Caltech VPN FAQ

I need help troubleshooting my AnyConnect client.

Click here for the troubleshooting page.

I've previously used VPN3000. Will AnyConnect allow me to connect in the same way the VPN3000 client did?

Yes, functionally AnyConnect and the VPN3000 client perform the same task. You should be able to connect to the same sites as you have been. Technically, AnyConnect and VPN3000 are very different. AnyConnect uses SSL technology (the same as a secure transfer in a web browser). You'll notice the following changes:

  • AnyConnect does not affect the central core of the operating system (i.e. the kernel), so it is much easier to install and maintain.
  • AnyConnect does not require a special configuration for Network Address Translation (NAT).
  • AnyConnect works over standard web ports, which are almost always open.
  • AnyConnect is automatically updated, so you don't have to install newer versions to stay current.

Can I have AnyConnect and the older VPN3000 client installed at the same time?

Yes, they can be installed at the same time. You can use one or the other but not both at the same time.

I installed AnyConnect, but now I can't connect to a site that I used to connect to with the older VPN3000.

Assuming that AnyConnect is working correctly, you may need to contact the system administrator of the site and ask them to update their access list.

I can't seem to connect to journals that require me to be on the Caltech network.

Remote journal access should now be done through the Library's authenticated proxy server using your access.caltech username and password. The jump-off point is located at:

http://library.caltech.edu/databases/proxy.htm

If this isn't working, you can also access the journals by using the 'Tunnel-All-Traffic' profile, although the Library prefers that remote users use their proxy server.

What is VPN and what does it do?

VPN stands for 'Virtual Private Network'.

Once the Caltech VPN client is installed on your computer, whenever you create a VPN connection, it will encrypt the data you are sending, and use your existing Internet connection to send the encrypted data to the VPN server on the Caltech network. The VPN server then decrypts the data and forwards it to the final destination. This means that the path between your location and the Caltech network is secure. A VPN connection is sometimes referred to as a "tunnel", and sending data over a VPN connection can be referred to as "tunneling".

The Caltech VPN also provides your connection with a Caltech IP address. To any service on campus, your connection will appear as though it is on the Caltech network. This is useful for remotely connecting to services which have been restricted to campus-only.

What is the difference between the different Caltech VPN profiles?

Tunnel-Caltech-Traffic-Only

Who should use it?

  1. Remote users who may need to access restricted resources on their own network. For example, a JPL user wishes to access JPL IP restricted sites while being connected to Caltech's VPN.
  2. Users at home who need access to Caltech resources but don't want all their traffic sent over VPN to Caltech. There may be sites configured to recognize a home IP address.
  3. Users who want the best possible network performance. Encrypting data will somewhat impact performance, so it's best to only send necessary data over the VPN connection.

What does it do?

  1. Sends only data destined for Caltech, or a small number of select sites (see below which sites are being tunneled) over the VPN connection.
  2. Any other network traffic is sent as it normally would be if you were not using the Caltech VPN connection.
  3. This mode is referred to sometimes as 'split tunneling'.

Tunnel-All-Traffic

Who should use it?

  1. When using applications within access.caltech, please use Tunnel All.
  2. Users on an insecure network, such as a public wireless access point or a hotel DSL connection, that wish to send all of their network traffic through an encrypted tunnel. 
  3. Users attempting access to a Caltech IP restricted site which is not being tunneled by the 'Tunnel-Caltech-Traffic-Only' profile. Using Tunnel-All-Traffic may solve the problem.
  4. This also works for accessing journal databases that are Caltech IP restricted, although we suggest you use the Library proxy server. Click here to read more about this.

What does it do?

  1. Sends all data being generated by your computer through the VPN connection.
  2. This mode is referred to sometimes as 'tunnel everything'.
  3. If you have 'Exclude Local LAN' selected, then the exception would be any traffic destined for your local subnet (for example, printing).

Tunnel-Caltech-WinDomainUsers and Tunnel-All-WinDomainUsers

Who should use it?

  1. The two profiles labeled WinDomainUsers are intended for Windows users who have a business requirement to create a VPN session before logging in to the computer.
  2. This is useful for such things as mounting a shared drive.
  3. You should check with your supervisor or system administrator to see if you should use these profiles.

What does it do?

  1. The WinDomain profiles will alter the AnyConnect configuration to include a feature called Start Before Logon.
  2. Otherwise they function exactly the same as the Caltech-Only and Tunnel-All profiles.

Which sites are tunneled by the 'Caltech-Only' group?

  Site                                          Tunneled IP range
  Caltech IP range                              131.215.xxx.xxx
  E-academy.com (hosts software.caltech.edu)    209.35.xxx.xxx

We are willing to add more sites to the split tunnel as people report them -- to report a site that should be added, please send the IP range needed and the reason to http://help.caltech.edu (request type IMSS-->Network, Wireless & Remote Access-->Other).
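
The routing decision each profile makes, as an added example (not part of the original FAQ or of AnyConnect itself). It assumes the ranges "131.215.xxx.xxx" and "209.35.xxx.xxx" above mean /16 networks; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges the FAQ lists for the 'Caltech-Only' split tunnel. Reading
# "131.215.xxx.xxx" and "209.35.xxx.xxx" as /16 networks is an assumption.
SPLIT_TUNNEL_NETS = [
    ipaddress.ip_network("131.215.0.0/16"),   # Caltech IP range
    ipaddress.ip_network("209.35.0.0/16"),    # E-academy.com
]


def route_for(dest, profile, local_lan=None, exclude_local_lan=False):
    """Return 'vpn' or 'direct' for one destination address.

    profile           -- a profile name from this FAQ; the WinDomainUsers
                         variants route like their base profile
    local_lan         -- the client's local subnet, e.g. '192.168.1.0/24'
    exclude_local_lan -- models the 'Exclude Local LAN' option
    """
    addr = ipaddress.ip_address(dest)
    if profile.startswith("Tunnel-All"):
        # Everything is tunneled, except the local subnet when excluded.
        if exclude_local_lan and local_lan is not None:
            if addr in ipaddress.ip_network(local_lan):
                return "direct"
        return "vpn"
    if profile.startswith("Tunnel-Caltech"):
        # Split tunneling: only the listed ranges use the VPN; all other
        # traffic leaves over the local network without VPN encryption.
        in_list = any(addr in net for net in SPLIT_TUNNEL_NETS)
        return "vpn" if in_list else "direct"
    raise ValueError("unknown profile: " + profile)


def plan(dests, profile, **kw):
    """Map each destination to its route under the given profile."""
    return {d: route_for(d, profile, **kw) for d in dests}


if __name__ == "__main__":
    # Constructed sample destinations, not taken from the FAQ.
    sample = ["131.215.9.49", "209.35.1.10", "198.51.100.7", "192.168.1.20"]
    for profile in ("Tunnel-Caltech-Traffic-Only", "Tunnel-All-Traffic"):
        print(profile, plan(sample, profile, local_lan="192.168.1.0/24",
                            exclude_local_lan=True))
```
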

I already have an AnyConnect client which I use to connect to another institution (JPL, USC, UCLA, etc). Do I need to install the Caltech client as well?

No. Please read the overview page. You will first need to have your Caltech VPN account enabled. Once you have received confirmation that VPN access has been added to your account, go to https://vpn.caltech.edu and log in with your access.caltech credentials. The Caltech profiles will be added to your AnyConnect client, and appear in the Group dropdown. Profiles from any other institution will not be affected. You can then choose which VPN connection you want to use.

Note: The Caltech AnyConnect VPN will automatically upgrade your client if it detects that your installed version is lower than the one Caltech makes available. You may want to verify with the non-Caltech institution whether this would affect connectivity there.

I have the Caltech AnyConnect client installed and now I need to use AnyConnect to connect to another institution (JPL, USC, UCLA, etc). Can I use the Caltech client?

Yes, you should be able to. Connect to the remote institution and login with the appropriate credentials. You should automatically receive the correct profiles for the remote institution. For help with connecting to remote institutions, contact their network administrators.

What range will VPN assign me IP addresses from?

You will get an IP address of 131.215.248.xxx or 131.215.249.xxx

Is it possible for me to have a static IP address assignment (i.e. have the exact same IP address every time) with the Caltech VPN (AnyConnect)?

No. We do not provide static IP address assignments. You will receive a different IP address each time you connect.

Can I use the Caltech VPN over wireless networks?

Yes, the Caltech VPN client will work over wireless connections.
 
For connections established via Caltech BeaverNet (which is an encrypted network), the encryption provided via VPN is redundant, and creates an unnecessary performance impact.
Registered and Guest networks are not encrypted, so VPN encryption does provide protection of network traffic.
 
For all other wireless networks, including encrypted ones, VPN will provide protection of network traffic.
 
If you need to access resources that are restricted by IP address, then you'll need to use VPN even when on BeaverNet.
 

Cisco has released a version of the AnyConnect client that will work on rooted Android devices. Is this supported at Caltech?

Even though Cisco has released a version of AnyConnect that will work on a rooted phone, they explicitly do not support it. Due to the complexities and risks of rooting a phone, IMSS cannot support rooted phones either. Users with the necessary skills may use rooted devices but must support the configuration and any resulting issues themselves.