VPN Service Frequently Asked Questions

By connecting to the VPN service when you are off campus, you assure that the data you transmit will be secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to gain access to external resources from off campus (such as library resources) that are based on UCSB source addresses.

The UCSB VPN Service assigns addresses from the following subnets:


This is an indication that your VPN client is not installed correctly, or you do not have an active connection to the VPN server.  Try re-installing the client, or re-initiating your connection from the VPN client.

Generally yes. SSH provides end-to-end encryption whereas the VPN server only provides encryption from your client up to the server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

Yes, but these types of software can sometimes cause intermittent connectivity issues with VPN. We recommend using the built-in firewall instead if you are running Windows XP SP2. If you run personal firewall software from a 3rd party, you must configure it to "trust" (allow access to) the VPN IP addresses (vpn.ucsb.edu). You cannot have Microsoft Internet Connection Sharing installed on Windows 98 or Windows 2000 or XP while you are running the VPN client.

The VPN Client will not work with AOL dialup or AOL Broadband services. When connected to the VPN via AOL dialup service, the VPN client disconnects after few seconds. This happens because of a "connection keep-alive" sent by AOL. When connected to the VPN, the AOL server doesn't recognize that the connection is now being sent through the VPN, and is lead to believe that the machine is no longer connected to it's network. Since it no longer sees the client, it disconnects the session. This is expected behavior from AOL connected clients. AOL does not claim to provide any support for VPN on their infrastructure. Solution: Use a different ISP if you need to connect to the UCSB VPN.

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) has created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cypher Block Chaining (CBC) in which each plaintext block is XORed with the previous cypher text block before encryption. This makes dictionary style attacks very difficult and increases the overall effectiveness of encryption.

Our VPN customers are currently experiencing trouble reaching our server from China. We suspect that connections to our VPN server is being blocked by the Chinese government's firewall. We are investigating this issue, but we do not have a solution to the problem at this time.

The following limits exist on VPN sessions:

Idle Timeout: 60 min
Max Session: 720 min (12 hours)

When 5 minutes are remaining on your VPN session, you will be prompted if you would like to extend your sesssion.  If you click "Yes," your connection will stay intact and your session timer will be restarted.

Each user may have up to 3 concurrent VPN sessions active at a time from various devices.

You may receive this message after successful authentication to the Campus VPN Service if you do not have a valid affiliation in the UCSB Campus Directory.  Valid affiliations for connection to the Campus VPN service are:

contractor employee extension pre-hire student academic-affiliate

For more information about guest affiliations, see Identity Services pages

Your system is missing the Root or intermediate CAs.



Internet Explorer can install these automatically to the Windows Certificate Store if you browse to https://ps.vpn.ucsb.edu/install)  If you don't wish to use Internet Explorer, you can complete this task manually.


Download the root CA and intermediates from the bottom of this page:



After they are downloaded, double-click on each certificate to install them - this will open the Windows Certificate Wizard.


Mac OS X:

Download the root CA and intermediates from the bottom of this page:



After they are downloaded, double-click on each certificate to install them into your system Keychain.