A guide for using VPN

Help and information for using the University VPN service

Expand All

Some online resources can only be accessed by devices connected to the University's network or VPN.

Most services do not require you to use a VPN, but commonly restricted services are:

  • HR Self-Service
  • Restricted University web pages (like the IT Services Online Shop)
  • Certain Bodleian Library resources (Oxford Libraries Information Platform)
  • Departmental network drives

The VPN application requires an SSL tunnel and optionally a DTLS tunnel.

  • SSL: TCP port 443
  • DTLS: UDP port 443

The VPN application contacts the servers in the IP range 192.76.7.64/27.

The VPN application is given an IP address from the private IP range 10.1.32.0/20 or 10.10.64.0/18.

The private addresses are mapped by dynamic PAT to a public IP address in the IP range 129.67.116.0/22.

The Cisco AnyConnect socket filter is installed along with the VPN on macOS devices and has a role in monitoring, routing and filtering network traffic on the VPN connections.

The socket filter runs all the time, but does not do anything when the VPN is not connected.  If required, it can be removed if you delete the application "Cisco AnyConnect Socket Filter.app" then reboot.

By default your network traffic is sent through the VPN while connected, with the following exceptions:

  • High volume Microsoft traffic, such as Teams, to allow the service to have greater capacity.
  • Local network traffic, so you can connect to devices such as printers and home assistants.

If you are concerned about the security of your network, you should instead connect to vpn.ox.ac.uk/tunnel-all to make all network traffic to go through the VPN tunnel.  You will still be able to connect to printers and other devices on your local network.

Most VPN applications are not compatible with the University VPN service as they do not support multi-factor authentication (MFA).

Cisco AnyConnect and Cisco Secure Client are currently the only supported VPN applications, any others could stop working without notice.

Further information regarding the Cisco VPN client  is available to University IT Support Staff (ITSS), with specific articles on:

  • Split Tunnelling Profiles and Local LAN Access
  • Customising the Cisco VPN Client
  • Automatic updates with the Cisco VPN Client
  • AnyConnect Socket Filter on macOS
  • Configuring the Cisco VPN Client Installer for macOS

If you encounter issues connecting to printers and other devices on your local network whilst using the VPN:

 

  1. In Cisco Secure Client / AnyConnect, select the cog icon  
  2. Select the Preferences tab
  3. Ensure Allow local (LAN) access when using VPN (if configured) is ticked

For issues due to the default web browser being used to provide the username, password and MFA details, the VPN application's internal web browser can be used instead by providing the server name as vpn.ox.ac.uk/cisco-browser when logging in.

 

Before you start...

Minimise or close open windows so you can clearly see messages and instructions displayed during installation.

 

Essentials

On macOS 13 (Ventura) and above, after installing or upgrading the Cisco Secure client, connecting to VPN displays "Connect capability is unavailable because the VPN service is unavailable." You may also see a warning message in the Connect box saying: "No connection to VPN service. Reattach failed" where normally it would show "Ready to connect". This applies to new installations, manual updates, and forced updates to the Cisco Secure Client - AnyConnect VPN Service.

If you are an Administrator of the Mac, Go into   > System Settings > General > Login Items, and make sure the switch against Cisco Secure Client - AnyConnect VPN Service shows as enabled. You can toggle this off and on (for luck) if it is already enabled.

Deep dive

Starting with macOS 13 (Ventura), Apple made changes, including allowing users who have administrative access to their macOS devices, to have more visibility of, and control over, tasks running in the background. Previously, it wasn't possible to view and manage background tasks from the GUI. From Ventura, you can view and change them in System Settings\General\Login Items in the Allow in Background section.

When recent versions of the Cisco Secure Client are installed on devices running macOS 13 (Ventura) and above (including upgrade scenarios), you may be prompted to allow the VPN Service to run in the background. The prompt includes a link to the System Settings and an image to show the setting change you need to make. If you either ignore the prompt or cannot make the change (e.g. because you don't have permission), you won't be able to connect to the VPN.

When the Cisco Secure Client v5 installs or upgrades, you may see one or both of the following prompts:

  • allow the socket filter kernel extension

  • allow the VPN Service to run in the background

both require you to make changes in System Settings; the prompts include links.

If you do not allow the socket filter kernel extension, it may continue to show warnings, but the VPN should still work. However, if you don't allow the VPN Service to run in the background, the VPN will not be able to connect.

For University macOS devices managed centrally and where you do not have administrative access, your local IT may need to fix this for you.

Older macOS versions (12 and below) have no way in the GUI to view and manage background tasks, and you may only see the kernel extension prompt.

Cisco also provide release notes and a troubleshooting guide for the Cisco Secure Client.

 

Related links

Get support

If you cannot find the solution you need here then we have other ways to get IT support

Get IT support

Submit a suggestion, compliment or complaint