VPN, Cisco AnyConnect, Cisco Secure Client, About VPN Profiles

This page explains the differences between the VPN profiles available for users to choose from.

Normal use: "Split Tunnel" profile

Most people will ordinarily select the 'Split Tunnel' profile. This sends traffic meant for University computers to the University, and doesn't intervene in your non-University web browsing such as Facebook or Google. As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN.  Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

Identity, Privacy and Cybersecurity (IPC) suggests the use of the Split Tunnel profile from secured networks that you trust, such as home and work networks.

Special cases: "Tunnel All," "Split Tunnel Public IPs Only"

Tunnel All (off-campus online resource use, traveling in countries with restricted network access)

The "Tunnel All" profile is used in cases where you need to present a University identity to a third party website, such as the Library's online resource collection. (See Library Resources and the VPN for more information about remote access to the Library's resources.) There are some other services provided to campus based on IP address in addition to those from the Library.  Additionally, if you are traveling outside the US and want to reach US servers for services such as Google or Facebook then the Tunnel All profile will send all your data back to campus first, and then out to those services. Researchers accessing NIST data must use either "Tunnel All" in order to be compliant with grant award restrictions. As of Fall 2018 both your IPv4 and IPv6 traffic are sent back to campus.

Identity, Privacy and Cybersecurity (IPC) recommends the use of the Tunnel All profile from untrusted networks, such as unsecured wireless networks, coffee shops, hotels, and other potentially vulnerable networks. This way all of your network traffic is encrypted on the path between your computer and the campus network, helping to protect your data from snooping.

Problem: I cannot connect to "Tunnel All" VPN and local server or printer without being disconnected.

Answer: You need to check the box in settings for "Allow local (LAN) access when using VPN" in your settings. That should let you keep access to the local samba server while using Tunnel All.

VPN, Configuration for local LAN access

Split Tunnel Public IPs Only

The "Split Tunnel Public IPs Only" profile is used in the rare case that you need to use the features of Split Tunnel but also need to be able to connect to computers off-campus that are on Private IP addresses normally used on campus.  The standard "Split Tunnel" profile will send traffic meant for any university IP address, both the public addresses and private addresses, used on campus.  Most of the time this will not interfere with your ability to use non-university resources.  However a few Internet providers and businesses might be using the same parts of private IP space in such a way that "Split Tunnel" will not work correctly. In that case you can use "Tunnel All" or "Split Tunnel Public IPs Only" to connect. See more about what IP ranges are in use on campus on the Guide to University of Illinois IP Spaces.
As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN.  Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

Why does the program default to Split Tunnel and not Tunnel All?

Tunnel All is required for library use, but might slow a person's network connection down for regular Internet use.  Split Tunnel sends traffic for campus IP addresses to campus, but also lets all their traffic out to the Internet go straight to where it is going without the overhead of first encrypting it, then sending it to the university, having it unencrypted, and then sending it back out to the Internet. Then the response comes back to the University, get encrypted, and then sent back to their computer where it has to be unencrypted.  That adds time, and the encryption process uses a lot of CPU power on their computer. It also sends all the traffic in and out of the University's Internet connection (multiple times) that otherwise doesn't need to be there, using a moderately expensive resource shared by all of campus.

Because of all the extra steps the data has to take with Tunnel All, most people have the best experience using the Internet and University resources at the same time with Split Tunnel.

Split Tunnel does let people connect to classroom servers, just not Library online resources.  Classroom servers have University IP addresses, so the VPN sends that traffic to campus in either Split Tunnel or Tunnel All.  The Library's online resources are located off-campus, and depend on checking your IP address to see if you are allowed to use them. That means the traffic must come from campus, so only Tunnel All works.



Keywords:
VPN profiles, Cisco, AnyConnect, split tunnel, tunnel all, duo, Library online resources, IPv6, 2FA token Secure Client 
Doc ID:
47638
Owned by:
Network E. in University of Illinois Technology Services
Created:
2015-02-26
Updated:
2024-03-12
Sites:
University of Illinois Technology Services