubuntu this is /opt/cisco/bin)
  6. Type vpn.ox.ac.uk, then Connect
  7. When prompted, provide your Oxford username in the format abcd1234@OX.AC.UK and your Remote Access password

Install Cisco AnyConnect

  1. Download the AnyConnect app from the device’s app store.
  2. Start the Cisco AnyConnect application.
  3. Select Connections > Add New VPN Connection
  4. Select Server Address then provide vpn.ox.ac.uk
  5. Select Done then the back arrow.
  6. Select the AnyConnect VPN toggle.
  7. When prompted, provide your Oxford username (in the format abcd1234@OX.AC.UK) and your Remote Access password.

Install Cisco AnyConnect

  1. Download the AnyConnect app from the device’s app store.
  2. Start the Cisco AnyConnect application.
  3. Select Connections > Add VPN Connection...
  4. Select Server Address, provide vpn.ox.ac.uk
  5. Select Save
  6. Select the AnyConnect VPN toggle.
  7. When prompted, provide your Oxford username (in the format abcd1234@OX.AC.UK) and your Remote Access password.

Add Cisco AnyConnect to Chrome

  1. Open the launcher and select the Chrome Web Store.
  2. Search for the Cisco AnyConnect app, then add it to Chrome.
  3. Start AnyConnect and wait for it to initialise.
  4. Click Add New Connection
  5. For the Server Address provide vpn.ox.ac.uk
  6. Select Save
  7. Select the Wi-Fi icon in the notifications bar.
  8. Choose VPN and select vpn.ox.ac.uk
  9. When prompted, provide your Oxford username (in the format abcd1234@OX.AC.UK) and your Remote Access password.

Connect to the VPN

After the initial setup of AnyConnect, when launching the VPN client you will usually only be prompted for your password when connecting to the VPN.

Disconnect from the VPN

It is advisable to disconnect from the VPN when it is not needed.  Depending on your device either:

  • Select the VPN icon in the system tray, then Disconnect.
  • Open the application and toggle the VPN connection to show as disconnected.

Connections to the IT Services VPN Service are supported by a number of third-party and native (built in) VPN clients, though we cannot provide support and instructions for all of these.

macOS VPN client

Devices running macOS can use their own native VPN client.

Configure

  1. Select Apple menu > System Preferences > Network
  2. Select the bottom left + button.
  3. Set the following:

     Interface: VPN
     VPN Type: Cisco IPSec
     Service Name: IT Services VPN
  4. Select the new VPN entry then set:

     Server: vpn.ox.ac.uk
     Account Name: Your Oxford username in the format abcd1234@OX.AC.UK
     Password: Your Remote Access password
  5. Select Authentication Settings... then set:

     Shared Secret: Available from the VPN shared credentials link on our VPN client download page
     Group Name: oxford
  6. (Optional) Enable Show VPN status in menu bar to connect and disconnect from here
  7. Select Apply
  8. Select Connect

VPNC

Install VPNC

As Linux distributions vary these instructions will not take you step by step through obtaining and installing the software but assume you are familiar with installing software on your system.

Debian or Ubuntu users can use the universe package repository, with Ubuntu users using the Synaptic Package Manager.  In the default Gnome environment, go to System > Administration > Synaptic Package Manager.  If VPNC does not appear on the search list, check that the universe package repository has been added and the list of packages has been refreshed.

In addition to the core vpnc package, if you would like a GUI interface to the vpnc program you can also install kvpnc (for the KDE environment) or network-manager-vpnc.

Configure VPNC

  1. From a terminal window type: sudo vpnc-connect
  2. Provide the connection information:

     IPSec gateway: vpn.ox.ac.uk
     IPSec ID: oxford
     IPSec secret: Available from the VPN shared credentials link on our VPN client download page
     Username: Your Oxford username in the format abcd1234@OX.AC.UK
     Password: Your Remote Access password
     Domain: (blank)
  3. From a terminal window the ifconfig command should now show a new interface tun0 with an Oxford IP address.

Saving the connection settings

If desired, the connection settings can be saved in a configuration file, though as this is a plain text file do not include a password when using a shared computer.

  1. Create a text file in the /etc/vpnc/ directory called oxford.conf
  2. Save the following text, with each line followed by a single space and the corresponding information (see above).  Do not leave a space after any value before starting a new line.
    IPSec gateway
    IPSec ID
    IPSec secret
    Xauth username
    Xauth password
  3. After creating the file, you can connect with the command sudo vpnc-connect oxford.  If you encounter an error regarding the domain, you may need to also include a Domain line in the oxford.conf file.

More information on vpnc should be available in your system's man pages.
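
One way to create and check the saved profile described above, with the password left out and the file readable only by its owner. This is an added example, not part of the original page; the function names, the scratch path and the placeholder secret are assumptions, and vpnc prompts for any value missing from the file.

```sh
#!/bin/sh
# Added example. Values are constructed placeholders; the real group secret
# comes from the VPN shared credentials link and is not reproduced here.

# Write a vpnc profile that omits "Xauth password", so vpnc prompts for it.
write_vpnc_conf() {     # usage: write_vpnc_conf FILE GROUP_SECRET USERNAME
    local file="$1" secret="$2" user="$3"
    (
        umask 077       # a newly created file gets mode 0600
        printf '%s\n' \
            "IPSec gateway vpn.ox.ac.uk" \
            "IPSec ID oxford" \
            "IPSec secret $secret" \
            "Xauth username $user" > "$file"
    )
    chmod 600 "$file"   # also tighten a file that already existed
}

# Print one finding per problem; exit status is 0 only when the file is clean.
audit_vpnc_conf() {     # usage: audit_vpnc_conf FILE
    local file="$1" findings=0
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $file is accessible to group or other users"
        findings=$((findings + 1))
    fi
    if grep -qi '^Xauth password' "$file"; then
        echo "PASSWORD: Remote Access password is stored in plain text"
        findings=$((findings + 1))
    fi
    if grep -q '[[:space:]]$' "$file"; then
        echo "WHITESPACE: a value is followed by a trailing space"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo in a scratch directory (the real profile is /etc/vpnc/oxford.conf).
demo_dir=$(mktemp -d)
write_vpnc_conf "$demo_dir/oxford.conf" "PLACEHOLDER-GROUP-SECRET" "abcd1234@OX.AC.UK"
audit_vpnc_conf "$demo_dir/oxford.conf" && echo "oxford.conf: no findings"
rm -rf "$demo_dir"
```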

iOS VPN client

The iPhone, iPad and iPod Touch can use their own native VPN client.

Configure

  1. Select Settings > General > VPN
  2. Select Add VPN Configuration...
  3. Provide the following:

     Type: IPSec
     Description: IT Services VPN
     Server: vpn.ox.ac.uk
     Account: Your Oxford username in the format abcd1234@OX.AC.UK
     Password: Your Remote Access password
     Group Name: oxford
     Secret: Available from the VPN shared credentials link on our VPN client download page
  4. A small VPN symbol should now be visible in the menu bar.

Disconnect

To disconnect, go to Settings and move the VPN slider to OFF.

Other VPN clients

The only thing stopping a VPN client from connecting to the IT Services VPN Service is that many do not support the protocols needed.

The following information may help in the configuration of other VPN clients.

 

Server platform: Cisco ASA 5500 series
Server hostname: vpn.ox.ac.uk
Transport modes: IPSec, IPSec/TCP, IPSec/UDP
Authentication mode: IKE Extended Authentication (Xauth)
IPSec group name: oxford
IPSec group password: Available from the VPN shared credentials link on our VPN client download page
Xauth username: Your Oxford username in the format abcd1234@OX.AC.UK
Xauth password: Your Remote Access password
Domain: ""

 

The following IKE proposals are supported.

Authentication Algorithm    Encryption Algorithm    Diffie-Hellman Group
MD5/HMAC-128                3DES-168                Group 2
MD5/HMAC-128                3DES-168                Group 5
SHA/HMAC-160                AES-128                 Group 2

 

The service does not allow split tunnelling by VPN clients.

Cisco VPN Client

The Cisco VPN client can operate in one of three transport modes and needs access to the following protocols and ports.  These details are also relevant to most native and 3rd party clients capable of connecting to the IT Services VPN Service including the native VPN clients for macOS and iOS.

IPSec:      ESP (IP protocol 50), UDP port 500
IPSec/TCP:  TCP port 10000
IPSec/UDP:  UDP ports 500, 10000

Cisco AnyConnect VPN Client

The Cisco AnyConnect VPN client requires an SSL tunnel and optionally a DTLS tunnel.

SSL:   TCP port 443
DTLS:  UDP port 443

Firewalls

VPN clients contact the VPN servers in the netblock 163.1.94.16/28.

VPN clients will be given an IP address from the private IP ranges of 10.0.0.0/19, 10.0.32.0/19, 10.0.64.0/19 or 10.0.96.0/19.  These private addresses will be mapped to a public IP in the 129.67.116.0/22 netblock by the use of dynamic PAT.

The protocols and ports used will depend on whether you are using the older Cisco VPN client, the newer AnyConnect client or a 3rd party or native client.
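
When reviewing firewall rules or server logs it helps to tell at a glance which of the netblocks above an address belongs to: the VPN servers, the private client pools, or the public PAT range that other services will see. The script below is an added example, not part of the original page; the function names and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example: classify IPv4 addresses against the netblocks listed above.

ip_to_int() {           # dotted quad -> 32-bit integer; fails if malformed
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    (
        IFS=.
        set -- $1       # split the address into its octets
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case "$octet" in 0?*) exit 1 ;; esac   # leading zero would be read as octal
            [ "$octet" -le 255 ] 2>/dev/null || exit 1
        done
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

in_cidr() {             # usage: in_cidr ADDRESS NETWORK/PREFIX
    local addr net mask
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

classify_vpn_addr() {   # prints vpn-server, vpn-client-pool, vpn-pat-public, other or invalid
    local cidr
    ip_to_int "$1" >/dev/null || { echo invalid; return 1; }
    if in_cidr "$1" 163.1.94.16/28; then echo vpn-server; return 0; fi
    for cidr in 10.0.0.0/19 10.0.32.0/19 10.0.64.0/19 10.0.96.0/19; do
        if in_cidr "$1" "$cidr"; then echo vpn-client-pool; return 0; fi
    done
    if in_cidr "$1" 129.67.116.0/22; then echo vpn-pat-public; return 0; fi
    echo other
}

# Constructed sample addresses, e.g. source IPs pulled from a server log.
for ip in 163.1.94.20 10.0.70.9 129.67.117.44 192.0.2.10; do
    printf '%-15s %s\n' "$ip" "$(classify_vpn_addr "$ip")"
done
```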


Some University online resources, particularly web pages, can only be accessed by devices directly connected to the University's network.

Examples of restricted services include:

  • Accessing the HR Self-Service for online payslips
  • Accessing certain secured departmental and college web pages
  • Connecting to local departmental services
  • Accessing departmental network drives
  • Viewing external websites when using the OWL WiFi network

Your Remote Access username is the same as your Oxford username followed by @OX.AC.UK, for example abcd1234@OX.AC.UK.

Your Remote Access password can be created or updated from your Self Registration pages.

To access the VPN you will need:

You will not be able to use the VPN service where:

  • You cannot install new software onto your device, such as in an internet café or public library.
  • Your Internet Service Provider or organisation blocks the use of a VPN.
  • You are using a non-Cisco VPN client that does not support XAUTH.

It is advisable to disconnect from the VPN when you have finished using it.

Many services do not require the VPN and are restricted by single sign-on (SSO) only; this includes services such as email and the Libraries SOLO service.

When using the VPN you will be connected to the University network, so your device may encounter issues connecting to devices such as home assistants or printers on your local wireless network.

Make sure you are entering your Remote Access password, which is different from the single sign-on (SSO) password.  If in doubt, you can reset your Remote Access password from your Self Registration web pages.

If you use Kaspersky security software you may need to add an exception to trust the VPN software.

To add an exception in either Kaspersky Internet Security 2010 or Kaspersky Anti-Virus 2010:

  1. Right-click on the Kaspersky icon near your system clock and choose Settings
  2. Select Options > Threats and exclusions
  3. Under the Exclusions section, select Settings....
  4. Select the Trusted applications tab, then Add
  5. Select Browse...
  6. Locate the vpnagent program (normally in C:\Program Files\Cisco\Cisco AnyConnect VPN Client), then Open.
  7. In the window titled Exclusions for application, under Exclusions check the box Do not scan network traffic.
  8. Click OK, OK, then OK again to close the settings window and apply the changes.

There is no way to make the client remember your Remote Access password.

To check whether you have the current version installed:

  1. Start the AnyConnect VPN Client.
  2. Compare the latest version of the software available for your operating system in the VPN section of the IT Services software download page.

    • On Windows and Linux systems, select the About tab.
    • On macOS systems, check the bottom-right of the AnyConnect VPN Client window.

  3. If the version number shown on the downloads page for your operating system is higher than the start of your version, download and install it.

We would recommend that you uninstall the older client.  If you do have both clients installed you should never connect using both VPN clients simultaneously.

    Windows

    1. Select Start Menu > Settings > Apps
    2. Select the entry for Cisco AnyConnect Secure Mobility Client, then Uninstall

    macOS

    1. Select Applications > Cisco
    2. Select Uninstall AnyConnect
    3. Follow the prompts to uninstall the program.

    Linux

    1. Open a terminal window
    2. Type the command sudo /opt/cisco/vpn/bin/vpn_uninstall.sh.
    3. You will be prompted for your password.

    Information is also provided in the Cisco AnyConnect client's own FAQ, troubleshooting guide and release notes.

    If this does not resolve your issue you can also contact the central IT Service Desk, including details of:

    • Your operating system and version
    • Your AnyConnect VPN Client version
    • Your Internet Service Provider

    Get support


    Local IT support provide your first line of on-the-spot help


    Common requests and fault reports can be logged using self-service


    The central Service Desk is available 24x7 on +44 1865 6 12345

     

    If you do not have an SSO account you can use this form to contact the Service Desk