DRAFT
Caltech Logo
Information Management Systems and Services
IMSS  /  Services  /  Wired, Wireless & Remote Access  /  Virtual Private Network (VPN)  /  VPN FAQ

Virtual Private Network FAQ

VPN stands for 'Virtual Private Network'

Caltech's VPN uses encryption to create a secure network connection to campus over the public internet. VPNs work by establishing secure "tunnels" for the transfer of information. Because the data which passes through such tunnels is encrypted, it is protected from unauthorized access. Additionally, the VPN tunnel end-points authenticate with each other to prevent identity spoofing, and verify all received data to ensure that it has not been altered during transmission.

Once you've installed the Caltech VPN client on your computer, you can use it to create a VPN connection that uses your existing Internet connection to exchange encrypted data with the VPN server on the Caltech network. The VPN server then decrypts the data and forwards it to the final destination, and receives and re-encrypts return traffic destined for your computer. This process protects the network traffic between your location and the Caltech campus network from unauthorized access. Please note that while the VPN connection secures your session by encrypting network traffic between your device and Caltech, we strongly recommend always using your computer's built-in firewall to protect from possible network-based attacks

The Caltech VPN also provides your connection with a Caltech IP address. To any service on campus, your connection will appear as though it is on the Caltech network. This is useful for remotely connecting to services which have been restricted to campus-only.

VPN is not required for cloud services such as Email, Box, Google Drive, Google Hangouts Meet, Gradescope, Canvas, OneDrive, Teams, and Zoom. For a better experience, IMSS recommends not connecting to VPN while using these services.

For a full list of applications that require VPN, no VPN, or Remote Desktop visit:

Data passed over the your VPN connection is secured in transit using encryption. While the VPN connection secures network traffic between your device and Caltech, we strongly recommend using your computer's built-in firewall to protect from possible attacks, just as you would when your computer is on campus or any other open network.

Click here for the troubleshooting page.

Remote journal access should now be done through the Library's authenticated proxy server using your access.caltech username and password. The jump-off point is located at:

http://library.caltech.edu/databases/proxy.htm

If this isn't working, you can also access the journals by using the 'Tunnel-All-Traffic' profile, although the Library prefers that remote users use their proxy server.

Tunnel-Caltech-Traffic-Only

Who should use it?

  1. Remote users who may need to access restricted resources on their own network. For example, a JPL user wishes to access JPL IP restricted sites while being connected to Caltech's VPN.
  2. Users at home who need access to Caltech resources but don't want all their traffic sent over VPN to Caltech. There may be sites configured to recognize a home IP address.
  3. Users who want the best possible network performance. Encrypting data will somewhat impact performance, so it's best to only send necessary data over the VPN connection.

What does it do?

  1. Sends only data destined for Caltech, or a small number of select sites (see below which sites are being tunneled) over the VPN connection.
  2. Any other network traffic is sent as it normally would be if you were not using the Caltech VPN connection.
  3. This mode is referred to sometimes as 'split tunneling'.

Tunnel-All-Traffic

Who should use it?

  1. When using applications within access.caltech, please use Tunnel All.
  2. Users on an insecure network, such as a public wireless access point or a hotel DSL connection, that wish to send all of their network traffic through an encrypted tunnel.
  3. Users attempting access to a Caltech IP restricted site which is not being tunneled by the 'Tunnel-Caltech-Traffic-Only' profile. Using Tunnel-All-Traffic may solve the problem.
  4. This also works for accessing journal databases that are Caltech IP restricted, although we suggest you use the Library proxy server. Click here to read more about this.

What does it do?

  1. Sends all data being generated by your computer through the VPN connection.
  2. This mode is referred to sometimes as 'tunnel everything'.
  3. If you have 'Exclude Local LAN' selected, then the exception would be any traffic destined for your local subnet (for example, printing).

Tunnel-Caltech-WinDomainUsers andTunnel-All-WinDomainUsers

  1. Who should use it?
  2. The two profiles labeled WinDomainUsers are intended for Windows users who have a business requirement to create a VPN session before logging in to the computer.
  3. This is useful for such things as mounting a shared drive.
  4. You should check with your supervisor or system administrator to see if you should use these profiles.

What does it do?

  1. The WinDomain profiles will alter the AnyConnect configuration to include a feature called Start Before Logon.
  2. Otherwise they function exactly the same as the Caltech-Only and Tunnel-All profiles.

Which sites are tunneled by the 'Caltech-Only' group?

Site

Tunneled IP range

Caltech IP range

131.215.xxx.xxx

E-academy.com (hosts software.caltech.edu)

209.35.xxx.xxx

We are willing to add more sites to the split tunnel as people report them -- to report a site that should be added,

Request for Help Desk Support

Please send the IP range needed and the reason to http://help.caltech.edu (request type IMSS-->Network, Wireless & Remote Access-->Other)

No. Please read the VPN overview page. You will first need to have your Caltech VPN account enabled. Once you have received confirmation that VPN access has been added to your account, go to https://vpn.caltech.edu and log in with your access.caltech credentials. The Caltech profiles will be added to your AnyConnect client, and appear in the Group dropdown. Profiles from any other institution will not be affected. You can then choose which VPN connection you want to use.

Note: The Caltech AnyConnect VPN will automatically upgrade your client if it detects that your installed version is lower that the one Caltech makes available. You may want to verify with the non-Caltech institution whether this would affect connectivity there.

Yes, you should be able to. Connect to the remote institution and login with the appropriate credentials. You should automatically receive the correct profiles for the remote institution. For help with connecting to remote institutions, contact their network administrators.

You will get an IP address between 131.215.248.1 and 131.215.252.254

No. We do not provide static IP address assignments. You will receive a different IP address each time you connect.

Yes, the Caltech VPN client will work over wireless connections. For connections established via Caltech wireless networks (Secure and Beavernet) which are encrypted networks).

The encryption provided via VPN is redundant, and creates an unnecessary performance impact.

Registered and Guest networks are not encrypted, so VPN encryption does provide protection of network traffic.

For all other wireless networks, including encrypted ones, VPN will provide protection of network traffic.

If you need to access resources that are restricted by IP address, then you'll need to use VPN even when on Beavernet.

Even though Cisco has released a version of AnyConnect that will work on a rooted phone, they explicitly do not support it. Due to the complexities and risks of rooting a phone, IMSS cannot support rooted phones as well. Users with the necessary skills may use rooted devices but must support the configuration and any resulting issues themselves.

Submit a Help Desk Ticket with the following request type: IMSS-->Network, Wireless & Remote Access-->Other.