VPN service: Technical details

FIREWALLS

VPN clients contact the VPN servers in the netblock 163.1.94.16/28.

VPN clients will be given an IP address from one of the private ranges 10.0.0.0/19, 10.0.32.0/19, 10.0.64.0/19 or 10.0.96.0/19. These private addresses are mapped to a public IP in the 129.67.116.0/22 netblock using dynamic PAT (port address translation), so firewalls elsewhere see VPN users as source addresses in 129.67.116.0/22.

The protocols and ports used depend on whether you are using the older Cisco VPN client, the newer AnyConnect client, or a third-party or native client.

CISCO VPN

The Cisco VPN client can operate in one of three transport modes. The client needs access to the following protocols and ports. These details also apply to most native clients capable of connecting to the IT Services VPN Service, including the OS X native VPN client and the clients on iPhone, iPod touch and iPad, as well as many third-party clients.

IPSec: ESP (IP protocol 50), UDP port 500
IPSec/TCP: TCP port 10000
IPSec/UDP: UDP ports 500, 10000

CISCO ANYCONNECT

The Cisco AnyConnect VPN client requires an SSL tunnel and optionally a DTLS tunnel.

SSL: TCP port 443
DTLS: UDP port 443
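The two port lists above, together with the netblocks in the FIREWALLS section, amount to an egress allowlist: a client of a given type only ever needs these flows to 163.1.94.16/28. The following Python is an added example (not code from IT Services) that encodes that allowlist, classifies addresses against the client pools and PAT block, checks a flow against the allowlist, renders the matching nftables rules, and flags flows to the VPN netblock that a client should never generate. The nftables syntax and the constructed log lines are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Netblocks taken from the FIREWALLS section.
VPN_SERVERS = ipaddress.ip_network("163.1.94.16/28")
CLIENT_POOLS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/19", "10.0.32.0/19", "10.0.64.0/19", "10.0.96.0/19")]
PAT_BLOCK = ipaddress.ip_network("129.67.116.0/22")

Flow = namedtuple("Flow", "proto port")  # port is None for ESP (IP protocol 50)

# Flows each client type needs, from the CISCO VPN and CISCO ANYCONNECT sections.
REQUIRED_FLOWS = {
    "ipsec":      {Flow("esp", None), Flow("udp", 500)},
    "ipsec/tcp":  {Flow("tcp", 10000)},
    "ipsec/udp":  {Flow("udp", 500), Flow("udp", 10000)},
    "anyconnect": {Flow("tcp", 443), Flow("udp", 443)},  # UDP 443 (DTLS) is optional
}


def required_flows(client):
    key = client.lower()
    if key not in REQUIRED_FLOWS:
        raise ValueError(f"unknown client type: {client}")
    return REQUIRED_FLOWS[key]


def flow_permitted(client, proto, dst_ip, dst_port=None):
    """True if an outbound flow is one the chosen client needs to reach the VPN servers."""
    if ipaddress.ip_address(dst_ip) not in VPN_SERVERS:
        return False
    return Flow(proto.lower(), dst_port) in required_flows(client)


def classify_address(ip):
    """Label an address by its role in the service, as seen from a firewall."""
    addr = ipaddress.ip_address(ip)
    if addr in VPN_SERVERS:
        return "vpn-server"
    if any(addr in pool for pool in CLIENT_POOLS):
        return "vpn-client-private"   # address inside the tunnel
    if addr in PAT_BLOCK:
        return "vpn-client-public"    # what the rest of the world sees after PAT
    return "other"


def nft_rules(client):
    """Render nftables rule lines (assumed syntax) allowing only the needed flows."""
    lines = []
    for f in sorted(required_flows(client), key=lambda f: (f.proto, f.port or 0)):
        if f.proto == "esp":
            lines.append(f"ip daddr {VPN_SERVERS} ip protocol esp accept")
        else:
            lines.append(f"ip daddr {VPN_SERVERS} {f.proto} dport {f.port} accept")
    return lines


def unexpected_vpn_flows(log_lines, client):
    """Return log lines whose destination is a VPN server but whose proto/port
    is not one the client needs. Line format is a constructed 'k=v' style."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        port = int(fields["dport"]) if "dport" in fields else None
        if (ipaddress.ip_address(fields["dst"]) in VPN_SERVERS
                and not flow_permitted(client, fields["proto"], fields["dst"], port)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real traffic): two expected AnyConnect flows,
# one SSH attempt to a VPN server address, and one unrelated web connection.
SAMPLE_LOG = [
    "proto=tcp dst=163.1.94.20 dport=443",
    "proto=udp dst=163.1.94.20 dport=443",
    "proto=tcp dst=163.1.94.20 dport=22",
    "proto=tcp dst=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    print("\n".join(nft_rules("anyconnect")))
    print("unexpected:", unexpected_vpn_flows(SAMPLE_LOG, "anyconnect"))
```

Running the block prints the two AnyConnect rules and flags only the port 22 line; the web connection is ignored because it is not addressed to the VPN netblock at all.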

OTHER CLIENTS

There is nothing to stop other clients connecting to the IT Services VPN Service; for example, the open-source VPN client vpnc works well. However, many vendors choose not to support the protocols needed.

The following parameters may help in the configuration of a third-party IPSec client.

Server platform: Cisco ASA 5500 series
Server hostname: vpn.ox.ac.uk
Transport mode: IPSec, IPSec/TCP or IPSec/UDP
Authentication mode: IKE Extended Authentication (Xauth)
IPSec group name: oxford
IPSec group password: See the IPSec secret.
Xauth username: your Remote Access username
Xauth password: your Remote Access password

The following IKE proposals are supported.

Authentication Algorithm   Encryption Algorithm   Diffie-Hellman Group
MD5/HMAC-128               3DES-168               Group 2
MD5/HMAC-128               3DES-168               Group 5
SHA/HMAC-160               AES-128                Group 2

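A third-party client has to offer one of the three proposals in the table above, and since both MD5 and 3DES are considerably weaker than SHA-1 and AES, a client should be configured to offer the SHA/AES-128 proposal. The Python below is an added example (not IT Services code) that picks the strongest supported proposal from what a client offers and renders a vpnc configuration from the parameters listed in this section. The strength ranking is an editorial assumption, the vpnc keys (IPSec gateway, IPSec ID, IPSec secret, Xauth username, IKE DH Group, NAT Traversal Mode) are those of the vpnc project and the group password is a placeholder because the page refers to it elsewhere; mapping IPSec/TCP onto vpnc is deliberately left out as an assumption this example does not make.

```python
# Supported IKE proposals from the table above: (auth, encryption, DH group).
SUPPORTED_PROPOSALS = [
    ("MD5/HMAC-128", "3DES-168", 2),
    ("MD5/HMAC-128", "3DES-168", 5),
    ("SHA/HMAC-160", "AES-128", 2),
]

# Editorial ranking used only to prefer one supported proposal over another.
AUTH_RANK = {"MD5/HMAC-128": 0, "SHA/HMAC-160": 1}
ENC_RANK = {"3DES-168": 0, "AES-128": 1}

# Assumed mapping of the page's transport modes onto vpnc's NAT Traversal Mode.
VPNC_NAT_MODE = {"IPSec": "none", "IPSec/UDP": "cisco-udp"}


def is_supported(auth, enc, dh_group):
    return (auth, enc, dh_group) in SUPPORTED_PROPOSALS


def choose_proposal(offered):
    """Return the strongest supported proposal among those a client offers, or None.
    Encryption counts first, then the hash, then the DH group number."""
    candidates = [p for p in offered if is_supported(*p)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (ENC_RANK[p[1]], AUTH_RANK[p[0]], p[2]))


def render_vpnc_conf(username, transport="IPSec/UDP", dh_group=2):
    """Render vpnc configuration lines for the parameters on this page.
    The Xauth password is omitted on purpose: vpnc prompts for it when absent."""
    if transport not in VPNC_NAT_MODE:
        raise ValueError(f"no vpnc mapping for transport mode {transport!r}")
    if dh_group not in {p[2] for p in SUPPORTED_PROPOSALS}:
        raise ValueError(f"DH group {dh_group} is not in any supported proposal")
    return [
        "IPSec gateway vpn.ox.ac.uk",
        "IPSec ID oxford",
        "IPSec secret <group-password-placeholder>",   # see the IPSec secret page
        f"Xauth username {username}",
        f"IKE DH Group dh{dh_group}",
        f"NAT Traversal Mode {VPNC_NAT_MODE[transport]}",
    ]


if __name__ == "__main__":
    offered = [("MD5/HMAC-128", "3DES-168", 2), ("SHA/HMAC-160", "AES-128", 2)]
    print("chosen proposal:", choose_proposal(offered))
    print("\n".join(render_vpnc_conf("abcd1234")))
```

The rejection of IPSec/TCP in render_vpnc_conf is the practical caveat: a transport mode the service supports is not necessarily one a given third-party client supports, so check the client's documentation before relying on the TCP 10000 path.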
The service does not allow split tunnelling by VPN clients.
