Virtual private network (VPN)

Warning: Internet traffic goes through University servers

While using the VPN all your internet traffic will route through the University.  You are therefore bound by our IT Rules and Regulations until you close the connection.

 

 

Some web pages and online resources can only be accessed by computers directly connected to the Oxford University campus network.  Access to these restricted resources from outside the campus network is provided via the IT Services VPN Service.

Using an application such as the Cisco AnyConnect VPN client, the VPN service provides your device with a virtual connection to the campus network so it behaves exactly as it would when on campus.


The following is required to access the IT Services VPN service:

The Cisco AnyConnect VPN client is available for a number of operating systems.

  1. Download the appropriate AnyConnect VPN client from our Software downloads page
  2. Launch the installer and complete the installation
  3. Start the Cisco AnyConnect application
  4. Enter vpn.ox.ac.uk into the dropdown box
  5. Select Connect
  6. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Remote Access password
    1. The AnyConnect VPN Client for Linux is available from our Software downloads page for:

      • Linux Red Hat 7 and 8
      • Ubuntu 16.04, 18.04 and 20.04 (all x64)

      Other Linux distributions that may fulfil the requirements are detailed in the release notes

    2. If not extracted automatically, unpack the downloaded file using an archive manager or type tar -xzvf filename from a terminal window (replacing filename with the file's name)
    3. In a terminal window, navigate to the newly created directory beginning 'anyconnect', then to the vpn directory
    4. Start the installation by typing sudo ./vpn_install.sh
    1. Download the AnyConnect app from the device’s app store
    2. Start the Cisco AnyConnect application
    3. Select Connections > Add New VPN Connection
    4. Select Server Address then provide vpn.ox.ac.uk
    5. Select Done
    1. Download the AnyConnect app from the device’s app store
    2. Start the Cisco AnyConnect application
    3. Select Connections > Add VPN Connection...
    4. Select Server Address, provide vpn.ox.ac.uk
    5. Select Save
    1. Open the launcher and select the Chrome Web Store
    2. Search for the Cisco AnyConnect app, then add it to Chrome
    3. Launch the Cisco AnyConnect app
    4. Select Add New Connection
    5. For the Server Address provide vpn.ox.ac.uk
    6. Select Save

    You usually only need to provide server and username details when connecting to the VPN for the first time.

    1. Start the Cisco AnyConnect application
    2. Type vpn.ox.ac.uk into the dropdown box
    3. Select Connect
    4. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Remote Access password
    1. To start the client either:

      • Select Cisco AnyConnect Secure Mobility Client from the Applications menu
      • Type vpnui at the command line in the installation directory (for Ubuntu this is /opt/cisco/bin)

    2. Provide vpn.ox.ac.uk then Connect
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Remote Access password
    1. Start the Cisco AnyConnect application
    2. Select the AnyConnect VPN toggle
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Remote Access password
    1. Select the WiFi icon in the notifications bar
    2. Choose VPN and select vpn.ox.ac.uk
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Remote Access password

    It is advisable to disconnect from the VPN when it is not needed.

      1. Select the VPN icon in the system tray
      2. Select Disconnect
      1. Select the VPN client in the system tray
      2. Select Disconnect
      1. Open the Cisco AnyConnect application
      2. Toggle the VPN connection to show as disconnected
      1. Select the WiFi icon in the notifications bar
      2. Select VPN
      3. Select Disconnect

      Connections to the IT Services VPN Service are supported by a number of third-party and native (built in) VPN clients, though we cannot provide support and instructions for all of these.

      macOS VPN client

      Devices running macOS can use their own native VPN client.

      Configure

      1. Select Apple menu > System Preferences > Network
      2. Select the bottom left + button.
      3. Set the following:

        Interface: VPN
        VPN Type: Cisco IPSec
        Service Name: IT Services VPN
      4. Select the new VPN entry then set:

        Server: vpn.ox.ac.uk
        Account Name: Your Oxford username in the format abcd1234@OX.AC.UK
        Password: Your Remote Access password
      5. Select Authentication Settings... then set:

        Shared Secret: Available from the VPN shared credentials link on our VPN client download page
        Group Name: oxford
      6. (Optional) Enable Show VPN status in menu bar to connect and disconnect from here
      7. Select Apply
      8. Select Connect

      VPNC

      Install VPNC

      As Linux distributions vary these instructions will not take you step by step through obtaining and installing the software but assume you are familiar with installing software on your system.

      Debian or Ubuntu users can use the universe package repository, with Ubuntu users using the Synaptic Package Manager.  In the default Gnome environment, go to System > Administration > Synaptic Package Manager.  If VPNC does not appear on the search list, check that the universe package repository has been added and the list of packages has been refreshed.

      In addition to the core vpnc package, if you would like a GUI interface to the vpnc program you can also install kvpnc (for the KDE environment) or network-manager-vpnc.

      Configure VPNC

      1. From a terminal window type: sudo vpnc-connect
      2. Provide the connection information:

        IPSec gateway: vpn.ox.ac.uk
        IPSec ID: oxford
        IPSec secret: Available from the VPN shared credentials link on our VPN client download page
        Username: Your Oxford username in the format abcd1234@OX.AC.UK
        Password: Your Remote Access password
        Domain: (leave blank)
      3. From a terminal window the ifconfig command should now show a new interface tun0 with an Oxford IP address.

      Saving the connection settings

      If desired, the connection settings can be saved in a configuration file, though as this is a plain text file do not include a password when using a shared computer.

      1. Create a text file in the /etc/vpnc/ directory called oxford.conf
      2. Save the following text, with each line followed by a single space and the corresponding information (see above).  Do not leave a space after any value before starting a new line.
        IPSec gateway
        IPSec ID
        IPSec secret
        Xauth username
        Xauth password
      3. After creating the file, you can connect with the command sudo vpnc-connect oxford.  If you encounter an error regarding the domain, you may need to also include a Domain line in the oxford.conf file.
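
The saved profile described above, written by a small shell function. This is an added example, not part of the original instructions: the directory argument and the `<...>` value in the usage comment are placeholders, the password line is left out so that vpnc prompts for it, and the file is created readable by its owner only.

```shell
# Added example (not IT Services' code). Usage, as root:
#   write_vpnc_conf /etc/vpnc 'abcd1234@OX.AC.UK' '<shared secret from the download page>'
write_vpnc_conf() {
    dir=$1
    user=$2
    secret=$3
    conf="$dir/oxford.conf"

    # Strip trailing whitespace: a space left after a value breaks the profile.
    user=$(printf '%s' "$user" | sed 's/[[:space:]]*$//')
    secret=$(printf '%s' "$secret" | sed 's/[[:space:]]*$//')
    if [ -z "$user" ] || [ -z "$secret" ]; then
        echo "username and shared secret are required" >&2
        return 1
    fi

    # The file holds the group secret in plain text, so create it with
    # mode 0600. Remove any older copy first: umask only affects new files.
    (
        umask 077
        rm -f "$conf"
        {
            printf 'IPSec gateway %s\n' 'vpn.ox.ac.uk'
            printf 'IPSec ID %s\n' 'oxford'
            printf 'IPSec secret %s\n' "$secret"
            printf 'Xauth username %s\n' "$user"
            # No "Xauth password" line: vpnc asks for it when connecting.
        } > "$conf"
    )
}
```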

      More information on vpnc should be available in your system's man pages.

      iOS VPN client

      The iPhone, iPad and iPod Touch can use their own native VPN client.

      Configure

      1. Select Settings > General > VPN
      2. Select Add VPN Configuration...
      3. Provide the following:

        Type: IPSec
        Description: IT Services VPN
        Server: vpn.ox.ac.uk
        Account: Your Oxford username in the format abcd1234@OX.AC.UK
        Password: Your Remote Access password
        Group Name: oxford
        Secret: Available from the VPN shared credentials link on our VPN client download page
      4. A small VPN symbol should now be visible in the menu bar.

      Disconnect

      To disconnect, go to Settings and move the VPN slider to OFF.

      Other VPN clients

      The only thing stopping a VPN client from connecting to the IT Services VPN Service is that many do not support the protocols needed.

      The following information may help in the configuration of other VPN clients.

      Server platform: Cisco ASA 5500 series
      Server hostname: vpn.ox.ac.uk
      Transport modes: IPSec, IPSec/TCP, IPSec/UDP
      Authentication mode: IKE Extended Authentication (Xauth)
      IPSec group name: oxford
      IPSec group password: Available from the VPN shared credentials link on our VPN client download page
      Xauth username: Your Oxford username in the format abcd1234@OX.AC.UK
      Xauth password: Your Remote Access password
      Domain: ""

       

      The following IKE proposals are supported.

      Authentication Algorithm   Encryption Algorithm   Diffie-Hellman Group
      MD5/HMAC-128               3DES-168               Group 2
      MD5/HMAC-128               3DES-168               Group 5
      SHA/HMAC-160               AES-128                Group 2

       

      The service does not allow split tunnelling by VPN clients.

      Cisco VPN Client

      The Cisco VPN client can operate in one of three transport modes and needs access to the following protocols and ports.  These details are also relevant to most native and 3rd party clients capable of connecting to the IT Services VPN Service including the native VPN clients for macOS and iOS.

      IPSec: ESP (IP protocol 50), UDP port 500
      IPSec/TCP: TCP port 10000
      IPSec/UDP: UDP ports 500, 10000

      Cisco AnyConnect VPN Client

      The Cisco AnyConnect VPN client requires an SSL tunnel and optionally a DTLS tunnel.

      SSL: TCP port 443
      DTLS: UDP port 443

      Firewalls

      VPN clients contact the VPN servers in the netblock 163.1.94.16/28.

      VPN clients will be given an IP address from the private IP ranges of 10.0.0.0/19, 10.0.32.0/19, 10.0.64.0/19 or 10.0.96.0/19.  These private addresses will be mapped to a public IP in the 129.67.116.0/22 netblock by the use of dynamic PAT.

      The protocols and ports used will depend on whether you are using the older Cisco VPN client, the newer AnyConnect client or a 3rd party or native client.
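
When reading firewall or service logs it helps to tell which of the netblocks above an address belongs to. The following shell functions are an added example, not part of the original page; the function names and output labels are illustrative, and input is assumed to be a well-formed dotted-quad IPv4 address without leading zeros.

```shell
# Added example (not IT Services' code): classify an IPv4 address against
# the netblocks listed in the Firewalls section.
ip_to_int() {
    # Convert a.b.c.d to a 32-bit integer (runs in a subshell when called
    # via $(...), so the IFS change and "set --" do not leak).
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr ADDRESS NETWORK/PREFIX: exit status 0 if ADDRESS is in the block.
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

classify_vpn_addr() {
    # Private pools handed to connected VPN clients.
    for block in 10.0.0.0/19 10.0.32.0/19 10.0.64.0/19 10.0.96.0/19; do
        if in_cidr "$1" "$block"; then echo "vpn-client-private"; return; fi
    done
    # Public range the private pools are mapped to by dynamic PAT.
    if in_cidr "$1" 129.67.116.0/22; then echo "vpn-client-public-pat"; return; fi
    # Addresses of the VPN servers themselves.
    if in_cidr "$1" 163.1.94.16/28; then echo "vpn-server"; return; fi
    echo "other"
}
```

For example, `classify_vpn_addr 129.67.118.40` prints `vpn-client-public-pat`, which is how a VPN user's traffic appears to a service outside the private pools.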


      Some University online resources, particularly web pages, can only be accessed by devices directly connected to the University's network.

      Examples of restricted services include:

      • Accessing the HR Self-Service for online payslips
      • Accessing certain secured departmental and college web pages
      • Connecting to local departmental services
      • Accessing departmental network drives
      • Viewing external websites when using the OWL WiFi network

      Your Remote Access username is the same as your Oxford username followed by @OX.AC.UK, for example abcd1234@OX.AC.UK.

      Your Remote Access password can be created or updated from your Self Registration pages.

      To access the VPN you will need:

      You will not be able to use the VPN service where:

      • You cannot install new software onto your device, such as in an internet café or public library.
      • Your Internet Service Provider or organisation blocks the use of a VPN.
      • You are using a non Cisco VPN client that does not support XAUTH.

      It is advisable to disconnect from the VPN when you have finished using it.

      Many services do not require the VPN and are restricted by single sign-on (SSO) only; this includes services such as email and the Libraries SOLO service.

      When using the VPN you will be connected to the University network, so your device may encounter issues connecting to devices such as home assistants or printers on your local wireless network.

      Make sure you are entering your Remote Access password; this is different from the single sign-on (SSO) password.  If in doubt, you can reset your Remote Access password from your Self Registration web pages.

      If you use Kaspersky security software you may need to add an exception to trust the VPN software.

      To add an exception to either Kaspersky Internet Security 2010 or Kaspersky Anti-Virus 2010:

      1. Right-click on the Kaspersky icon near your system clock and choose Settings
      2. Select Options > Threats and exclusions
      3. Under the Exclusions section, select Settings....
      4. Select the Trusted applications tab, then Add
      5. Select Browse...
      6. Locate the vpnagent program (normally in C:\Program Files\Cisco\Cisco AnyConnect VPN Client), then Open.
      7. In the window titled Exclusions for application, under Exclusions check the box Do not scan network traffic.
      8. Click OK, OK, then OK again to close the settings window and apply the changes.

      There is no way to make the client remember your Remote Access password.

      To check whether you have the current version installed:

      1. Start the AnyConnect VPN Client.
      2. Compare the latest version of the software available for your operating system in the VPN section of the IT Services software download page.

        • On Windows and Linux systems, select the About tab.
        • On macOS systems, check the bottom-right of the AnyConnect VPN Client window.

      3. If the version number shown on the downloads page for your operating system is higher than the start of your version, download and install it.

      We would recommend that you uninstall the older client.  If you do have both clients installed you should never connect using both VPN clients simultaneously.

        Windows

        1. Select Start Menu > Settings > Apps
        2. Select the entry for Cisco AnyConnect Secure Mobility Client, then Uninstall

        macOS

        1. Select Applications > Cisco
        2. Select Uninstall AnyConnect
        3. Follow the prompts to uninstall the program.

        Linux

        1. Open a terminal window
        2. Type the command sudo /opt/cisco/vpn/bin/vpn_uninstall.sh.
        3. You will be prompted for your password.

        Information is also provided in the Cisco AnyConnect client's own FAQ, troubleshooting guide and release notes.

        If this does not resolve your issue you can also contact the central IT Service Desk, including details of:

        • Your operating system and version
        • Your AnyConnect VPN Client version
        • Your Internet Service Provider

        Get support


        Local IT support provides your first line of on-the-spot help


         

        Common requests and fault reports can be logged using self-service


         

        The Central IT Service Desk is available 24x7 on +44 1865 6 12345

        If you do not have access to your Single Sign-On, you can use this form to contact the Service Desk