VPN Service Frequently Asked Questions

By connecting to the VPN service when you are off campus, you ensure that the data you transmit will be secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. The VPN also gives you access to resources that are restricted based on source address: while you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to reach external resources from off campus (such as library resources) whose access is based on UCSB source addresses.

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and was developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: it offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cipher Block Chaining (CBC), in which each plaintext block is XORed with the previous ciphertext block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of encryption.

Generally yes. HTTPS and SSH provide end-to-end encryption, whereas the VPN only provides encryption from your client up to the VPN server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

The following limits exist on VPN sessions:

Idle Timeout: 60 min
Max Session: 720 min (12 hours)

When 5 minutes remain on your VPN session, you will be asked whether you would like to extend your session. If you click "Yes," your connection will stay intact and your session timer will be restarted.

Each user may have up to 3 concurrent VPN sessions active at a time from various devices.

The UCSB VPN Service assigns addresses from the following subnets:

  • 128.111.61.0/24
  • 128.111.64.0/24

This is an indication that your VPN client is not installed correctly, or that you do not have an active connection to the VPN server. Try re-installing the client, or re-initiating your connection from the VPN client. As a last option, reboot your computer and try re-initiating the connection from your VPN client.

As of mid-2017, our VPN customers have had positive experiences connecting to the campus VPN from networks in China, behind the Chinese government's firewall technologies. Pulse Secure uses ESP over port 4500/UDP for VPN transport and will fall back to SSL over 443/TCP if ESP cannot be negotiated (for instance, if the ISP is blocking or throttling it). This provides flexibility for connectivity from remote networks.

Depending on future technical methods deployed by China's government firewalls, it may not be possible to connect to the Pulse Secure VPN.  We will update this FAQ as new information is discovered.

You may receive this message after successful authentication to the Campus VPN Service if you do not have a valid affiliation in the UCSB Campus Directory.  Valid affiliations for connection to the Campus VPN service are:

  • contractor
  • employee
  • extension
  • pre-hire
  • student
  • academic-affiliate

For more information about guest affiliations, see the Identity Services pages.

If you are receiving this message and have a valid affiliation and a valid UCSBNetID and password, your access to the VPN and Wireless may have been blocked administratively by the NOC/SOC due to a network security issue. Please check your email for a message related to the issue.

Your system is missing the root or intermediate CA certificates.

Windows:

Internet Explorer can install these automatically to the Windows Certificate Store if you browse to https://ps.vpn.ucsb.edu/install. If you don't wish to use Internet Explorer, you can complete this task manually.

Download the root CA and intermediates from the bottom of this page:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View...

After they are downloaded, double-click each certificate to install it; this will open the Windows Certificate Wizard.

Mac OS X:

Download the root CA and intermediates from the bottom of this page:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View...

After they are downloaded, double-click each certificate to install it into your system Keychain.

Yes, it is safe to follow the prompts in this message. The VPN server can automatically provide Mac and Windows users with an up-to-date client. Click "Upgrade" and follow the prompts to upgrade your installed Pulse Secure VPN client (an Administrator username and password are required to complete the upgrade on Mac systems). Any customized connection profiles you created in the Pulse Secure VPN client will be saved after the upgrade.